Amazon Redshift
Management Guide (API Version 2012-12-01)

Transitioning to ACM Certificates for SSL Connections

Amazon Redshift is replacing the SSL certificates on your clusters with certificates issued by AWS Certificate Manager (ACM). ACM is a public certificate authority (CA) that is trusted by most current systems. You might need to update your current trust root CA certificates to continue to connect to your clusters using SSL.

This change affects you only if all of the following apply:

  • Your SQL clients or applications connect to Amazon Redshift clusters using SSL with the sslMode connection option set to require, verify-ca, or verify-full.

  • Your clusters are in any AWS region except the AWS GovCloud (US) region, the China (Beijing) region, or the China (Ningxia) region.

  • You aren't using the Amazon Redshift ODBC or JDBC drivers, or you use Amazon Redshift drivers prior to ODBC version 1.3.7.1000 or JDBC version 1.2.8.1005.

If this change affects you, then you must update your current trust root CA certificates before October 23, 2017. Amazon Redshift will transition your clusters to use ACM certificates between now and October 23, 2017. The change should have very little or no effect on your cluster's performance or availability.

To update your current trust root CA certificates, identify your use case and then follow the steps in that section.

Using the Latest Amazon Redshift ODBC or JDBC drivers

The preferred method is to use the latest Amazon Redshift ODBC or JDBC drivers. Amazon Redshift drivers beginning with ODBC version 1.3.7.1000 and JDBC version 1.2.8.1005 automatically manage the transition from an Amazon Redshift self-signed certificate to an ACM certificate. To download the latest drivers, see Configure an ODBC Connection or Configure a JDBC Connection.

If you use the latest Amazon Redshift JDBC driver, it's best not to use -Djavax.net.ssl.trustStore in JVM options. If you must use -Djavax.net.ssl.trustStore, import the Redshift Certificate Authority Bundle into the truststore it points to. For more information, see Importing the Redshift Certificate Authority Bundle into a TrustStore.

Using Earlier Amazon Redshift ODBC or JDBC drivers

If you must use an Amazon Redshift ODBC driver prior to version 1.3.7.1000, then download the Redshift Certificate Authority Bundle and overwrite the old certificate file.

  • If your ODBC DSN is configured with SSLCertPath, overwrite the certificate file in the specified path.

  • If SSLCertPath is not set, then overwrite the certificate file named root.crt in the driver DLL location.

If you must use an Amazon Redshift JDBC driver prior to version 1.2.8.1005, then do one of the following:

Importing the Redshift Certificate Authority Bundle into a TrustStore

You can use the redshift-keytool.jar to import CA certificates in the Redshift Certificate Authority bundle into a Java TrustStore or your private truststore.

To import the Redshift Certificate Authority Bundle into a TrustStore:

  1. Download the redshift-keytool.jar.

  2. Do one of the following:

    • To import Redshift Certificate Authority bundle into a Java TrustStore, run the following command.

      java -jar redshift-keytool.jar -s
    • To import Redshift Certificate Authority bundle into your private TrustStore, run the following command:

      java -jar redshift-keytool.jar -k <your_private_trust_store> -p <keystore_password>

Using Other SSL Connection Types

Follow the steps in this section if you connect using any of the following:

  • Open source ODBC driver

  • Open source JDBC driver

  • The psql command line interface

  • Any language bindings based on libpq, such as psycopg2 (Python) and ruby-pg (Ruby)

To use ACM certificates with other SSL connection types:

  1. Download the Redshift Certificate Authority Bundle.

  2. Place the certificates from the bundle in your root.crt file.

    • On Linux and Mac OS X operating systems, the file is ~/.postgresql/root.crt

    • On Microsoft Windows, the file is %APPDATA%\postgresql\root.crt
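
Step 2 can be done by appending rather than overwriting, so that root certificates you already trust in root.crt are kept and certificates already present are not duplicated. The following is an added example, not AWS code; the script name merge_root_crt.py is hypothetical, and it assumes the downloaded bundle is a PEM-encoded file.

```python
import os, re, sys, tempfile
from pathlib import Path

PEM = re.compile(r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def default_root_crt(platform=sys.platform, env=os.environ):
    """Default root.crt location for libpq-based clients, as listed on this page."""
    if platform.startswith("win"):
        return Path(env["APPDATA"]) / "postgresql" / "root.crt"
    return Path.home() / ".postgresql" / "root.crt"

def pem_blocks(text):
    """Map whitespace-normalized base64 body -> full PEM block, in file order."""
    blocks = {}
    for m in PEM.finditer(text):
        blocks.setdefault("".join(m.group(1).split()), m.group(0))
    return blocks

def merge_bundle(bundle_path, root_crt):
    """Append certificates that root_crt lacks; return the number added."""
    root_crt = Path(root_crt)
    bundle = pem_blocks(Path(bundle_path).read_text())
    if not bundle:
        raise ValueError(f"no PEM certificates found in {bundle_path}")
    current = root_crt.read_text() if root_crt.exists() else ""
    have = pem_blocks(current)
    missing = [pem for key, pem in bundle.items() if key not in have]
    if missing:
        root_crt.parent.mkdir(parents=True, exist_ok=True)
        kept = current.rstrip("\n")
        merged = (kept + "\n" if kept else "") + "\n".join(missing) + "\n"
        # Write a temp file and rename it, so a failed write never leaves
        # clients with a truncated trust file.
        fd, tmp = tempfile.mkstemp(dir=root_crt.parent)
        with os.fdopen(fd, "w") as f:
            f.write(merged)
        os.replace(tmp, root_crt)
    return len(missing)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: merge_root_crt.py <downloaded-bundle-file>")
    target = default_root_crt()
    print(f"added {merge_bundle(sys.argv[1], target)} certificate(s) to {target}")
```

Running it a second time with the same bundle adds nothing, so it is safe to include in provisioning scripts for hosts that connect with verify-ca or verify-full.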