This is a note about what I did to update the SSL/TLS certificate of AWS RDS.
Background
I got the following notice about the expiration of my RDS certificate from AWS a long time ago.
You are receiving this message because your AWS Account has one or more Amazon RDS, or Amazon Aurora database instances in the EU-WEST-2 Region using a SSL/TLS Certificate that is expiring on August 22, 2024.
I usually don’t take action soon after I get a notice from any service, to give others enough time to deal with the change. Especially for things I’ve never done before, I leave enough time before I work on them. Then I decide on the best way based on their experiences.
This time, I needed to update the Certificate Authority (CA), which I had never done before. Then last week, the deadline was within one month, and I thought it was time to handle it. So I started to investigate.
What I did
I googled quickly and found the following web pages.
From the web pages, it looked similar to just updating the certificate. So I updated the CA from rds-ca-2019 to rds-ca-rsa4096-g1 with the console, on staging first. I needed to reboot the database to apply the change, so I set a maintenance window. Before the maintenance, the console still showed the warning.
After the maintenance window, I checked the connection to the database and the monitoring metrics, and I didn’t see any problems. Also, the warning was gone from the console. So I did the same thing to the production database, waited for the maintenance window, and checked the same metrics as on staging. The warning was gone from production as well.
I’m always a bit nervous about updating anything on the infrastructure, but it was much more straightforward than I thought.
That’s it!
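The before/after check described above can also be done against the JSON that `aws rds describe-db-instances` returns, instead of reading the console warning. The following is an added example, not part of the original note: the field names are those of the RDS DescribeDBInstances response, while the instance names and maintenance windows are constructed sample data.

```python
import json

OLD_CA = "rds-ca-2019"        # CA the note migrated away from
NEW_CA = "rds-ca-rsa4096-g1"  # CA the note migrated to

# Constructed sample shaped like `aws rds describe-db-instances` output.
SAMPLE = json.loads("""
{"DBInstances": [
  {"DBInstanceIdentifier": "staging-db", "CACertificateIdentifier": "rds-ca-rsa4096-g1",
   "PendingModifiedValues": {}, "PreferredMaintenanceWindow": "sun:03:00-sun:03:30"},
  {"DBInstanceIdentifier": "prod-db", "CACertificateIdentifier": "rds-ca-2019",
   "PendingModifiedValues": {"CACertificateIdentifier": "rds-ca-rsa4096-g1"},
   "PreferredMaintenanceWindow": "sat:02:00-sat:02:30"},
  {"DBInstanceIdentifier": "forgotten-db", "CACertificateIdentifier": "rds-ca-2019",
   "PendingModifiedValues": {}, "PreferredMaintenanceWindow": "mon:04:00-mon:04:30"}
]}
""")


def ca_status(instance, old_ca=OLD_CA, new_ca=NEW_CA):
    """Classify one instance as 'rotated', 'pending', 'expiring' or 'other'."""
    current = instance.get("CACertificateIdentifier")
    pending = (instance.get("PendingModifiedValues") or {}).get("CACertificateIdentifier")
    if current == new_ca:
        return "rotated"
    if current == old_ca:
        # A queued CA change is applied in the next maintenance window.
        return "pending" if pending and pending != old_ca else "expiring"
    return "other"


def audit(describe_output):
    """Map instance identifier -> (status, preferred maintenance window)."""
    report = {}
    for inst in describe_output.get("DBInstances", []):
        report[inst["DBInstanceIdentifier"]] = (
            ca_status(inst), inst.get("PreferredMaintenanceWindow"))
    return report


def needs_action(describe_output):
    """Instances still on the old CA with no CA change queued."""
    return sorted(name for name, (status, _) in audit(describe_output).items()
                  if status == "expiring")


if __name__ == "__main__":
    for name, (status, window) in audit(SAMPLE).items():
        print(f"{name:15} {status:9} window={window}")
```

An instance reported as `pending` still uses the old CA until its maintenance window has passed, which matches the console continuing to show the warning before the maintenance.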