Transitioning to ACM certificates for SSL connections - Amazon Redshift

Transitioning to ACM certificates for SSL connections

Amazon Redshift is replacing the SSL certificates on your clusters with AWS Certificate Manager (ACM) issued certificates. ACM is a trusted public certificate authority (CA) that is trusted by most current systems. You might need to update your current trust root CA certificates to continue to connect to your clusters using SSL.

This change affects you only if all of the following apply:

  • Your SQL clients or applications connect to Amazon Redshift clusters using SSL with the sslMode connection option set to require, verify-ca, or verify-full configuration option.

  • You aren't using the Amazon Redshift ODBC or JDBC drivers, or you use Amazon Redshift drivers before ODBC version 1.3.7.1000 or JDBC version 1.2.8.1005.

If this change affects you on commercial Amazon Redshift Regions, then you must update your current trust root CA certificates before October 23, 2017. Amazon Redshift will transition your clusters to use ACM certificates between now and October 23, 2017. The change should have very little or no effect on your cluster's performance or availability.

If this change affects you on AWS GovCloud (US) (US) Regions, then you must update your current trust root CA certificates before April 1, 2020 to avoid service interruption. Beginning on this date, clients connecting to Amazon Redshift clusters using SSL encrypted connections need an additional trusted certificate authority (CA). Clients use trusted certificate authorities to confirm the identity of the Amazon Redshift cluster when they connect to it. Your action is required to update your SQL clients and applications to use an updated certificate bundle that includes the new trusted CA.

Important

In the China Regions on January 5, 2021, Amazon Redshift is replacing the SSL certificates on your clusters with AWS Certificate Manager (ACM) issued certificates. If this change affects you on China (Beijing) Region or China (Ningxia) Region, then you must update your current trust root CA certificates before January 5, 2021 to avoid service interruption. Beginning on this date, clients connecting to Amazon Redshift clusters using SSL encrypted connections need an additional trusted certificate authority (CA). Clients use trusted certificate authorities to confirm the identity of the Amazon Redshift cluster when they connect to it. Your action is required to update your SQL clients and applications to use an updated certificate bundle that includes the new trusted CA.

Using the latest Amazon Redshift ODBC or JDBC drivers

The preferred method is to use the latest Amazon Redshift ODBC or JDBC drivers. Amazon Redshift drivers beginning with ODBC version 1.3.7.1000 and JDBC version 1.2.8.1005 automatically manage the transition from an Amazon Redshift self-signed certificate to an ACM certificate. To download the latest drivers, see Configuring an ODBC connection or Configuring a JDBC driver version 1.x connection.

If you use the latest Amazon Redshift JDBC driver, it's best not to use -Djavax.net.ssl.trustStore in JVM options. If you must use -Djavax.net.ssl.trustStore, import the Redshift certificate authority bundle into the truststore it points to. For download information, see Connect using SSL. For more information, see Importing the Amazon Redshift certificate authority bundle into a TrustStore.

Using earlier Amazon Redshift ODBC or JDBC drivers

  • If your ODBC DSN is configured with SSLCertPath, overwrite the certificate file in the specified path.

  • If SSLCertPath is not set, then overwrite the certificate file named root.crt in the driver DLL location.

If you must use an Amazon Redshift JDBC driver before version 1.2.8.1005, then do one of the following:

Importing the Amazon Redshift certificate authority bundle into a TrustStore

You can use redshift-keytool.jar to import CA certificates in the Amazon Redshift Certificate Authority bundle into a Java TrustStore or your private truststore.

To import the Amazon Redshift certificate authority bundle into a TrustStore

  1. Download redshift-keytool.jar.

  2. Do one of the following:

    • To import the Amazon Redshift Certificate Authority bundle into a Java TrustStore, run the following command.

      java -jar redshift-keytool.jar -s
    • To import the Amazon Redshift Certificate Authority bundle into your private TrustStore, run the following command:

      java -jar redshift-keytool.jar -k <your_private_trust_store> -p <keystore_password>

Using other SSL connection types

Follow the steps in this section if you connect using any of the following:

  • Open source ODBC driver

  • Open source JDBC driver

  • The psql command line interface

  • Any language bindings based on libpq, such as psycopg2 (Python) and ruby-pg (Ruby)

To use ACM certificates with other SSL connection types:

  1. Download the Amazon Redshift certificate authority bundle. For download information, see Connect using SSL.

  2. Place the certificates from the bundle in your root.crt file.

    • On Linux and macOS X operating systems, the file is ~/.postgresql/root.crt.

    • On Microsoft Windows, the file is %APPDATA%\postgresql\root.crt.