Certificate update
Affected versions
All databases listed in the AWS console under RDS > Certificate update. If no databases require a certificate update, there is no further action to take.
Rationale
The rds-ca-2019 certificate will expire in 2024. All databases must be updated with the new certificate before August 2024.
Related issues
The golden-path-iac RDS template was updated in #1284.
Step 1: Set correct certificate
Set the correct certificate in postgres_aurora_serverless.tf. The available certificates are:
rds-ca-rsa2048-g1: expires in 40 years (default in Golden Path).
rds-ca-rsa4096-g1 and rds-ca-ecc384-g1: expire in 100 years.
Step 2: Apply update
Downtime when updating
Running the following terraform apply command against your database instance will result in a short downtime. The actual time depends on the database, but we have seen times between 2 and 3 minutes for reference implementations. Verify this in dev first, and make sure to time it before applying the same configuration to prod.
Step 3: Verify
Verify that Certificate authority under Connectivity & security for the updated database is set to the correct version.
After applying the correct certificate to all affected databases, no databases should be listed under RDS > Certificate update.
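The console check above can also be scripted. The following is an added example (not part of the runbook) that lists the instances in a region still using rds-ca-2019; it assumes AWS CLI v2 with credentials allowed to call rds:DescribeDBInstances, and the --query expression used to shape the output is the editor's choice rather than anything the runbook prescribes.

```shell
#!/bin/sh
# Added example (not part of the runbook): check which RDS instances still
# use a given CA certificate. Assumes AWS CLI v2 with credentials allowing
# rds:DescribeDBInstances; the --query expression is the editor's choice.

# Pure filter: read "instance<TAB>certificate" lines on stdin and print the
# instance identifiers whose certificate equals $1.
instances_on_cert() {
  awk -F '\t' -v want="$1" '$2 == want { print $1 }'
}

# Live listing: one "id<TAB>ca_cert" line per DB instance in region $1.
# Aurora cluster instances (including Serverless v2) appear here as well.
list_instance_certs() {
  aws rds describe-db-instances --region "$1" \
    --query 'DBInstances[].[DBInstanceIdentifier,CACertificateIdentifier]' \
    --output text
}

# Step 3 check for a region: succeed only when nothing is left on rds-ca-2019.
verify_region() {
  remaining=$(list_instance_certs "$1" | instances_on_cert rds-ca-2019)
  if [ -n "$remaining" ]; then
    printf 'Instances still on rds-ca-2019 in %s:\n%s\n' "$1" "$remaining" >&2
    return 1
  fi
  echo "No instances on rds-ca-2019 in $1"
}

# Constructed sample standing in for the live listing (tab-separated).
SAMPLE=$(printf 'app-dev-1\trds-ca-rsa2048-g1\napp-prod-1\trds-ca-2019\napp-prod-2\trds-ca-2019')

# Usage: sh check_ca.sh --live eu-west-1
if [ "${1:-}" = "--live" ]; then
  verify_region "${2:?usage: $0 --live <region>}"
fi
```

Run it once per region after Step 2; a non-zero exit with the remaining identifiers on stderr means the certificate update is not complete, which is the same condition as the database still appearing under RDS > Certificate update.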
Additional information
AWS uses the region's default certificate when creating a new database.
To see which certificate AWS will use, you can run the following command:
Look for DefaultCertificateForNewLaunches in the output. If it is rds-ca-2019, all new databases will get this certificate when created (unless you have set the certificate as in Step 1 above).
You can override the default certificate for a region by running the following:
Affecting all new databases
This command affects every new database created in the current account in the specified region.
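The runbook's own commands for this section are not preserved on this page. As an added example written by the editor, the script below reads DefaultCertificateForNewLaunches with the AWS CLI, checks whether it is still rds-ca-2019, and optionally sets or clears the account-level override for the region. It assumes AWS CLI v2 with credentials allowed to call rds:DescribeCertificates and rds:ModifyCertificates; the sample JSON embedded for offline testing is constructed, not real output.

```shell
#!/bin/sh
# Added example (not the page's own command): inspect and override the
# default CA certificate that new RDS databases in a region receive.
# Assumes AWS CLI v2 with credentials that allow rds:DescribeCertificates
# and rds:ModifyCertificates.

# Extract DefaultCertificateForNewLaunches from describe-certificates JSON
# passed on stdin. Plain sed so it runs without jq.
default_cert_from_json() {
  sed -n 's/.*"DefaultCertificateForNewLaunches": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Returns 0 when the region's default is still the expiring rds-ca-2019.
default_is_expiring() {
  [ "$1" = "rds-ca-2019" ]
}

# Live: what AWS will assign to a database created now in region $1.
current_default() {
  aws rds describe-certificates --region "$1" --output json | default_cert_from_json
}

# Live: override the regional default for this account. Applies to every
# database created afterwards in the region; existing databases are untouched.
override_default() {
  aws rds modify-certificates --region "$1" --certificate-identifier "$2"
}

# Live: drop the account-level override and return to the AWS default.
remove_override() {
  aws rds modify-certificates --region "$1" --remove-customer-override
}

# Constructed sample of describe-certificates output for offline use.
SAMPLE_JSON='{
    "Certificates": [
        { "CertificateIdentifier": "rds-ca-2019", "CertificateType": "CA" },
        { "CertificateIdentifier": "rds-ca-rsa2048-g1", "CertificateType": "CA" }
    ],
    "DefaultCertificateForNewLaunches": "rds-ca-2019"
}'

# Usage: sh default_ca.sh --live eu-west-1 [rds-ca-rsa2048-g1]
# With a third argument the override is applied only if the current default
# is still rds-ca-2019.
if [ "${1:-}" = "--live" ]; then
  region="${2:?usage: $0 --live <region> [<certificate-identifier>]}"
  cert=$(current_default "$region")
  echo "Default for new databases in $region: $cert"
  if default_is_expiring "$cert" && [ -n "${3:-}" ]; then
    override_default "$region" "$3"
  fi
fi
```

Setting the override is account-wide for the region, so it belongs in the same change record as the Terraform update in Step 1 rather than being applied ad hoc; remove_override returns the region to the AWS default once the expiring certificate is no longer offered.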