Yeah, I ended up deleting the certificate. I ended up using the same
request (since there's no place on the request to specify additional
key usage, such as ServerAuth, which it turns out the RDS services
need). So I just changed my cert issuing to include these other
features, re-imported the cert, and then was able to use it in RDS
deployment. (Before I added the key extensions, RDS rejected the
certificate, because - while a valid certificate for a web server - RDS
wants a cert with extra options. Specifically:
    X509v3 extensions:
        X509v3 Key Usage:
            Digital Signature, Key Encipherment, Data Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
I needed to add those extensions to the cert for the RDS -
Publishing deployment to accept and use it.)
On Fri, Oct 25, 2013 at 2:08 PM, Ben Scott <[email protected]> wrote:
> On Fri, Oct 25, 2013 at 11:42 AM, Michael Leone <[email protected]> wrote:
>> But what do I do about the fact that I have already imported a
>> certificate?
>
> Just a guess, but my guess would be, you repeat the request/issue
> process with an entirely new keypair and certificate. The RDS
> subsystem will be happy when you feed it that certificate. The fact
> that you have an extra (useless) certificate sitting around shouldn't
> hurt anything.
>
> The extra cert may cause human confusion, so you may want to delete
> it from the RDS server. And it could be considered a security
> exposure, so you could revoke it. But neither of these should be
> necessary.
>
> -- Ben
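As an added illustration (not part of the thread), the POSIX shell script below uses openssl to issue two self-signed test certificates, one with only the usual web-server extensions and one with the key usage and extended key usage values listed above, and then checks which of them carries everything RDS expects. The CN and scratch paths are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: issue two self-signed test certs with
# openssl and check which one carries the extensions RDS expects.
set -eu

WORK=$(mktemp -d)                      # scratch dir for keys, certs, config

# Issue a 1-day self-signed cert (test-only) with the given keyUsage and
# extendedKeyUsage values, and print the path of the PEM file.
make_cert() {                          # $1 = name, $2 = keyUsage, $3 = extendedKeyUsage
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
    'x509_extensions = ext' '[dn]' 'CN = rds.example.test' '[ext]' \
    "keyUsage = $2" "extendedKeyUsage = $3" > "$WORK/$1.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  echo "$WORK/$1.pem"
}

# Return 0 when the cert at $1 lists every key usage and EKU named in the
# thread; otherwise print the first missing one and return 1.
rds_ready() {
  text=$(openssl x509 -in "$1" -noout -text)
  for want in 'Digital Signature' 'Key Encipherment' 'Data Encipherment' \
              'TLS Web Server Authentication' 'TLS Web Client Authentication'; do
    case "$text" in
      *"$want"*) ;;
      *) echo "$1: missing $want"; return 1 ;;
    esac
  done
  return 0
}

# A plain web-server cert: the "before" state described in the thread.
WEB_CERT=$(make_cert web 'digitalSignature, keyEncipherment' 'serverAuth')
# The re-issued cert with the extra key usage and EKU values RDS wants.
RDS_CERT=$(make_cert rds 'digitalSignature, keyEncipherment, dataEncipherment' \
                         'serverAuth, clientAuth')

for cert in "$WEB_CERT" "$RDS_CERT"; do
  if rds_ready "$cert"; then echo "$cert: OK for RDS"; fi
done
```

The same rds_ready check can be pointed at an already issued PEM file before importing it, which catches the missing extensions earlier than the RDS deployment wizard does.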