[Until March 5, 2020] Renew the RDS certificate for Java

prologue

Update your application to connect to your MySQL DB instance with a new SSL/TLS certificate (https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/ssl-certificate-rotation-mysql.html)

Update the RDS CA by March 5, 2020. There is no problem if you follow the procedure, but ~~I wrote this article because there were a few pitfalls~~ I got stuck badly enough that I wrote an article.

Premise

- Java
- Tomcat
- MySQL
- The certificate is in JKS format
- The client certificate is updated first and the MySQL server certificate later (if both are updated at the same time, the certificate to download is different)

procedure

1. Obtain the certificates

Since the client is updated first, ~~download the bundled version~~ **download the 2015 and 2019 certificates individually** (the server still presents a certificate from the 2015 chain until it is switched over, so both chains have to be trusted during the transition).

Put them in the same place as the current certificate:

$ cd /etc/pki/java
$ wget https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
$ wget https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem
$ wget https://s3.amazonaws.com/rds-downloads/rds-ca-2019-ap-northeast-1.pem
$ wget https://s3.amazonaws.com/rds-downloads/rds-ca-2015-ap-northeast-1.pem

--2020-01-22 21:19:38--  https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
Resolving s3.amazonaws.com (s3.amazonaws.com)... 52.216.139.61
Connecting to s3.amazonaws.com (s3.amazonaws.com)|52.216.139.61|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1456 (1.4K) [binary/octet-stream]
Saving to: 'rds-ca-2019-root.pem'

100%[==========================================================================================================================================>] 1,456       --.-K/s   in 0s

2020-01-22 21:19:40 (12.8 MB/s) - 'rds-ca-2019-root.pem' saved [1456/1456]

[root@letsnote java]#  wget https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem
--2020-01-22 21:19:40--  https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem
Resolving s3.amazonaws.com (s3.amazonaws.com)... 52.216.139.61
Connecting to s3.amazonaws.com (s3.amazonaws.com)|52.216.139.61|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1432 (1.4K) [binary/octet-stream]
Saving to: 'rds-ca-2015-root.pem'

100%[==========================================================================================================================================>] 1,432       --.-K/s   in 0s

2020-01-22 21:19:41 (13.0 MB/s) - 'rds-ca-2015-root.pem' saved [1432/1432]

[root@letsnote java]#  wget https://s3.amazonaws.com/rds-downloads/rds-ca-2019-ap-northeast-1.pem
--2020-01-22 21:19:41--  https://s3.amazonaws.com/rds-downloads/rds-ca-2019-ap-northeast-1.pem
Resolving s3.amazonaws.com (s3.amazonaws.com)... 52.216.139.61
Connecting to s3.amazonaws.com (s3.amazonaws.com)|52.216.139.61|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1464 (1.4K) [binary/octet-stream]
Saving to: 'rds-ca-2019-ap-northeast-1.pem'

100%[==========================================================================================================================================>] 1,464       --.-K/s   in 0s

2020-01-22 21:19:42 (13.3 MB/s) - 'rds-ca-2019-ap-northeast-1.pem' saved [1464/1464]

[root@letsnote java]#  wget https://s3.amazonaws.com/rds-downloads/rds-ca-2015-ap-northeast-1.pem
--2020-01-22 21:19:42--  https://s3.amazonaws.com/rds-downloads/rds-ca-2015-ap-northeast-1.pem
Resolving s3.amazonaws.com (s3.amazonaws.com)... 52.216.139.61
Connecting to s3.amazonaws.com (s3.amazonaws.com)|52.216.139.61|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1448 (1.4K) [binary/octet-stream]
Saving to: 'rds-ca-2015-ap-northeast-1.pem'

100%[==========================================================================================================================================>] 1,448       --.-K/s   in 0s

2020-01-22 21:19:43 (10.0 MB/s) - 'rds-ca-2015-ap-northeast-1.pem' saved [1448/1448]

If you update the client and server at the same time, download only the 2019 certificate from "Using SSL/TLS to encrypt a connection to a DB instance" (https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html). For the Tokyo region that is rds-ca-2019-ap-northeast-1.pem.

2. Convert the certificates

Convert the PEM files into a JKS truststore. The route taken here has two steps, PEM -> DER and then DER -> JKS (keytool -importcert also reads PEM directly, so the DER step is optional). **When creating the JKS, use a file name different from the current truststore** so the old one stays available for rollback. The keystore password can be the same as the current one: it only protects the integrity of a store that holds public CA certificates and has nothing to do with the DB password. Keep -deststoretype jks: on Java 9 and later keytool defaults to PKCS12, while the JDBC URL below declares trustCertificateKeyStoreType=JKS.

$ cd /etc/pki/java
$ openssl x509 -outform der -in ./rds-ca-2019-root.pem -out ./rds-ca-2019-root.der
$ openssl x509 -outform der -in ./rds-ca-2015-root.pem -out ./rds-ca-2015-root.der
$ openssl x509 -outform der -in ./rds-ca-2019-ap-northeast-1.pem -out ./rds-ca-2019-ap-northeast-1.der
$ openssl x509 -outform der -in ./rds-ca-2015-ap-northeast-1.pem -out ./rds-ca-2015-ap-northeast-1.der
$ ll

lrwxrwxrwx. 1 root root   40 Jun  9  2019 cacerts -> /etc/pki/ca-trust/extracted/java/cacerts
-rw-r--r--  1 root root 1029 Jan 22 21:23 rds-ca-2015-ap-northeast-1.der
-rw-r--r--  1 root root 1448 Mar  7  2015 rds-ca-2015-ap-northeast-1.pem
-rw-r--r--  1 root root 1016 Jan 22 21:23 rds-ca-2015-root.der
-rw-r--r--  1 root root 1432 Mar  7  2015 rds-ca-2015-root.pem
-rw-r--r--  1 root root 1040 Jan 22 21:23 rds-ca-2019-ap-northeast-1.der
-rw-r--r--  1 root root 1464 Sep 19 02:07 rds-ca-2019-ap-northeast-1.pem
-rw-r--r--  1 root root 1034 Jan 22 21:23 rds-ca-2019-root.der
-rw-r--r--  1 root root 1456 Sep  5 02:53 rds-ca-2019-root.pem
[root@letsnote java]#

$ keytool -import -file ./rds-ca-2019-root.der -destkeystore ./rds-combined-ca-bundle-2019.jks -deststoretype jks -alias rds_root

Enter keystore password:
Keystore password is too short - must be at least 6 characters
Enter keystore password:
Re-enter new password:
Owner: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Issuer: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Serial number: c73467369250ae75
Valid from: Fri Aug 23 02:08:50 JST 2019 until: Fri Aug 23 02:08:50 JST 2024
Certificate fingerprints:
         MD5:  66:EC:63:BB:25:C4:A5:34:82:C6:C0:18:2E:88:9F:0D
         SHA1: D4:0D:DB:29:E3:75:0D:FF:A6:71:C3:14:0B:BF:5F:47:8D:1C:80:96
         SHA256: F2:54:C7:D5:E9:23:B5:B7:51:0C:D7:9E:F7:77:7C:1C:A7:E6:4A:3C:97:22:E4:0D:64:54:78:FC:70:AA:D0:08
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 73 5F 60 D8 BC CB 03 98   F4 2B 17 34 2E 36 5A A6  s_`......+.4.6Z.
0010: 60 FF BC 1F                                        `...
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 73 5F 60 D8 BC CB 03 98   F4 2B 17 34 2E 36 5A A6  s_`......+.4.6Z.
0010: 60 FF BC 1F                                        `...
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

$ keytool -import -file ./rds-ca-2015-root.der -destkeystore ./rds-combined-ca-bundle-2019.jks -deststoretype jks -alias rds_root_2015
$ keytool -import -file ./rds-ca-2019-ap-northeast-1.der -destkeystore ./rds-combined-ca-bundle-2019.jks -deststoretype jks -alias rds_ap-northeast-1
$ keytool -import -file ./rds-ca-2015-ap-northeast-1.der -destkeystore ./rds-combined-ca-bundle-2019.jks -deststoretype jks -alias rds_ap-northeast-1_2015

$ ll

-rw-r--r--  1 root root 1029 Jan 22 21:23 rds-ca-2015-ap-northeast-1.der
-rw-r--r--  1 root root 1448 Mar  7  2015 rds-ca-2015-ap-northeast-1.pem
-rw-r--r--  1 root root 1016 Jan 22 21:23 rds-ca-2015-root.der
-rw-r--r--  1 root root 1432 Mar  7  2015 rds-ca-2015-root.pem
-rw-r--r--  1 root root 1040 Jan 22 21:23 rds-ca-2019-ap-northeast-1.der
-rw-r--r--  1 root root 1464 Sep 19 02:07 rds-ca-2019-ap-northeast-1.pem
-rw-r--r--  1 root root 1034 Jan 22 21:23 rds-ca-2019-root.der
-rw-r--r--  1 root root 1456 Sep  5 02:53 rds-ca-2019-root.pem
-rw-r--r--  1 root root 4313 Jan 22 21:26 rds-combined-ca-bundle-2019.jks

$ keytool -v -list -keystore  ./rds-combined-ca-bundle-2019.jks

Enter keystore password:
Keystore type: jks
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: rds_root_2015
Creation date: 2020/01/22
Entry type: trustedCertEntry

Owner: CN=Amazon RDS Root CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Issuer: CN=Amazon RDS Root CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Serial number: 42
Valid from: Thu Feb 05 18:11:31 JST 2015 until: Thu Mar 05 18:11:31 JST 2020
Certificate fingerprints:
         MD5:  CF:C1:A2:0D:A1:C1:B1:3C:12:0B:C1:5A:E5:33:73:EF
         SHA1: E8:11:88:56:E7:A7:CE:3E:5E:DC:9A:31:25:1B:93:AC:DC:43:CE:B0
         SHA256: AF:EB:B8:40:BE:0C:1A:F6:5E:63:E0:CB:D7:9C:CE:35:65:4B:F6:0F:4E:07:62:54:BB:A9:35:E9:63:6D:53:F7
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4E 02 EE AC 3E F6 15 C8   4C ED 2C F5 05 C1 8F 9C  N...>...L.,.....
0010: 84 08 49 83                                        ..I.
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4E 02 EE AC 3E F6 15 C8   4C ED 2C F5 05 C1 8F 9C  N...>...L.,.....
0010: 84 08 49 83                                        ..I.
]
]



*******************************************
*******************************************


Alias name: rds_ap-northeast-1
Creation date: 2020/01/22
Entry type: trustedCertEntry

Owner: CN=Amazon RDS ap-northeast-1 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Issuer: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Serial number: 7045
Valid from: Thu Sep 19 01:56:20 JST 2019 until: Fri Aug 23 02:08:50 JST 2024
Certificate fingerprints:
         MD5:  E1:E7:BE:95:BC:D4:C1:F8:BE:8C:44:EE:A1:34:48:0C
         SHA1: 47:A3:F9:20:64:5C:9F:9D:48:8C:7D:E6:0B:86:D6:05:13:00:16:A1
         SHA256: 90:91:AF:2D:FA:F4:ED:88:2A:4A:B3:3B:9B:4E:DD:2A:8C:BA:41:0A:AB:22:04:17:EF:3D:57:61:85:C2:20:ED
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 73 5F 60 D8 BC CB 03 98   F4 2B 17 34 2E 36 5A A6  s_`......+.4.6Z.
0010: 60 FF BC 1F                                        `...
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 2E 6A 0E 4B 59 85 4A 38   FE B2 75 0F C7 80 E0 4B  .j.KY.J8..u....K
0010: 74 A4 2C 56                                        t.,V
]
]



*******************************************
*******************************************


Alias name: rds_ap-northeast-1_2015
Creation date: 2020/01/22
Entry type: trustedCertEntry

Owner: CN=Amazon RDS ap-northeast-1 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Issuer: CN=Amazon RDS Root CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", L=Seattle, ST=Washington, C=US
Serial number: 44
Valid from: Fri Feb 06 07:03:06 JST 2015 until: Fri Mar 06 07:03:06 JST 2020
Certificate fingerprints:
         MD5:  D0:F8:8E:C5:33:AF:FC:6B:76:92:0F:78:C4:BE:4A:CE
         SHA1: 4B:2D:8A:E0:C1:A3:A9:AF:A7:BB:65:0C:5A:16:8A:39:3C:03:F2:C5
         SHA256: DC:11:19:D5:45:F2:2A:CF:13:B6:6E:29:D9:3F:E8:AC:75:F6:9E:EC:CB:D3:AE:F3:CB:22:EC:A4:FD:77:17:F8
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 4E 02 EE AC 3E F6 15 C8   4C ED 2C F5 05 C1 8F 9C  N...>...L.,.....
0010: 84 08 49 83                                        ..I.
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 88 8A 33 44 3A 9F 52 B8   12 62 F1 B3 76 57 C4 83  ..3D:.R..b..vW..
0010: 5B C0 4C 11                                        [.L.
]
]



*******************************************
*******************************************


Alias name: rds_root
Creation date: 2020/01/22
Entry type: trustedCertEntry

Owner: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Issuer: CN=Amazon RDS Root 2019 CA, OU=Amazon RDS, O="Amazon Web Services, Inc.", ST=Washington, L=Seattle, C=US
Serial number: c73467369250ae75
Valid from: Fri Aug 23 02:08:50 JST 2019 until: Fri Aug 23 02:08:50 JST 2024
Certificate fingerprints:
         MD5:  66:EC:63:BB:25:C4:A5:34:82:C6:C0:18:2E:88:9F:0D
         SHA1: D4:0D:DB:29:E3:75:0D:FF:A6:71:C3:14:0B:BF:5F:47:8D:1C:80:96
         SHA256: F2:54:C7:D5:E9:23:B5:B7:51:0C:D7:9E:F7:77:7C:1C:A7:E6:4A:3C:97:22:E4:0D:64:54:78:FC:70:AA:D0:08
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 73 5F 60 D8 BC CB 03 98   F4 2B 17 34 2E 36 5A A6  s_`......+.4.6Z.
0010: 60 FF BC 1F                                        `...
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 73 5F 60 D8 BC CB 03 98   F4 2B 17 34 2E 36 5A A6  s_`......+.4.6Z.
0010: 60 FF BC 1F                                        `...
]
]



*******************************************
*******************************************

keytool -v -list -keystore ./rds-combined-ca-bundle-2019.jks lists the entries; confirm that there are four, check the validity start and end dates of each (the 2015 pair expires in March 2020, the 2019 pair in August 2024), and confirm that the Issuer of the ap-northeast-1 2019 CA is the Amazon RDS Root 2019 CA, i.e. the regional intermediate chains to the root you imported.
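The procedure above imports four individually downloaded certificates. The script below is an added example, not code from the original article, for the case the epilogue warns about: a combined PEM bundle such as rds-combined-ca-bundle.pem, of which keytool -importcert silently imports only the first certificate. It splits the bundle into one file per certificate, derives a keystore alias from each certificate's CN, and imports every certificate into a new JKS under its own alias, then counts the trusted entries. The function names, the RDS_TRUSTSTORE_PASS environment variable and the paths in the usage line are my assumptions; the keytool and openssl steps only run when those tools are installed, the splitting and alias logic needs only sh, awk and sed.

```shell
#!/bin/sh
# Added example (not from the original article): split a multi-certificate PEM
# bundle and import every certificate into a fresh JKS truststore, each under
# its own alias. Assumes POSIX sh with awk and sed; keytool/openssl are only
# invoked when present.

# Write each BEGIN/END CERTIFICATE block of $1 into $2/cert-NN.pem and print the
# number of files written. keytool -importcert reads only the first block of a
# file, which is why a bundle has to be split before it is imported.
split_pem_bundle() {
  bundle="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inblock = 1 }
    inblock                       { print > out }
    /-----END CERTIFICATE-----/   { inblock = 0; close(out) }
  ' "$bundle"
  count=0
  for f in "$outdir"/cert-*.pem; do
    [ -e "$f" ] && count=$((count + 1))
  done
  printf '%s\n' "$count"
}

# Turn an "openssl x509 -noout -subject" line into a keystore alias: the CN,
# lower-cased, spaces replaced by underscores. Handles the OpenSSL 1.1+ form
# "subject=CN = X, OU = Y, ..." and the 1.0 form "subject= /C=US/.../CN=X".
alias_from_subject() {
  printf '%s\n' "$1" \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' \
    | sed 's/ *$//' \
    | tr 'A-Z ' 'a-z_'
}

# Import every split certificate into a NEW keystore ($2) so the old store stays
# usable for rollback. The store password (RDS_TRUSTSTORE_PASS) only protects the
# integrity of public CA certificates; it is unrelated to the DB password.
# Prints the number of trustedCertEntry entries afterwards, which must match the
# number of split files.
import_into_jks() {
  dir="$1"; ks="$2"; pass="${RDS_TRUSTSTORE_PASS:?set RDS_TRUSTSTORE_PASS}"
  for pem in "$dir"/cert-*.pem; do
    subject=$(openssl x509 -noout -subject -in "$pem")
    alias=$(alias_from_subject "$subject")
    # -noprompt answers the "Trust this certificate?" question; we are importing
    # CA certificates fetched over HTTPS from the AWS download bucket on purpose.
    keytool -importcert -noprompt -file "$pem" -alias "$alias" \
      -keystore "$ks" -storetype jks -storepass "$pass"
  done
  keytool -list -keystore "$ks" -storepass "$pass" | grep -c trustedCertEntry
}

# Usage (assumed paths):
#   RDS_TRUSTSTORE_PASS=... sh split-and-import.sh rds-combined-ca-bundle.pem \
#       /etc/pki/java/rds-combined-ca-bundle-2019.jks
if [ "$#" -eq 2 ]; then
  workdir=$(mktemp -d)
  n=$(split_pem_bundle "$1" "$workdir")
  echo "split $1 into $n certificate(s) under $workdir"
  if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    echo "trusted entries in $2: $(import_into_jks "$workdir" "$2")"
  else
    echo "keytool or openssl not found; import the files in $workdir by hand" >&2
  fi
fi
```

After the import, keytool -v -list on the new store should show one trustedCertEntry per certificate in the bundle, with the same Owner, Issuer and fingerprint lines as in the transcript above; if it shows a single entry, the bundle was imported without being split.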

3. Update context.xml

Stop Tomcat before editing: Tomcat picks up a changed context.xml immediately.

In the url, change trustCertificateKeyStoreUrl=file:///etc/pki/java/rds-combined-ca-bundle.jks to the JKS file created above (rds-combined-ca-bundle-2019.jks). Leave useSSL=true, requireSSL=true and verifyServerCertificate=true in place: with verifyServerCertificate=false the driver accepts any server certificate and the truststore is never consulted.

context.xml


<Resource name="jdbc/honyaDB" auth="Container"
    type="javax.sql.DataSource"
    username="honya"
    password="honyapasswd"
    driverClassName="com.mysql.jdbc.Driver"
    url="jdbc:mysql://honya.ap-northeast-1.rds.amazonaws.com:3306/honyaDB?useUnicode=true&amp;characterEncoding=UTF-8&amp;useSSL=true&amp;requireSSL=true&amp;verifyServerCertificate=true&amp;trustCertificateKeyStoreUrl=file:///etc/pki/java/rds-combined-ca-bundle-2019.jks&amp;trustCertificateKeyStoreType=JKS&amp;trustCertificateKeyStorePassword=password"
/>
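A pre-restart check for the context.xml above, added here as an example of mine rather than anything from the original article: it extracts the url attribute, decodes the &amp; entities, and refuses the configuration unless useSSL, requireSSL and verifyServerCertificate are all true and trustCertificateKeyStoreUrl points at a readable keystore. Without verifyServerCertificate=true Connector/J accepts any server certificate, so the truststore rotated in step 2 would never be consulted and a certificate-swap on the path to RDS would go unnoticed. The function names are my assumptions; the two optional checks at the end need keytool with the store password, and an OpenSSL build that supports -starttls mysql plus network access to the endpoint, so they are not run by default.

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the JDBC URL in a
# Tomcat context.xml before restarting Tomcat with a new RDS truststore.

# Print the url="..." attribute of the first <Resource> in $1 with XML entities
# decoded (&amp; -> &), so it can be inspected as the driver will see it.
jdbc_url_from_context() {
  sed -n 's/.*url="\([^"]*\)".*/\1/p' "$1" | head -n 1 | sed 's/&amp;/\&/g'
}

# Return 0 when the URL carries every setting that makes server-certificate
# validation effective, 1 otherwise, naming each problem on stderr.
check_jdbc_url() {
  url="$1"; rc=0
  for want in useSSL=true requireSSL=true verifyServerCertificate=true; do
    case "$url" in
      *"?$want"*|*"&$want"*) ;;   # anchored on ? or & so a look-alike key cannot satisfy it
      *) echo "missing or not true: $want" >&2; rc=1 ;;
    esac
  done
  ks=$(printf '%s\n' "$url" | sed -n 's/.*trustCertificateKeyStoreUrl=file:\/\/\([^&]*\).*/\1/p')
  if [ -z "$ks" ]; then
    echo "trustCertificateKeyStoreUrl is not set" >&2; rc=1
  elif [ ! -r "$ks" ]; then
    echo "truststore $ks does not exist or is unreadable" >&2; rc=1
  fi
  return "$rc"
}

# Optional: confirm the 2019 root is actually in the truststore (needs keytool
# and the store password in RDS_TRUSTSTORE_PASS).
truststore_has_2019_root() {
  keytool -list -v -keystore "$1" -storepass "${RDS_TRUSTSTORE_PASS:?}" 2>/dev/null \
    | grep -q 'CN=Amazon RDS Root 2019 CA'
}

# Optional live check: have OpenSSL validate the endpoint's certificate chain
# against the downloaded 2019 root ($2). Needs network access and an OpenSSL
# build with -starttls mysql.
live_check() {
  openssl s_client -starttls mysql -connect "$1:3306" -CAfile "$2" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Usage (assumed path): sh check-context.sh /path/to/context.xml
if [ "$#" -ge 1 ]; then
  url=$(jdbc_url_from_context "$1")
  if check_jdbc_url "$url"; then
    echo "OK: $url"
  else
    echo "refusing to deploy: fix the JDBC URL first" >&2
    exit 1
  fi
fi
```

Run it against the edited context.xml before starting Tomcat; a URL that still names the old rds-combined-ca-bundle.jks passes this check as long as that file exists, so the keystore check in step 2 (four entries, 2019 root present) is the one that catches a forgotten rename.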

epilogue

The change was picked up the moment I saved context.xml, which gave me a scare :scream: (since it was a test environment, it did not matter).

If the new certificate file had the same name, context.xml would not need to change, but managing old and new under the same file name causes trouble, so I decided to change the file name.

I tried it with only the 2019 certificate (rds-ca-2019-ap-northeast-1.pem) and it did not work :sweat_smile:

  1. In the certificate conversion step, do not use the bundled certificate file. **Only the first certificate in the bundle gets imported.**

The server side is just a few clicks in the AWS console, so refer to "Renewing SSL/TLS Certificate".

reference

Update your application to connect to your MariaDB DB instance with a new SSL/TLS certificate (https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/ssl-certificate-rotation-mariadb.html)

Encrypting the connection to your DB instance using SSL/TLS (https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html)

Renewing SSL/TLS Certificate
