What is the difference between the CAs available for upgrade in AWS RDS? [closed]

We have a PostgreSQL RDS instance that currently uses the SSL/TLS certificate rds-ca-2019. It's recommended to update to a new CA.

The options are rds-ca-ecc384-g1, rds-ca-rsa4096-g1, or rds-ca-rsa2048-g1.

What is the difference between the CAs?

Staton answered 13/9, 2023 at 12:33

TL;DR: for a drop-in replacement, use rds-ca-rsa2048-g1

rds-ca-2019 certificates are set to expire in August 2024.

The new CA certificates are:

  • rds-ca-rsa2048-g1 (RSA 2048)
  • rds-ca-rsa4096-g1 (RSA 4096)
  • rds-ca-ecc384-g1 (ECC 384)

A good general guideline, as recommended by AWS, is to use rds-ca-rsa2048-g1, which offers the same security as rds-ca-2019. The main difference between the CAs is the private key algorithm and, to a lesser extent, the signing algorithm.

The available CAs will depend on the DB engine and DB engine version. If you need stronger security, you can also use rds-ca-rsa4096-g1 or rds-ca-ecc384-g1 as they use stronger algorithms. However, keep in mind that not all clients or systems may support the more complex RSA 4096 or ECC 384 algorithms.

Unmistakable answered 13/9, 2023 at 12:49
AWS does not specifically recommend rds-ca-rsa2048-g1. - Machiavelli
@KrzysztofCzelusniak Incorrect. If you are using rds-ca-2019: 'If you are using this CA and want to keep the same standard, we recommend that you switch to the rds-ca-rsa2048-g1 CA.' - Unmistakable
That is only to keep the same standard. AWS recommends using "ECDSA certificates wherever possible. RSA 2048 remains the default certificate type in order to prevent compatibility issues with legacy applications or with applications that do not support ECDSA certificate types." aws.amazon.com/blogs/security/… - Machiavelli
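
The answer's point is that the three CAs differ in the key algorithm (RSA 2048, RSA 4096, ECC 384) and, secondarily, in the signing algorithm. Rather than taking that on faith, you can read both fields straight out of the certificates: the ones in the RDS trust bundle (AWS publishes the global bundle at https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem) or the chain your instance actually presents. The script below is an added example, not code from the question, the answer or AWS. It uses only the Python standard library (a minimal DER walker, since the stdlib has no X.509 parser) and, so that it runs offline, builds constructed, certificate-shaped sample inputs for the three key classes; those samples are not valid certificates and their names, serials and signature bytes are made up.

```python
"""Report key algorithm, key size, signature algorithm and subject CN for every
certificate in a PEM bundle, using only the standard library.
Sample inputs are constructed in-file (not valid certificates) so it runs offline."""
import base64
import re

# OIDs needed to tell the RDS CA families apart, plus the commonName attribute.
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.2.1": "ecPublicKey",
    "1.3.132.0.34": "secp384r1",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "2.5.4.3": "commonName",
}
OID_BY_NAME = {v: k for k, v in OID_NAMES.items()}
CURVE_BITS = {"secp384r1": 384}


# ---- DER decoding ------------------------------------------------------------
def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield the TLVs inside a constructed value (SEQUENCE / SET)."""
    while start < end:
        tlv = _tlv(buf, start)
        yield tlv
        start = tlv[2]


def _oid(buf, start, end):
    """Decode an OBJECT IDENTIFIER value to dotted notation."""
    arcs, value = [str(buf[start] // 40), str(buf[start] % 40)], 0
    for b in buf[start + 1:end]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)


def _common_name(buf, name):
    """Find commonName in a Name (SEQUENCE OF SET OF {type OID, value})."""
    for _, ss, se in _children(buf, name[1], name[2]):
        for _, as_, ae in _children(buf, ss, se):
            oid, val = list(_children(buf, as_, ae))[:2]
            if _oid(buf, oid[1], oid[2]) == OID_BY_NAME["commonName"]:
                return buf[val[1]:val[2]].decode("utf-8", "replace")
    return None


def inspect_certificate(der):
    """Key algorithm, key bits, signature algorithm and subject CN of one DER cert."""
    _, cs, ce = _tlv(der, 0)                                    # Certificate SEQUENCE
    tbs, sig_alg_id, _sig = list(_children(der, cs, ce))[:3]
    fields = list(_children(der, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    subject, spki = fields[4], fields[5]
    alg_id, pubkey = list(_children(der, spki[1], spki[2]))[:2]
    alg_parts = list(_children(der, alg_id[1], alg_id[2]))
    key_alg = OID_NAMES.get(_oid(der, alg_parts[0][1], alg_parts[0][2]), "unknown")
    key_bits = None
    if key_alg == "rsaEncryption":
        # BIT STRING value = unused-bits byte + RSAPublicKey SEQUENCE {modulus, exponent}
        _, rs, re_ = _tlv(der, pubkey[1] + 1)
        _, ms, me = next(_children(der, rs, re_))
        key_bits = int.from_bytes(der[ms:me], "big").bit_length()
    elif key_alg == "ecPublicKey":                              # params = namedCurve OID
        key_bits = CURVE_BITS.get(OID_NAMES.get(_oid(der, alg_parts[1][1], alg_parts[1][2])))
    sig_oid = next(_children(der, sig_alg_id[1], sig_alg_id[2]))
    return {"common_name": _common_name(der, subject), "key_algorithm": key_alg,
            "key_bits": key_bits,
            "signature_algorithm": OID_NAMES.get(_oid(der, sig_oid[1], sig_oid[2]), "unknown")}


def inspect_bundle(pem_text):
    """Inspect every certificate in a PEM bundle such as the RDS global-bundle.pem."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [inspect_certificate(base64.b64decode("".join(b.split()))) for b in blocks]


# ---- constructed sample input (NOT valid certificates: dummy signature bytes) ----
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:                     # base-128, high bit set on all but last byte
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += bytes(chunk)
    return _der(0x06, bytes(out))


def _der_int(value):                        # extra byte keeps a set high bit positive
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_sample_cert(common_name, key_alg, key_bits, sig_alg, curve=None):
    """Certificate-shaped DER with the requested key and signature algorithms (constructed)."""
    cn = _der(0x30, _der(0x31, _der(0x30, _der_oid(OID_BY_NAME["commonName"])
                                  + _der(0x0C, common_name.encode()))))
    validity = _der(0x30, _der(0x17, b"230913000000Z") + _der(0x17, b"240822000000Z"))
    if key_alg == "rsaEncryption":
        alg = _der(0x30, _der_oid(OID_BY_NAME[key_alg]) + b"\x05\x00")
        modulus = (1 << (key_bits - 1)) | 1                     # exactly key_bits long; not a real key
        pub, sig_params = _der(0x30, _der_int(modulus) + _der_int(65537)), b"\x05\x00"
    else:
        alg = _der(0x30, _der_oid(OID_BY_NAME[key_alg]) + _der_oid(OID_BY_NAME[curve]))
        pub, sig_params = b"\x04" + b"\x11" * 96, b""           # uncompressed-point placeholder
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pub))
    sig_alg_id = _der(0x30, _der_oid(OID_BY_NAME[sig_alg]) + sig_params)
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(4242) + sig_alg_id + cn + validity + cn + spki)
    return _der(0x30, tbs + sig_alg_id + _der(0x03, b"\x00" + b"\xAB" * 48))


def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


# Constructed stand-ins for the three key classes named in the answer (shapes only, not AWS certs).
SAMPLE_BUNDLE = "".join(der_to_pem(build_sample_cert(*args)) for args in [
    ("sample rsa2048", "rsaEncryption", 2048, "sha256WithRSAEncryption"),
    ("sample rsa4096", "rsaEncryption", 4096, "sha384WithRSAEncryption"),
    ("sample ecc384", "ecPublicKey", 384, "ecdsa-with-SHA384", "secp384r1"),
])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for info in inspect_bundle(text):
        print(f'{info["common_name"]}: {info["key_algorithm"]} {info["key_bits"]} bits, '
              f'signed with {info["signature_algorithm"]}')
```

Run it as `python inspect_rds_ca.py global-bundle.pem` to list what each CA in the bundle uses, or feed it the chain your instance serves, captured with `openssl s_client -showcerts -starttls postgres -connect <endpoint>:5432`. The key algorithm and size tell you which of the three families a certificate belongs to; the signing algorithm is the secondary difference the answer mentions. If an old client library chokes on the rsa4096 or ecc384 chain, this is also the quickest way to confirm which algorithm it is rejecting.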
