Amazon is rotating its CA for its RDS instances, and here they say that the updated certificate can be found here. However, if I download that file and inspect it with openssl x509 -noout -text -in rds-combined-ca-bundle.pem, I see that the expiration date is April 4, 2015.
This doesn't seem right; shouldn't the updated certificate have a later expiration date?
I believe that file is a certificate bundle, containing several CA certificates. I'm guessing your command picked up the first one by default. Every -----BEGIN CERTIFICATE----- represents a different CA.
I believe this page has a script that will parse the bundle. http://blog.swwomm.com/2015/02/importing-new-rds-ca-certificate-into.html
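The behaviour described in the answer, as an added example that is not part of the original post or the linked script: openssl x509 reads only the first PEM block, so the bundle has to be split before each certificate's subject and expiry can be checked. The function names (split_bundle, list_bundle, make_sample_bundle) are hypothetical, and the sample bundle is constructed from two throwaway self-signed certificates rather than the real RDS bundle.

```shell
#!/bin/sh
# Added example: show the subject and expiry of EVERY certificate in a PEM bundle.

# split_bundle BUNDLE OUTDIR: write each certificate block to OUTDIR/cert-NN.pem
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
}

# list_bundle BUNDLE: print "cert-NN | subject | notAfter" for each certificate
list_bundle() {
    tmp=$(mktemp -d) || return 1
    split_bundle "$1" "$tmp"
    for f in "$tmp"/cert-*.pem; do
        [ -e "$f" ] || continue
        subject=$(openssl x509 -noout -subject -in "$f")
        enddate=$(openssl x509 -noout -enddate -in "$f")
        printf '%s | %s | %s\n' "$(basename "$f" .pem)" "$subject" "$enddate"
    done
    rm -rf "$tmp"
}

# make_sample_bundle OUT: constructed input, two self-signed CAs with
# different lifetimes (old-ca first, as in a bundle that lists the old CA first)
make_sample_bundle() {
    d=$(mktemp -d) || return 1
    for spec in "old-ca:30" "new-ca:3650"; do
        name=${spec%%:*}; days=${spec##*:}
        openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
            -subj "/CN=$name" -keyout "$d/$name.key" -out "$d/$name.pem" 2>/dev/null
    done
    cat "$d/old-ca.pem" "$d/new-ca.pem" > "$1"
    rm -rf "$d"
}
```

Running list_bundle rds-combined-ca-bundle.pem prints one line per CA in the downloaded file, so the expiry of each certificate can be compared instead of only the first.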