
Amazon Redshift Clients to require adding Amazon certificate authority (CA) - eyepulp
Just received this, and wondering how to interpret the ask from Amazon, and why there&#x27;s only a month of lead time:<p>Hello,<p>You are receiving this email because you are an Amazon Redshift customer. Your action is required by October 23rd, 2017 to ensure continued connectivity to your Redshift cluster.<p>Beginning on this date, clients connecting to Amazon Redshift clusters will need an additional trusted certificate authority (CA). Clients use trusted certificate authorities to confirm the identity of the Redshift cluster when they connect to it. Your action is required to update your SQL clients and applications to use an updated certificate bundle that includes the new trusted CA.<p>* How do I update clients and applications to use an updated certificate bundle?<p>Go to the Transitioning to ACM Certificates for SSL Connections documentation page at https:&#x2F;&#x2F;docs.aws.amazon.com&#x2F;redshift&#x2F;latest&#x2F;mgmt&#x2F;connecting-transitioning-to-acm-certs.html to download a new trusted certificate bundle, and then follow the steps on that page to configure your SQL clients to use the new bundle. The steps are specific to your application or SQL client configuration. The certificate bundle contains both old and new certificate authorities, so you can upgrade your application safely and maintain connectivity during the transition period.<p>To maintain connectivity, you&#x27;ll need to install the new certificate bundle before October 23rd, 2017 at 17:00:00 UTC. After you&#x27;ve configured your clients to use the new bundle, you&#x27;re done.<p>* What if I have questions or issues?<p>If you have questions or issues, please contact AWS Support at https:&#x2F;&#x2F;aws.amazon.com&#x2F;support or your Technical Account Manager (TAM).<p>Sincerely, 
Amazon Web Services
======
arcdigital
If you read the transition page linked in the email pasted above, you will
learn that this won't affect most people.

You only need to update your trust store in a very narrow set of cases. All of
the below need to be true AND you need to be running a system that doesn't
already trust the AWS root CA - most systems already do. If the AWS website
doesn't show an SSL error, you already trust the certs.

1) If you're actually forcing SSL verification in your client

2) If you're not using the GovCloud or China regions

3) You are using Redshift drivers prior to ODBC version 1.3.7.1000 or JDBC
version 1.2.8.1005, or not using the Redshift drivers.

------
QuinnyPig
Seems straightforward to me. They’re going to sign Redshift certs themselves
via ACM rather than paying a third party vendor to do it for them. This is a
heads up so your app doesn’t break when they do.

What else would you like to know?

