Configuring SSL/TLS certificates

MySQL | PostgreSQL | SQL Server

This page describes how to configure an instance to use SSL/TLS. Learn more about using SSL/TLS with Cloud SQL.

Overview

Cloud SQL creates a server certificate (server-ca.pem) automatically when you create your instance.

To use SSL/TLS you need to create a client certificate and download the certificates to your PostgreSQL client host machine.

If you plan to connect using SSL/TLS, we recommend that you enforce all connections to use SSL/TLS.

You do not need to restart the instance after changing SSL/TLS certificates. If a restart is required, this will be done automatically during the SSL update event.

Requiring SSL/TLS

When requiring SSL/TLS is enabled, you can either use the Cloud SQL Auth proxy or SSL/TLS certificates to connect to your Cloud SQL instance. If you do not require SSL/TLS, clients without a valid certificate are allowed to connect.

To enable requiring SSL/TLS:

Console

In the Google Cloud Console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
Click the instance name to open its Overview page.
Click Connections from the SQL navigation menu.
Scroll down to the Security section.
Click Allow only SSL connections.

gcloud

gcloud sql instances patch INSTANCE_NAME
--require-ssl

REST v1beta4

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

Request JSON body:

{
  "settings": {
    "ipConfiguration": {"requireSsl": "true"}
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The command below assumes that you have used either gcloud init or gcloud auth login to authenticate gcloud with your user account. You can check the currently active account by executing gcloud auth list.

Save the request body in a file called request.json, and execute the following command:

curl -X PATCH \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

PowerShell (Windows)

Save the request body in a file called request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method PATCH `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

Server certificates

Cloud SQL creates a server certificate automatically when you create your instance. As long as the server certificate is valid, you do not need to actively manage your server certificate. However, the certificate has an expiration date of 10 years; after that date, it is no longer valid, and clients are not able to establish a secure connection to your instance using that certificate. You're periodically notified that the server certificate is nearing expiration. The notifications are sent the following number of days before the expiration date: 90, 30, 10, 2, and 1.

You can get information about your server certificate, such as when it was created and when it expires, or manually create a new one.

Console

In the Google Cloud Console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
Click the instance name to open its Overview page.
Click Connections from the SQL navigation menu.
Scroll down to the Manage server certificates section.
You can see the expiration date of your server certificate in the table.

gcloud

Get information about the service certificate:

gcloud beta sql ssl server-ca-certs list \
--instance=INSTANCE_NAME

Create a server certificate:

gcloud beta sql ssl server-ca-certs create \
--instance=INSTANCE_NAME

Download the certificate information to a local PEM file:

gcloud beta sql ssl server-ca-certs list \
--format="value(cert)" \
--instance=INSTANCE_NAME > \
FILE_PATH/FILE_NAME.pem

Update all of your clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem files.

Client certificates

Creating a new client certificate

You can create up to 10 client certificates for each instance. If you lose the private key for a certificate, you must create a new one; the private key cannot be recovered. By default, the client certificate has an expiration date of 10 years. You are not notified when client certificates are nearing expiration.

Console

In the Google Cloud Console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
Click the instance name to open its Overview page.
Click Connections from the SQL navigation menu.
Scroll down to the Security section.
Click Create client certificate.
In the Create a client certificate dialog box, add a unique name.
Click Create.
In the first section of the New SSL certificate created dialog box, click Download client-key.pem to download the private key to a file named client-key.pem.
Important: Store this private key securely. If you lose it, you must create a new client certificate.
In the second section, click Download client-cert.pem to download the client certificate to a file named client-cert.pem.
In the third section, click Download server-ca.pem to download the server certificate to a file named server-ca.pem.
Click Close.

gcloud

Create a client certificate using the ssl client-certs create command:
```
gcloud sql ssl client-certs create CERT_NAME client-key.pem \
--instance=INSTANCE_NAME
```
Important: Store this private key securely. If you lose it, you must create a new client certificate.
Retrieve the public key for the certificate you just created and copy it into the client-cert.pem file with the ssl client-certs describe command:
```
gcloud sql ssl client-certs describe CERT_NAME \
--instance=INSTANCE_NAME \
--format="value(cert)" > client-cert.pem
```

Copy the server certificate into the server-ca.pem file using the instances describe command:

gcloud sql instances describe INSTANCE_NAME \
--format="value(serverCaCert.cert)" > server-ca.pem

REST v1beta4

Create an SSL/TLS certificate, giving it a unique name for this instance:

Before using any of the request data below, make the following replacements:

project-id: The project ID
instance-id: The instance ID
client-cert-name: The client cert name

HTTP method and URL:

POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts

Request JSON body:

{
  "commonName" : "client-cert-name"
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file called request.json, and execute the following command:

curl -X POST \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts

PowerShell (Windows)

Save the request body in a file called request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -ContentType: "application/json; charset=utf-8" `
  -InFile request.json `
  -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#sslCertsInsert",
  "operation": {
    "kind": "sql#operation",
    "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
    "status": "PENDING",
    "user": "user@example.com",
    "operationType": "UPDATE",
    "name": "operation-id",
    "targetId": "instance-id",
    "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
    "targetProject": "doc-test-01",
    "insertTime": "2020-02-13T00:11:20.677Z"
  },
  "serverCaCert": {
    "kind": "sql#sslCert",
    "certSerialNumber": "server-cert-serial-number",
    "cert": "server-cert-value",
    "commonName": "server-cert-name,
    "sha1Fingerprint": "server-cert-sha1Fingerprint",
    "instance": "instance-id",
    "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/operation-id",
    "createTime": "2019-11-25T20:12:06.764Z",
    "expirationTime": "2029-11-22T20:13:06.764Z"
  },
  "clientCert": {
    "certInfo": {
      "kind": "sql#sslCert",
      "certSerialNumber": "client-cert-serial-number-2",
      "cert": "client-cert-value",
      "commonName": "client-cert-name",
      "sha1Fingerprint": "client-cert-sha1Fingerprint-2",
      "instance": "instance-id",
      "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/operation-id",
      "createTime": "2020-02-13T00:10:20.595Z",
      "expirationTime": "2030-02-10T00:11:20.595Z"
    },
    "certPrivateKey": "private-key-value"
  }
}

Copy all of the certificate contents within the quotation marks (but not the quotation marks themselves) from the response into local files as follows:
1. Copy serverCaCert.cert into server-ca.pem.
2. Copy clientCert.cert into client-cert.pem.
3. Copy certPrivateKey into client-key.pem.
Important: Store this private key securely. If you lose it, you must create a new client certificate.

At this point, you have:

A server certificate saved as server-ca.pem.
A client public key certificate saved as client-cert.pem.
A client private key saved as client-key.pem.

Depending on which tool you use to connect, these three items are specified in different ways. For example, when connecting using psql command-line client, these three files are the values for the sslrootcert, sslcert, and sslkey parameters in the psql connection string. For an example connection using psql client and SSL/TLS, see Connecting with psql client.

What's next

Manage SSL/TLS certificates on your Cloud SQL instance.
Connect to your Cloud SQL instance using SSL/TLS certificates.
Learn more about how PostgreSQL uses SSL/TLS certificates.