Rotating database certificates when SSL enforcement is disabled

If the Data Lake for your environment or your Data Hub cluster is using an RDS where SSL enforcement is disabled, no action is required on your side. You can simply let the root certificate expire and be replaced by AWS upon expiry.

It is recommended to check the SSL enforcement setting on the Data Lake of your environment and, separately, on each Data Hub cluster.

A Data Lake or a Data Hub using an RDS that is shown as SSL Disabled is essentially immune to the validity of the RDS root certificate, because in such cases DB connections made from CDP cluster services do not validate the certificate chain presented by the RDS instance. The AWS RDS instance may therefore safely be left as is, letting its root certificate expire and be replaced automatically by AWS on the expiry date.

Alternatively, you can change the RDS root certificate manually using standard AWS tools such as the AWS RDS Console or the AWS CLI, as described in Updating your CA certificate by modifying your DB instance or cluster in the AWS documentation.

When manually rotating the root certificate, you have the option to choose from the following available RDS certificates based on your region:
  • rds-ca-rsa2048-g1, which is valid for 40 years
  • rds-ca-rsa4096-g1, which is valid for 100 years
  • rds-ca-ecc384-g1, which is valid for 100 years

CDP does not provide automation for the rotation of the RDS root certificate for databases where SSL enforcement is disabled.
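The manual rotation described above, carried out with the AWS CLI, as an added example that is not part of the CDP documentation or of any Cloudera tooling. It assumes AWS CLI v2 configured with permission to describe and modify the instance; the instance name is a placeholder, and the three CA identifiers are the ones listed above. Because SSL enforcement is disabled, no client trust store has to be updated alongside the instance, so the only moving part is the instance's own CA assignment.

```shell
#!/bin/sh
# Added example (not CDP's own code): inspect and manually rotate the RDS CA
# certificate with the AWS CLI. Assumes AWS CLI v2 is configured with rights to
# describe and modify the instance. Instance names below are placeholders.
set -eu

# CA identifiers the page lists as selectable for a manual rotation.
ALLOWED_CAS="rds-ca-rsa2048-g1 rds-ca-rsa4096-g1 rds-ca-ecc384-g1"

# Return 0 if the given identifier is one of the CA certificates listed above.
is_allowed_ca() {
  ca="$1"
  for c in $ALLOWED_CAS; do
    [ "$c" = "$ca" ] && return 0
  done
  return 1
}

# Build the modify-db-instance command without running it, so the exact
# invocation can be reviewed before any change is applied.
# --no-certificate-rotation-restart defers the reboot: the new CA is picked up
# at the next maintenance window or manual reboot instead of immediately.
build_rotate_cmd() {
  instance="$1"
  ca="$2"
  is_allowed_ca "$ca" || { echo "unsupported CA identifier: $ca" >&2; return 1; }
  printf 'aws rds modify-db-instance --db-instance-identifier %s --ca-certificate-identifier %s --no-certificate-rotation-restart' "$instance" "$ca"
}

# Show the CA currently attached to every instance in the region, then the
# expiry date of each CA the region offers, so instances on a CA that is close
# to expiry can be found before anything is modified.
show_current_cas() {
  aws rds describe-db-instances \
    --query 'DBInstances[].[DBInstanceIdentifier,CACertificateIdentifier]' \
    --output table
  aws rds describe-certificates \
    --query 'Certificates[].[CertificateIdentifier,ValidTill]' \
    --output table
}

# Apply the rotation for one instance. The AWS CLI is only invoked when APPLY=1
# is set in the environment; otherwise the command is printed for review.
rotate_ca() {
  cmd="$(build_rotate_cmd "$1" "$2")"
  if [ "${APPLY:-0}" = "1" ]; then
    eval "$cmd"
  else
    echo "dry run: $cmd"
  fi
}

# Usage (placeholder instance name; dry run unless APPLY=1 is exported):
#   show_current_cas
#   rotate_ca "cdp-datalake-db-placeholder" "rds-ca-rsa2048-g1"
```

Run `show_current_cas` first to confirm which CA each instance currently uses and when that CA expires; then rotate one instance at a time with `rotate_ca`, reviewing the printed command before re-running with `APPLY=1`. Dropping `--no-certificate-rotation-restart` makes RDS reboot the instance immediately, which is the behaviour to avoid on a live Data Lake.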