Hey there! I totally get how frustrating it is when you’re trying to grab the right CA cert for RDS and keep ending up with the expired rds-ca-2019 one. Let me share the correct way to get the rds-ca-rsa2048-g1 certificate (plus all other valid latest RDS CAs) without that hassle:

• Use the official global RDS CA bundle – This bundle includes rds-ca-rsa2048-g1 along with all other currently trusted RDS CA certificates, so you don’t have to hunt for individual files. On Linux/macOS, you can download it directly with this command:

  curl -O https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
  

• Verify you’ve got the right cert – After downloading, confirm rds-ca-rsa2048-g1 is included using OpenSSL:

  openssl x509 -in global-bundle.pem -text -noout | grep "rds-ca-rsa2048-g1"
  

  If you see output referencing the certificate name, you’ve successfully got the correct file.
• Quick setup reminder – Make sure your application or database client is configured to use this new global-bundle.pem as its trusted certificate source. Also, don’t forget to update your RDS instance’s CA certificate (via AWS Console or CLI) to rds-ca-rsa2048-g1 first—otherwise your connection might fail even with the new local cert.

备注：内容来源于stack exchange，提问作者skkc