Is it unusual for a database client to install the server's SSL certificate?

Question

We use Amazon RDS for our databases at work. Recently we got an automated email from Amazon stating they'd be updating the SSL certificates and that if we didn't upgrade our database instances within X amount of time, they would cease to function. Thankfully, they provide instructions explaining how to do this in the AWS documentation.

The instructions are pretty straight-forward, although I have to admit I'm a little confused. Step 1 and Step 2 describe how to download the SSL certificate and install it in client applications. Isn't it pretty unusual for a client application to need to install the server's SSL certificate in order to connect to it? I might be totally off-base here, but the analogy I was thinking of was that web browsers similarly don't need to be provided with a PKCS7 certificate file before accessing websites, right? They just access them.

Likewise, I don't ever remember having to install a certificate file in MySQL WorkBench, for example, before connecting to a database instance. So I'm thinking that step 1 and step 2 of that linked document (above) are probably unnecessary in my situation, and perhaps in most people's situations.

But then, like I said, I could be totally off base here. Can anyone enlighten me on when and why you would ever need to install an SSL cert in a client application accessing a database?

Answer 1

They are using a private PKI, thus essentially self-signed certs, this makes sense. It's kind of a bad practice, but the documentation is all there, hopefully you have some out-of-band way to confirm the certs before downloading them. The risk is that an attacker could change the KB webpage and the certs, and own your connection; you'd never know until it hit the papers.

/Edit - go ahead and download the certs and look at the trust chain. Unless you've already done it yourself, you don't trust the Amazon root CA.

I've more often been on the other side of that - wanting to make a secure connection with a cloud service without having to pay for a real cert on my side. I would export my self-signed cert, and import it into the cloud service, so they know they're connecting to who I told them I am. Half a loaf is better than none in that case.