Managing SSL/TLS certificates

This page describes how to manage your client and server certificates.

Managing client certificates

Retrieving a client certificate

You can retrieve the public key portion (the certificate itself) of a client certificate. You cannot retrieve the private key: it is shown only when the certificate is created and is not stored by Cloud SQL. If you have lost a private key, create a new client certificate and delete the old one.

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.

  2. Click the instance name to open its Instance details page.
  3. Click the Connections link in the left navigation pane.
  4. Scroll down to the Configure SSL client certificates section.
  5. Click a certificate name. The SSL Client Certificate dialog box opens and shows the client certificate (client-cert.pem).

gcloud

Retrieve the client certificate public key with the ssl client-certs describe command:

gcloud sql ssl client-certs describe [CERT_NAME] --instance=[INSTANCE_NAME] --format="value(cert)" > client-cert.pem

REST

  1. List the certificates on the instance to get the fingerprint of the certificate you want to retrieve:

    Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts


    In the response, record the sha1Fingerprint field of the certificate you want to retrieve. Do not include the quotation marks.

  2. Retrieve the certificate:

    Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL:

    GET https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint


  3. Copy all of the certificate data contained by the quotation marks to a file, for example client-cert.pem. Do not copy the quotation marks themselves. Note that the cert value is a JSON string, so its line breaks appear as \n escape sequences; they must be written to the file as real newlines or the PEM will not parse.
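Doing the same extraction programmatically, as an added example that is not part of the Cloud SQL documentation or of gcloud: the script parses an sslCerts list response, selects the certificate by its commonName, lets json.loads turn the \n escapes into real line breaks, and refuses to write the PEM if its fingerprint does not match the sha1Fingerprint listed beside it (assumed here to be the usual SHA-1 over the DER encoding). SAMPLE_RESPONSE is constructed: its cert values are base64 of placeholder bytes, not real certificates, and their fingerprints are derived from those bytes so the check runs offline.

```python
"""Retrieve a client certificate from a Cloud SQL sslCerts list response.

Added example; not code from the Cloud SQL documentation or gcloud.
SAMPLE_RESPONSE is constructed: each "cert" is base64 of placeholder bytes,
not an X.509 certificate, and its sha1Fingerprint is SHA-1 over those bytes
so the integrity check can run offline.
"""
import base64
import hashlib
import json
import ssl
import textwrap


def _fake_pem(der: bytes) -> str:
    """PEM-armor placeholder bytes, 64 columns per line like a real certificate."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def _entry(common_name: str, der: bytes) -> dict:
    return {
        "kind": "sql#sslCert",
        "commonName": common_name,
        "sha1Fingerprint": hashlib.sha1(der).hexdigest(),
        "cert": _fake_pem(der),
        "expirationTime": "2030-01-01T00:00:00.000Z",
    }


# Serialised the way the API returns it: the line breaks inside "cert"
# travel as \n escape sequences within a JSON string.
SAMPLE_RESPONSE = json.dumps({
    "kind": "sql#sslCertsList",
    "items": [
        _entry("client1", b"placeholder, not a certificate: client1"),
        _entry("client2", b"placeholder, not a certificate: client2"),
    ],
})


def pem_sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER encoding, the usual certificate fingerprint."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def find_client_cert(response_json: str, common_name: str) -> dict:
    """Return the single sslCert entry with this commonName."""
    items = json.loads(response_json).get("items", [])
    matches = [c for c in items if c.get("commonName") == common_name]
    if len(matches) != 1:
        raise LookupError(f"expected one cert named {common_name!r}, found {len(matches)}")
    return matches[0]


def fingerprint_matches(entry: dict) -> bool:
    """Does the PEM in the entry hash to the fingerprint the API listed beside it?"""
    listed = entry["sha1Fingerprint"].replace(":", "").lower()
    return pem_sha1_fingerprint(entry["cert"]) == listed


def extract_pem(entry: dict) -> str:
    """PEM text ready to write to client-cert.pem. json.loads has already turned
    the \\n escapes into real newlines, so no hand editing is needed."""
    if not fingerprint_matches(entry):
        raise ValueError("certificate does not match its listed sha1Fingerprint")
    return entry["cert"]


def save_client_cert(response_json: str, common_name: str, path: str) -> str:
    """Write the verified PEM to path and return it."""
    pem = extract_pem(find_client_cert(response_json, common_name))
    with open(path, "w") as fh:
        fh.write(pem)
    return pem


if __name__ == "__main__":
    print(save_client_cert(SAMPLE_RESPONSE, "client1", "client-cert.pem"), end="")
```

To use it against a real instance, feed the body of the GET .../sslCerts response to save_client_cert in place of SAMPLE_RESPONSE; the fingerprint check then confirms that what you saved is the certificate the API listed.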

Deleting a client certificate

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.

  2. Click the instance name to open its Instance details page.
  3. Click the Connections link in the left navigation pane.
  4. Scroll down to the Configure SSL client certificates section.
  5. Find the certificate you want to delete and click Delete.
  6. In the Delete client certificate dialog box, click OK.

gcloud

Delete the client certificate using the ssl client-certs delete command:

gcloud sql ssl client-certs delete [CERT_NAME] --instance=[INSTANCE_NAME]

REST

  1. List the certificates on the instance to get the fingerprint of the certificate you want to delete:

    Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts


    In the response, record the sha1Fingerprint field of the certificate you want to delete. Do not include the quotation marks.

  2. Delete the certificate:

    Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL:

    DELETE https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint


Managing server certificates

Rotating server certificates

If you've received a notice about your certificates expiring, or you have initiated a rotation, then you must take the following steps to complete the rotation:

  1. Download the new server certificate information.
  2. Update your clients to use the new server certificate information.
  3. Complete the rotation, which moves the currently active certificate into the "previous" slot and updates the newly added certificate to be the active certificate.

Console

Download the new server certificate information:

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.
  2. Click the instance name to open its Instance details page.
  3. Click the Connections link in the left navigation pane.
  4. Scroll down to the Configure SSL server certificates section.
  5. Click Create new certificate.
  6. Scroll down to Download SSL server certificates section.
  7. Click Download.

The server certificate information, encoded as a PEM file, is downloaded to your local environment.

Update all of your PostgreSQL clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem file.

After you have updated your clients, complete the rotation:

  1. Return to the Configure SSL server certificates section.
  2. Click Rotate certificate.
  3. Confirm that your clients are connecting properly.
  4. If any clients are not connecting using the newly rotated certificate, you can click Rollback certificate to rollback to the previous configuration.

gcloud

  1. Download the certificate information to a local PEM file:

    gcloud beta sql ssl server-ca-certs list --format="value(cert)" \
        --instance=[INSTANCE_NAME] > [FILE_PATH]/[FILE_NAME].pem

    The file contains every server CA certificate currently on the instance (the active one and the upcoming one), so a client that trusts it keeps connecting both before and after you complete the rotation.

  2. Update all of your clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem files.
  3. After you have updated every client, complete the rotation:

    gcloud beta sql ssl server-ca-certs rotate --instance=[INSTANCE_NAME]

  4. Confirm that your clients are connecting properly.

    If any clients are not connecting using the newly rotated certificate, roll back to the previous configuration with gcloud beta sql ssl server-ca-certs rollback --instance=[INSTANCE_NAME].

REST

  1. Download your server certificates:

    Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas


  2. Complete the rotation:

    Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa


Rolling back a certificate rotation operation

After you complete a certificate rotation, your clients must all use the new certificate to connect to your Cloud SQL instance. If the clients were not updated properly to use the new certificate information, they will not be able to connect using SSL/TLS to your instance. If this happens, you can roll back to the previous certificate configuration.

A rollback operation moves the currently active certificate into the "upcoming" slot (replacing any current "upcoming" certificate). The "previous" certificate becomes the currently active certificate, returning your certificate configuration to the state it was in before you completed the rotation.

To roll back to the previous certificate configuration:

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.
  2. Click the instance name to open its Instance details page.
  3. Click the Connections link in the left navigation pane.
  4. Scroll down to the Configure SSL server certificates section.
  5. Click Rotate certificate. It takes a few seconds for the action to complete.
  6. Click Rollback certificate.

gcloud

gcloud beta sql ssl server-ca-certs rollback --instance=[INSTANCE_NAME]

REST

  1. Download your server certificates:

    Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas


  2. In the response, copy the sha1Fingerprint of the version you want to roll back to.

    This is the entry whose createTime is immediately earlier than that of the entry whose sha1Fingerprint appears as activeVersion.

  3. Roll back the rotation:

    Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

    Request JSON body:

    {
      "rotateServerCaContext": {"nextVersion": "sha1Fingerprint"}
    }
    

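The version selection used in the rotation and rollback procedures above (upcoming for completing a rotation, previous for rolling back) and the multi-certificate server-ca.pem from the gcloud section, worked as an added example that is not part of the Cloud SQL documentation. SAMPLE_LIST_SERVER_CAS is a constructed listServerCas response whose cert values are base64 of placeholder bytes rather than real certificates; the field names (certs, activeVersion, sha1Fingerprint, createTime, expirationTime) follow the v1beta4 instances.listServerCas response. classify_versions orders the entries by createTime as the REST rollback step describes, rollback_body builds the rotateServerCa request for the previous version, build_trust_bundle produces the bundle that the gcloud list command writes, and ready_to_rotate checks that a client's server-ca.pem already trusts the upcoming CA before you complete the rotation.

```python
"""Select server CA versions from a Cloud SQL listServerCas response and check
a client's server-ca.pem before completing a rotation.

Added example; not code from the Cloud SQL documentation. SAMPLE_LIST_SERVER_CAS
is constructed: each "cert" is base64 of placeholder bytes, not an X.509
certificate, so fingerprints are SHA-1 over those bytes. Field names follow the
v1beta4 instances.listServerCas response.
"""
import base64
import hashlib
import json
import re
import ssl
import textwrap


def _fake_pem(der: bytes) -> str:
    """PEM-armor placeholder bytes so the stdlib PEM helper accepts them."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def _entry(der: bytes, created: str, expires: str) -> dict:
    return {
        "kind": "sql#sslCert",
        "commonName": "Google Cloud SQL Server CA (placeholder)",
        "sha1Fingerprint": hashlib.sha1(der).hexdigest(),
        "cert": _fake_pem(der),
        "createTime": created,
        "expirationTime": expires,
    }


# Constructed sample, deliberately not sorted by createTime. The active CA is
# the 2020 one, so 2019 is "previous" and 2021 is "upcoming".
_PREV_DER = b"placeholder, not a certificate: CA created 2019"
_ACTIVE_DER = b"placeholder, not a certificate: CA created 2020"
_UPCOMING_DER = b"placeholder, not a certificate: CA created 2021"
SAMPLE_LIST_SERVER_CAS = json.dumps({
    "kind": "sql#instancesListServerCas",
    "certs": [
        _entry(_UPCOMING_DER, "2021-03-01T09:00:00.000Z", "2031-02-27T09:00:00.000Z"),
        _entry(_PREV_DER, "2019-03-01T09:00:00.000Z", "2029-02-27T09:00:00.000Z"),
        _entry(_ACTIVE_DER, "2020-03-01T09:00:00.000Z", "2030-02-27T09:00:00.000Z"),
    ],
    "activeVersion": hashlib.sha1(_ACTIVE_DER).hexdigest(),
})


def pem_sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER encoding, the usual certificate fingerprint."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def classify_versions(response_json: str):
    """Return (previous, active, upcoming) entries; previous/upcoming may be None.

    createTime is RFC 3339 in UTC, so plain string order is chronological. The
    entry created just before the active one is the rollback target; the one
    created after it is what completing the rotation will activate.
    """
    data = json.loads(response_json)
    certs = sorted(data["certs"], key=lambda c: c["createTime"])
    fingerprints = [c["sha1Fingerprint"] for c in certs]
    idx = fingerprints.index(data["activeVersion"])  # ValueError if inconsistent
    previous = certs[idx - 1] if idx > 0 else None
    upcoming = certs[idx + 1] if idx + 1 < len(certs) else None
    return previous, certs[idx], upcoming


def rollback_body(response_json: str) -> dict:
    """Body for POST .../rotateServerCa that returns to the previous CA."""
    previous, _, _ = classify_versions(response_json)
    if previous is None:
        raise LookupError("no previous server CA version to roll back to")
    return {"rotateServerCaContext": {"nextVersion": previous["sha1Fingerprint"]}}


def build_trust_bundle(response_json: str) -> str:
    """Every CA cert on the instance in one PEM file, the same content that
    gcloud ... server-ca-certs list --format="value(cert)" writes. A client
    trusting this file keeps connecting across both rotation and rollback."""
    return "".join(c["cert"] for c in json.loads(response_json)["certs"])


def ready_to_rotate(client_bundle_pem: str, response_json: str) -> bool:
    """True when the client's server-ca.pem already contains the upcoming CA."""
    _, _, upcoming = classify_versions(response_json)
    if upcoming is None:
        return False
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", client_bundle_pem, re.S)
    trusted = {pem_sha1_fingerprint(b) for b in blocks}
    return upcoming["sha1Fingerprint"] in trusted


if __name__ == "__main__":
    prev, active, upcoming = classify_versions(SAMPLE_LIST_SERVER_CAS)
    print("active:  ", active["sha1Fingerprint"])
    print("rollback:", json.dumps(rollback_body(SAMPLE_LIST_SERVER_CAS)))
    bundle = build_trust_bundle(SAMPLE_LIST_SERVER_CAS)
    print("ready:   ", ready_to_rotate(bundle, SAMPLE_LIST_SERVER_CAS))
```

Run ready_to_rotate against the server-ca.pem actually installed on each client host, with the current GET .../listServerCas body as the second argument, before you call rotateServerCa; a client whose file holds only the active CA will return False and would lose its TLS connection as soon as the rotation completes.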

Initiating a rotation

You do not need to wait for the email from Cloud SQL to start a rotation. You can start one at any time. When you start a rotation, a new certificate is created and placed into the "upcoming" slot. If a certificate was already in the "upcoming" slot, it is deleted; there can be only one upcoming certificate.

To initiate a rotation:

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.
  2. Click the instance name to open its Instance details page.
  3. Click the Connections link in the left navigation pane.
  4. Scroll down to the Configure SSL server certificates section.
  5. Click Create new certificate.
  6. Complete the rotation as described in Rotating your server certificates.

gcloud

  1. Initiate the rotation:

    gcloud beta sql ssl server-ca-certs create --instance=[INSTANCE_NAME]

  2. Complete the rotation as described in Rotating your server certificates.

REST

  1. Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/addServerCa


  2. Complete the rotation as described in Rotating your server certificates.

Getting information about a server certificate

You can get information about your server certificate, such as when it expires and its SHA-1 fingerprint.

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.

  2. Click the instance name to open its Instance details page.
  3. Click the Connections link in the left navigation pane.
  4. Scroll down to the Configure SSL server certificates section.

    You can see the expiration date of your server certificate in the table.

    To see the certificate type, use the gcloud beta sql ssl server-ca-certs list --instance=[INSTANCE_NAME] command.

gcloud

gcloud beta sql ssl server-ca-certs list --instance=[INSTANCE_NAME]

REST

You can see details about the server certificate when you describe your instance:

Before using any of the request data below, make the following replacements:

  • project-id: The project ID
  • instance-id: The instance ID

HTTP method and URL:

GET https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert


Resetting the SSL/TLS configuration

You can completely reset the SSL/TLS configuration of an instance. Resetting deletes all existing client certificates and generates a new server certificate, so every client that connects over SSL/TLS must be given the new server certificate information and a newly created client certificate before it can connect again.

gcloud

  1. Reset the SSL configuration:

    gcloud sql instances reset-ssl-config [INSTANCE_NAME]

  2. Create new client certificates.

REST

  1. Reset the SSL configuration:

    Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig


  2. Create new client certificates.
