
Preparing for renewal of AWS RDS public certificate in 2020 (Postgres)

I have a question related to the expiration of the Amazon rds-ca-2015-root certificate for Postgres databases, which is scheduled to expire Mar 5 of 2020. I would like to prepare my Java client software components so they have minimal downtime when the server switches to the new 2020 certificate. The clients use a JKS truststore with the RDS certificate when authenticating the server with SSL. I'm assuming the 2020 certificate will be made available 30 days prior or so, i.e. Feb 5 of 2020.

This is what I think I should do, and I'm looking for some confirmation that this will indeed work as I expect:

  1. Sometime prior to the expiration, push a software update to the clients with a truststore file containing both the 2015 certificate and the 2020 certificate. The client should continue happily along authenticating against the 2015 certificate. The new cert has a different signature/fingerprint and will not match. It should be ignored.

  2. Just prior to the expiration, modify the RDS instance to use the 2020 certificate. This requires a server reboot. Clients will then match against the 2020 certificate, ignoring the 2015 certificate whose signature no longer matches. Downtime is limited only to the reboot of the server.

  3. Sometime later, push a new update to the clients with a truststore removing the 2015 certificate.

Is this the correct approach? Is there any reason to think that in #1 the Java clients will try and fail to authenticate against the 2020 certificate instead, because it matches the same Subject and Issuer? Or conversely, in #3, that they try and fail to authenticate against the 2015 certificate because of the identical fields?

I guess, to put the question another way: can a client (Java or otherwise) hold two public certificates for server authentication, where one is either expired or not yet valid, yet both refer to the same subject and issuer, and potentially even have the same public key if Amazon doesn't rotate their keys (although I would assume best practice says they will)?

Yes, you have it all correct. For reference, I came across Amazon RDS Customers: Update Your SSL Certificates, which confirms the process. The cert references are from 2015, but the process is still the same.

Regarding having two valid certs in the client store with the same subject, and how the client matches:

The verification is done by building a certification path, by chaining the Issuer DN (Distinguished Name) of the certificate to verify to the Subject DN of a CA certificate you trust.

See In SSL how a certificate is matched/found in truststore?

Since the CAs are different, the certs can coexist in the same truststore, and it will resolve to the correct cert.
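To see the path building described above at work, here is an added example (not code from this thread or from AWS): it mints two constructed self-signed roots that deliberately share one subject DN, the harder case the question raises, signs a server certificate with one of them, and checks which root anchors the chain when a trust store holds one or both. Go's standard-library verifier stands in for the Java trust manager; the CA name and the hostname db.example.internal are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint signs tmpl with parent (self-signed when parent is nil); errors are dropped only to keep the demo short.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newRoot is a constructed stand-in root CA; both roots share one subject DN on purpose and differ only in key and serial.
func newRoot(serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{SerialNumber: big.NewInt(serial),
		Subject: pkix.Name{CommonName: "Example RDS Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

// newServerCert issues the database host's leaf certificate, signed by root.
func newServerCert(root *x509.Certificate, rootKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mint(&x509.Certificate{SerialNumber: big.NewInt(1000),
		Subject: pkix.Name{CommonName: "db.example.internal"}, DNSNames: []string{"db.example.internal"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, root, rootKey)
}

// verifyWith treats roots as the client's truststore and returns the serial of
// the root that anchored the chain, or 0 when no trusted root signed the leaf.
func verifyWith(leaf *x509.Certificate, roots ...*x509.Certificate) int64 {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	if chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "db.example.internal"}); err == nil {
		return chains[0][len(chains[0])-1].SerialNumber.Int64()
	}
	return 0
}
```

Candidates are found by matching the leaf's Issuer DN to the subject of trusted roots, and a same-name root whose signature does not check out is simply skipped, so the old and new roots can sit side by side during the switch.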

Before upgrading the certificate authority in RDS to rds-ca-2019, you can upgrade the certificate on the client side without connection interruption.

If your RDS has rds-ca-2015, you should upgrade the client-side key with this: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem .

As per the AWS document https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html , the rds-combined-ca-bundle.pem file has both the intermediate and root certs.

Once your applications have the combined CA file, you should proceed to upgrade your RDS to the certificate authority rds-ca-2019.

This way you can upgrade the certificate authority in RDS to rds-ca-2019 without downtime.
