Here's probably a silly question: Shouldn't this work automatically? I just assumed they would have an intermediate CA or whatever it's called and have that certificate be signed by some widely trusted CA.

Or have they done it in a different way for security reasons?
In the spirit of asking silly questions (as encouraged in some comments here), here's mine:

My small SaaS company's PostgreSQL RDS instance and app servers are in a VPC with security groups configured to only allow connections from the app servers to the DB (no public access to the RDS instance). My client (ruby-pg) on the app servers is connecting via SSL, but not currently with certificate validation (though I believe the cert date still needs to be valid [?], hence the need to rotate the PostgreSQL server's certificate).

In this scenario, how important is certificate validation? I understand the theoretical risk of clients not being able to fully trust that they're connected to the database I intend, but from a practical standpoint, it seems that if an attacker is able to poison the VPC's DNS and trick the app servers into connecting to something else, I'm already hosed and cert validation wouldn't do much to help me. Am I missing something obvious and very dangerous?
I created a new RDS instance via Cloudformation just last week and immediately had the notice that I should update the cert. Looks like the new cert will be the default on 1/14, but I thought that was really weird.
> Next, I update my client applications to use the new certificates. This process is specific to each app and each database client library, so I don't have any details to share.

This is how I lost the last two days of work. Learned a lot at least.
Is it possible to simply concatenate the two `bundle` files (2015 and 2019) and feed that to client apps? That would allow updating the client first without changing the db, then updating the db without breaking the client. (Then step 3 would be to update the client to just use the 2019 bundle)
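The two comments above (the ruby-pg client connecting over SSL without certificate validation, and the question of concatenating the 2015 and 2019 bundles) can be checked end to end with a small Ruby script. This is an added example, not code from the thread or from AWS: the two "roots" are self-signed test certificates generated on the fly as stand-ins for the real `rds-ca-2015-root.pem` and `rds-ca-2019-root.pem` (assumed file names), the RDS endpoint hostname is a placeholder, and `pg_conn_params` only builds the hash you would hand to `PG.connect`. It shows that a PEM bundle really is a plain concatenation (so a client trusting the merged file accepts a server certificate issued by either root, which is what makes the client-first, DB-second rotation order safe) and what `sslmode=verify-full` plus `sslrootcert` adds over an unvalidated SSL connection: the chain must lead to one of the bundled roots and the certificate's name must match the host you dialled.

```ruby
require 'openssl'
require 'tempfile'

# --- constructed stand-ins for the rds-ca-2015 and rds-ca-2019 roots ---
# Self-signed test roots generated here; they are NOT the real AWS roots.
def make_root(name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3
  cert.serial     = rand(1..2**31)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# A server certificate for the RDS endpoint, issued by one of the roots above.
def make_server_cert(root, root_key, hostname)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**31)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer     = root.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 90 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(root, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{hostname}", false))
  cert.sign(root_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Same thing as `cat rds-ca-2015-root.pem rds-ca-2019-root.pem > rds-combined.pem`:
# a PEM bundle is a plain concatenation, and libpq loads every cert in the file.
def merge_bundles(*pems)
  pems.map { |p| p.strip + "\n" }.join
end

def certs_in_bundle(pem)
  pem.scan('-----BEGIN CERTIFICATE-----').size
end

# Would a client trusting exactly this bundle accept the given server cert?
# This is the chain check libpq does under sslmode=verify-ca; verify-full
# additionally requires the certificate name to match the connection host.
def bundle_trusts?(bundle_pem, server_cert)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m).each do |pem|
    store.add_cert(OpenSSL::X509::Certificate.new(pem))
  end
  store.verify(server_cert)
end

# ruby-pg / libpq parameters that actually validate the server. Without
# sslmode=verify-full the connection is encrypted but the peer is unverified.
def pg_conn_params(host, bundle_path)
  { host: host, dbname: 'app', user: 'app',
    sslmode: 'verify-full', sslrootcert: bundle_path }
end

if __FILE__ == $PROGRAM_NAME
  old_root, old_key = make_root('stand-in-rds-ca-2015')
  new_root, new_key = make_root('stand-in-rds-ca-2019')
  host = 'mydb.PLACEHOLDER.us-east-1.rds.amazonaws.com'      # placeholder endpoint
  combined = merge_bundles(old_root.to_pem, new_root.to_pem)
  bundle = Tempfile.new(['rds-combined', '.pem'])
  bundle.write(combined)
  bundle.flush
  puts "certs in combined bundle: #{certs_in_bundle(combined)}"
  puts "old-signed server cert trusted: #{bundle_trusts?(combined, make_server_cert(old_root, old_key, host))}"
  puts "new-signed server cert trusted: #{bundle_trusts?(combined, make_server_cert(new_root, new_key, host))}"
  p pg_conn_params(host, bundle.path)   # hand this hash to PG.connect
end
```

Once every client trusts the combined file, the DB can be switched to the 2019 certificate without an outage, and the bundle can later be trimmed to the 2019 root alone, which is the three-step order the comment above proposes. The rotation also does not help a client that never validates: `sslmode=require` keeps connecting happily to whatever presents a certificate, so the bundle only matters once `verify-ca` or `verify-full` is set.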
Just think this may be important: check whether any of your apps are using TLS.

```sql
SELECT s.pid, s.ssl, s.version, a.client_addr, a.usename, a.datname, a.query
FROM pg_stat_ssl AS s
JOIN pg_stat_activity AS a ON a.pid = s.pid;
```
You can see `t|f` in `ssl` field.
> Regions – Rotation is needed for database instances in all commercial AWS regions except Asia Pacific (Hong Kong), Middle East (Bahrain), and China (Ningxia).

I wonder why?

Are these CAs subject to... shall we say, additional government oversight?