This page describes how to view and implement recommendations about rotating server certificates for instances whose server certificates are about to expire within 30 days. If an instance's server certificate is about to expire within 30 days, then the clients using this certificate won't be able securely connect to the instance, making them vulnerable to security breaches. This recommender is called Rotate server certificate.
Every day, this recommender checks instances for expiring certificates and provides insights and recommendations to improve your instance security. You can view insights and detailed recommendations about these instances by using the Google Cloud console, gcloud CLI, or the Recommender API.
Before you begin
Ensure that you enable the Recommender API.
Required roles and permissions
To get the permissions to view and work with insights and recommendations, ensure that you have the required Identity and Access Management (IAM) roles.
| Tasks | Roles |
|---|---|
| View recommendations |
recommender.cloudsqlViewer or
cloudsql.admin.
|
| Apply recommendations |
cloudsql.editor
or cloudsql.admin.
|
List the recommendations
To list the recommendations, follow these steps:
Console
Go to the Recommendation Hub.
For more information, see Exploring recommendations.
In the Secure Cloud SQL instances card, click View all. The Security Recommendations page appears. It lists the recommendations along with the instances to which these recommendations apply.
gcloud
Run the gcloud recommender recommendations list command as follows:
gcloud recommender recommendations list \ --project=PROJECT_ID \ --location=LOCATION \ --recommender=google.cloudsql.instance.SecurityRecommender \ --filter=recommenderSubtype=ROTATE_SERVER_CERT
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION: A region where your instances are located, such as us-central1.
API
Call the recommendations.list method as follows:
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/recommenders/google.cloudsql.instance.SecurityRecommender/recommendations?filter=recommenderSubtype=ROTATE_SERVER_CERT
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION: A region where your instances are located, such as
us-central1.
View insights and detailed recommendations
To view insights and detailed recommendations, follow these steps:
Console
On the Security Recommendations page, click the recommendation for an instance. The recommendation panel appears, which contains insights and detailed recommendations.
gcloud
Run the gcloud recommender insights list command as follows:
gcloud recommender insights list \ --project=PROJECT_ID \ --location=LOCATION \ --insight-type=google.cloudsql.instance.SecurityInsight \ --filter=insightSubtype=SERVER_CERT_EXPIRING
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION : A region where your instances are located, such as
us-central1.
API
Call the insights.list method as follows:
GET https://recommender.googleapis.com/v1beta1/projects/PROJECT_ID/locations/LOCATION/insightTypes/google.cloudsql.instance.SecurityInsight/insights?filter=insightSubtype=SERVER_CERT_EXPIRING
Replace the following:
- PROJECT_ID: Your project ID.
- LOCATION: A region where your instances are located, such as
us-central1.
Apply the recommendation
Console
To implement the recommendation, click Manage server certificates and rotate server certificates on your instance.
gcloud
To implement the recommendation, rotate server certificates on your instance.
API
To implement the recommendation, rotate server certificates on your instance.