10/25 2023

Amazon RDS Certificates Expiring: Three Strategies for Seamless Improvement of Data Transmission Security!

Recently, users of Amazon RDS, the relational database service on AWS, may have noticed an update notification displayed in the console:

Amazon RDS certificate expiration
The alarm screen as it appears within the Amazon RDS service.

The notice states that the database requires an update: the ‘rds-ca-2019’ certificate of the Amazon RDS Certificate Authority (CA) will no longer be supported after August 2024. It is understandable that many enterprise users become concerned when a familiar service starts showing warnings. BoHong Cloud Architects are therefore here to guide you through a ‘three-step’ process that updates the Certificate Authority seamlessly while keeping data in transit secure!

Why Did I Receive an Amazon RDS Warning?

Amazon RDS is a widely used relational database service. When enterprises use RDS, data transmitted between the client and the database is encrypted over SSL/TLS connections, providing an additional layer of security. The service is typically used behind websites and applications. Recently, the Amazon RDS console began showing a warning that the ‘rds-ca-2019’ certificate of the Certificate Authority (CA) will expire in August 2024. The CA certificate is the root of trust used to issue the SSL/TLS server certificates presented by each database instance. While this warning has no immediate impact on enterprise databases, companies still need to complete the update before the stated date.

Amazon RDS Update Strategy

As there is still time before the ‘rds-ca-2019’ certificate in Amazon RDS expires, if your environment has a large number of database instances, it is recommended to perform the operation in batches. Start with the testing environment before updating the Certificate Authority in the production environment, and confirm that the instances already updated show no connection issues before moving on to the remaining ones. This approach keeps the update from affecting your current operations.

Additionally, the certificate update may interrupt database connections for a few minutes, which affects the services that depend on them. Cloud architects at Nextlink Technology therefore suggest scheduling the update during off-peak business hours whenever possible to minimize disruption.

How to Update Amazon RDS?

To update the certificate before it expires and keep data transmission secure, Nextlink’s cloud architects have summarized a “Three-Step Painless Certificate Update” guide that walks you through the complete process!

Select the Database Instances to Update and the Timing

The first step is to click ‘Certificate update’ in the lower left corner of the RDS page, which opens a temporary page listing all affected database instances. Note that this page only lists affected instances in the currently selected AWS region; if you switch to a region with no affected instances, the page will be blank.

Next, select all the database instances you need to update and click ‘Apply now’ in the upper right corner to perform the CA update immediately. Alternatively, click ‘Schedule’ to defer the update to the next maintenance window of each instance, as scheduled by Amazon RDS itself.

Amazon RDS CA update
Clicking the “Apply Now” button in the Amazon RDS interface initiates the CA update.

Updating Encryption Certificates

After clicking “Apply Now” or “Schedule,” the following Certificate Authority (CA) menu appears. If you wish to keep the same encryption standard as the original rds-ca-2019, the recommended choice is the rds-ca-rsa2048-g1 certificate. After making your selection, click “Confirm” to complete the update. If you are unsure which CA to move to, refer to AWS’s official documentation for guidance.

Amazon RDS CA selection
Nextlink’s cloud architects suggest selecting an appropriate CA for the update based on the customer’s requirements.

Viewing Update Status

After completing the update, you can check the Certificate authority details of each database instance under the Connectivity & security tab in the console. As shown in the image below, confirm that the certificate authority has been updated to the new version.

How to update the Amazon RDS certificate?
After updating the certificate, return to the original service interface to confirm whether the update has been completed.
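The three console steps above have a CLI equivalent that is easier to apply in batches across many instances. The following is an added example, not code from the original post or an AWS tool: it reads the JSON that `aws rds describe-db-instances` produces, lists the instances still on rds-ca-2019 that have no CA change pending, orders them test first and production last (the batching strategy recommended above), emits one `aws rds modify-db-instance` command per instance (`--apply-immediately` for non-production, `--no-apply-immediately` to defer production to the next maintenance window, matching “Apply now” and “Schedule”), and finally performs the step-3 check of which instances are still not on the target CA. The JSON below is a constructed stand-in for the CLI output, and the `Environment` tag key and the test/staging/prod ordering are assumptions about how instances are labelled.

```python
"""Plan and verify an Amazon RDS CA rotation from `aws rds describe-db-instances` output.

Added example, not code from the original post. The JSON below is a constructed
stand-in for the CLI's output; in practice it comes from:
    aws rds describe-db-instances --region <region> > instances.json
The "Environment" tag key and the rollout order are assumptions.
"""
import json

EXPIRING_CA = "rds-ca-2019"
TARGET_CA = "rds-ca-rsa2048-g1"
ENV_TAG = "Environment"                        # assumed tag key on each instance
ROLLOUT_ORDER = ("test", "staging", "prod")    # assumed: test first, production last

# Constructed sample in the shape of `aws rds describe-db-instances` output.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-test", "Engine": "mysql",
         "CACertificateIdentifier": "rds-ca-2019", "PendingModifiedValues": {},
         "TagList": [{"Key": "Environment", "Value": "test"}]},
        {"DBInstanceIdentifier": "orders-prod", "Engine": "mysql",
         "CACertificateIdentifier": "rds-ca-2019", "PendingModifiedValues": {},
         "TagList": [{"Key": "Environment", "Value": "prod"}]},
        # CA change already scheduled: must not be queued a second time
        {"DBInstanceIdentifier": "reports-prod", "Engine": "postgres",
         "CACertificateIdentifier": "rds-ca-2019",
         "PendingModifiedValues": {"CACertificateIdentifier": "rds-ca-rsa2048-g1"},
         "TagList": [{"Key": "Environment", "Value": "prod"}]},
        # Already rotated
        {"DBInstanceIdentifier": "billing-staging", "Engine": "postgres",
         "CACertificateIdentifier": "rds-ca-rsa2048-g1", "PendingModifiedValues": {},
         "TagList": [{"Key": "Environment", "Value": "staging"}]},
    ]
})


def _env(instance):
    """Return the instance's environment tag value (lower-cased), or 'untagged'."""
    for tag in instance.get("TagList", []):
        if tag.get("Key") == ENV_TAG:
            return tag.get("Value", "").lower()
    return "untagged"


def instances_to_rotate(describe_json, expiring_ca=EXPIRING_CA):
    """Instances still on the expiring CA with no CA change already pending."""
    data = json.loads(describe_json)
    return [
        inst for inst in data["DBInstances"]
        if inst.get("CACertificateIdentifier") == expiring_ca
        and not inst.get("PendingModifiedValues", {}).get("CACertificateIdentifier")
    ]


def plan_rotation(describe_json, target_ca=TARGET_CA):
    """Order instances test -> staging -> prod and emit one CLI command per instance.

    Non-production instances apply immediately (the console's 'Apply now');
    production instances use --no-apply-immediately so the change lands in the
    next maintenance window (the console's 'Schedule'), keeping the brief
    connection interruption inside a planned off-peak slot.
    """
    rank = {env: i for i, env in enumerate(ROLLOUT_ORDER)}
    ordered = sorted(
        instances_to_rotate(describe_json),
        key=lambda i: (rank.get(_env(i), len(rank)), i["DBInstanceIdentifier"]),
    )
    commands = []
    for inst in ordered:
        timing = "--no-apply-immediately" if _env(inst) == "prod" else "--apply-immediately"
        commands.append(
            "aws rds modify-db-instance "
            f"--db-instance-identifier {inst['DBInstanceIdentifier']} "
            f"--ca-certificate-identifier {target_ca} {timing}"
        )
    return commands


def not_yet_on_target(describe_json, target_ca=TARGET_CA):
    """Step-3 check: identifiers whose active CA is still not the target CA.

    Run this against a fresh describe-db-instances export after the update; an
    instance with the change still pending (e.g. waiting for its maintenance
    window) is reported here until the new CA is actually active.
    """
    data = json.loads(describe_json)
    return sorted(i["DBInstanceIdentifier"] for i in data["DBInstances"]
                  if i.get("CACertificateIdentifier") != target_ca)


if __name__ == "__main__":
    for cmd in plan_rotation(SAMPLE_DESCRIBE_OUTPUT):
        print(cmd)
    print("still not on", TARGET_CA + ":", not_yet_on_target(SAMPLE_DESCRIBE_OUTPUT))
```

Run it once before the change to get the batch plan and once more after the maintenance window has passed (with a fresh export) to confirm the list of instances not yet on the target CA is empty; an instance that only has the change pending still shows up in that list, which is exactly the distinction the step-3 console check makes.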

Common Q&A about Amazon RDS Updates

Common question: Do the different Amazon RDS instance classes cause varying downtime?
Recommendation from Nextlink’s cloud architects: Generally, the instance class is not the primary factor affecting downtime. Downtime depends mainly on your database engine and the activity in your database at the time of the update.

Common question: Does the volume of data affect downtime?
Recommendation from Nextlink’s cloud architects: Yes, the volume of data does affect downtime. To preserve data integrity, a large amount of data that has not yet been committed or written to disk may require a longer recovery time.

Common question: Is there a difference in downtime between scheduled and manual updates?
Recommendation from Nextlink’s cloud architects: If your database instance needs a restart to apply the new certificate, the process restarts your database in either case. There is therefore no difference in downtime between scheduled and manual updates.

These three steps let users update the certificates inside Amazon RDS and keep their data transmission secure. If you need further technical support with RDS updates, feel free to contact Nextlink Technology; our professional architects are ready to take care of the security settings of your database instances.