RDS SSL/TLS Cert Update
Overview
AWS RDS SSL certificates periodically expire and need to be updated. You can modify the Certificate Authority on the RDS database with minimal impact to SFTP Gateway.
Receiving warning emails from AWS
You receive an email from AWS with the following subject line:
[Action required] Update Your Amazon RDS and Amazon Aurora SSL/TLS Certificates by August 22, 2024
This email tells you that you have an RDS instance using the Certificate Authority rds-ca-2019, which expires on August 22, 2024.
It advises you to update any database client software that relies on the SSL certificate, and it recommends that you change the Certificate Authority to rds-ca-rsa2048-g1.
SFTP Gateway v3 is not affected by changing the Certificate Authority from rds-ca-2019 to rds-ca-rsa2048-g1, so you can perform this change at your earliest convenience.
Updating the Certificate Authority in RDS
Updating the Certificate Authority in RDS can be performed in place without affecting the underlying RDS instance. You can perform this action during a maintenance window to be on the safe side, but this is not necessary.
- In RDS, go to the instance detail page.
- On the top right, click Modify
- In the Connectivity section, go to the Certificate authority dropdown menu
- Change it from rds-ca-2019 to rds-ca-rsa2048-g1 (default) (see screenshot below)
- Click Continue
- Under Schedule modifications, select the Apply immediately radio button
- Click Modify DB instance
The RDS instance will be in a Modifying... state for 1 or 2 minutes. During this time, SFTP Gateway users will continue to be able to perform SFTP actions such as logging in and uploading files.
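The console steps above update one instance at a time. When you have several RDS instances, it helps to first list which ones still use the expiring CA and then apply the same change from the CLI. The script below is an added example and is not part of the SFTP Gateway documentation or product: it parses the JSON that `aws rds describe-db-instances` and `aws rds describe-certificates` print, reports instances whose CA expires before a cutoff date, and builds the equivalent `aws rds modify-db-instance` command (the `--ca-certificate-identifier` and `--apply-immediately` flags correspond to the Certificate authority dropdown and the Apply immediately radio button). The instance names, engine values and expiry timestamps embedded below are constructed sample data, not output from a real account.

```python
"""Inventory check for RDS instances still on an expiring CA.

Added example (not SFTP Gateway's code). Feed it the JSON output of
`aws rds describe-db-instances --output json` and
`aws rds describe-certificates --output json`; the samples below are
constructed for offline use.
"""
import json
from datetime import datetime

TARGET_CA = "rds-ca-rsa2048-g1"  # the CA the AWS email recommends

# Constructed sample of `aws rds describe-db-instances`, trimmed to the
# fields this script reads. Instance names are made up.
SAMPLE_INSTANCES = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "sftpgw-db-prod", "Engine": "postgres",
         "CACertificateIdentifier": "rds-ca-2019"},
        {"DBInstanceIdentifier": "sftpgw-db-staging", "Engine": "postgres",
         "CACertificateIdentifier": "rds-ca-rsa2048-g1"},
    ]
})

# Constructed sample of `aws rds describe-certificates`. The rds-ca-2019
# expiry matches the AWS email; the other timestamp is a placeholder.
SAMPLE_CERTS = json.dumps({
    "Certificates": [
        {"CertificateIdentifier": "rds-ca-2019",
         "ValidTill": "2024-08-22T00:00:00+00:00"},
        {"CertificateIdentifier": "rds-ca-rsa2048-g1",
         "ValidTill": "2061-01-01T00:00:00+00:00"},
    ]
})


def parse_ts(iso_ts: str) -> datetime:
    """Parse the ISO-8601 timestamps the CLI prints (accepts a 'Z' suffix)."""
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))


def ca_expiry_map(certs_json: str) -> dict:
    """Map CA identifier -> expiry datetime from describe-certificates output."""
    certs = json.loads(certs_json)["Certificates"]
    return {c["CertificateIdentifier"]: parse_ts(c["ValidTill"]) for c in certs}


def instances_needing_update(instances_json: str, certs_json: str,
                             before_iso: str, target_ca: str = TARGET_CA) -> list:
    """Return instances not yet on target_ca whose current CA expires before
    the cutoff, or whose CA is unknown (so it is flagged for review)."""
    expiries = ca_expiry_map(certs_json)
    cutoff = parse_ts(before_iso)
    todo = []
    for inst in json.loads(instances_json)["DBInstances"]:
        ca = inst.get("CACertificateIdentifier")
        if ca == target_ca:
            continue  # already on the recommended CA
        expiry = expiries.get(ca)
        if expiry is None or expiry <= cutoff:
            todo.append({
                "instance": inst["DBInstanceIdentifier"],
                "engine": inst.get("Engine"),
                "ca": ca,
                "expires": expiry.isoformat() if expiry else "unknown",
            })
    return todo


def modify_command(identifier: str, target_ca: str = TARGET_CA) -> str:
    """CLI equivalent of Modify -> Certificate authority -> Apply immediately."""
    return ("aws rds modify-db-instance "
            f"--db-instance-identifier {identifier} "
            f"--ca-certificate-identifier {target_ca} "
            "--apply-immediately")


if __name__ == "__main__":
    # Flag anything whose CA expires before the end of 2024.
    for item in instances_needing_update(SAMPLE_INSTANCES, SAMPLE_CERTS,
                                         "2024-12-31T00:00:00+00:00"):
        print(f"{item['instance']}: {item['ca']} expires {item['expires']}")
        print("  " + modify_command(item["instance"]))
```

After running the generated command, `aws rds describe-db-instances --query 'DBInstances[].[DBInstanceIdentifier,CACertificateIdentifier]'` lets you confirm that every instance now reports rds-ca-rsa2048-g1 once it leaves the Modifying... state.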