Importing AWS RDS PEM Certificate to Java Keystore using KeyStore Explorer

Download the AWS RDS Certificate Bundle
https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem

Install KeyStore Explorer

After installing you will need to run KeyStore Explorer as root or run as administrator on Windows.

$ sudo /Applications/KeyStore\ Explorer.app/Contents/MacOS/KeyStore\ Explorer

Click Open an existing KeyStore

Choose the keystore you wish to use and enter the password for it. If you are unsure of a password try the word changeit. On macOS the path to the default keystore is under your Java's home directory similar to the path below.

/Library/Java/JavaVirtualMachines/jdk1.8.0_161.jdk/Contents/Home/jre/lib/security/cacerts

Click the Examine menu at the top and click Examine File

Browse to and select the rds-combined-ca-bundle.pem downloaded from AWS in the first step.

Select the Amazon RDS Root CA certificate and click Import

Enter your own or select the default alias and click OK

Click OK on the success import message

Repeat the import steps to import each of the certificates for any of the other AWS regions you want to be able to connect to with SSL.

These are the AWS US regions with a certificate:

  • Amazon RDS us-east-1 CA
  • Amazon RDS us-east-2 CA
  • Amazon RDS us-west-1 CA
  • Amazon RDS us-west-2 CA

Click OK on the Certificate details for File window.

Finally, be sure to click Save on the cacerts KeyStore to retain the imported certificates.

Now you should be able to securely connect to an AWS RDS MySQL instance with a JDBC connection string similar to the following.

jdbc:mysql://${DBHOST}:3306/${DBNAME}?verifyServerCertificate=true&useSSL=true&requireSSL=true