Configuring SSL/TLS certificates

This page describes how to configure an instance to use SSL/TLS. Learn more about using SSL/TLS with Cloud SQL.

Overview

Cloud SQL creates a server certificate automatically when you create your instance. To use SSL/TLS you need to create a client certificate and download the certificates to your MySQL client host machine. If you plan to connect using SSL/TLS, we recommend that you enforce all connections to use SSL/TLS.

Enforcing SSL/TLS

To enforce SSL/TLS for all connections to your instance:

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.
    Go to the Cloud SQL Instances page
  2. Click the instance name to open its Instance details page.
  3. Click the Connections link in the left navigation pane.
  4. Scroll down to the SSL connections section.
  5. Click Allow only SSL connections.

gcloud

gcloud sql instances patch [INSTANCE_NAME] --require-ssl

REST

  1. Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    PATCH https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

    Request JSON body: 

    {
  "settings": {
    "ipConfiguration": {"requireSsl": "true"}
  }
}

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

Server certificates

Cloud SQL creates a server certificate automatically when you create your instance. As long as the server certificate is valid, you do not need to actively manage your server certificate. However, the certificate has an expiration date of 10 years; after that date, it is no longer valid, and clients are not able to establish a secure connection to your instance using that certificate.

In the console you can get information about your server certificate, such as when it was created and when it expires, or manually create a new one.

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.

    Go to the Cloud SQL Instances page

  2. Click the instance name to open its Instance details page.
  3. Click the Connections link in the left navigation pane.
  4. Scroll down to the Configure SSL server certificates section.

    You can see the expiration date of your server certificate in the table.

Client certificates

Creating a new client certificate

You can create up to 10 client certificates for each instance. If you lose the private key for a certificate, you must create a new one; the private key cannot be recovered.

Console (2nd Gen)

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.

    Go to the Cloud SQL Instances page

  2. Click the instance name to open its Instance details page.
  3. Click the Connections link in the left navigation pane.
  4. Scroll down to the Configure SSL client certificates section.
  5. Click Create a client certificate.
  6. In the Create a client certificate dialog box, add a unique name.
  7. Click Create.
  8. In the first section of the New SSL certificate created dialog box, click Download client-key.pem to download the private key to a file named client-key.pem.
  9. In the second section, click Download client-cert.pem to download the client certificate to a file named client-cert.pem.
  10. In the third section, click Download server-ca.pem to download the server certificate to a file named server-ca.pem.
  11. Click Close.

Console (1st Gen)

This task causes your Cloud SQL instance to be restarted.

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.

    Go to the Cloud SQL Instances page

  2. Click the instance name to open its Instance details page.
  3. Click the Connections link in the left navigation pane.
  4. In the Client Certificates section, click Create a Client Certificate.
  5. In the New client certificate dialog box, give the certificate a unique name and click Add.
  6. In the first section of the New SSL certificate created dialog box, click the link to download the private key to a file named client-key.pem.
  7. In the second section, click the link to download the client certificate to a file named client-cert.pem.
  8. In the third section, click the link to download the server certificate to a file named server-ca.pem.

  9. Click Close and Restart to restart the instance immediately or click Close and manually restart the instance later.

    A restart of the instance is required to enable the certificate.

gcloud

For First Generation instances, this task requires your Cloud SQL instance to be restarted.

  1. Create a client certificate using the ssl client-certs create command:

    gcloud sql ssl client-certs create [CERT_NAME] client-key.pem --instance=[INSTANCE_NAME]

  2. Retrieve the public key for the certificate you just created and copy it into the client-cert.pem file with the ssl client-certs describe command:

    gcloud sql ssl client-certs describe [CERT_NAME] --instance=[INSTANCE_NAME] --format="value(cert)" > client-cert.pem

  3. Copy the server certificate into the server-ca.pem file using the instances describe command:

    gcloud sql instances describe [INSTANCE_NAME]  --format="value(serverCaCert.cert)" > server-ca.pem

  4. For First Generation instances, restart the instance to enable the certificate and SSL/TLS configuration change.

    gcloud sql instances restart [INSTANCE_NAME]

REST

For First Generation instances, this task requires your Cloud SQL instance to be restarted.

  1. Create an SSL/TLS certificate, giving it a unique name for this instance:

    Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • client-cert-name: The client cert name

    HTTP method and URL: 

    POST https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts

    Request JSON body: 

    {
  "commonName" : "client-cert-name"
}

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Copy all of the certificate contents within the quotation marks (but not the quotation marks themselves) from the response into local files as follows:
    1. Copy serverCaCert.cert into server-ca.pem.
    2. Copy clientCert.cert into client-cert.pem.
    3. Copy certPrivateKey into client-key.pem.

  3. For First Generation instances, restart the instance:

    Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • activation-policy: The activation policy is ALWAYS or NEVER

    HTTP method and URL: 

    POST https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/restart

    Request JSON body: 

    {
  "settings": {
    "activationPolicy": "activation-policy"
  }
}

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    {
  "kind": "sql#operation",
  "targetLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "RESTART",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

At this point, you have:

  • A server certificate saved as server-ca.pem.
  • A client public key certificate saved as client-cert.pem.
  • A client private key saved as client-key.pem.

Depending on which tool you use to connect, these three items are specified in different ways. For example, when connecting using MySQL client, these three files are the values for the --ssl-ca, --ssl-cert, and --ssl-key command options, respectively. For an example connection using MySQL client and SSL/TLS, see Connecting with MySQL Client.

What's next