Java: Import AWS RDS certificate

To establish secure connection between Java application and AWS MySQL RDS instance the ssl/tls certificate needs to be imported in to JVM.

Step #1: Find Java home

Using the following commands you can find the Java home directory

whereis java
ls -l /etc/alternatives/java

Step #2: backup existing cacerts file for future reference

cp $JAVA_HOME/jre/lib/security/cacerrts $JAVA_HOME/jre/lib/security/cacerrts.original

Here are the steps to import RDS certificate into JVM

wget https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem
openssl x509 -outform der -in rds-ca-2019-root.pem -out rds-ca-2019-root.der
keytool -import -alias rds-root -keystore $JAVA_HOME/jre/lib/security/cacerrts -file rds-ca-2019-root.der
wget https://s3.amazonaws.com/rds-downloads/rds-ca-2019-us-west-2.pem
openssl x509 -outform der -in rds-ca-2019-us-west-2.pem -out rds-ca-2019-us-west-2.der
keytool -import -alias rds-intermediate -keystore $JAVA_HOME/jre/lib/security/cacerts -file rds-ca-2019-us-west-2.der

Step #3: Update JDBC url in your Java application

Here is the sample JDBC url with SSL enabled

jdbc:mysql://aws.rds.com/dname?useUnicode=true&characterEncoding=UTF8&verifyServerCertificate=true&useSSL=true&requireSSL=true