View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cloud
January 8, 2020updated 29 Jun 2023 5:20pm

AWS to DB Users: Download Fresh Certs Urgently, or Risk Applications Breaking

"You need to download & install a fresh certificate, rotate the certificate authority for the instances, and then reboot the instances."

By CBR Staff Writer

AWS has warned users of its Aurora, DocumentDB and RDS databases that they need to download and install new SSL/TLS certificates by January 14, or risk applications that use them breaking when they fail to connect to AWS database instances.

Most users should have received console notifications: the new SSL/TLS certificates –rolled out every five years “as part of our standard maintenance and security discipline” – have been available since September 19, 2019.

But the cloud giant late Tuesday pushed out a public notice too, in a bid to remind laggards to make the “urgent and important” move, as the deadline looms – although not everyone, of course, will be using SSL/TLS to encrypt connections to DB instances.

AWS certificate update
Best not to ignore this…

The move has drawn howls of complaint from some users, who said they were startled that the issue was not automated on the AWS side.

AWS Certificate Update

AWS users choosing to add more nodes to an existing cluster to one of the affected databases will get the new CA-2019 certificate if one of the existing nodes already has it, AWS notes; the cert. won’t magically self-install. Otherwise, new nodes will use the CA-2015 certificate by default.

See also: Running Windows 7 or Server 2008 Boxes? Your Migration Window is Shrinking Fast

AWS’s Jeff Barr noted: “If you are taking advantage of SSL/TLS certificate validation when you connect to your database instances, you need to download & install a fresh certificate, rotate the certificate authority (CA) for the instances, and then reboot the instances. If you are not using SSL/TLS connections or certificate validation, you do not need to make any updates, but I recommend that you do so in order to be ready in case you decide to use SSL/TLS connections in the future.

He added: “In this case, you can use a new CLI option that rotates and stages the new certificates but avoids a restart.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

On Twitter and a Reddit thread confusion reigned supreme about why the manual update was necessary. As one user put it: “So ridiculous that AWS requires our interaction for updating their certs.. poor design. It’s kinda like requiring web users to do something when I rotate my ssl certs on a web box.”

AWS’s timeline is as follows:

  • January 14, 2020 – Instances created on or after this date will have the new (CA-2019) certificates. Users can temporarily revert to the old certificates if necessary.
  • February 5 to March 5, 2020 – RDS will stage (install but not activate) new certificates on existing instances. Restarting the instance will activate the certificate.
  • March 5, 2020 – The CA-2015 certificates will expire. Applications that use certificate validation but have not been updated will lose connectivity.

If your database client knows how to handle certificate chains, users can download the root certificate and use it for all regions. If not, they need to download a certificate that is specific to the region where their database instance resides.

All regions are affected apart from Bahrain, Hong Kong, and China (Ningxia).

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.