2

As part of AWS's standard maintenance, everyone using RDS should update their SSL/TLS by 2/5/2020. I don't use SSL/TLS keys for my personal project, and I understand we still need to rotate the certs if you do not wish to restart.

From AWS docs:

I don’t use SSL/TLS, can I rotate the certificate without restarting my database?

If you do not want to restart your database, you can use a new CLI option for the modify-db-instance CLI command (--no-certificate-rotation-restart) specifically to rotate and stage the new certificates on the database host to avoid a restart. However, new certificates will be picked up by the database only when a planned or unplanned database restart happens.

So I tried this command:

aws rds modify-db-instance --db-instance-identifier my-instance-1 --ca-certificate-identifier rds-ca-2019 --no-certificate-rotation-restart --region us-east-1

This is what I get in the output:

Unknown options: --no-certificate-rotation-restart

I have the latest awscli:

awscli==1.16.314
edmamerto

1 Answer

3

You can check the supported options with:

aws rds modify-db-instance help

If --no-certificate-rotation-restart is not supported, you need to upgrade your AWS CLI:

pip3 install awscli --upgrade

Refer: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv1.html

Tuan Vo
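The check from the answer combined with the command from the question, as an added example that is not part of the original posts: it confirms the installed CLI documents the option, lists instances not yet on rds-ca-2019, and prints (without running) the staging command for each. The function names and the `RDS_AUDIT_REGION` variable are hypothetical, and it assumes the help text arrives as plain text when piped.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
TARGET_CA="rds-ca-2019"                    # CA identifier used in the question
FLAG="--no-certificate-rotation-restart"   # option named in the quoted AWS docs

# stdin: text of `aws rds modify-db-instance help`
# Succeeds only if the installed CLI documents the flag
# (assumption: the help text is plain text when piped).
cli_supports_flag() {
  grep -q -e "$FLAG"
}

# stdin: one "<instance-id> <ca-identifier>" pair per line, as produced by
#   aws rds describe-db-instances --output text \
#     --query 'DBInstances[].[DBInstanceIdentifier,CACertificateIdentifier]'
# stdout: identifiers of instances that are not yet on TARGET_CA
instances_needing_rotation() {
  awk -v ca="$TARGET_CA" 'NF >= 2 && $2 != ca { print $1 }'
}

# stdin: instance identifiers; $1: region
# stdout: one command per instance to review before running (nothing is executed)
staging_commands() {
  while read -r id; do
    [ -n "$id" ] || continue
    printf 'aws rds modify-db-instance --db-instance-identifier %s --ca-certificate-identifier %s %s --region %s\n' \
      "$id" "$TARGET_CA" "$FLAG" "$1"
  done
}

# Live use needs AWS credentials; RDS_AUDIT_REGION is a hypothetical variable
# that keeps the script from touching AWS unless it is set.
if [ -n "${RDS_AUDIT_REGION:-}" ]; then
  if ! aws rds modify-db-instance help | cli_supports_flag; then
    echo "installed AWS CLI does not list $FLAG; upgrade it first" >&2
    exit 1
  fi
  aws rds describe-db-instances --region "$RDS_AUDIT_REGION" --output text \
    --query 'DBInstances[].[DBInstanceIdentifier,CACertificateIdentifier]' |
    instances_needing_rotation | staging_commands "$RDS_AUDIT_REGION"
fi
```

As the quoted AWS text says, certificates staged this way are picked up only at the next planned or unplanned restart, so rerun the listing after that restart to confirm each instance reports the new CA.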