Configuring SSL for Instances

This page describes how to configure an instance to use SSL, and how to manage your server and client certificates.

For more information about using SSL with MySQL, see Using SSL Connections in the MySQL Reference Manual.

Introduction

Cloud SQL supports connecting to an instance using the Secure Sockets Layer (SSL) protocol. If you are not connecting to an instance by using the Cloud SQL Proxy, you should use SSL, so that the data you send to and receive from Google Cloud SQL is encrypted in transit.

Cloud SQL uses a self-signed server certificate and a certificate (public/private key pair) on the client (for example, an external application accessing the Cloud SQL instance). These certificates work together to enable the server (instance) and client (application) to encrypt their communication. You must have both a valid server certificate and a valid client certificate (key pair) to support encrypted communication.

Managing your server certificates

Google Cloud SQL creates a server certificate automatically when you create your instance. As long as the server certificate is valid, you do not need to actively manage your server certificate. However, the certificate has an expiration date; after that date, it is no longer valid, and clients are not able to establish a secure connection to your instance.

Getting information about your server certificate

You can get information about your server certificate, such as when it expires or what level of encryption it provides.

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.

  2. Click the instance name to open its Instance details page.
  3. Select the SSL tab.

    You can see the expiration date of your server certificate under SSL Configuration. To see the certificate type, use the Cloud SDK.

gcloud

You can see details about the server certificate when you describe your instance:

gcloud sql instances describe [INSTANCE_NAME]

The server certificate information is listed under serverCaCert.

cURL

You can see details about the server certificate when you describe your instance:

ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
     --header 'Content-Type: application/json' \
     -X GET \
     https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]?fields=serverCaCert

Refreshing your server certificate

When your server certificate expires, you must create a new one. You should refresh your server certificate before it expires to ensure that your clients can continue to connect to the instance securely.
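As an added check that is not part of the Cloud SQL documentation: the shell functions below read a saved server certificate (server-ca.pem) and report whether it expires within a given number of days, so the refresh can be scheduled before clients start failing. They assume the openssl command-line tool is installed; the gcloud fetch helper assumes an authenticated gcloud and is shown only, not exercised.

```shell
#!/bin/sh
# Added example (not from the Cloud SQL documentation): warn before the
# server certificate expires, so the refresh steps that follow can be run
# while clients can still connect. Requires the openssl command-line tool.

# Save the current server certificate as server-ca.pem without copying it
# from `instances describe` by hand. Assumes gcloud is installed and
# authenticated; shown here, not exercised.
fetch_server_ca() {
    gcloud sql instances describe "$1" \
        --format='value(serverCaCert.cert)' > "${2:-server-ca.pem}"
}

# Exit 0 if the PEM certificate in $1 stays valid for at least $2 more
# days (default 30), 1 if it expires or has expired within that window,
# 2 if the file is not a parseable certificate.
cert_valid_for_days() {
    pem="$1"; days="${2:-30}"
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 2
    # -checkend N succeeds only when the certificate is still valid
    # N seconds from now.
    openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Operator-facing report built on the check above; same exit codes.
report_server_ca() {
    pem="$1"; days="${2:-30}"
    if cert_valid_for_days "$pem" "$days"; then rc=0; else rc=$?; fi
    case $rc in
        0) printf 'OK: %s is valid for at least %s more days (%s)\n' \
               "$pem" "$days" "$(openssl x509 -in "$pem" -noout -enddate)" ;;
        1) printf 'WARNING: %s expires within %s days; reset the SSL configuration and reissue client certificates\n' \
               "$pem" "$days" ;;
        *) printf 'ERROR: %s is not a readable X.509 certificate\n' "$pem" ;;
    esac
    return "$rc"
}

# Example: report_server_ca server-ca.pem 30
```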

Console (2nd Gen)

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.

  2. Click the name of the instance to open its Instance details page.
  3. Select the SSL tab.
  4. Click Reset SSL Configuration.
  5. Click Revoke Certificates.
  6. Create new client certificates.

Console (1st Gen)

This task causes your Cloud SQL instance to be restarted.

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.

  2. Click the name of the instance to open its Instance details page.
  3. Select the SSL tab.
  4. Click Reset SSL Configuration.
  5. Click Revoke Certificates and Restart.

    The instance restart is required to complete the refresh.

  6. Create new client certificates.

gcloud

For First Generation instances, this task requires your Cloud SQL instance to be restarted.

  1. Refresh the certificate:
    gcloud sql instances reset-ssl-config [INSTANCE_NAME]
    
  2. For First Generation instances, restart the instance to complete the refresh.
    gcloud sql instances restart [INSTANCE_NAME]
    
  3. Create new client certificates.

cURL

For First Generation instances, this task requires your Cloud SQL instance to be restarted.

  1. Refresh the certificate:
    ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         --header 'Content-Type: application/json' \
         --header 'Content-Length: 0' \
         -X POST \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/resetSslConfig
    
  2. For First Generation instances, restart the instance:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         --header 'Content-Length: 0' \
         -X POST \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/restart
    
  3. Create new client certificates.

Managing your client certificates

Creating a new client certificate

You can create up to 10 client certificates for each instance. If you lose the private key for a certificate, you must create a new one; the private key cannot be recovered.

Console (2nd Gen)

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.

  2. Click the instance name to open its Instance details page.
  3. Select the SSL tab.
  4. In the SSL Connections section, click Allow only SSL connection so that the instance accepts only SSL connections.
  5. In the Client Certificates section, click Create a Client Certificate.
  6. In the New client certificate dialog box, give the certificate a name unique for this instance and click Add.
  7. In the first section of the New SSL certificate created dialog box, click the link to download the private key to a file named client-key.pem.
  8. In the second section, click the link to download the client certificate to a file named client-cert.pem.
  9. In the third section, click the link to download the server certificate to a file named server-ca.pem.
  10. Click Close.

Console (1st Gen)

This task causes your Cloud SQL instance to be restarted.

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.

  2. Click the instance name to open its Instance details page.
  3. Select the SSL tab.
  4. In the SSL Connections section, click Allow only SSL connection so that the instance accepts only SSL connections, then click Restart Now.
  5. In the Client Certificates section, click Create a Client Certificate.
  6. In the New client certificate dialog box, give the certificate a unique name and click Add.
  7. In the first section of the New SSL certificate created dialog box, click the link to download the private key to a file named client-key.pem.
  8. In the second section, click the link to download the client certificate to a file named client-cert.pem.
  9. In the third section, click the link to download the server certificate to a file named server-ca.pem.
  10. Click Close and Restart to restart the instance immediately or click Close and manually restart the instance later.

    A restart of the instance is required to enable the certificate.

gcloud

For First Generation instances, this task requires your Cloud SQL instance to be restarted.

  1. Configure the instance to require SSL connections:
    gcloud sql instances patch [INSTANCE_NAME] --require-ssl
    
  2. Create an SSL certificate using the ssl-certs create command:
    gcloud sql ssl-certs create [CERT_NAME] client-key.pem --instance [INSTANCE_NAME]
    
  3. Retrieve the public key you just created with the ssl-certs describe command:
    gcloud sql ssl-certs describe [CERT_NAME] --instance [INSTANCE_NAME] --format text
    
  4. Copy all of the certificate, from the first line "-----BEGIN CERTIFICATE-----" to the last line "-----END CERTIFICATE-----", to a file named client-cert.pem.
  5. Get the server certificate using the instances describe command:
    gcloud sql instances describe [INSTANCE_NAME] --format text
    
  6. Copy all of the certificate, from the first line "-----BEGIN CERTIFICATE-----" to the last line "-----END CERTIFICATE-----", to a file named server-ca.pem.
  7. For First Generation instances, restart the instance to enable the certificate and SSL configuration change.
    gcloud sql instances restart [INSTANCE_NAME]
    

cURL

For First Generation instances, this task requires your Cloud SQL instance to be restarted.

  1. Configure the instance to require SSL connections:
    ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         --header 'Content-Type: application/json' \
         --data '{"settings" : {"ipConfiguration" : {"requireSsl": true }}}' \
         -X PATCH \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]
    
  2. Create an SSL certificate, giving it a unique name for this instance:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         --header 'Content-Type: application/json' \
         --data '{"commonName" : "[CERT_NAME]"}' \
         -X POST \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/sslCerts
    
  3. Copy all of the certificate contents within the quotation marks (but not the quotation marks themselves) from the response into local files as follows:
    1. Copy serverCaCert.cert into server-ca.pem.
    2. Copy clientCert.cert into client-cert.pem.
    3. Copy certPrivateKey into client-key.pem.
  4. For First Generation instances, restart the instance:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         --header 'Content-Length: 0' \
         -X POST \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/restart
    

At this point, you have:

  • A server certificate saved as server-ca.pem.
  • A client public key certificate saved as client-cert.pem.
  • A client private key saved as client-key.pem.

Depending on which tool you use to connect, these three items are specified in different ways. For example, when connecting using the MySQL client, these three files are the values for the --ssl-ca, --ssl-cert, and --ssl-key command options, respectively. For an example connection using the MySQL client and SSL, see Connecting with MySQL Client.
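As an added example that is not part of the Cloud SQL documentation: the functions below write the three files from the JSON returned by the sslCerts POST request in the cURL steps above (no hand-copying between quotation marks), then confirm that the private key actually belongs to the client certificate before it is handed to the MySQL client. They assume python3 and the openssl command-line tool are installed; the field paths follow this page, with the nested clientCert.certInfo.cert form of the v1beta4 response also accepted.

```shell
#!/bin/sh
# Added example (not from the Cloud SQL documentation): turn the JSON
# returned by the sslCerts POST request into the three PEM files and
# check that the private key really belongs to the client certificate.
# Requires python3 and the openssl command-line tool.

# Write the three items from the response file $1 into directory $2 as
# server-ca.pem, client-cert.pem and client-key.pem. The key is written
# with owner-only permissions: it cannot be retrieved again from the API.
# Field paths follow the page; clientCert.certInfo.cert is also accepted,
# which is how the v1beta4 response nests the client certificate.
save_ssl_certs_response() {
    resp="$1"; dir="${2:-.}"
    mkdir -p "$dir" || return 1
    (umask 077 && python3 - "$resp" "$dir" <<'EOF'
import json, os, sys
with open(sys.argv[1]) as f:
    data = json.load(f)
client = data["clientCert"]
client_cert = client.get("certInfo", client).get("cert")
files = {
    "server-ca.pem": data["serverCaCert"]["cert"],
    "client-cert.pem": client_cert,
    "client-key.pem": client["certPrivateKey"],
}
for name, pem in files.items():
    if not pem or "-----BEGIN" not in pem:
        sys.exit("missing or malformed field for " + name)
    with open(os.path.join(sys.argv[2], name), "w") as out:
        out.write(pem if pem.endswith("\n") else pem + "\n")
EOF
    )
}

# Return 0 when the certificate in $1 and the private key in $2 carry the
# same public key, 1 otherwise (a mismatched pair cannot complete the TLS
# handshake, so catch it here rather than at connection time).
client_keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Connect with the MySQL client using the three files in directory $3
# (shown only; needs the instance's IP address and a database user).
mysql_over_ssl() {
    mysql -h "$1" -u "$2" -p --ssl-ca="$3/server-ca.pem" \
        --ssl-cert="$3/client-cert.pem" --ssl-key="$3/client-key.pem"
}
```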

Retrieving a client certificate

You can retrieve the public key portion of a client certificate. You cannot retrieve the private key, however. If you have lost your private key, you must create a new certificate.

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.

  2. Click the instance name to open its Instance details page.
  3. Select the SSL tab.
  4. In the Client Certificates section, click a certificate name to see the client certificate (client-cert.pem).

gcloud

  1. Retrieve a client public key certificate with the ssl-certs describe command:
    gcloud sql ssl-certs describe [CERT_NAME] --instance [INSTANCE_NAME] --format text
    
  2. Copy all of the certificate, from the first line "-----BEGIN CERTIFICATE-----" to the last line "-----END CERTIFICATE-----", to a file, for example client-cert.pem.

cURL

  1. List the certificates on the instance to get the fingerprint of the certificate you want to retrieve:
    ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         -X GET \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/sslCerts
    

    Record the sha1Fingerprint field for the certificate you want to retrieve. Do not include the quotation marks.

  2. Retrieve the certificate:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         -X GET \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/sslCerts/[FINGERPRINT]
    
  3. Copy all of the certificate data contained by the quotation marks to a file, for example client-cert.pem. Do not copy the quotation marks themselves.

Deleting a client certificate

Console (2nd Gen)

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.

  2. Click the instance name to open its Instance details page.
  3. Select the SSL tab.
  4. In the Client Certificates section, find the certificate you want to delete and click Delete.
  5. In the Delete client certificate dialog box, click OK.

Console (1st Gen)

This task causes your Cloud SQL instance to be restarted.

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.

  2. Click the instance name to open its Instance details page.
  3. Select the SSL tab.
  4. In the Client Certificates section, find the certificate you want to delete and click Delete.
  5. In the Delete client certificate dialog box, click Restart now.

    The instance must be restarted to complete the operation.

gcloud

For First Generation instances, this task requires your Cloud SQL instance to be restarted.

  1. Delete the SSL certificate using the ssl-certs delete command:
    gcloud sql ssl-certs delete [CERT_NAME] --instance [INSTANCE_NAME]
    
  2. For First Generation instances, restart the instance:
    gcloud sql instances restart [INSTANCE_NAME]
    

cURL

For First Generation instances, this task requires your Cloud SQL instance to be restarted.

  1. List the certificates on the instance to get the fingerprint of the certificate you want to delete:
    ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         -X GET \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/sslCerts
    

    Record the sha1Fingerprint field for the certificate you want to delete. Do not include the quotation marks.

  2. Delete the certificate:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         -X DELETE \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/sslCerts/[FINGERPRINT]
    
  3. For First Generation instances, restart the instance:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         --header 'Content-Length: 0' \
         -X POST \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/restart
    
