I found https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem in a legacy repository and came to the conclusion this contains RDS certificates as described here for Lightsail. On the contrary, the RDS documentation proclaims to use https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem. What is the difference of the two URLs? Is the first just the "older", "legacy" version?
I have been recently faced with the same issue, and although I did not find an official answer from AWS in the documentation, I think the right one nowadays is the one hosted in truststore.pki.rds.amazonaws.com:
openssl crl2pkcs7 -nocrl -certfile global-bundle.pem | openssl pkcs7 -print_certs -text -noout | less
openssl crl2pkcs7 -nocrl -certfile rds-combined-ca-bundle.pem | openssl pkcs7 -print_certs -text -noout | less
rds-combined-ca-bundle.pem contains a subset (~30) of the certificates included in global-bundle.pem (~100). More regions are included in the latter, and multiple CA variants for RSA vs elliptic curve.

Long story short, I think you are right and the one on s3.amazonaws.com is a legacy file just kept not to break existing flows, probably done at the time of the 2015 to 2019 CA migration.
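To make the subset claim above checkable instead of eyeballing `openssl -text` output, here is an added example (not from the original answer or from AWS) that fingerprints every certificate in two PEM bundles, reports which fingerprints the newer bundle lacks, and tallies RSA vs EC keys. The key-type detection is a heuristic that searches the DER for the rsaEncryption / ecPublicKey OID encodings; the embedded bundles are constructed dummy blobs with made-up labels, not real CA certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# DER-encoded OIDs as they appear in a certificate's SubjectPublicKeyInfo (heuristic match).
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
EC_OID = bytes.fromhex("06072a8648ce3d0201")       # 1.2.840.10045.2.1 ecPublicKey


def parse_bundle(pem_text):
    """Return {sha256_fingerprint: key_type} for every certificate block in a PEM bundle."""
    certs = {}
    for match in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fingerprint = hashlib.sha256(der).hexdigest()
        key_type = "RSA" if RSA_OID in der else "EC" if EC_OID in der else "unknown"
        certs[fingerprint] = key_type
    return certs


def compare_bundles(legacy_pem, current_pem):
    """Is every cert of the legacy bundle still present in the current one, and what was added?"""
    legacy, current = parse_bundle(legacy_pem), parse_bundle(current_pem)
    return {
        "legacy_count": len(legacy),
        "current_count": len(current),
        "is_subset": set(legacy) <= set(current),
        "missing_from_current": sorted(set(legacy) - set(current)),
        "only_in_current": sorted(set(current) - set(legacy)),
        "current_key_types": {k: sum(1 for v in current.values() if v == k) for k in ("RSA", "EC")},
    }


def _fake_cert(label, oid):
    # Constructed stand-in: a base64 blob that merely contains the OID bytes, not a real certificate.
    body = base64.b64encode(b"\x30\x82" + oid + label).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample bundles: the "legacy" one holds two RSA certs, the "current" one those two plus two more.
LEGACY_BUNDLE = _fake_cert(b"legacy-region-a", RSA_OID) + _fake_cert(b"legacy-region-b", RSA_OID)
CURRENT_BUNDLE = LEGACY_BUNDLE + _fake_cert(b"new-rsa-ca", RSA_OID) + _fake_cert(b"new-ecc-ca", EC_OID)

if __name__ == "__main__":
    # Against the real files: compare_bundles(open("rds-combined-ca-bundle.pem").read(), open("global-bundle.pem").read())
    print(compare_bundles(LEGACY_BUNDLE, CURRENT_BUNDLE))
```

A non-empty `missing_from_current` list is the case to watch: a client pinned to the legacy bundle would still trust a CA that the current bundle no longer ships.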