AWS RDS SSL/TLS Certificate Rotation: Technical Deep Dive on rds-ca-2019 Migration and Client-Side Implications



Many developers are surprised to find their RDS connections working without explicitly installing Amazon's intermediate certificates. Here's why:

# Check installed root certificates on Ubuntu
ls -l /etc/ssl/certs | grep -i amazon

Ubuntu 18.04 and later include the four Amazon Root CA certificates in the ca-certificates package. Those roots (valid until 2038/2040) belong to Amazon Trust Services, the public CA behind amazon.com and ACM-issued certificates. They do not sign RDS certificates: rds-ca-2015 and rds-ca-2019 are self-signed RDS roots with regional intermediate CAs under them, and none of that hierarchy is shipped in any operating-system trust store.

The connection works anyway because:

  1. RDS presents its server certificate together with the regional intermediate that signed it; the client downloads nothing
  2. libpq's default sslmode is prefer, which negotiates TLS but verifies neither the chain nor the hostname
  3. Only sslmode=verify-ca or verify-full validates the chain, and then against sslrootcert (default ~/.postgresql/root.crt), not against the system store
# Inspect the served chain with OpenSSL (PostgreSQL starts TLS inside its own protocol, so -starttls postgres is required)
openssl s_client -starttls postgres -connect your-db-instance.rds.amazonaws.com:5432 -showcerts </dev/null
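You can see these outcomes without an RDS endpoint. The shell script below is an added example, not code from the original page or from AWS: it builds a throwaway PKI shaped like the RDS one (a self-signed root, a regional intermediate, a server certificate for a made-up endpoint name) plus an unrelated self-signed root standing in for the Amazon Root CAs in /etc/ssl/certs. It then shows that the server certificate fails against the unrelated root, verifies against the bundle of root plus intermediate (the equivalent of sslrootcert=global-bundle.pem), passes a hostname check for the right name and fails for a wrong one (what verify-full adds over verify-ca). Every CA name, host name and file path in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: miniature RDS-style PKI to demonstrate chain and hostname
# verification outcomes offline. All CA and host names below are constructed.
set -eu

DEMO_HOST="demo-db.rds.example.invalid"   # hypothetical endpoint name

# make_demo_pki DIR: create root -> regional intermediate -> server cert in DIR,
# plus an unrelated self-signed root that plays the role of a system-store CA.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed RDS-style root (the role rds-ca-2019 plays).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "/O=Demo/CN=Demo RDS Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Regional intermediate signed by the root; it must carry CA:TRUE to be
    # accepted as an issuer.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Demo/CN=Demo RDS us-east-1 CA" \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/inter.ext"
    openssl x509 -req -days 30 -sha256 -in "$dir/inter.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/inter.ext" -out "$dir/inter.pem" 2>/dev/null
    # Server certificate for the endpoint, signed by the intermediate, with the
    # endpoint name in subjectAltName (what hostname verification checks).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$DEMO_HOST" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$DEMO_HOST" \
        > "$dir/leaf.ext"
    openssl x509 -req -days 30 -sha256 -in "$dir/leaf.csr" \
        -CA "$dir/inter.pem" -CAkey "$dir/inter.key" -CAcreateserial \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
    # What the RDS truststore download gives you: root plus intermediates.
    cat "$dir/root.pem" "$dir/inter.pem" > "$dir/bundle.pem"
    # Unrelated trusted root, standing in for the Amazon Root CAs in /etc/ssl/certs.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
        -subj "/O=Demo/CN=Unrelated Public Root CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}

# verify_leaf CAFILE LEAF [HOST]: exit 0 if LEAF chains to CAFILE (and, when
# HOST is given, the certificate is valid for that name). This mirrors what
# sslmode=verify-ca / verify-full do with sslrootcert=CAFILE.
verify_leaf() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# demo DIR: build the PKI in DIR, run the four checks, echo a summary line.
demo() {
    d=$1
    make_demo_pki "$d"
    verify_leaf "$d/other.pem"  "$d/leaf.pem" && r1=ok || r1=fail   # system-store style CA
    verify_leaf "$d/bundle.pem" "$d/leaf.pem" && r2=ok || r2=fail   # RDS-style bundle
    verify_leaf "$d/bundle.pem" "$d/leaf.pem" "$DEMO_HOST" && r3=ok || r3=fail
    verify_leaf "$d/bundle.pem" "$d/leaf.pem" "wrong-host.example.invalid" && r4=ok || r4=fail
    echo "unrelated-root=$r1 bundle=$r2 hostname-match=$r3 hostname-mismatch=$r4"
}

demo "$(mktemp -d)"
```

openssl verify with -CAfile performs the same validation libpq does in verify-ca mode; -verify_hostname adds the check that verify-full adds. Against a live instance you would feed it the chain captured with openssl s_client -starttls postgres -showcerts instead of the generated leaf.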

Connections that use the default sslmode=prefer keep working after the switch to rds-ca-2019 only because nothing is verified. Applications that do verify (verify-ca or verify-full in libpq, or the equivalent in another client) need the bundle that contains the 2019 root and the regional intermediates:

# For applications with explicit certificate verification:
wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
# Update your connection string (verify-full checks both the chain and the hostname):
psql "host=your-db.rds.amazonaws.com sslmode=verify-full sslrootcert=global-bundle.pem"

You need manual intervention if your application:

  • Hardcodes certificate fingerprints (the 2019 root and intermediates have new fingerprints)
  • Uses pinned certificates
  • Has custom trust stores, such as a Java keystore that only knows rds-ca-2015
  • Runs on older Linux distributions or minimal container images where you manage trust material yourself
# Java applications may need the new CA in their keystore. keytool imports only the
# first certificate from a multi-certificate PEM file, so split the bundle and import
# each certificate under its own alias instead of pointing keytool at the whole bundle:
keytool -importcert -alias rds2019-root -file rds-2019-cert-1.pem -keystore cacerts   # one certificate split out of global-bundle.pem
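The split that keytool needs is easy to get wrong by hand, so here is an added example script (not from the original page or from AWS) that does it mechanically: it cuts any PEM bundle into one file per certificate, prints each certificate's subject and SHA-256 fingerprint (the list to compare against anything your application pins), and, when keytool is on the PATH, imports every certificate into a keystore under its own alias. For a self-test it generates two self-signed sample certificates; the keystore path, password and alias prefix are placeholders.

```shell
#!/bin/sh
# Added example: split a multi-certificate PEM bundle (such as global-bundle.pem)
# into single certificates, list them, and import each into a Java keystore.
set -eu

# split_bundle BUNDLE OUTDIR: write OUTDIR/cert-N.pem for every certificate in
# BUNDLE and print the number of certificates written. Text outside the
# BEGIN/END markers is dropped.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# list_certs DIR: one line per certificate: file, SHA-256 fingerprint, subject.
# Compare the fingerprints against any that your application pins.
list_certs() {
    for c in "$1"/cert-*.pem; do
        fp=$(openssl x509 -in "$c" -noout -fingerprint -sha256 | sed 's/^.*=//')
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
        printf '%s %s %s\n' "$(basename "$c")" "$fp" "$subj"
    done
}

# import_certs DIR KEYSTORE STOREPASS PREFIX: import every split certificate
# under alias PREFIX-N and print how many were imported. keytool -importcert
# takes exactly one certificate per call, which is why the bundle is split first.
import_certs() {
    dir=$1; keystore=$2; storepass=$3; prefix=$4
    n=0
    for c in "$dir"/cert-*.pem; do
        n=$((n + 1))
        keytool -importcert -noprompt -trustcacerts \
            -alias "$prefix-$n" -file "$c" \
            -keystore "$keystore" -storepass "$storepass" >/dev/null
    done
    echo "$n"
}

# make_sample_bundle OUT: constructed two-certificate bundle for the self-test.
# A real run would use global-bundle.pem downloaded from the RDS truststore.
make_sample_bundle() {
    out=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Sample Root A" \
        -keyout "$out.a.key" -out "$out.a" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Sample Root B" \
        -keyout "$out.b.key" -out "$out.b" 2>/dev/null
    cat "$out.a" "$out.b" > "$out"
}

main() {
    work=$(mktemp -d)
    make_sample_bundle "$work/bundle.pem"
    count=$(split_bundle "$work/bundle.pem" "$work/split")
    echo "certificates in bundle: $count"
    list_certs "$work/split"
    if command -v keytool >/dev/null 2>&1; then
        # Placeholder keystore path, password and alias prefix.
        imported=$(import_certs "$work/split" "$work/demo.jks" changeit rds2019)
        echo "imported $imported certificates into $work/demo.jks"
    else
        echo "keytool not found; skipping keystore import"
    fi
}

main
```

For the application keystore, point import_certs at the JRE's cacerts (or the application's own truststore) and keep the alias prefix tied to the CA generation so the rds-ca-2015 entries can be removed cleanly once every instance has been rotated.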

To confirm proper certificate rotation, look at who issued the certificate the instance actually serves. RDS records the assigned CA as the instance's CACertificateIdentifier attribute (visible in the console and in describe-db-instances), but the TLS check below confirms what clients see:

# Check active certificate (-starttls postgres for PostgreSQL, -starttls mysql for MySQL):
openssl s_client -starttls postgres -connect your-db.rds.amazonaws.com:5432 </dev/null 2>/dev/null | openssl x509 -noout -issuer
# Should name the regional 2019 intermediate; the RDS identifier rds-ca-2019 does not
# appear literally in the certificate. For example, in us-east-1:
issuer=C = US, ST = Washington, L = Seattle, O = Amazon Web Services, Inc., OU = Amazon RDS, CN = Amazon RDS us-east-1 2019 CA

Remember to test all client applications, including cron jobs and background services.


When working with Amazon RDS PostgreSQL on Ubuntu 18.04, many developers notice SSL connections work without explicitly installing RDS certificates. This is not because Ubuntu's default CA bundle trusts the RDS CA; it does not. The default libpq sslmode, prefer, encrypts the connection without validating the server certificate, so an unknown CA never produces an error.


# Check installed Amazon root certificates on Ubuntu
ls -la /etc/ssl/certs | grep -i amazon
# Typically shows:
# Amazon_Root_CA_1.pem
# Amazon_Root_CA_2.pem
# Amazon_Root_CA_3.pem
# Amazon_Root_CA_4.pem

These four are the Amazon Trust Services public roots and have nothing to do with the RDS CA. The RDS CA certificates (rds-ca-2015/rds-ca-2019) are separate self-signed roots, each with regional intermediates, distributed only through the RDS truststore download. A PostgreSQL client such as psql therefore cannot validate an RDS certificate from the system CA store; in the default prefer mode it simply never tries.

To check which certificate your RDS instance is using (subject, issuing CA and validity window of the served certificate; the first certificate in the handshake is the server's own):


openssl s_client -starttls postgres -connect your-db-endpoint.rds.amazonaws.com:5432 </dev/null 2>/dev/null | \
openssl x509 -noout -subject -issuer -dates

For applications connecting to RDS, here's how to implement certificate verification properly:

Python (psycopg2) Example


import psycopg2

# sslmode=verify-full validates the chain AND that the certificate matches the
# host name. The chain is validated against sslrootcert, which must be the RDS
# bundle: the system bundle (/etc/ssl/certs/ca-certificates.crt) does not
# contain the RDS roots and would make this connect() fail verification.
conn = psycopg2.connect(
    host="your-db-endpoint.rds.amazonaws.com",
    dbname="yourdb",
    user="user",
    password="password",
    sslmode="verify-full",
    sslrootcert="/etc/ssl/certs/global-bundle.pem",  # copied from the RDS truststore download
)

Node.js Example


const { Client } = require('pg');
const fs = require('fs');

const client = new Client({
  host: 'your-db-endpoint.rds.amazonaws.com',
  user: 'user',
  password: 'password',
  database: 'yourdb',
  ssl: {
    // Fail the connection unless the server chain ends in a CA listed in `ca`.
    // The system bundle cannot be used here: it does not contain the RDS roots.
    rejectUnauthorized: true,
    ca: fs.readFileSync('/etc/ssl/certs/global-bundle.pem', 'utf8'),  // from the RDS truststore download
  },
});

For clients that verify, download the RDS CA bundle, which contains the root and the regional intermediates rather than a single intermediate certificate:


# For rds-ca-2019
wget https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem

Then configure your client to use it and to enforce verification explicitly rather than relying on what --ssl-ca alone implies, which differs between client versions:


# For mysql client (5.7.11 or later): VERIFY_IDENTITY checks the chain and the hostname
mysql --ssl-mode=VERIFY_IDENTITY --ssl-ca=global-bundle.pem -h your-db-endpoint -u user -p

Set up CloudWatch alerts for the DBInstanceCertificateRotation event to get notified of future rotations.