Modifying your managed database in Amazon Lightsail to use a specific certificate

Last updated: January 2, 2020

Amazon Lightsail has published new Certificate Authority (CA) certificates for connecting to your managed database using SSL/TLS. The new certificates are referred to as rds-ca-2019, and the old certificates are referred to as rds-ca-2015. We provide the CA certificates as an AWS security best practice. For information about the CA certificates for your managed database, and the supported AWS Regions, see Downloading an SSL certificate for your managed database in Amazon Lightsail.

The old CA certificate (rds-ca-2015) on your managed database expires on March 5, 2020. Therefore, we strongly recommend completing the steps in this guide as soon as possible to modify your managed database to use the new certificate. If your applications are not connecting to your Lightsail managed database using SSL/TLS, no action is required. If these steps are not completed, your applications will fail to connect to your managed database using SSL/TLS after March 5, 2020.

New managed databases created after January 14, 2020 will use the new certificates by default. If you want to temporarily modify new managed databases to use the old certificates (rds-ca-2015), you can do so using the AWS Command Line Interface (AWS CLI). Any managed databases created prior to January 14, 2020 use the rds-ca-2015 certificates until you update them to the rds-ca-2019 certificates.

Note

Test the steps in this guide on a development or staging environment before using them on your production environments.

Prerequisites

Modifying your managed database to use the new CA certificate

Complete the following steps to modify your managed database in Lightsail to use the new CA certificate (rds-ca-2019).

  1. Open a Terminal or Command Prompt window.

  2. Enter the following command to use the rds-ca-2019 certificate on your managed database.

    aws lightsail update-relational-database --relational-database-name DatabaseName --ca-certificate-identifier rds-ca-2019 --no-apply-immediately

    In the command, replace DatabaseName with the name of the database you want to modify.

    Example

    aws lightsail update-relational-database --relational-database-name Database-1 --ca-certificate-identifier rds-ca-2019 --no-apply-immediately

    The CA certificate used by your managed database will be updated during your database’s next maintenance window.
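The following script is an added example, not part of the original guide. It goes beyond the single-database command above: it lists every managed database with its current CA certificate and prints the update command for each one still on rds-ca-2015. It assumes the AWS CLI is configured for the Region that holds your databases; the function names and sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: plan the rds-ca-2015 -> rds-ca-2019 change for many databases.
OLD_CA="rds-ca-2015"
NEW_CA="rds-ca-2019"
TAB=$(printf '\t')

# Live inventory: one "name<TAB>CA identifier" row per managed database
# in the Region the AWS CLI is configured for.
list_databases() {
  aws lightsail get-relational-databases \
    --query 'relationalDatabases[].[name,caCertificateIdentifier]' \
    --output text
}

# Constructed sample rows in the same shape, so the script runs offline.
sample_rows() {
  printf 'Database-1\trds-ca-2015\nDatabase-2\trds-ca-2019\nDatabase-3\tNone\n'
}

# Reads rows on stdin and prints (never runs) the guide's update command
# for each database still on the old CA; unknown values are flagged.
plan_ca_rotation() (
  while IFS="$TAB" read -r name ca; do
    [ -n "$name" ] || continue
    case "$ca" in
      "$NEW_CA") ;;  # already on the new certificate
      "$OLD_CA")
        printf 'aws lightsail update-relational-database --relational-database-name %s --ca-certificate-identifier %s --no-apply-immediately\n' "$name" "$NEW_CA" ;;
      *) printf '# review manually: %s reports CA "%s"\n' "$name" "$ca" ;;
    esac
  done
)

# Number of databases still on the old CA; 0 means nothing is left to change.
count_pending() {
  awk -F'\t' -v old="$OLD_CA" '$2 == old { n++ } END { print n + 0 }'
}

# "--live" queries the account; anything else uses the sample rows.
if [ "${1:-}" = "--live" ]; then
  list_databases | plan_ca_rotation
else
  sample_rows | plan_ca_rotation
fi
```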

Modifying your managed database to use the old CA certificate

Complete the following steps to modify your managed database in Lightsail to use the old CA certificate (rds-ca-2015). You may want to do this if you experience a critical issue with the new certificate (rds-ca-2019) and need to temporarily revert to the old one.

  1. Open a Terminal or Command Prompt window.

  2. Enter the following command to use the rds-ca-2015 certificate on your managed database.

    aws lightsail update-relational-database --relational-database-name DatabaseName --ca-certificate-identifier rds-ca-2015 --no-apply-immediately

    In the command, replace DatabaseName with the name of the database you want to modify.

    Example

    aws lightsail update-relational-database --relational-database-name Database-1 --ca-certificate-identifier rds-ca-2015 --no-apply-immediately

    The CA certificate used by your managed database will be updated during your database’s next maintenance window.