Question
I recently received an email regarding a required update to my RDS Certificate Authority. The instructions on the RDS side seem straightforward: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
However, on step 4 there was an important message: "When you schedule this operation, make sure that you have updated your client-side trust store beforehand."
I can't seem to find any information about updating my server which connects to RDS for the CA update.
My setup is EC2 instances on Beanstalk.
Does anyone know how/what I am supposed to do?
Thank you.
Similar question: Update Amazon RDS SSL/TLS Certificates - Elastic Beanstalk
Recommended answer
Basically, installing the certificate is only required when you use an SSL connection from your application to the RDS server. Regardless of the SSL connection, it is recommended to update the certificate of your server, but it is not necessary if you did not use an SSL connection to RDS.
Server-side usage
When you use the SSL connection, you should change the certificate of the RDS server as soon as possible. Go to the RDS console, where you can find the Certificate update menu in the left-hand menu list. Find your DB cluster, then check and update your SSL right now or reserve the update for the next maintenance window.
Client-side usage
The details about the SSL certificate are noted in the documentation. From there, you can download the root CA certificate of rds 2019. The link is below.
This CA certificate is used to connect to the RDS server, e.g.
mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com \
    --ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY
or add it to the Trusted Root CA store of the client OS.
For example, in Windows you can run certmgr.msc, right-click the trusted root CA store and import this certificate. On a Mac, open Keychain Access and import this certificate. This is an option.
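As an added example (not part of the original answer), here is a POSIX shell script an operator could run on the Beanstalk EC2 instance before scheduling the RDS rotation. It inspects the downloaded CA bundle (counts the certificates, lists subject and expiry, and flags any certificate that expires within a window) and, once the new bundle is in place, verifies the RDS endpoint against it with openssl s_client. It assumes the openssl CLI (1.1.1 or later, for -starttls mysql and -verify_hostname) and curl are installed; BUNDLE_URL and the host name are placeholders, and the certificate used in testing is constructed locally.

```shell
#!/bin/sh
# Added example, not from the original answer or from AWS. Assumes the openssl
# CLI (1.1.1+) and curl are available. BUNDLE_URL is a placeholder: replace it
# with the CA bundle download link from the AWS RDS documentation.
BUNDLE_URL="https://EXAMPLE-PLACEHOLDER/rds-combined-ca-bundle.pem"

# Download the bundle to a destination path and fail if it is not PEM.
fetch_bundle() {
    dest="$1"
    curl -fsSL "$BUNDLE_URL" -o "$dest" || return 1
    grep -q 'BEGIN CERTIFICATE' "$dest"
}

# Split a PEM bundle into one file per certificate inside directory $2.
# A flag (inside) prevents text between certificates from reopening and
# truncating an already written file.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$1"
}

# Number of certificates in the bundle.
count_bundle_cas() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# One line per certificate: subject and notAfter, as printed by openssl.
list_bundle_cas() {
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp"
    for f in "$tmp"/cert-*.pem; do
        openssl x509 -noout -subject -enddate -in "$f" | tr '\n' ' '
        echo
    done
    rm -rf "$tmp"
}

# Return 1 (and print the subject) if any certificate in the bundle expires
# within $2 seconds; return 0 when all of them outlive the window.
bundle_expiring_within() {
    seconds="$2"
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp"
    rc=0
    for f in "$tmp"/cert-*.pem; do
        if ! openssl x509 -noout -checkend "$seconds" -in "$f" >/dev/null; then
            echo "expiring within ${seconds}s: $(openssl x509 -noout -subject -in "$f")"
            rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Verify an RDS MySQL endpoint against the bundle the same way the mysql
# client does with --ssl-mode=VERIFY_IDENTITY: chain check plus hostname.
# Prints openssl's "Verify return code" line; 0 (ok) means the client trust
# store is ready for the rotated server certificate.
# Usage: check_rds_tls myinstance.example.rds.amazonaws.com 3306 /path/bundle.pem
check_rds_tls() {
    host="$1"; port="${2:-3306}"; bundle="$3"
    openssl s_client -connect "$host:$port" -starttls mysql \
        -CAfile "$bundle" -verify_hostname "$host" </dev/null 2>/dev/null \
        | grep 'Verify return code'
}
```

Run `list_bundle_cas` and `bundle_expiring_within` on the downloaded file first so you know which CAs the instance will trust and that none of them is about to expire, then `check_rds_tls` against the endpoint after the rotation to confirm the chain validates before application traffic depends on it.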