AWS RDS Certificate Authority update


I recently received an email regarding a required update to my RDS Certificate Authority.
The instructions on the RDS side seems straight forward:

However on step 4 there was an important message, “When you schedule this operation, make sure that you have updated your client-side trust store beforehand.”

I cant seem to find any information about updating my server which connects to RDS for the CA update.

My Setup is EC2 instances on Beanstalk.

Does anyone know how/what I am supposed to do?
Thank you.

similar question: Update Amazon RDS SSL/TLS Certificates – Elastic Beanstalk


Basically, the installation of certification is only required when you use the SSL connection from your application to the RDS server. Regardless of the SSL connection, it is recommended to update the certificate of your server but it is not necessary when you did not use the SSL connection to the RDS.

Server-side Usage

When you use the SSL connection, you should change the certificate of the RDS server as soon as possible. Go to the RDS console, then you can find the Certificate update menu from the left menu list. Find your DB cluster, check and update your SSL right now or reserve the update for the next maintenance.

Client-side Usage

The details about the SSL certificate are noted in the documentation. From here, you can download the root CA certificate of rds 2019. The link is below.

This CA certificate is used to connect the rds server, e.g.

or add it to the Trusted Root CA for the client OS.

For example in Windows, you can run certmgr.msc and right-click the trusted root ca, import this certificate. In Mac, open keychain access and import this certificate. This is an option.

Leave a Reply