Manage SSL/TLS certificates

This page describes how to manage your client and server certificates.

Manage client certificates

Retrieve a client certificate

You can retrieve the public key portion of a client certificate. You cannot retrieve the private key, however. If you have lost your private key, you must create a new certificate.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.
  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Below Manage client certificates, click on a certificate name.
  6. The SSL Client Certificate dialog box opens and shows the client certificate (client-cert.pem) with a link to download the certificate.

gcloud

Retrieve the client certificate public key with the ssl client-certs describe command:

gcloud sql ssl client-certs describe CERT_NAME \
--instance=INSTANCE_NAME \
--format="value(cert)" > client-cert.pem

REST v1

  1. List the certificates on the instance to get the fingerprint of the certificate you want to retrieve:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts

    You should receive a JSON response.

    Record the sha1Fingerprint field for the certificate you want to retrieve. Do not include the quotation marks.

  2. Retrieve the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint

    You should receive a JSON response.

  3. Copy all of the certificate data contained by the quotation marks to a file, for example client-cert.pem. Do not copy the quotation marks themselves.

REST v1beta4

  1. List the certificates on the instance to get the fingerprint of the certificate you want to retrieve:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts

    You should receive a JSON response.

    Record the sha1Fingerprint field for the certificate you want to retrieve. Do not include the quotation marks.

  2. Retrieve the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint

    You should receive a JSON response.

  3. Copy all of the certificate data contained by the quotation marks to a file, for example client-cert.pem. Do not copy the quotation marks themselves.

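An added example, not code from the Cloud SQL documentation, that carries out steps 1 to 3 of the REST retrieval above on a constructed sslCerts list response: pick the entry by commonName, write its cert field to client-cert.pem (json.loads already removes the quotation marks and turns the \n escapes into newlines), and check the file against the sha1Fingerprint the API reported so a truncated or mis-pasted file is caught. Field names follow the SslCert resource; the certificate body is a constructed stand-in, not a real certificate.

```python
"""Added example (not from the Cloud SQL docs): pick a client certificate out of a
constructed sslCerts list response, save its PEM body and verify the saved file
against the sha1Fingerprint the API reported."""
import hashlib
import json
import ssl
from pathlib import Path

# Constructed stand-in for the JSON returned by GET .../instances/INSTANCE/sslCerts.
# The "cert" body is NOT a real certificate: it is base64 of the bytes b"abc", so
# its SHA-1 fingerprint is known in advance. Real responses carry a full X.509 PEM.
SSL_CERTS_RESPONSE = json.dumps({
    "kind": "sql#sslCertsList",
    "items": [
        {
            "kind": "sql#sslCert",
            "commonName": "app-client",
            "sha1Fingerprint": "a9993e364706816aba3e25717850c26c9cd0d89d",
            "cert": "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n",
            "createTime": "2024-01-01T00:00:00.000Z",
            "expirationTime": "2034-01-01T00:00:00.000Z",
        },
    ],
})


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 of the DER bytes inside a PEM block, formatted like the API's
    sha1Fingerprint field (40 lowercase hex digits, no separators)."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # strips the markers and base64-decodes
    return hashlib.sha1(der).hexdigest()


def find_cert(list_json: str, common_name: str) -> dict:
    """Return the sslCerts item with the given commonName (step 1 on the page)."""
    for item in json.loads(list_json).get("items", []):
        if item.get("commonName") == common_name:
            return item
    raise KeyError(f"no client certificate named {common_name!r}")


def save_and_verify(item: dict, dest: str) -> bool:
    """Write the PEM body to dest and confirm the file on disk matches the
    fingerprint the API reported. A truncated or non-PEM file yields False."""
    path = Path(dest)
    path.write_text(item["cert"])
    reported = item["sha1Fingerprint"].replace(":", "").lower()
    try:
        return sha1_fingerprint(path.read_text()) == reported
    except ValueError:  # file is not a complete PEM block
        return False


if __name__ == "__main__":
    cert = find_cert(SSL_CERTS_RESPONSE, "app-client")
    print("client-cert.pem matches reported fingerprint:",
          save_and_verify(cert, "client-cert.pem"))
```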
Delete a client certificate

When you delete a client certificate, the database server is updated and doesn't need to be restarted.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.
  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Below Manage client certificates, find the certificate you want to delete and click Delete.
  6. In the Delete client certificate dialog box, click Ok.

gcloud

Delete the client certificate using the ssl client-certs delete command:

gcloud sql ssl client-certs delete CERT_NAME \
--instance=INSTANCE_NAME

REST v1

  1. List the certificates on the instance to get the fingerprint of the certificate you want to delete:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts

    You should receive a JSON response.

    Record the sha1Fingerprint field for the certificate you want to delete. Do not include the quotation marks.

  2. Delete the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL:

    DELETE https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint

    You should receive a JSON response.

REST v1beta4

  1. List the certificates on the instance to get the fingerprint of the certificate you want to delete:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts

    You should receive a JSON response.

    Record the sha1Fingerprint field for the certificate you want to delete. Do not include the quotation marks.

  2. Delete the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL:

    DELETE https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint

    You should receive a JSON response.

Manage server certificates

Rotate server certificates

If you've received a notice about your certificates expiring, or you have initiated a rotation, then you must take the following steps to complete the rotation:

  1. Download the new server certificate information.
  2. Update your clients to use the new server certificate information.
  3. Complete the rotation, which moves the currently active certificate into the "previous" slot and updates the newly added certificate to be the active certificate.

Console

Download the new server certificate information:

  1. In the Google Cloud console, go to the Cloud SQL Instances page.
  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Select Rotate certificate.

    The rotate option will be grayed-out if there are no eligible certificates.

  7. Click Download Certificates.

The server certificate information, encoded as a PEM file, is downloaded to your local environment. Update all of your MySQL clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem file.

After you have updated your clients, complete the rotation:

  1. Return to the Security tab.
  2. Click to expand Manage certificates.
  3. Select Rotate certificate.
  4. Confirm that your clients are connecting properly.
  5. If any clients are not connecting using the newly rotated certificate, you can select Rollback certificate to roll back to the previous configuration.

gcloud

  1. Create a server certificate:
    gcloud beta sql ssl server-ca-certs create \
    --instance=INSTANCE_NAME
  2. Download the certificate information to a local PEM file:
    gcloud beta sql ssl server-ca-certs list \
    --format="value(cert)" \
    --instance=INSTANCE_NAME > \
    FILE_PATH/FILE_NAME.pem
    
  3. Update all of your clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem files.
  4. After you have updated your clients, complete the rotation:
    gcloud beta sql ssl server-ca-certs rotate \
    --instance=INSTANCE_NAME
          
  5. Confirm that your clients are connecting properly.

    If any clients are not connecting using the newly rotated certificate, you can roll back to the previous configuration.

REST v1

  1. Download your server certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas

    You should receive a JSON response.

  2. Complete the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

    You should receive a JSON response.

REST v1beta4

  1. Download your server certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas

    You should receive a JSON response.

  2. Complete the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

    You should receive a JSON response.

Roll back a certificate rotation operation

After you complete a certificate rotation, your clients must all use the new certificate to connect to your Cloud SQL instance. If the clients were not updated properly to use the new certificate information, they will not be able to connect using SSL/TLS to your instance. If this happens, you can roll back to the previous certificate configuration.

A rollback operation moves the currently active certificate into the "upcoming" slot (replacing any current "upcoming" certificate). The "previous" certificate becomes the currently active certificate, returning your certificate configuration to the state it was in before you completed the rotation.

To roll back to the previous certificate configuration:

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.
  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Select Rollback certificate.

    The rotate option is grayed-out if there are no eligible certificates. Otherwise, the rollback action completes after a few seconds.

gcloud

gcloud beta sql ssl server-ca-certs rollback \
--instance=INSTANCE_NAME

REST v1

  1. Download your server certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas

    You should receive a JSON response.

  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

    Request JSON body:

    {
      "rotateServerCaContext": {"nextVersion": "sha1Fingerprint"}
    }
    

    You should receive a JSON response.

REST v1beta4

  1. Download your server certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas

    You should receive a JSON response.

  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

    Request JSON body:

    {
      "rotateServerCaContext": {"nextVersion": "sha1Fingerprint"}
    }
    

    You should receive a JSON response.

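An added example, not code from the Cloud SQL documentation, that works a constructed listServerCas response the way the rotation and rollback procedures above describe: it builds the PEM bundle of every listed server CA that clients install as server-ca.pem during a rotation, and it selects the CA whose createTime is immediately earlier than the activeVersion entry and builds the rotateServerCa body that rolls back to it. Field names (certs, activeVersion, sha1Fingerprint, createTime, cert) follow the API; the fingerprints, timestamps and PEM bodies are constructed and are not real certificates.

```python
"""Added example (not from the Cloud SQL docs): PEM trust bundle for a rotation and
rollback target selection, both from a constructed listServerCas response."""
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for GET .../instances/INSTANCE/listServerCas. The entries
# are deliberately not in creation order; the API does not promise any order.
LIST_SERVER_CAS_RESPONSE = json.dumps({
    "kind": "sql#instancesListServerCas",
    "activeVersion": "2222222222222222222222222222222222222222",
    "certs": [
        {"sha1Fingerprint": "3333333333333333333333333333333333333333",   # upcoming
         "createTime": "2024-09-01T00:00:00.000Z",
         "cert": "-----BEGIN CERTIFICATE-----\nVVBDT01JTkc=\n-----END CERTIFICATE-----\n"},
        {"sha1Fingerprint": "1111111111111111111111111111111111111111",   # previous
         "createTime": "2022-09-01T00:00:00.000Z",
         "cert": "-----BEGIN CERTIFICATE-----\nUFJFVklPVVM=\n-----END CERTIFICATE-----\n"},
        {"sha1Fingerprint": "2222222222222222222222222222222222222222",   # active
         "createTime": "2023-09-01T00:00:00.000Z",
         "cert": "-----BEGIN CERTIFICATE-----\nQUNUSVZF\n-----END CERTIFICATE-----\n"},
    ],
})
# Constructed response with a single CA: there is nothing to roll back to.
SINGLE_CA_RESPONSE = json.dumps({
    "activeVersion": "2222222222222222222222222222222222222222",
    "certs": [{"sha1Fingerprint": "2222222222222222222222222222222222222222",
               "createTime": "2023-09-01T00:00:00.000Z",
               "cert": "-----BEGIN CERTIFICATE-----\nQUNUSVZF\n-----END CERTIFICATE-----\n"}],
})


def _created(cert: dict) -> datetime:
    """Parse the API's RFC 3339 createTime (UTC, trailing Z)."""
    return datetime.strptime(cert["createTime"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def certs_by_age(list_json: str) -> list:
    """All listed server CAs, oldest first."""
    return sorted(json.loads(list_json)["certs"], key=_created)


def trust_bundle(list_json: str) -> str:
    """PEM bundle of every listed CA. Installed as server-ca.pem, it lets clients
    verify the server under the previous, active and upcoming CA alike, so they
    keep connecting whichever one is active once the rotation completes."""
    return "".join(c["cert"] for c in certs_by_age(list_json))


def previous_server_ca(list_json: str) -> Optional[dict]:
    """The CA created immediately before activeVersion (what a rollback reinstates),
    or None when the active CA is already the oldest one."""
    certs = certs_by_age(list_json)
    active = json.loads(list_json)["activeVersion"]
    idx = [c["sha1Fingerprint"] for c in certs].index(active)  # ValueError if absent
    return certs[idx - 1] if idx > 0 else None


def rollback_body(list_json: str) -> dict:
    """Body for POST .../rotateServerCa that rolls back instead of rotating forward."""
    prev = previous_server_ca(list_json)
    if prev is None:
        raise RuntimeError("no earlier server CA to roll back to")
    return {"rotateServerCaContext": {"nextVersion": prev["sha1Fingerprint"]}}
```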
Initiate a rotation

You do not need to wait for the email from Cloud SQL to start a rotation. You can start one at any time. When you start a rotation, a new certificate is created and placed into the "upcoming" slot. If a certificate was already in the "upcoming" slot, it is deleted; there can be only one upcoming certificate.

To initiate a rotation:

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.
  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click Create new certificate.
  6. Click to expand Manage certificates.
  7. Select Rotate certificate.

    The rotate option will be grayed-out if there are no eligible certificates.

  8. Complete the rotation as described in Rotating your server certificates.

gcloud

  1. Initiate the rotation:
    gcloud beta sql ssl server-ca-certs create \
    --instance=INSTANCE_NAME
         
  2. Complete the rotation as described in Rotating your server certificates.

REST v1

  1. Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

    You should receive a JSON response.

  2. Complete the rotation as described in Rotating your server certificates.

REST v1beta4

  1. Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

    You should receive a JSON response.

  2. Complete the rotation as described in Rotating your server certificates.

Get information about a server certificate

You can get information about your server certificate, such as when it expires or what level of encryption it provides.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.
  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.

    Below Manage server certificates, you can see the expiration date of your server certificate in the table.

    To see the certificate type, use the gcloud beta sql ssl server-ca-certs list --instance=INSTANCE_NAME command.

gcloud

gcloud beta sql ssl server-ca-certs list \
--instance=INSTANCE_NAME

REST v1

You can see details about the server certificate when you describe your instance:

Before using any of the request data, make the following replacements:

  • project-id: The project ID
  • instance-id: The instance ID

HTTP method and URL:

GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert

You should receive a JSON response.

REST v1beta4

You can see details about the server certificate when you describe your instance:

Before using any of the request data, make the following replacements:

  • project-id: The project ID
  • instance-id: The instance ID

HTTP method and URL:

GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert

You should receive a JSON response.

Reset the SSL/TLS configuration

You can completely reset your SSL/TLS configuration.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.
  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Scroll down to the Reset SSL configuration section.
  5. Click Reset SSL Configuration.

gcloud

  1. Refresh the certificate:

    gcloud sql instances reset-ssl-config INSTANCE_NAME

  2. Restart the instance:

    gcloud sql instances restart INSTANCE_NAME

  3. Create new client certificates.

REST v1beta4

  1. Refresh the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig

    You should receive a JSON response.

  2. Create new client certificates.