AWS Warns Database Users To Update Their Certs Soon
An "urgent & important" announcement from Amazon Web Services (AWS) evangelist Jeff Barr this week is urging users of AWS database services to update their existing SSL/TLS certificates or risk losing connectivity.
Affected customers are those who are "using Amazon Aurora, Amazon Relational Database Service (RDS), or Amazon DocumentDB (with MongoDB compatibility) and are taking advantage of SSL/TLS certificate validation when you connect to your database instances," Barr said in a blog post Tuesday.
The SSL/TLS certificates for these products are set to expire on March 5, 2020, Barr explained, as part of AWS' five-year maintenance cycle. On that date the five-year-old CA-2015 certificate authority (CA) certificate will expire, and any affected database clients that validate the server certificate but haven't been updated with the new CA-2019 certificate, released in September 2019, will fail to connect.
To avoid application failure, Barr urged affected users "to download & install a fresh certificate, rotate the certificate authority (CA) for the instances, and then reboot the instances."
Starting Jan. 14, 2020, any new instances will automatically have the new CA-2019 certificate applied to them, though users will have the option to "temporarily" revert to the CA-2015 certificate if they need to. From Feb. 5 through March 5, existing instances on Amazon RDS will be "staged" with the CA-2019 certificate, but a restart is still required to actually activate the new certificate.
Barr noted that certificates for the Amazon Aurora Serverless service are automatically rotated by AWS Certificate Manager, so users don't have to update them manually. Additionally, users who don't use certificate validation or SSL/TLS connections aren't required to switch to the new CA-2019 certificate, since their clients never check the server's certificate chain, but switching is still recommended.
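The rotation described above is easy to lose track of across a fleet: an instance can be on the old CA, staged with the new one but not yet rebooted, or already done. The script below, added as an example for this article and not code from AWS or from Barr's post, sorts instances into those three states from the JSON that `aws rds describe-db-instances` returns (the same fields boto3's `describe_db_instances` exposes) and emits the CLI commands needed to finish. The sample payload and instance names are constructed for illustration, and the bundle path in the connection-string helper is an assumption.

```python
"""Audit RDS / Aurora instances for the CA-2015 -> CA-2019 rotation.

Added example for this article; not code from AWS or from Jeff Barr's post.
Reads the JSON shape of `aws rds describe-db-instances`; the payload below is
constructed for illustration and the instance identifiers are invented.
"""
import json

OLD_CA = "rds-ca-2015"   # expires 2020-03-05 per the article
NEW_CA = "rds-ca-2019"

# Constructed sample, trimmed to the fields this script reads.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-pg",
         "Engine": "postgres",
         "CACertificateIdentifier": "rds-ca-2015",
         "PendingModifiedValues": {}},
        {"DBInstanceIdentifier": "analytics-mysql",
         "Engine": "mysql",
         "CACertificateIdentifier": "rds-ca-2015",
         # The new CA has been staged (by AWS or by an earlier modify call
         # without --apply-immediately); it is active only after a reboot.
         "PendingModifiedValues": {"CACertificateIdentifier": "rds-ca-2019"}},
        {"DBInstanceIdentifier": "reports-aurora-1",
         "Engine": "aurora-postgresql",
         "DBClusterIdentifier": "reports-aurora",
         "CACertificateIdentifier": "rds-ca-2019",
         "PendingModifiedValues": {}},
    ]
})


def classify(instance):
    """Return 'done', 'staged', 'rotate' or 'unknown' for one instance record."""
    active = instance.get("CACertificateIdentifier")
    pending = instance.get("PendingModifiedValues", {}).get("CACertificateIdentifier")
    if active == NEW_CA:
        return "done"
    if pending == NEW_CA:
        return "staged"      # attached but not active until the instance restarts
    if active == OLD_CA:
        return "rotate"
    return "unknown"         # some other CA identifier; inspect by hand


def audit(describe_output_json):
    """Map each instance identifier to its rotation state."""
    data = json.loads(describe_output_json)
    return {i["DBInstanceIdentifier"]: classify(i) for i in data["DBInstances"]}


def plan(describe_output_json, apply_immediately=False):
    """Build the AWS CLI commands that move every instance toward 'done'.

    Commands are returned as argv lists for review (or subprocess.run);
    nothing here talks to AWS. Aurora cluster members appear as ordinary
    instances in this output, so they are rotated one by one like RDS.
    """
    data = json.loads(describe_output_json)
    commands = []
    for inst in data["DBInstances"]:
        ident = inst["DBInstanceIdentifier"]
        state = classify(inst)
        if state == "rotate":
            cmd = ["aws", "rds", "modify-db-instance",
                   "--db-instance-identifier", ident,
                   "--ca-certificate-identifier", NEW_CA]
            # --apply-immediately restarts the instance now; without it the
            # change is only staged and shows up as 'staged' on the next audit.
            cmd.append("--apply-immediately" if apply_immediately
                       else "--no-apply-immediately")
            commands.append(cmd)
        elif state == "staged":
            commands.append(["aws", "rds", "reboot-db-instance",
                             "--db-instance-identifier", ident])
    return commands


def pg_conninfo(host, user, dbname, bundle_path):
    """libpq connection string that actually validates the server certificate.

    sslmode=require encrypts but never checks the CA, which is why clients
    that skip validation keep working; verify-full is where the downloaded
    bundle matters and where an expired CA would break connections.
    """
    return (f"host={host} user={user} dbname={dbname} "
            f"sslmode=verify-full sslrootcert={bundle_path}")


if __name__ == "__main__":
    for ident, state in audit(SAMPLE_DESCRIBE_OUTPUT).items():
        print(f"{ident:20} {state}")
    for cmd in plan(SAMPLE_DESCRIBE_OUTPUT):
        print(" ".join(cmd))
    print(pg_conninfo("orders-pg.example.internal", "app", "orders",
                      "/etc/ssl/rds-combined-ca-bundle.pem"))
```

Run the audit once, apply the emitted commands, and run it again: instances that were modified without `--apply-immediately` reappear as `staged` and get a reboot command on the second pass, which is the same two-step sequence (rotate the CA, then restart) that Barr's post prescribes. Replace the constructed payload with the real output of `aws rds describe-db-instances` to use it against an account.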
Barr's blog post walks through the steps of updating the certificates in detail.