Menu
Amazon Relational Database Service
User Guide (API Version 2014-10-31)

Using SSL to Encrypt a Connection to a DB Instance

You can use SSL from your application to encrypt a connection to a DB instance running MySQL, MariaDB, Amazon Aurora, SQL Server, Oracle, or PostgreSQL. Each DB engine has its own process for implementing SSL. To learn how to implement SSL for your DB instance, use the link following that corresponds to your DB engine:

A root certificate that works for all regions can be downloaded at https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem . It is the trusted root entity and should work in most cases but might fail if your application does not accept certificate chains. If your application does not accept certificate chains, download the region-specific certificate from the list of intermediate certificates found later in this section.

A certificate bundle that contains both the old and new root certificates can be downloaded at https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem .

If your application is on the Microsoft Windows platform and requires a PKCS7 file, you can download the PKCS7 certificate bundle that contains both the old and new certificates at https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.p7b .

Intermediate Certificates

You might need to use an intermediate certificate to connect to your region. For example, you must use an intermediate certificate to connect to the AWS GovCloud (US) region using SSL. If you need an intermediate certificate for a particular region, download the certificate from the following list:

Asia Pacific (Mumbai)

Asia Pacific (Tokyo)

Asia Pacific (Seoul)

Asia Pacific (Singapore)

Asia Pacific (Sydney)

EU (Frankfurt)

EU (Ireland)

South America (São Paulo)

US East (N. Virginia)

US East (Ohio)

US West (N. California)

US West (Oregon)

China (Beijing)

AWS GovCloud (US) (CA-2012, for CA-2017 see below)

GovCloud (US) SSL Certificates 2017

To maintain connectivity, you need to update the CA-2012 SSL certificates your client or application is using to connect to RDS before August 15, 2017, at 20:00 UTC. Follow these steps:

  1. Download the new AWS GovCloud Intermediate SSL certificate bundle.

  2. Use the new certificates you downloaded in the previous step to update your database client or application by following the steps on the download page. This action is specific to the configuration of your client or application.

Use the Modify operation for your RDS instance on the AWS Management Console (or the ModifyDBInstance API) to change the Certificate Authority (CA) from rds-ca-2012 to rds-ca-2017, and then click Apply Immediately. This operation will update the SSL certificates on the RDS instance and initiate a reboot operation to have the new certificates take effect. This reboot operation typically takes less than two minutes to complete. In some cases, such as when a database has a large number of tables, a reboot could take longer. For more information, see Best Practices for Amazon RDS.