AWS warns database users to update their certs soon

Jeff Barr of Amazon Web Services (AWS) made an “urgent and important” announcement this week, asking users of AWS database services to update their SSL/TLS certificates in order to avoid losing connectivity.
The customers affected are those who “use Amazon Aurora, Amazon Relational Database Service (RDS) or Amazon DocumentDB (with MongoDB compatibility) and are taking full advantage of SSL/TLS certificate validation whenever you connect to your database instances,” Barr stated in a Tuesday blog post.
Barr explained that the current SSL/TLS certificates will expire on March 5, 2020 as part of AWS’ five-year maintenance cycle. The 5-year-old CA-2015 certificates (CA stands for certificate authority) will expire at that time, and any affected database application that has not been updated with the CA-2019 certificate, which was released last September, will lose connectivity.
Barr advised affected users to “download & install a new certificate, rotate the certificate authority for the instances, then reboot the instances.”
All new instances are automatically issued the CA-2019 certificate starting Jan. 14, 2020, although users have the option of “temporarily” returning to the CA-2015 certificate if necessary. All existing instances on Amazon RDS will now be “staged” with a CA-2019 certificate, but the new certificate only takes effect after the instance is rebooted.
Barr pointed out that certificates for Amazon Aurora Serverless are rotated automatically through AWS Certificate Manager, so users do not need to update them manually. Users who do not use SSL/TLS connections or certificate validation are not required to switch to the CA-2019 certificate, although it is recommended.
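As an added example that is not from Barr's post or from AWS, the following Python audit reads the JSON returned by `aws rds describe-db-instances` and reports which instances still need the rotation and reboot described above. The sample records are constructed; the `CACertificateIdentifier` and `PendingModifiedValues` fields and the `modify-db-instance` / `reboot-db-instance` commands are assumed from the RDS CLI.

```python
"""Audit RDS instances for the CA-2015 -> CA-2019 rotation (added example)."""
import json

OLD_CA = "rds-ca-2015"
NEW_CA = "rds-ca-2019"

# Constructed sample in the shape of `aws rds describe-db-instances` output,
# trimmed to the fields this audit looks at.
SAMPLE = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "mysql",
     "CACertificateIdentifier": OLD_CA, "PendingModifiedValues": {}},
    {"DBInstanceIdentifier": "reports-prod", "Engine": "postgres",
     "CACertificateIdentifier": OLD_CA,
     "PendingModifiedValues": {"CACertificateIdentifier": NEW_CA}},
    {"DBInstanceIdentifier": "new-dev", "Engine": "mysql",
     "CACertificateIdentifier": NEW_CA, "PendingModifiedValues": {}},
]})


def classify(instance):
    """Return 'rotate', 'reboot' or 'done' for one DBInstance record."""
    current = instance.get("CACertificateIdentifier")
    pending = instance.get("PendingModifiedValues", {}).get("CACertificateIdentifier")
    if pending == NEW_CA:
        return "reboot"   # CA-2019 is staged; it only takes effect after a reboot
    if current == NEW_CA:
        return "done"
    return "rotate"       # still serving the CA-2015 chain


def plan(describe_json):
    """Map each instance id to the CLI steps still needed to finish the rotation.

    Clients must already trust the CA-2019 bundle (step 1 in Barr's advice)
    before these server-side steps are run, or validation will fail on reboot.
    """
    steps = {}
    for inst in json.loads(describe_json)["DBInstances"]:
        ident = inst["DBInstanceIdentifier"]
        state = classify(inst)
        cmds = []
        if state == "rotate":
            cmds.append(f"aws rds modify-db-instance --db-instance-identifier {ident} "
                        f"--ca-certificate-identifier {NEW_CA}")
        if state in ("rotate", "reboot"):
            cmds.append(f"aws rds reboot-db-instance --db-instance-identifier {ident}")
        steps[ident] = cmds
    return steps


if __name__ == "__main__":
    for ident, cmds in plan(SAMPLE).items():
        print(ident, "->", cmds or ["nothing to do"])
```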
Barr explains the steps involved in updating certificates in this blog post.