This page describes how to configure an instance to use SSL/TLS. Learn more about using SSL/TLS with Cloud SQL.
Overview
Cloud SQL creates a server certificate (server-ca.pem) automatically when you create your instance.
To use SSL/TLS, you create a client certificate and download the client certificate, its private key, and the server certificate (server-ca.pem) to your PostgreSQL client host machine. If you plan to connect using SSL/TLS, we recommend that you require all connections to use SSL/TLS, so that a misconfigured client cannot silently fall back to an unencrypted connection.
Requiring SSL/TLS
When requiring SSL/TLS is enabled, clients must connect either through the Cloud SQL Proxy or with SSL/TLS certificates. If you do not require SSL/TLS, clients that do not present a valid certificate, including clients that connect without encryption, are allowed to connect.
To enable requiring SSL/TLS:
Console
- Go to the Cloud SQL Instances page in the Google Cloud Console.
- Click the instance name to open its Instance details page.
- Click the Connections link in the left navigation pane.
- Scroll down to the SSL connections section.
- Click Allow only SSL connections.
gcloud
gcloud sql instances patch [INSTANCE_NAME] --require-ssl
REST v1beta4
Before using any of the request data below, make the following replacements:
- project-id: The project ID
- instance-id: The instance ID
HTTP method and URL:
PATCH https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id
Request JSON body:
{ "settings": { "ipConfiguration": {"requireSsl": "true"} } }
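Enforcing the setting on one instance is the easy part; what a practitioner usually wants is a check that no instance in the project was left with the default. The following is an added Go example, not code from the original page: it parses the JSON that `gcloud sql instances list --format=json` prints (the instance list embedded in the block is constructed sample data, not a real project), reports every instance whose settings.ipConfiguration.requireSsl is false or absent, and emits the gcloud command from this page that fixes each one.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// sqlInstance mirrors the part of a Cloud SQL instance resource that this
// check reads: settings.ipConfiguration.requireSsl. Other fields are ignored.
type sqlInstance struct {
	Name     string `json:"name"`
	Settings struct {
		IPConfiguration struct {
			RequireSSL bool `json:"requireSsl"`
		} `json:"ipConfiguration"`
	} `json:"settings"`
}

// sampleInstances is constructed sample data shaped like the output of
// `gcloud sql instances list --format=json`; it is not a real project.
const sampleInstances = `[
  {"name": "prod-pg", "settings": {"ipConfiguration": {"requireSsl": true}}},
  {"name": "staging-pg", "settings": {"ipConfiguration": {"requireSsl": false}}},
  {"name": "dev-pg", "settings": {"ipConfiguration": {}}}
]`

// PlaintextAllowed returns, sorted by name, every instance whose requireSsl
// flag is false or absent. An absent flag is treated as false, the default,
// and in both cases clients may connect without SSL/TLS.
func PlaintextAllowed(listJSON []byte) ([]string, error) {
	var instances []sqlInstance
	if err := json.Unmarshal(listJSON, &instances); err != nil {
		return nil, fmt.Errorf("parse instance list: %w", err)
	}
	var open []string
	for _, inst := range instances {
		if !inst.Settings.IPConfiguration.RequireSSL {
			open = append(open, inst.Name)
		}
	}
	sort.Strings(open)
	return open, nil
}

// RemediationCommands returns the gcloud command from this page for each
// instance that still allows plaintext connections.
func RemediationCommands(listJSON []byte) ([]string, error) {
	names, err := PlaintextAllowed(listJSON)
	if err != nil {
		return nil, err
	}
	cmds := make([]string, 0, len(names))
	for _, name := range names {
		cmds = append(cmds, "gcloud sql instances patch "+name+" --require-ssl")
	}
	return cmds, nil
}

func main() {
	cmds, err := RemediationCommands([]byte(sampleInstances))
	if err != nil {
		panic(err)
	}
	for _, c := range cmds {
		fmt.Println(c)
	}
}
```

Feed it real data with `gcloud sql instances list --format=json > instances.json` and `os.ReadFile`; the sample above produces patch commands for staging-pg and dev-pg only.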
Server certificates
Cloud SQL creates a server certificate automatically when you create your instance. As long as the server certificate is valid, you do not need to actively manage your server certificate. However, the certificate has an expiration date of 10 years; after that date, it is no longer valid, and clients are not able to establish a secure connection to your instance using that certificate. You are notified when the server certificate is nearing expiration.
In the console you can get information about your server certificate, such as when it was created and when it expires, or manually create a new one.
Console
- Go to the Cloud SQL Instances page in the Google Cloud Console.
- Click the instance name to open its Instance details page.
- Click the Connections link in the left navigation pane.
- Scroll down to the Server SSL configurations section.
You can see the expiration date of your server certificate in the table.
Client certificates
Creating a new client certificate
You can create up to 10 client certificates for each instance. If you lose the private key for a certificate, you must create a new one; the private key cannot be recovered. By default, the client certificate has an expiration date of 10 years. You are not notified when client certificates are nearing expiration.
Console
- Go to the Cloud SQL Instances page in the Google Cloud Console.
- Click the instance name to open its Instance details page.
- Click the Connections link in the left navigation pane.
- Scroll down to the Client SSL configuration section.
- Click Create a client certificate.
- In the Create a client certificate dialog box, add a unique name.
- Click Create.
- In the first section of the New SSL certificate created dialog box, click Download client-key.pem to download the private key to a file named client-key.pem.
- In the second section, click Download client-cert.pem to download the client certificate to a file named client-cert.pem.
- In the third section, click Download server-ca.pem to download the server certificate to a file named server-ca.pem.
- Click Close.
gcloud
Create a client certificate using the ssl client-certs create command. The file name you pass is where the command writes the private key; it is not shown again, so keep the file:
gcloud sql ssl client-certs create [CERT_NAME] client-key.pem --instance=[INSTANCE_NAME]
Retrieve the public key certificate you just created and copy it into the client-cert.pem file with the ssl client-certs describe command:
gcloud sql ssl client-certs describe [CERT_NAME] --instance=[INSTANCE_NAME] --format="value(cert)" > client-cert.pem
Copy the server certificate into the server-ca.pem file using the instances describe command:
gcloud sql instances describe [INSTANCE_NAME] --format="value(serverCaCert.cert)" > server-ca.pem
REST v1beta4
Create an SSL/TLS certificate, giving it a unique name for this instance:
Before using any of the request data below, make the following replacements:
- project-id: The project ID
- instance-id: The instance ID
- client-cert-name: The client cert name
HTTP method and URL:
POST https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts
Request JSON body:
{ "commonName" : "client-cert-name" }
Copy all of the certificate contents within the quotation marks (but not the quotation marks themselves) from the API response into local files as follows:
- Copy serverCaCert.cert into server-ca.pem.
- Copy clientCert.cert into client-cert.pem.
- Copy certPrivateKey into client-key.pem.
The JSON response encodes the line breaks inside each PEM value as \n escape sequences; the files must contain real line breaks, so decode the strings with a JSON-aware tool rather than pasting the escaped text. The private key appears only in this response and cannot be retrieved later, so save it immediately.
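Whichever of the three procedures above you used, it is worth checking the files before the first connection attempt, and the same check covers the server certificate expiry described earlier. The following is an added Go example, not code from the original page: CheckBundle confirms that server-ca.pem is a self-signed CA certificate, that client-key.pem belongs to client-cert.pem, and that neither certificate has expired or is about to, which matters because Cloud SQL does not warn you about expiring client certificates. The certificates and keys it runs against are generated locally by MakeTestBundle as constructed test material; for your real files, read them with os.ReadFile instead.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// pemBlock returns the DER bytes of the first PEM block, which must have the expected type.
func pemBlock(data []byte, wantType string) ([]byte, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != wantType {
		return nil, fmt.Errorf("no %s block found", wantType)
	}
	return block.Bytes, nil
}

// CheckBundle validates server-ca.pem, client-cert.pem and client-key.pem against each
// other and against the clock, returning one message per problem (none means the files
// are usable). Certificates expiring within warnWithin are reported too. The key is
// expected in PKCS#1 form ("BEGIN RSA PRIVATE KEY"); a PKCS#8 key would need ParsePKCS8PrivateKey.
func CheckBundle(serverCA, clientCert, clientKey []byte, now time.Time, warnWithin time.Duration) []string {
	var problems []string
	certs := map[string]*x509.Certificate{}
	files := map[string][]byte{"server-ca.pem": serverCA, "client-cert.pem": clientCert}
	for _, name := range []string{"server-ca.pem", "client-cert.pem"} {
		der, err := pemBlock(files[name], "CERTIFICATE")
		if err == nil {
			certs[name], err = x509.ParseCertificate(der)
		}
		if err != nil {
			problems = append(problems, name+": "+err.Error())
		}
	}
	keyDER, err := pemBlock(clientKey, "RSA PRIVATE KEY")
	key, errParse := x509.ParsePKCS1PrivateKey(keyDER) // nil input is rejected, not a panic
	if err != nil || errParse != nil {
		problems = append(problems, "client-key.pem: no valid RSA PRIVATE KEY block")
	}
	if len(problems) > 0 {
		return problems // nothing more can be checked on unparseable input
	}
	// sslmode=verify-ca trusts exactly this file, so it must be a self-signed CA certificate.
	if ca := certs["server-ca.pem"]; !ca.IsCA || ca.CheckSignatureFrom(ca) != nil {
		problems = append(problems, "server-ca.pem is not a self-signed CA certificate")
	}
	// A key that does not belong to the certificate makes the TLS handshake fail.
	if !key.PublicKey.Equal(certs["client-cert.pem"].PublicKey) {
		problems = append(problems, "client-key.pem does not match client-cert.pem")
	}
	for _, name := range []string{"server-ca.pem", "client-cert.pem"} {
		left := certs[name].NotAfter.Sub(now)
		if left < 0 {
			problems = append(problems, name+" expired on "+certs[name].NotAfter.Format("2006-01-02"))
		} else if left < warnWithin {
			problems = append(problems, fmt.Sprintf("%s expires in %d days", name, int(left.Hours()/24)))
		}
	}
	return problems
}

// Bundle is constructed test material shaped like the downloaded files; WrongKey does not belong to ClientCert.
type Bundle struct{ ServerCA, ClientCert, ClientKey, WrongKey []byte }

// MakeTestBundle generates a self-signed CA and a client certificate it signs, valid for clientLifetime from now.
func MakeTestBundle(now time.Time, clientLifetime time.Duration) Bundle {
	caKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	cKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil {
		panic("key generation failed") // acceptable for test material
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err1 := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	cTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed client cert"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(clientLifetime), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cDER, err2 := x509.CreateCertificate(rand.Reader, cTmpl, caTmpl, &cKey.PublicKey, caKey)
	if err1 != nil || err2 != nil {
		panic("certificate creation failed")
	}
	pemOf := func(t string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: t, Bytes: b}) }
	return Bundle{ServerCA: pemOf("CERTIFICATE", caDER), ClientCert: pemOf("CERTIFICATE", cDER),
		ClientKey: pemOf("RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(cKey)),
		WrongKey:  pemOf("RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(caKey))}
}

func main() {
	now := time.Now()
	b := MakeTestBundle(now, 30*24*time.Hour) // a client certificate with only 30 days left
	fmt.Println(CheckBundle(b.ServerCA, b.ClientCert, b.WrongKey, now, 90*24*time.Hour))
}
```

Run as-is, main deliberately pairs the client certificate with the wrong key and a 90-day warning window, so it reports the mismatch and the approaching expiry; with the right key and a certificate that has years left it prints an empty list.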
At this point, you have:
- A server certificate saved as server-ca.pem.
- A client public key certificate saved as client-cert.pem.
- A client private key saved as client-key.pem.
Use these files as the values of the sslrootcert, sslcert, and sslkey parameters in the psql connection string. Keep client-key.pem readable only by the user that runs psql; libpq refuses a key file that group or other users can read. For an example connection using the psql client and SSL/TLS, see Connecting with psql Client.
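Assembling the psql connection string from these files, as an added Go example that is not part of the original page. The certificate directory, IP address, user and database name are placeholders. Besides building the string in the key/value form psql accepts, it applies the libpq rule that trips people up most often: a client key file that other users can read is refused with "private key file has group or world access", so client-key.pem must be mode 0600 before the connection is attempted.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ConnParams are the placeholders a connection needs besides the three
// certificate files: the directory holding them, the instance IP address,
// the database user and the database name.
type ConnParams struct {
	CertDir, HostAddr, User, DBName string
}

// CheckKeyPermissions applies libpq's rule for sslkey: a key file owned by
// the current user must not be readable by group or others (mode 0600),
// otherwise psql refuses it with "private key file has group or world access".
func CheckKeyPermissions(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if mode := info.Mode().Perm(); mode&0o077 != 0 {
		return fmt.Errorf("%s has mode %04o; run: chmod 0600 %s", path, mode, path)
	}
	return nil
}

// ConnString builds the key/value connection string that psql accepts.
// sslmode=verify-ca makes libpq encrypt the session and require the server
// certificate to chain to server-ca.pem, so a man-in-the-middle presenting a
// different certificate is rejected; require or prefer do not promise that.
func ConnString(p ConnParams) (string, error) {
	key := filepath.Join(p.CertDir, "client-key.pem")
	if err := CheckKeyPermissions(key); err != nil {
		return "", err
	}
	parts := []string{
		"sslmode=verify-ca",
		"sslrootcert=" + filepath.Join(p.CertDir, "server-ca.pem"),
		"sslcert=" + filepath.Join(p.CertDir, "client-cert.pem"),
		"sslkey=" + key,
		"hostaddr=" + p.HostAddr,
		"user=" + p.User,
		"dbname=" + p.DBName,
	}
	return strings.Join(parts, " "), nil
}

func main() {
	// Placeholder values; replace with the directory you downloaded the files
	// to and your instance's IP address.
	p := ConnParams{CertDir: "/etc/cloudsql-certs", HostAddr: "203.0.113.10", User: "postgres", DBName: "postgres"}
	dsn, err := ConnString(p)
	if err != nil {
		fmt.Println("refusing to connect:", err)
		return
	}
	fmt.Printf("psql %q\n", dsn)
}
```

The printed line is the psql invocation to run; if the key permissions are wrong the program stops with the chmod command to fix them instead of letting psql fail later with a less obvious message.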
What's next
- Connect using SSL/TLS to your Cloud SQL instance.
- Manage SSL/TLS on your Cloud SQL instance.
Learn more about how PostgreSQL uses SSL/TLS.