If you’ve ever used Postico to connect to a PostgreSQL database on Amazon’s RDS, you’ve probably encountered this warning:

Clicking “Show Certificate” gives us some insight into how we might get rid of this warning:

Note the “This certificate was signed by an untrusted issuer” message and the fact that every step of the certificate chain has a red ⓧ on it. To fix this warning, you want to get Amazon’s root certificate for RDS and add it to your computer as a trusted certificate.

First step: download the root certificate. The AWS docs for [Using SSL to Encrypt a Connection to a DB Instance](Using SSL to Encrypt a Connection to a DB Instance) contain a link to the certificate. As of the time of writing, that’s 2015-root.pem.

To tell your computer to trust it, you need to add it to your keychain. Open the Keychain Access application (it’s in Applications > Utilities > Keychain Access). From the “Keychains” portion of the left sidebar, select either your login keychain (if you want to make this change just for your user) or your system keychain (if you want to make this change for all users on the computer). Choose File > Import Items from the menu bar and choose the certificate you downloaded. You should now see “Amazon RDS Root CA” show up among the items in the main part of the window. Double-click it to open its settings and details, expand the “Trust” section, and for “When using this certificate:” choose “Always Trust”. When you close this window Keychain Access will ask for your password to make these changes.

You’re done! You can close Keychain Access. Try connecting to your RDS database now, and you should find that Postico no longer has trust issues.

(These instructions were written referencing macOS 10.12.5 “High Sierra”, but should be similar in other versions of macOS.)