How to get hold of Amazon MySQL RDS certificates

Amazon RDS documentation (http://aws.amazon.com/rds/faqs/#53) specifies that "Amazon RDS generates an SSL certificate for each [MySQL] DB Instance". I haven't been able to find any documentation on how to find the certificates and the certificates are nowhere to be found in the management console.

Where are the certificates?

Updating Applications to Connect to MySQL DB Instances Using , As of September 19, 2019, Amazon RDS has published new Certificate Authority (CA) certificates for connecting to your RDS DB instances using Secure Socket… Amazon RDS Certificate Rotation Instructions; Amazon Aurora Certificate Rotation Instructions; If you are unable to complete all three steps by March 5, 2020, which is the last date to update your certificates, your client or application may be unable to connect to your database instance using SSL or TLS.

You can get the AWS RDS certificate file information from the AWS Documentation guide itself

http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_MySQL.html

Download the certificate from here

https://rds.amazonaws.com/doc/mysql-ssl-ca-cert.pem

Update - Amazon updated the SSL certificate; you can download it from here: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem

Use the following command to log in to MySQL:

root@sathish:/usr/src# mysql -h awssathish.xxyyzz.eu-west-1.rds.amazonaws.com -u awssathish -p --ssl-ca=mysql-ssl-ca-cert.pem
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 22
Server version: 5.6.13-log MySQL Community Server (GPL)

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
mysql> GRANT USAGE ON *.* TO 'awssathish'@'%' REQUIRE SSL;
Query OK, 0 rows affected (0.02 sec)
mysql> 
mysql> show variables like "%ssl";
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_openssl  | YES   |
| have_ssl      | YES   |
+---------------+-------+
2 rows in set (0.00 sec)
mysql> 
mysql> SHOW STATUS LIKE 'Ssl_cipher';
+---------------+------------+
| Variable_name | Value      |
+---------------+------------+
| Ssl_cipher    | AES256-SHA |
+---------------+------------+
1 row in set (0.01 sec)

mysql> exit
Bye

Where awssathish.xxyyzz.eu-west-1.rds.amazonaws.com is the endpoint of RDS, and awssathish is the username of the RDS server.

Amazon RDS customers: Update your SSL/TLS certificates by March , section. If you are an Amazon RDS and Amazon Aurora customer, you might have received emails from AWS notifying you about rotating your… To get a certificate bundle that contains both the intermediate and root certificates, download from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem. If your application is on Microsoft Windows and requires a PKCS7 file, you can download the PKCS7 certificate bundle.

I used http://aws-blog.io/2016/rds-over-ssl/. You have to get the root pem and the pem for the region and concatenate the 2 files into one: https://s3.amazonaws.com/rds-downloads/rds-ca-2015-us-west-2.pem https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem

And merge the files to have a single rds-ca-2015-us-west-2-bundle.pem file. With --ssl-ca, provide the full path to your pem file.
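
Added example, not part of the original answer: a bash helper that merges the regional and root PEM files into one bundle as described above and prints the bundle's absolute path for `--ssl-ca`, since a `~` inside `--ssl-ca=~/...` is passed to mysql unexpanded by bash. It also guards against an input file without a trailing newline, which a plain `cat` would glue into a single END/BEGIN marker line. The function names are made up for this example.

```bash
# Added example. The PEM file names in the usage note are the ones from the
# answer above; the checks themselves are this example's own assumptions.

# Print the number of certificates in PEM file $1. Fail when there are none,
# when BEGIN/END markers do not pair up, or when text follows a marker on the
# same line (two files glued together without a newline in between).
count_certs() {
    local pem begins ends glued
    pem=$(tr -d '\r' < "$1") || return 1
    begins=$(printf '%s\n' "$pem" | grep -cx -- '-----BEGIN CERTIFICATE-----' || true)
    ends=$(printf '%s\n' "$pem" | grep -cx -- '-----END CERTIFICATE-----' || true)
    glued=$(printf '%s\n' "$pem" | grep -c -- 'CERTIFICATE-----.' || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] && [ "$glued" -eq 0 ] || return 1
    printf '%s\n' "$begins"
}

# Print the absolute path of $1 (its directory must exist).
abs_path() {
    printf '%s/%s\n' "$(cd "$(dirname -- "$1")" && pwd -P)" "$(basename -- "$1")"
}

# make_bundle OUT IN...: validate each input, append it to OUT with CRLF
# stripped and a final newline guaranteed, then print OUT's absolute path.
make_bundle() {
    local out=$1 f
    shift
    : > "$out.tmp"
    for f in "$@"; do
        count_certs "$f" > /dev/null || {
            echo "not a PEM certificate file: $f" >&2
            rm -f "$out.tmp"
            return 1
        }
        # awk's print always ends the line with a newline, even the last one
        awk '{ sub(/\r$/, ""); print }' "$f" >> "$out.tmp"
    done
    mv "$out.tmp" "$out"
    abs_path "$out"
}

# Usage (file names from the answer above; endpoint and user are yours):
#   ca=$(make_bundle rds-ca-2015-us-west-2-bundle.pem \
#        rds-ca-2015-us-west-2.pem rds-ca-2015-root.pem)
#   mysql -h <endpoint> -u <user> -p --ssl-ca="$ca"
```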

Updating Applications to Connect to Microsoft SQL Server DB , AWS Documentation update As of September 19, 2019, Amazon RDS has published new Certificate Run the following query to get the current encryption option for all the open connections to a DB instance. When you update the trust store, you can retain older certificates in addition to adding the new certificates. Amazon’s documentation recommends to use both the intermediate and root certificates rds-combined-ca-bundle.pem with MySQL but only root certificate rds-ca-2019-root.pem with PostgreSQL. I suspect that using rds-ca-2019-root.pem should be enough for both MySQL and PostgreSQL but it may depend on other factors.

Using SSL/TLS to Encrypt a Connection to a DB Instance, To get a certificate bundle that contains both the intermediate and root certificates for the AWS… Amazon RDS provides new CA certificates as an AWS security best practice. For information about the new certificates and the supported AWS Regions, see Using SSL/TLS to Encrypt a Connection to a DB Instance.

"Update Your Amazon RDS SSL/TLS Certificates by October 31 , When I use MySQL Workbench, for instance, I have to specify that mkdir /usr/local/share/ca-certificates/aws sudo mv rds-ca-2019-root.pem… Connecting to Amazon RDS MySQL Database Amazon RDS is a secure and reliable web-based service, which greatly simplifies the process of deploying, managing, and scaling relational databases in the cloud, thus, allowing you to connect at any time and from any place where the Internet access is available.

Amazon RDS 2019 Intermediate Certificates · Issue #2292 · mysqljs , https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS. MySQL 5.6.37 server configured with the rds-ca-2019 certificate, I got to those older MySQL server versions, the client needs to hold a copy of… First, get the CA file from AWS: To enable an SSL connection to RDS for MySQL the first step is to download the certificate authority (CA) file from Amazon which can be found here. You may also want to read the AWS docs on the subject. To make sure your MySQL connection is done over SSL you need to supply the CA file when connecting.

Comments
  • For those who may run into the same problem, the path to my .pem file failed as long as I had a ~ (e.g. ~/Downloads/mysql-ssl-ca-cert.pem). Had to do --ssl_ca=/Users/myusername/Downloads/mysql-ssl-ca-cert.pem. Error with ~ was: ERROR 2026 (HY000): SSL connection error: ASN: bad other signature confirmation
  • The certificate from Amazon expired on April 4, 2015, and I cannot see any updates. If anyone has the new URL, please share.
  • Yes, I just updated the cert from this address: docs.aws.amazon.com/AmazonRDS/latest/UserGuide/…
  • The certificate expired on April 4, 2015. If anyone has a new certificate URL, please share.
  • Added new SSL certificate link.