by takeda
2362 days ago
> Here's probably a silly question: Shouldn't this work automatically? I just assumed they would have an intermediate CA or whatever it's called and have that certificate be signed by some widely trusted CA.

Yeah, that would work if someone at AWS would make a bit of sense and would sign them using their public CA, but they decided not to and instead generate a new RDS CA every 5 years.

Anyway, at least with PostgreSQL clients that rely on libpq (the main postgres client library), by default, while it prefers SSL when available, it won't verify the certificate unless you explicitly use the verify-ca or verify-full sslmode.
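An added example, not part of the comment above: a small Python audit that works out the sslmode libpq would end up using for a connection string (keyword/value or URI form, with the `PGSSLMODE` environment variable as fallback) and reports whether the server certificate gets verified. The function names, hosts, credentials and the CA file path are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

LIBPQ_DEFAULT_SSLMODE = "prefer"                # used when nothing sets sslmode
VERIFYING_MODES = {"verify-ca", "verify-full"}  # the only modes that validate the chain

# keyword = value pairs; a value is either single-quoted or a run of non-spaces
_KV = re.compile(r"(\w+)\s*=\s*('(?:\\.|[^'\\])*'|\S*)")

def parse_conninfo(conninfo):
    """Parse a libpq connection URI or keyword/value string into a dict."""
    if conninfo.startswith(("postgresql://", "postgres://")):
        return dict(parse_qsl(urlsplit(conninfo).query))
    params = {}
    for key, val in _KV.findall(conninfo):
        if val.startswith("'"):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # strip quotes, unescape
        params[key] = val
    return params

def audit(conninfo, env=None):
    """Report the effective sslmode and whether the server certificate is verified."""
    env = env or {}
    mode = (parse_conninfo(conninfo).get("sslmode")
            or env.get("PGSSLMODE")
            or LIBPQ_DEFAULT_SSLMODE)
    return {
        "sslmode": mode,
        # "require" encrypts but is not counted here: libpq only checks the CA
        # in that mode when a root certificate file happens to exist.
        "verifies_cert": mode in VERIFYING_MODES,
        "checks_hostname": mode == "verify-full",
    }

# Constructed sample connection strings (hosts, credentials and paths are made up).
SAMPLES = [
    "host=db.example.internal dbname=app user=svc",
    "host=db.example.internal sslmode=require",
    "host = db.example.internal password='x sslmode=verify-full' sslmode = verify-ca",
    "postgresql://svc@db.example.internal:5432/app?sslmode=verify-full&sslrootcert=/etc/ssl/rds-ca.pem",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(audit(s), "<-", s)
```

The third sample shows why the string has to be parsed rather than grepped: the `sslmode=verify-full` text sits inside a quoted password and must not be mistaken for the real setting.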