Sunday, April 14, 2024
No menu items!
HomeDatabase ManagementUpdate your Amazon DocumentDB TLS certificates: Expiring in 2024

Update your Amazon DocumentDB TLS certificates: Expiring in 2024

You may have seen the recent notifications to rotate your SSL/TLS certificates in Amazon RDS and Amazon Aurora, or you may have already received notification from AWS about updating your Amazon DocumentDB TLS certificates before they update starting in August 2024.

If you are using Amazon DocumentDB (with MongoDB compatibility) clusters with Transport Layer Security (TLS) enabled (the default setting) and you have not rotated your client application and server certificates, you should follow the steps outlined in this post to mitigate any connectivity issues between your clients and Amazon DocumentDB clusters.

Transport Layer Security

Data encrypted in transit for your Amazon DocumentDB cluster is managed by the TLS parameter in a cluster parameter group. TLS connections provide a layer of security by encrypting data that moves between your client application and database instances, as well as perform server identity verification by validating the server certificate installed on the database instances.

A certificate authority (CA) generates time-bound certificates that are checked by client applications to authenticate with database instances before exchanging information. AWS renews the CA and creates new certificates on a routine basis to make sure your connections are properly protected for years to come.

Two new CA certificates were made available to Amazon DocumentDB clusters in October 2023: one that will expire (generally) in 2061 (rds-ca-rsa2048-g1) and one that will expire in 2121 (rds-ca-rsa-4096-g1). A third CA certificate was made available in March 2024 (rds-ca-ecc384-g1) that will also expire in 2121 and is only available for Amazon DocumentDB 4.0 and 5.0 engine versions. If you created an Amazon DocumentDB cluster after January 25, 2024, you already have the latest server certificates.

In 2024, the rds-ca-2019 CA certificate is set to expire by the dates for each Amazon DocumentDB Region listed in the following table.

Expiration Date

August 22, 2024
US East (Ohio), US East (N. Virginia), US West (Oregon), Asia Pacific (Mumbai), Asia Pacific (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), Asia Pacific (Tokyo), Canada (Central), Europe (Frankfurt), Europe (Ireland), Europe (London), Europe (Paris), and South America (São Paulo)

September 9, 2024
China (Beijing), China (Ningxia)

October 28, 2024
Europe (Milan)

Not affected until 2061
Asia Pacific (Hong Kong), Asia Pacific (Hyderabad), AWS GovCloud (US-East), and AWS GovCloud (US-West)

Update your certificate via the Amazon DocumentDB console

To update the certificate on each instance in your Amazon DocumentDB cluster, complete the following steps:

On the Amazon DocumentDB console, choose Clusters in the navigation pane.
Select the cluster identifier for one of your primary or replica instances.

On the Configuration tab, under Security and network, locate your current CA and the DB instance certificate expiration date.

If your instance is using the rds-ca-2019 CA, similar to the following screenshot, you need to update your instance.

If your instance is already using the rds-ca-rsa4096-g1, rds-ca-rsa2048-g1, or rds-ca-ecc384-g1 certificate, you are already using the latest server certificate and don’t need to complete the remaining steps. For more information about the differences between these certificates, refer to Updating Your Application and Amazon DocumentDB Cluster.

On the Configuration tab, choose Modify.
In the Certificate authority section, choose your new server certificate as either rds-ca-rsa4096-g1, rds-ca-rsa2048-g1, or rds-ca-ecc384-g1.

Choose Continue.
In the Scheduling of modifications section, select if you want to apply your changes immediately or during the next maintenance window.
Choose Modify instance.

If you return to the Clusters page on the Amazon DocumentDB console, you will notice your instance’s status change to modifying, then rebooting, before showing as available again. Rebooting an instance restarts the database engine service and results in a momentary outage. Refer to Rebooting an Amazon DocumentDB instance for more information.

Update your certificate using the AWS CLI

You can also use AWS CloudShell to check and rotate your certificate using the AWS Command Line Interface (AWS CLI). For more information about getting started with CloudShell, refer to the AWS CloudShell User Guide.

Run the following command to return all the Amazon DocumentDB instances in your Region that are using the rds-ca-2019 certificate:

aws docdb describe-db-instances
–filters Name=engine,Values=docdb
–query ‘DBInstances[?CACertificateIdentifier==`rds-ca-2019`].DBInstanceIdentifier[]’

To update the certificate, pass the DBInstanceIdentifier returned from the output of the preceding command and choose the appropriate certificate:

aws docdb modify-db-instance
–db-instance-identifier [DBInstanceIdentifier]
–ca-certificate-identifier [rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, rds-ca-ecc384-g1]

You can view the –ca-certificate-identifier supported in your cluster by running the following command and checking the value of SupportedCACertificateIdentifiers:

aws docdb describe-db-engine-versions
–engine docdb
–query ‘DBEngineVersions[*].[Engine,EngineVersion,SupportedCACertificateIdentifiers]’

You should repeat these steps in all the Regions where you have Amazon DocumentDB clusters.


If your applications are using TLS to connect with Amazon DocumentDB, you should start the process of updating your certificates today. Amazon DocumentDB will not automatically rotate your certificates before they expire, and you are required to update your clients and clusters to use the new CA certificates before the expiration date to continue using the default encryption in transit behavior of Amazon DocumentDB.

To learn more about security on Amazon DocumentDB, see Security in Amazon DocumentDB. You can also refer to the Frequently Asked Questions about TLS certificates on Amazon DocumentDB to learn more about updating your certificates. You can always contact your AWS Support by your Support plan for additional questions or issues.

About the authors

Raghu Rao is a Senior Technical Program Manager at AWS. He is passionate about solving customer problems by delivering products and services utilizing cloud services, open source, and AI/ML. Raghu manages complex global programs with knowledge of security and regulatory compliances. In his free time, he enjoys spending time with his family and hiking.

Cody Allen is a Senior DocumentDB Specialist Solutions Architect based out of Texas. He is passionate about working side by side with customers to solve complex problems, and supporting teammates through mentorship and knowledge transfer. He has spent his career deploying and managing systems, softwares, and infrastructure for B2B SaaS providers, materiel and logistics suppliers, the U.S Air Force, and other government agencies domestic and international.

Read MoreAWS Database Blog



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments