Open jimleroyer opened 4 months ago
From the AWS docs:
Amazon RDS provides the following CAs to sign the DB server certificate for a DB instance.
rds-ca-2019 (currently in use, expiring soon)
Uses a certificate authority with RSA 2048 private key algorithm and SHA256 signing algorithm. This CA expires in 2024 and doesn't support automatic server certificate rotation. If you are using this CA and want to keep the same standard, we recommend that you switch to the rds-ca-rsa2048-g1 CA.
rds-ca-rsa2048-g1 (recommended replacement)
Uses a certificate authority with RSA 2048 private key algorithm and SHA256 signing algorithm in most AWS Regions.
In the AWS GovCloud (US) Regions, this CA uses a certificate authority with RSA 2048 private key algorithm and SHA384 signing algorithm.
This CA remains valid for longer than the rds-ca-2019 CA. This CA supports automatic server certificate rotation.
rds-ca-rsa4096-g1
Uses a certificate authority with RSA 4096 private key algorithm and SHA384 signing algorithm. This CA supports automatic server certificate rotation.
rds-ca-ecc384-g1
Uses a certificate authority with ECC 384 private key algorithm and SHA384 signing algorithm. This CA supports automatic server certificate rotation.
Posted in #security-privacy for feedback.
Moved to Blocked while we're waiting on feedback.
Notes from Slack discussion:
No need to update apps or anything due to RDS proxy: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
Created a PR to upgrade staging to 2048 bit
@sastels and I will run a perf test this morning to get a baseline in before merging the above PR.
We shall test in the group session today!
Testing was attempted but the change didn't take. Need to set an apply-immediately flag to make sure it takes. We will attempt this again today. We have a script that sends 1 email per second to soak test.
Cert change didn't take :/ Need to enable an "apply now" flag on RDS for it to work (?) - will try again today with a soak test running. 😅
With apply immediately, the certificate took, and there was no downtime! Proceeding with upgrading the blazer db, and setting the notify db to 4096 since that's working now. Will then run a performance test.
Perf test ran against 4096 certs; no change in performance.
This one was done and worked on Staging. Hoping to get some time with Jimmy to get this done on Prod. The PR commented above is the one for prod.
This will get merged to Prod today and needs to get QA'd
@Pond QA'ed
It worked! Just checked the cert and it's upgraded on prod.
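The procedure worked out above (find the instances still on rds-ca-2019, rotate with apply-immediately, then confirm the new CA is actually active rather than just pending) is shown below as an added example; it is not code from this thread or from the project's repo. It uses only the real fields of `aws rds describe-db-instances` (`CACertificateIdentifier`, `PendingModifiedValues`) and the real `modify-db-instance` flags; the instance identifiers in the embedded sample are constructed for the example.

```python
"""Plan and verify an RDS CA rotation from `describe-db-instances` output.

The failure mode from the thread ("cert change didn't take") shows up in the
API as the new CA sitting in PendingModifiedValues while CACertificateIdentifier
still reports the old one; that is what rotation_state() distinguishes.
"""
import json
import shlex
import subprocess
import sys

EXPIRING_CAS = {"rds-ca-2019"}          # the CA being retired in the thread
TARGET_CA = "rds-ca-rsa2048-g1"         # the replacement chosen in the issue

# Constructed sample in the shape of `aws rds describe-db-instances --output json`.
# Instance names are made up for this example.
SAMPLE_DESCRIBE = {
    "DBInstances": [
        {   # rotation requested without --apply-immediately: old CA still active
            "DBInstanceIdentifier": "notify-db-staging",
            "CACertificateIdentifier": "rds-ca-2019",
            "PendingModifiedValues": {"CACertificateIdentifier": "rds-ca-rsa4096-g1"},
        },
        {   # rotation already applied
            "DBInstanceIdentifier": "blazer-db-staging",
            "CACertificateIdentifier": "rds-ca-rsa2048-g1",
            "PendingModifiedValues": {},
        },
        {   # nothing requested yet
            "DBInstanceIdentifier": "legacy-db",
            "CACertificateIdentifier": "rds-ca-2019",
            "PendingModifiedValues": {},
        },
    ]
}


def instances_needing_rotation(describe_output, expiring=EXPIRING_CAS):
    """Identifiers whose *active* CA is on the expiring list (pending changes don't count)."""
    return [db["DBInstanceIdentifier"] for db in describe_output["DBInstances"]
            if db.get("CACertificateIdentifier") in expiring]


def modify_command(instance_id, ca_id, apply_immediately=True):
    """argv for the CLI call. Without --apply-immediately the new CA only lands in
    PendingModifiedValues and waits for the next maintenance window."""
    argv = ["aws", "rds", "modify-db-instance",
            "--db-instance-identifier", instance_id,
            "--ca-certificate-identifier", ca_id]
    if apply_immediately:
        argv.append("--apply-immediately")
    return argv


def rotation_plan(describe_output, target_ca=TARGET_CA):
    """Map each instance still on an expiring CA to the command that rotates it."""
    return {inst: modify_command(inst, target_ca)
            for inst in instances_needing_rotation(describe_output)}


def rotation_state(describe_output, instance_id, ca_id):
    """'applied', 'pending' (modify ran without apply-immediately), or 'not-requested'."""
    for db in describe_output["DBInstances"]:
        if db["DBInstanceIdentifier"] != instance_id:
            continue
        if db.get("CACertificateIdentifier") == ca_id:
            return "applied"
        if db.get("PendingModifiedValues", {}).get("CACertificateIdentifier") == ca_id:
            return "pending"
        return "not-requested"
    raise KeyError(f"no such instance: {instance_id}")


def load_describe(live):
    """Real API output with --live, otherwise the constructed sample above."""
    if not live:
        return SAMPLE_DESCRIBE
    out = subprocess.run(["aws", "rds", "describe-db-instances", "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    data = load_describe(live="--live" in sys.argv)
    for inst, argv in rotation_plan(data).items():
        print(f"{inst}: {shlex.join(argv)}")
    for db in data["DBInstances"]:
        inst = db["DBInstanceIdentifier"]
        print(f"{inst}: {rotation_state(data, inst, TARGET_CA)} for {TARGET_CA}")
```

Run it as-is to see the plan against the embedded sample, or with `--live` (needs configured AWS credentials) to run against real instances; it never calls `modify-db-instance` itself, it only prints the exact command to run, so the rotation step stays a deliberate action. Re-running afterwards should report `applied` for every instance; `pending` means the change is waiting on a maintenance window, which is the situation the thread hit before adding `--apply-immediately`.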
Description
As a DevOps engineer, I need to update the database certificates in all environments and products so that they remain operational and secure.
WHY are we building?
Keep our security certificates for database communication up to date.
WHAT are we building?
Updating the security certificates.
VALUE created by our solution
Security and stability.
Acceptance Criteria
rds-ca-rsa2048-g1
QA Steps
[ ] Blazer database communication is functional in production.
Additional information:
Pat's magic 🧙♂️
Command used to upgrade the certificate using the default certificate. Choosing a non-default certificate would require more operations, such as setting the default account certificate.
AWS email
This is the correspondence we received from AWS: