Manage SSL/TLS certificates

This page describes how to manage your client and server certificate authority (CA) certificates.

Manage client certificates

Use the following procedures to manage client certificates in Cloud SQL.

Retrieve a client certificate

You can retrieve the public key portion of a client certificate. You cannot retrieve the private key, however. If you have lost your private key, you must create a new certificate.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. In Manage client certificates, click a certificate name.
  6. The SSL Client Certificate page opens and shows the client certificate (client-cert.pem) with a link to download the certificate.

gcloud

Retrieve the client certificate public key with the ssl client-certs describe command:

gcloud sql ssl client-certs describe CERT_NAME \
--instance=INSTANCE_NAME \
--format="value(cert)" > client-cert.pem

REST v1

  1. List the certificates on the instance to get the fingerprint of the certificate you want to retrieve:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    Record the sha1Fingerprint field for the certificate you want to retrieve. Don't include the quotation marks.

  2. Retrieve the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  3. Copy all of the certificate data contained by the quotation marks to a file, for example client-cert.pem. Don't copy the quotation marks themselves.

REST v1beta4

  1. List the certificates on the instance to get the fingerprint of the certificate you want to retrieve:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    Record the sha1Fingerprint field for the certificate you want to retrieve. Don't include the quotation marks.

  2. Retrieve the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  3. Copy all of the certificate data contained by the quotation marks to a file, for example client-cert.pem. Don't copy the quotation marks themselves.

Delete a client certificate

When you delete a client certificate, the database server is updated and doesn't need to be restarted.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. In Manage client certificates, find the certificate you want to delete and click Delete..
  6. In the Delete client certificate pane, click Ok.

gcloud

Delete the client certificate using the ssl client-certs delete command:

gcloud sql ssl client-certs delete CERT_NAME \
--instance=INSTANCE_NAME

REST v1

  1. List the certificates on the instance to get the fingerprint of the certificate you want to delete:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    Record the sha1Fingerprint field for the certificate you want to delete. Don't include the quotation marks.

  2. Delete the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL: 

    DELETE https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

REST v1beta4

  1. List the certificates on the instance to get the fingerprint of the certificate you want to delete:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

    Record the sha1Fingerprint field for the certificate you want to delete. Don't include the quotation marks.

  2. Delete the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL: 

    DELETE https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

Manage server CA certificates (per-instance CA)

This section describes how to manage server CA certificates that are created internally by Cloud SQL. This is the default server CA mode in Cloud SQL. In this certificate authority hierarchy, Cloud SQL creates a server CA for each instance.

Rotate server CA certificates

If you've received a notice about your certificates expiring, or you want to initiate a rotation, then take the following steps to complete the rotation. Before you start the rotation, you must have a new server CA on the instance. If a new server CA has already been created, then you can skip the first step in the following procedure.

  1. Create a new server CA.
  2. Download the new server CA certificate information.
  3. Update your clients to use the new server CA certificate information.
  4. Complete the rotation, which moves the active certificate into the "previous" slot and updates the newly added certificate to be the active certificate.

Console

Download the new server CA certificate, encoded as a PEM file, to your local environment:

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Select Rotate CA certificate.

    If there are no eligible certificates, then the rotate option is unavailable. You must create a new server CA certificate.

  7. Click Download Certificates.

Update all of your MySQL clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem file.

After you have updated your clients, complete the rotation:

  1. Return to the Security tab.
  2. Click to expand Manage certificates.
  3. Select Rotate CA certificate.
  4. Confirm that your clients are connecting properly.

    5. If any clients are not connecting using the newly rotated certificate, then you can select Rollback CA certificate to rollback to the previous configuration.

gcloud

  1. Create a server CA certificate: 
    gcloud sql ssl server-ca-certs create \
--instance=INSTANCE
  2. Download the certificate information to a local PEM file: 
    gcloud sql ssl server-ca-certs list \
--format="value(cert)" \
--instance=INSTANCE_NAME > \
FILE_PATH/FILE_NAME.pem
  3. Update all of your clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem files.
  4. After you have updated your clients, complete the rotation: 
    gcloud sql ssl server-ca-certs rotate \
--instance=INSTANCE_NAME
  5. Confirm that your clients are connecting properly.

    6. If any clients are not connecting using the newly rotated certificate, then you can rollback to the previous configuration.

REST v1

  1. Download your server CA certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Complete the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

REST v1beta4

  1. Download your server CA certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Complete the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

If you receive an error when you try to rotate a certificate that says No upcoming/previous Server CA Certificate exists, then verify that you're running the command on an instance that uses the per-instance CA hierarchy. You can view which CA hierarchy is configured for a Cloud SQL instance by using the gcloud sql instances describe command. For more information, see View instance information.

Roll back a certificate rotation operation

After you complete a certificate rotation, your clients must all use the new certificate to connect to your Cloud SQL instance. If the clients aren't updated properly to use the new certificate information, then they can't connect using SSL/TLS to your instance. If this happens, then you can roll back to the previous certificate configuration.

A rollback operation moves the active certificate into the "upcoming" slot (replacing any "upcoming" certificate). The "previous" certificate becomes the active certificate, returning your certificate configuration to the state it was in before you completed the rotation.

To roll back to the previous certificate configuration:

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Select Rollback CA certificate.

    If there are no eligible certificates, then the rollback option is unavailable. Otherwise, the rollback action completes after a few seconds.

gcloud

gcloud sql ssl server-ca-certs rollback \
--instance=INSTANCE_NAME

REST v1

  1. Download your server CA certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

    Request JSON body: 

    {
  "rotateServerCaContext": {"nextVersion": "sha1Fingerprint"}
}

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

REST v1beta4

  1. Download your server CA certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

    Request JSON body: 

    {
  "rotateServerCaContext": {"nextVersion": "sha1Fingerprint"}
}

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

If you receive an error when you try to roll back a certificate CA rotation that says No upcoming/previous Server CA Certificate exists, then verify that you're running the command on an instance that uses the per-instance CA hierarchy. You can view which CA hierarchy is configured for a Cloud SQL instance by using the gcloud sql instances describe command. For more information, see View instance information.

Initiate a rotation

You don't need to wait for the email from Cloud SQL to start a rotation. You can start one at any time. When you start a rotation, a new certificate is created and placed into the "upcoming" slot. If a certificate is already present in the "upcoming" slot at the time of your request, then that certificate is deleted. There can be only one upcoming certificate.

To initiate a rotation:

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Click Create new CA certificate.
  7. Select Rotate CA certificate.

    If there are no eligible certificates, then the rotate option is unavailable.

  8. Complete the rotation as described in Rotate server CA certificates.

gcloud

  1. Initiate the rotation: 
    gcloud sql ssl server-ca-certs create \
--instance=INSTANCE_NAME
  2. Complete the rotation as described in Rotate server CA certificates.

REST v1

  1. Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Complete the rotation as described in Rotate server CA certificates.

REST v1beta4

  1. Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Complete the rotation as described in Rotate server CA certificates.

Get information about a server CA certificate

You can get information about your server CA certificate, such as when it expires or what level of encryption it provides.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.

    In Manage server CA certificates, you can see the expiration date of your server CA certificate in the table.

    To see the certificate type, use the gcloud sql ssl server-ca-certs list --instance=INSTANCE_NAME command.

gcloud

gcloud sql ssl server-ca-certs list \
--instance=INSTANCE_NAME

REST v1

When you describe your instance, you can see details about the server CA certificate:

Before using any of the request data, make the following replacements:

  • project-id: The project ID
  • instance-id: The instance ID

HTTP method and URL: 

GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert

To send your request, expand one of these options:

You should receive a JSON response similar to the following:

REST v1beta4

When you describe your instance, you can see details about the server CA certificate:

Before using any of the request data, make the following replacements:

  • project-id: The project ID
  • instance-id: The instance ID

HTTP method and URL: 

GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert

To send your request, expand one of these options:

You should receive a JSON response similar to the following:

View the content of CA certificates

You can use openssl storeutl to view the content of CA certificates.

When you run the sql ssl server-ca-certs list command, you might get multiple CA certificates from previous rotation-related operations.

gcloud

  1. Run the following command: 
    gcloud sql ssl server-ca-certs list \
  --instance=INSTANCE_NAME \
  --format='value(cert)' > temp_cert.pem

    Replace INSTANCE_NAME with the name of the instance.

  2. Use openssl to examine the contents of the CA certificates.
    3. openssl storeutl -noout -text temp_cert.pem

View the content of a server certificate

You can use openssl s_client to view the content of server certificates.

gcloud

To view the server certificate content, run the following command:

openssl s_client -starttls mysql -connect INSTANCE_IP_ADDRESS:3306

Replace INSTANCE_IP_ADDRESS with the IP address of the instance.

External server SSL expiry notification

  • If the external server's server CA certificate is expiring, then rotate the SSL certificates, including the server CA certificate on the on-premises instance. This step depends on how the on-premises instance is managed. Steps can vary if, for example, you're using an RDS server CA certificate, Cloud SQL server CA certificate, or database-generic server CA certificate.
  • If the client certificate is expiring, then you need to generate a new certificate and key. This applies to both Google Cloud-managed SSL certificates and self-signed certificates.
  • Update the Cloud SQL source representation instance with the new SSL certificates.

Manage server certificates (shared CA)

This section describes how to manage server certificates on instances that use shared CAs or customer-managed CAs.

You can opt in to using shared CAs as the server CA mode for your instance by specifying GOOGLE_MANAGED_CAS_CA for the serverCaMode setting (Cloud SQL Admin API) or the --server-ca-mode flag (gcloud CLI) when you create your instance.

To use customer-managed CA as the server CA mode for your instance, you must specify CUSTOMER_MANAGED_CAS_CA for the serverCaMode setting (Cloud SQL Admin API) or the --server-ca-mode flag (gcloud CLI) when you create your instance, and you must have a valid CA pool and CA. For more information, see Use customer-managed CA.

Rotate server certificates

If you've received a notice about your server certificates expiring, or you want to initiate a rotation, then take the following steps to complete the rotation. Before you start the rotation, there must be a new server certificate created for the upcoming rotation. If there is already a new server certificate created for the upcoming rotation, then you can skip the first step in the following procedure.

To rotate the server certificate on your instance, perform the following steps:

  1. If you need a new server certificate, then create one.

  2. If your clients already trust the root CA, then this step is optional. However, if you need to update your clients with server CA information, then do the following:

    1. Download the latest server CA information.
    2. Update your clients to use the latest server CA information.

  3. Complete the rotation by moving the active certificate to the previous slot, and updating the new certificate to be the active certificate.

Console

Download the server CA certificate information, encoded as a PEM file, to your local environment:

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Confirm that the Rotate server certificate option appears as an available option; however, don't select it yet.

    If there are no eligible certificates, then the rotate option is unavailable. You must create a new server certificate.

  7. Click Download certificates.

Update all of your MySQL clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem file.

After you have updated your clients, complete the rotation:

  1. Return to the Security tab.
  2. Click to expand Manage certificates.
  3. Select Rotate certificate.
  4. In the Confirm certificate rotation dialog, click Rotate.

  5. Confirm that your clients are connecting properly.

    If any clients are not connecting using the newly rotated certificate, then you can select Rollback certificate to rollback to the previous configuration.

gcloud

  1. To create a server certificate, use the following command: 
    gcloud sql ssl server-certs create \
--instance=INSTANCE
    2. Replace INSTANCE with the name of the instance.
  2. Make sure that you're using the latest CA bundle. If you aren't using the latest CA bundle, then run the following command to download the latest server CA information for the instance to a local PEM file: 
    gcloud sql ssl server-certs list \
--format="value(ca_cert.cert)" \
--instance=INSTANCE_NAME > \
FILE_PATH/server-ca.pem

    Or download the CA bundles from the root and regional CA certificate bundle table on this page.

    Then update all of your clients to use new server CA information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem files.

  3. After you update all your clients (if client updates are required), complete the rotation: 
    gcloud sql ssl server-certs rotate \
--instance=INSTANCE_NAME

  4. Confirm that your clients are connecting properly.

    If any clients aren't connecting using the newly rotated server certificate, then roll back to the previous configuration.

REST v1

  1. Create a server certificate.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL: 

    POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. If you need to download server CA certificate information, then you can use the following command.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  3. Complete the rotation.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: The project ID
    • INSTANCE_ID: The instance ID

    HTTP method and URL: 

    POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

REST v1beta4

  1. Create a server certificate.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL: 

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. If you need to download server CA certificate information, then you can use the following command.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  3. Complete the rotation.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL: 

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

Roll back a certificate rotation

After you complete a server certificate rotation, all your clients must use the new certificate to connect to your Cloud SQL instance. If the clients aren't updated properly to use the new certificate information, then they can't connect using SSL/TLS to your instance. If this happens, then you can roll back to the previous certificate configuration.

A rollback operation moves the active certificate into the "upcoming" slot, which replaces any "upcoming" certificate. The "previous" certificate becomes the active certificate and returns your certificate configuration to its previous state before you completed the rotation.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Select Rollback server certificate.

    If there are no eligible certificates, then the rollback option is unavailable.

  7. In the Confirm certificate rollback dialog, select Rollback.

    The rollback might take a few seconds to complete.

gcloud

gcloud sql ssl server-certs rollback \
--instance=INSTANCE_NAME

REST v1

  1. List your server certificates.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL: 

    POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate

    Request JSON body: 

    {
  "rotateServerCertificateContext": {"nextVersion": "sha1Fingerprint"}
}

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

REST v1beta4

  1. List your server certificates.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL: 

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL: 

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate

    Request JSON body: 

    {
  "rotateServerCertificateContext": {"nextVersion": "sha1Fingerprint"}
}

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

View the content of CA certificates

You can use the openssl storeutl utility to view the content of CA certificates.

When you run the sql ssl server-certs list command, you always get multiple CA certificates due to the trust chain. You might also get multiple CA certificates from previous rotation-related operations.

gcloud

  1. Run the following command: 
    gcloud sql ssl server-certs list \
  --instance=INSTANCE_NAME \
  --format='value(cert)' > temp_cert.pem

    Replace INSTANCE_NAME with the name of the instance.

  2. Use openssl to examine the contents of the CA certificates.
    3. openssl storeutl -noout -text temp_cert.pem

View the content of a server certificate

You can use openssl utilities and the sql ssl server-certs list command to view the content of a server certificate.

When you run the gcloud CLI command, you always get multiple CA certificates due to the trust chain. You also might get multiple CA certificates from previous rotation-related operations.

gcloud

Using openssl s_client only:

openssl s_client -starttls mysql -connect INSTANCE_IP_ADDRESS:3306

Replace INSTANCE_IP_ADDRESS with the IP address of the instance.

Using the gcloud CLI and openssl storeutl:

  1. Run the following command: 
    gcloud sql ssl server-certs list \
  --instance=INSTANCE_NAME \
  --format='value(ssl_cert.cert)' > temp_cert.pem

    Replace INSTANCE_NAME with the name of the instance.

  2. Use openssl to examine the contents of the server certificates.
    3. openssl storeutl -noout -text temp_cert.pem

Download root and regional CA certificate bundles for a shared CA

If you're using a Google-managed shared CA configuration, then you can download the root and regional CA certificate bundles from the following table.

These certificate bundles don't apply to instances that use the per-instance or customer-managed CA options.

Region name Location Certificate bundle
Global
CA for all regions All locations global.pem
Asia
asia-east1 Taiwan asia-east1.pem
asia-east2 Hong Kong asia-east2.pem
asia-northeast1 Tokyo asia-northeast1.pem
asia-northeast2 Osaka asia-northeast2.pem
asia-northeast3 Seoul asia-northeast3.pem
asia-south1 Mumbai asia-south1.pem
asia-south2 Delhi asia-south2.pem
asia-southeast1 Singapore asia-southeast1.pem
asia-southeast2 Jakarta asia-southeast2.pem
Africa
africa-south1 Johannesburg africa-south1.pem
Australia
australia-southeast1 Sydney australia-southeast1.pem
australia-southeast2 Melbourne australia-southeast2.pem
Europe
europe-central2 Warsaw europe-central2.pem
europe-north1 Finland europe-north1.pem
europe-north2 Stockholm europe-north2.pem
europe-southwest1 Madrid europe-southwest1.pem
europe-west1 Belgium europe-west1.pem
europe-west2 London europe-west2.pem
europe-west3 Frankfurt europe-west3.pem
europe-west4 Netherlands europe-west4.pem
europe-west6 Zürich europe-west6.pem
europe-west8 Milan europe-west8.pem
europe-west9 Paris europe-west9.pem
europe-west10 Berlin europe-west10.pem
europe-west12 Turin europe-west12.pem
Middle East
me-central1 Doha me-central1.pem
me-central2 Dammam me-central2.pem
me-west1 Tel Aviv me-west1.pem
North America
northamerica-northeast1 Montréal northamerica-northeast1.pem
northamerica-northeast2 Toronto northamerica-northeast2.pem
northamerica-south1 Mexico northamerica-south1.pem
us-central1 Iowa us-central1.pem
us-east1 South Carolina us-east1.pem
us-east4 Northern Virginia us-east4.pem
us-east5 Columbus us-east5.pem
us-south1 Dallas us-south1.pem
us-west1 Oregon us-west1.pem
us-west2 Los Angeles us-west2.pem
us-west3 Salt Lake City us-west3.pem
us-west4 Las Vegas us-west4.pem
South America
southamerica-east1 São Paulo southamerica-east1.pem
southamerica-west1 Santiago southamerica-west1.pem

Reset the SSL/TLS configuration

You can completely reset your SSL/TLS configuration.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Go to the Reset SSL configuration section.
  5. Click Reset SSL Configuration.

gcloud

  1. Refresh the certificate:

    gcloud sql instances reset-ssl-config INSTANCE_NAME
  2. gcloud sql instances restart INSTANCE_NAME
  3. Create new client certificates.

REST v1beta4

  1. Refresh the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL: 

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Create new client certificates.

What's next