Update (Rotate) RDS SSL Certificates

SSL/TLS Certificate Rotation Guide for Amazon RDS

Amazon RDS CA certificates rds-ca-2019 are expiring soon. To maintain secure connections, switch to new CA certificates: rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, or rds-ca-ecc384-g1. This guide outlines the steps to update your clients or applications and RDS certificates.

Amazon RDS provides the following CA’s to sign the DB server certificate for a DB instance.

Certificate authority (CA)Description
rds-ca-2019Uses a certificate authority with RSA 2048 private key algorithm and SHA256 signing algorithm. This CA expires in 2024 and doesn’t support automatic server certificate rotation. If you are using this CA and want to keep the same standard, we recommend that you switch to the rds-ca-rsa2048-g1 CA.
rds-ca-rsa2048-g1Uses a certificate authority with RSA 2048 private key algorithm and SHA256 signing algorithm in most AWS Regions.In the AWS GovCloud (US) Regions, this CA uses a certificate authority with RSA 2048 private key algorithm and SHA384 signing algorithm.This CA remains valid for longer than the rds-ca-2019 CA. This CA supports automatic server certificate rotation.
rds-ca-rsa4096-g1Uses a certificate authority with RSA 4096 private key algorithm and SHA384 signing algorithm. This CA supports automatic server certificate rotation.
rds-ca-ecc384-g1Uses a certificate authority with ECC 384 private key algorithm and SHA384 signing algorithm. This CA supports automatic server certificate rotation.
Source – Click here

This can also be done via the AWS-CLI

aws rds describe-db-engine-versions --default-only --engine postgres


  1. Update Before Rotation: Update clients or applications connecting to RDS databases before rotating certificates. You will likely need to update them with the latest RDS global certificates found here.
  2. New CA Certificates: Refer to AWS documentation for details on new certificates and supported regions.
  3. RDS Proxy: No update is required for applications using RDS Proxy connections. (if applicable)
  4. Go Version 1.15: Update the certificate if using a Go version 1.15 application that had the rds-ca-2019 certificate before July 28, 2020. (if applicable)

Updating Your Clients or Applications

  1. Download the New Certificate: Download the new SSL/TLS certificate as per the documentation.
  2. Update Applications: Collaborate with application developers to update the SSL/TLS certificates within your applications.
  3. Specific DB Engines: Follow the guidance in the documentation for updating applications for various DB engines, including MariaDB, Microsoft SQL Server, MySQL, Oracle, and PostgreSQL.
  4. Certificate Bundle: Use the provided certificate bundle to maintain connectivity during the transition.

Step-by-Step Procedure

Preparing for the Update

  • Backup: Back up your RDS instance and application configurations.
  • Inform Stakeholders: Notify stakeholders about the planned update.

Update Clients

  • Download the New Certificate: Obtain the new certificate from AWS documentation.
  • Update Application Configuration: Modify the application configuration to point to the new certificate.
  • Update MySQL Client Libraries: Update MySQL client libraries if necessary.
  • Test in a Non-Production Environment: Test the updated application in a non-production environment.
  • Deploy Changes to Production: Deploy the application changes to the production environment.
  • Monitor the Application: Monitor application logs and database connections.

Update RDS Certificates

  • Log in to AWS Management Console: Navigate to the RDS section.
  • Select the RDS Instance: Choose the DB instance to modify.

  • Initiate Modification: Click on the Modify button.
  • Update CA Certificate: Change the CA to the new certificate.
  • Apply Changes immediately or schedule them for the next maintenance window.

  • Monitor RDS Instance: Monitor the RDS instance for any issues.


  • Validation: Validate that all applications are functioning correctly.
  • Inform Stakeholders: Inform stakeholders about the completion of the update process.

Ansible Script to pull all this information from your AWS Account


  • Make sure you configure your AWS_ACCESS_KEY and SECURE_TOKEN in your local console.
  • Make sure you change the value for your ECS Clusters.

- name: Get ECS Task Details
  ignore_errors: true  
  hosts: localhost
    - name: List All Task ARNs in the Cluster
      shell: "aws ecs list-tasks --cluster ecs-cluster-prod"
      register: task_list

    - name: Get Details of Each Task
      shell: "aws ecs describe-tasks --cluster ecs-cluster-prod --tasks {{ task_list.stdout | from_json | json_query('taskArns[]') | join(' ') }}"
      register: task_details

    - name: Extract Task Details
        task_info: "{{ task_details.stdout | from_json | json_query('tasks[*].{Name: taskDefinitionArn, Group: group, Image: containers[0].image, PrivateIP: containers[0].networkInterfaces[0].privateIpv4Address}') }}"

    - name: Get Load Balancer Details
      shell: "aws ecs describe-services --cluster ecs-cluster-qa --services {{ item | regex_replace('service:', '') }}"
      register: service_details
      loop: "{{ task_details.stdout | from_json | json_query('tasks[*].group') | map('regex_replace', '^task:', '') | list }}"

    - name: Display Task Details
        msg: "{{ task_info }}"

    - name: Extract Load Balancer Details
        lb_info: "{{ service_details.results | map(attribute='stdout') | map('from_json') | map('json_query', \"services[0].loadBalancers[0].{ContainerName: containerName, ContainerPort: containerPort, TargetGroupArn: targetGroupArn, }\") }}"

    - name: Display Load Balancer Details
        msg: "{{ lb_info }}"
Elsewhere On TurboGeek:  Configure RDS Alert SNS Event Subscription AWS


Richard Bailey, a seasoned tech enthusiast, combines a passion for innovation with a knack for simplifying complex concepts. With over a decade in the industry, he's pioneered transformative solutions, blending creativity with technical prowess. An avid writer, Richard's articles resonate with readers, offering insightful perspectives that bridge the gap between technology and everyday life. His commitment to excellence and tireless pursuit of knowledge continues to inspire and shape the tech landscape.

You may also like...

1 Response

  1. 20/10/2023

    […] a revolutionary cloud database service. While the service shares some similarities with traditional RDS offerings, it brings a host of features to the table that set it apart. Designed as a fully managed […]

Leave a Reply

Your email address will not be published. Required fields are marked *

Translate ยป