Configuring SSL for Instances

This page describes how to configure an instance to use SSL, and how to manage your server and client certificates.

For more information about using SSL with PostgreSQL, see SSL Support in the PostgreSQL documentation.

Introduction

Cloud SQL supports connecting to an instance using the Secure Sockets Layer (SSL) protocol. If you are not connecting to an instance through the Cloud SQL Proxy, use SSL so that the data you send to and receive from Google Cloud SQL is encrypted in transit.

Cloud SQL uses a self-signed server certificate and a client certificate (a public/private key pair) on the client (for example, an external application accessing the Cloud SQL instance). The server certificate lets the client verify that it is talking to the instance, and the client certificate identifies the client to the instance; together they enable the server (instance) and client (application) to encrypt their communication. You must have both a valid server certificate and a valid client certificate (key pair) to support encrypted communication.

Managing your server certificates

Google Cloud SQL creates a server certificate automatically when you create your instance. As long as the server certificate is valid, you do not need to actively manage your server certificate. However, the certificate has an expiration date; after that date, it is no longer valid, and clients are not able to establish a secure connection to your instance.

Getting information about your server certificate

You can get information about your server certificate, such as when it expires or what level of encryption it provides.

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.
  2. Click the instance name to open its Instance details page.
  3. Click Access Control > SSL.

    You can see the expiration date of your server certificate under SSL Configuration. To see the certificate type, use the Cloud SDK.

gcloud

You can see details about the server certificate when you describe your instance:

gcloud sql instances describe [INSTANCE_NAME]

The server certificate information is listed under serverCaCert.

cURL

You can see details about the server certificate when you describe your instance:

ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
     --header 'Content-Type: application/json' \
     -X GET \
     https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]?fields=serverCaCert
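The expiration date is the field that matters operationally: once it passes, clients cannot connect. The script below is an added example, not part of the Cloud SQL documentation, that checks a saved copy of the server certificate with openssl and fails when it is inside a warning window. It assumes the file holds the serverCaCert.cert value (on a real instance you would save it with `gcloud sql instances describe [INSTANCE_NAME] --format='value(serverCaCert.cert)'`); a self-signed certificate generated inline stands in for that file so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the Cloud SQL documentation: warn when the server
# certificate is about to expire, so the SSL configuration can be reset and
# client certificates reissued before clients lose secure connectivity.
#
# Assumptions:
#  - The file checked holds the PEM from serverCaCert.cert. On a real
#    instance you would save it with
#      gcloud sql instances describe INSTANCE_NAME \
#          --format='value(serverCaCert.cert)' > server-ca.pem
#  - A self-signed certificate generated below with openssl stands in for
#    that file so the script runs offline; it is not a Cloud SQL certificate.
set -eu

# notAfter of the certificate in $1, in openssl's own date format.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Exit 0 if the certificate in $1 is still valid $2 days from now, 1 if it
# expires inside that window (or already has). openssl does the date
# arithmetic, so this behaves the same on GNU and BSD userlands.
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# One-line status report; the exit status mirrors the check so the function
# can run unattended (cron, CI) and fail the job when rotation is due.
report_server_ca() {
    file=$1
    warn_days=$2
    if cert_valid_for_days "$file" "$warn_days"; then
        echo "OK: $file valid beyond $warn_days days (notAfter=$(cert_not_after "$file"))"
        return 0
    fi
    echo "WARNING: $file expires within $warn_days days (notAfter=$(cert_not_after "$file"))." >&2
    echo "         Run 'gcloud sql instances reset-ssl-config INSTANCE_NAME' and reissue client certificates." >&2
    return 1
}

# Constructed stand-in: self-signed certificate valid for $2 days, written
# to $1 (the throwaway private key goes to $1.key).
make_stub_server_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=stub-cloud-sql-server-ca" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Usage: sh check-server-ca.sh server-ca.pem [WARN_DAYS]
# With no arguments a 30-day stand-in certificate is generated and checked
# against a 60-day window, which deliberately trips the warning.
main() {
    if [ $# -ge 1 ]; then
        report_server_ca "$1" "${2:-30}"
    else
        dir=$(mktemp -d)
        make_stub_server_ca "$dir/server-ca.pem" 30
        report_server_ca "$dir/server-ca.pem" 60
    fi
}

# Run main only when executed under this file name, so the functions can
# also be sourced into other scripts.
case "${0##*/}" in check-server-ca.sh) main "$@" ;; esac
```

Save the script as check-server-ca.sh and run it against the PEM you exported; a nonzero exit status means the certificate expires inside the window, which is the cue to follow the refresh procedure below and distribute the new server-ca.pem to every client.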

Refreshing your server certificate

When your server certificate expires, you must create a new one. Refresh the server certificate before it expires so that your clients can keep connecting to the instance securely. Resetting the SSL configuration generates a new server certificate and revokes the existing client certificates, so plan to reissue client certificates and distribute the new server-ca.pem to every client at the same time.

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.
  2. Click the name of the instance to open its Instance details page.
  3. Click Access Control > SSL.
  4. Click Reset SSL Configuration.
  5. Click Revoke Certificates.
  6. Create new client certificates.

gcloud

  1. Refresh the certificate:
    gcloud sql instances reset-ssl-config [INSTANCE_NAME]
    
  2. Create new client certificates.

cURL

  1. Refresh the certificate:
    ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         --header 'Content-Type: application/json' \
         --header 'Content-Length: 0' \
         -X POST \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/resetSslConfig
    
  2. Create new client certificates.

Managing your client certificates

Creating a new client certificate

You can create up to 10 client certificates for each instance. If you lose the private key for a certificate, you must create a new one; the private key cannot be recovered.

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.
  2. Click the instance name to open its Instance details page.
  3. Click Access Control > SSL.
  4. In the Client Certificates section, click Create a Client Certificate.
  5. In the New client certificate dialog box, give the certificate a name unique for this instance and click Add.
  6. In the first section of the New SSL certificate created dialog box, click the link to download the private key to a file named client-key.pem.
  7. In the second section, click the link to download the client certificate to a file named client-cert.pem.
  8. In the third section, click the link to download the server certificate to a file named server-ca.pem.
  9. Click Close.

gcloud

  1. Create an SSL certificate using the ssl-certs create command:
    gcloud sql ssl-certs create [CERT_NAME] client-key.pem --instance [INSTANCE_NAME]
    
  2. Retrieve the public key you just created with the ssl-certs describe command:
    gcloud sql ssl-certs describe [CERT_NAME] --instance [INSTANCE_NAME] --format text
    
  3. Copy all of the certificate, from the first line "-----BEGIN CERTIFICATE-----" to the last line "-----END CERTIFICATE-----" to a file named client-cert.pem.
  4. Get the server certificate using the instances describe command:
    gcloud sql instances describe [INSTANCE_NAME] --format text
    
  5. Copy all of the certificate, from the first line "-----BEGIN CERTIFICATE-----" to the last line "-----END CERTIFICATE-----" to a file named server-ca.pem.

cURL

  1. Create an SSL certificate, giving it a unique name for this instance:
    ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         --header 'Content-Type: application/json' \
         --data '{"commonName" : "[CERT_NAME]"}' \
         -X POST \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/sslCerts
    
  2. Copy all of the certificate contents within the quotation marks (but not the quotation marks themselves) from the response into local files as follows:
    1. Copy serverCaCert.cert into server-ca.pem.
    2. Copy clientCert.cert into client-cert.pem.
    3. Copy certPrivateKey into client-key.pem.

At this point, you have:

  • A server certificate saved as server-ca.pem.
  • A client public key certificate saved as client-cert.pem.
  • A client private key saved as client-key.pem.
Depending on which tool you use to connect, these three items are specified in different ways. For example, when connecting with the psql command-line client, these three files are the values of the sslrootcert, sslcert, and sslkey parameters in the connection string; set sslmode=verify-ca as well, so that psql checks the server certificate against server-ca.pem instead of only encrypting the connection, and keep client-key.pem readable only by its owner, because libpq refuses a private key file with wider permissions. For an example connection using the psql client and SSL, see Connecting with psql Client.

Retrieving a client certificate

You can retrieve the public key portion of a client certificate. You cannot retrieve the private key, however. If you have lost your private key, you must create a new certificate.

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.
  2. Click the instance name to open its Instance details page.
  3. Click Access Control > SSL.
  4. In the Client Certificates section, click a certificate name to see the client certificate (client-cert.pem).

gcloud

  1. Retrieve a client public key certificate with the ssl-certs describe command:
    gcloud sql ssl-certs describe [CERT_NAME] --instance [INSTANCE_NAME] --format text
    
  2. Copy all of the certificate, from the first line "-----BEGIN CERTIFICATE-----" to the last line "-----END CERTIFICATE-----" to a file, for example client-cert.pem.

cURL

  1. List the certificates on the instance to get the fingerprint of the certificate you want to retrieve:
    ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         -X GET \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/sslCerts
    

    Record the sha1Fingerprint field for the certificate you want to retrieve. Do not include the quotation marks.

  2. Retrieve the certificate:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         -X GET \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/sslCerts/[FINGERPRINT]
    
  3. Copy all of the certificate data contained by the quotation marks to a file, for example client-cert.pem. Do not copy the quotation marks themselves.

Deleting a client certificate

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Platform Console.
  2. Click the instance name to open its Instance details page.
  3. Click Access Control > SSL.
  4. In the Client Certificates section, find the certificate you want to delete and click Delete.
  5. In the Delete client certificate dialog box, click OK.

gcloud

  1. Delete the SSL certificate using the ssl-certs delete command:
    gcloud sql ssl-certs delete [CERT_NAME] --instance [INSTANCE_NAME]
    

cURL

  1. List the certificates on the instance to get the fingerprint of the certificate you want to delete:
    ACCESS_TOKEN="$(gcloud auth application-default print-access-token)"
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         -X GET \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/sslCerts
    

    Record the sha1Fingerprint field for the certificate you want to delete. Do not include the quotation marks.

  2. Delete the certificate:
    curl --header "Authorization: Bearer ${ACCESS_TOKEN}" \
         -X DELETE \
         https://www.googleapis.com/sql/v1beta4/projects/[PROJECT-ID]/instances/[INSTANCE_NAME]/sslCerts/[FINGERPRINT]
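The three files left by "Creating a new client certificate" and the sha1Fingerprint that the sslCerts API uses to retrieve or delete a certificate come together in the following added example, which is not part of the Cloud SQL documentation. It checks that client-key.pem has permissions libpq will accept, that client-cert.pem and client-key.pem are a pair, that neither certificate has expired, and it prints the certificate's SHA-1 fingerprint in lowercase colon-free form so you can match a local file to an entry in the list response before deleting it. Assumptions: the API's sha1Fingerprint uses that form (compare with your own `gcloud sql ssl-certs list` output), libpq rejects a key file that is group- or world-accessible, and the certificates in the demo are generated inline with openssl as stand-ins rather than real Cloud SQL certificates.

```shell
#!/bin/sh
# Added example, not from the Cloud SQL documentation: pre-flight checks for
# the three files produced above (server-ca.pem, client-cert.pem,
# client-key.pem) before handing them to psql, plus the SHA-1 fingerprint
# the sslCerts API uses to address a client certificate.
#
# Assumptions:
#  - libpq refuses a private key file that is group- or world-accessible
#    (mode wider than 0600 when the file is owned by the connecting user).
#  - The API's sha1Fingerprint is the lowercase, colon-free hex SHA-1 of the
#    DER-encoded certificate; compare against `gcloud sql ssl-certs list`
#    for your instance before relying on this.
#  - The certificates used in the demo are generated here with openssl as
#    stand-ins; they are not real Cloud SQL certificates.
set -eu

# SHA-1 fingerprint of the certificate in $1 as 40 lowercase hex characters,
# i.e. the [FINGERPRINT] path element of the sslCerts GET/DELETE calls.
cert_sha1_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 -in "$1" \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Subject CN of the certificate in $1: the name given at creation.
cert_common_name() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 if the key file's mode grants nothing to group or others.
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU, then BSD
    case $mode in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Exit 0 if certificate $1 and private key $2 carry the same public key.
cert_key_match() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
    key_pub=$(openssl pkey -pubout -in "$2" | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Run every check on CA=$1 CERT=$2 KEY=$3. On success print the identity the
# API would show for the certificate and a libpq connection string that
# verifies the server against server-ca.pem (sslmode=require would not).
preflight() {
    ca=$1 cert=$2 key=$3
    failed=0
    key_mode_ok "$key" \
        || { echo "FAIL: $key must be mode 0600 (libpq rejects wider modes)" >&2; failed=1; }
    cert_key_match "$cert" "$key" \
        || { echo "FAIL: $cert and $key are not a pair" >&2; failed=1; }
    openssl x509 -noout -checkend 0 -in "$cert" >/dev/null 2>&1 \
        || { echo "FAIL: $cert has expired; create a new client certificate" >&2; failed=1; }
    openssl x509 -noout -checkend 0 -in "$ca" >/dev/null 2>&1 \
        || { echo "FAIL: $ca has expired; reset the instance SSL configuration" >&2; failed=1; }
    [ "$failed" -eq 0 ] || return 1
    echo "commonName=$(cert_common_name "$cert") sha1Fingerprint=$(cert_sha1_fingerprint "$cert")"
    echo "sslmode=verify-ca sslrootcert=$ca sslcert=$cert sslkey=$key"
}

# Constructed stand-in: self-signed cert with CN=$1, key to $2, cert to $3.
make_stub_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1" -keyout "$2" -out "$3" >/dev/null 2>&1
    chmod 600 "$2"
}

# Usage: sh preflight.sh server-ca.pem client-cert.pem client-key.pem
# With no arguments, stand-in files are generated and checked.
main() {
    if [ $# -eq 3 ]; then
        preflight "$1" "$2" "$3"
    else
        dir=$(mktemp -d)
        make_stub_cert stub-server-ca "$dir/server-ca.key" "$dir/server-ca.pem"
        make_stub_cert my-app-cert "$dir/client-key.pem" "$dir/client-cert.pem"
        preflight "$dir/server-ca.pem" "$dir/client-cert.pem" "$dir/client-key.pem"
    fi
}

# Run main only when executed under this file name, so the functions can
# also be sourced into other scripts.
case "${0##*/}" in preflight.sh) main "$@" ;; esac
```

The printed connection string is the value to pass to psql; the printed sha1Fingerprint is what to look for in the sslCerts list response when you later need to retrieve or delete that certificate, which avoids deleting the wrong one when several certificates share similar names.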
    
