管理 SSL/TLS 证书
使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
本页面介绍了如何管理客户端和服务器 CA 证书。
管理客户端证书
按照以下过程在 Cloud SQL 中管理客户端证书。
检索客户端证书
您可以检索客户端证书的公钥部分,但不能检索私钥。如果私钥丢失,则必须创建一个新证书。
控制台
-
在 Google Cloud 控制台中,转到 Cloud SQL 实例页面。
转到“Cloud SQL 实例”
-
如需打开实例的概览页面,请点击实例名称。
- 从 SQL 导航菜单中选择连接。
- 选择安全标签页。
- 在管理客户端证书中,点击证书名称。
- 系统会打开 SSL 客户端证书页面,并显示客户端证书 (
client-cert.pem
),其中包含下载证书的链接。
gcloud
使用 ssl client-certs describe
命令检索客户端证书公钥:
gcloud sql ssl client-certs describe CERT_NAME \
--instance=INSTANCE_NAME \
--format="value(cert)" > client-cert.pem
REST v1
列出实例的证书,以获取待检索证书的指纹:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#sslCertsList",
"items": [
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint"
"instance": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint",
"createTime": "2020-02-13T00:10:20.595Z",
"expirationTime": "2030-02-10T00:11:20.595Z"
}
]
}
记录待检索证书的 sha1Fingerprint
字段。请不要包含英文引号。
检索证书:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
- sha1FingerPrint:证书的 sha1FingerPrint
HTTP 方法和网址:
GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint"
"instance": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint",
"createTime": "2020-02-13T00:10:20.595Z",
"expirationTime": "2030-02-10T00:11:20.595Z"
}
-
将引号内包含的所有证书数据复制到一个文件中(例如
client-cert.pem
)。请不要复制英文引号本身。
REST v1beta4
列出实例的证书,以获取待检索证书的指纹:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#sslCertsList",
"items": [
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint"
"instance": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint",
"createTime": "2020-02-13T00:10:20.595Z",
"expirationTime": "2030-02-10T00:11:20.595Z"
}
]
}
记录待检索证书的 sha1Fingerprint
字段。请不要包含英文引号。
检索证书:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
- sha1FingerPrint:证书的 sha1FingerPrint
HTTP 方法和网址:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint"
"instance": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint",
"createTime": "2020-02-13T00:10:20.595Z",
"expirationTime": "2030-02-10T00:11:20.595Z"
}
-
将引号内包含的所有证书数据复制到一个文件中(例如
client-cert.pem
)。请不要复制英文引号本身。
删除客户端证书
删除客户端证书后,数据库服务器将会更新,无需重启。
控制台
-
在 Google Cloud 控制台中,转到 Cloud SQL 实例页面。
转到“Cloud SQL 实例”
-
如需打开实例的概览页面,请点击实例名称。
- 从 SQL 导航菜单中选择连接。
- 选择安全标签页。
- 在管理客户端证书中,找到您要删除的证书,然后点击 。
- 在删除客户端证书窗格中,点击确定。
gcloud
使用 ssl client-certs delete 命令删除客户端证书:
gcloud sql ssl client-certs delete CERT_NAME \
--instance=INSTANCE_NAME
REST v1
列出实例的证书,以获取要删除的证书的指纹:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#sslCertsList",
"items": [
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint"
"instance": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint",
"createTime": "2020-02-13T00:10:20.595Z",
"expirationTime": "2030-02-10T00:11:20.595Z"
}
]
}
记录待删除证书的 sha1Fingerprint
字段。请不要包含英文引号。
删除证书:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
- sha1FingerPrint:证书的 sha1FingerPrint
HTTP 方法和网址:
DELETE https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
REST v1beta4
列出实例的证书,以获取要删除的证书的指纹:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#sslCertsList",
"items": [
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint"
"instance": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint",
"createTime": "2020-02-13T00:10:20.595Z",
"expirationTime": "2030-02-10T00:11:20.595Z"
}
]
}
记录待删除证书的 sha1Fingerprint
字段。请不要包含英文引号。
删除证书:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
- sha1FingerPrint:证书的 sha1FingerPrint
HTTP 方法和网址:
DELETE https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X DELETE \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method DELETE `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
管理服务器 CA 证书
轮替服务器 CA 证书
如果您收到了一封有关证书失效的通知,或者您已经发起了轮替,那么必须按照以下步骤执行操作,以完成轮替:
- 下载新服务器 CA 证书的信息。
- 更新客户端以使用新服务器 CA 证书的信息。
- 完成轮替,以将有效证书转入“上一个”空档,并将新添加的证书更新为有效证书。
控制台
下载新服务器 CA 证书的信息:
-
在 Google Cloud Console 中,转到 Cloud SQL 实例页面。
转到“Cloud SQL 实例”
-
如需打开实例的概览页面,请点击实例名称。
- 从 SQL 导航菜单中选择连接。
- 选择安全标签页。
- 点击展开管理证书。
- 选择轮替 CA 证书。
如果没有符合条件的证书,则轮替选项不可用。
- 点击下载证书。
编码为 PEM 文件的服务器 CA 证书信息会下载到您的本地环境中:
- 通过将下载的文件复制到客户端主机上并替换现有的
server-ca.pem
文件,将所有 PostgreSQL 客户端更新为使用新信息。
更新完各客户端后,完成轮替:
- 返回安全标签页。
- 点击展开管理证书。
- 选择轮替 CA 证书。
- 确认您的客户端连接正确。
如果有任何客户端未使用新轮替的证书进行连接,您可以选择回滚 CA 证书以回滚到先前的配置。
gcloud
- 创建服务器 CA 证书:
gcloud beta sql ssl server-ca-certs create \
--instance=INSTANCE
- 将证书信息下载到本地 PEM 文件中:
gcloud beta sql ssl server-ca-certs list \
--format="value(cert)" \
--instance=INSTANCE_NAME > \
FILE_PATH/FILE_NAME.pem
- 通过将下载的文件复制到客户端主机上并替换现有的 server-ca.pem 文件,将所有客户端更新为使用新信息。
- 更新完客户端后,完成轮替:
gcloud beta sql ssl server-ca-certs rotate \
--instance=INSTANCE_NAME
- 确认您的客户端连接正确。
如果有任何客户端未使用新轮替的证书进行连接,您可以回滚到先前的配置。
REST v1
- 下载服务器 CA 证书:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"certs": [
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint",
"instance": "instance-id",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
},
{
"kind": "sql#sslCert",
certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint",
"instance": "instance-id",
"createTime": "2019-11-14T22:43:56.458Z",
"expirationTime": "2029-11-11T22:44:56.458Z"
}
],
"activeVersion": "active-version",
"kind": "sql#instancesListServerCas"
}
- 完成轮替:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
REST v1beta4
- 下载服务器 CA 证书:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"certs": [
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint",
"instance": "instance-id",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
},
{
"kind": "sql#sslCert",
certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint",
"instance": "instance-id",
"createTime": "2019-11-14T22:43:56.458Z",
"expirationTime": "2029-11-11T22:44:56.458Z"
}
],
"activeVersion": "active-version",
"kind": "sql#instancesListServerCas"
}
- 完成轮替:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
回滚证书轮替操作
完成证书轮替之后,您的客户端必须全部使用新证书连接到 Cloud SQL 实例。如果客户端未正确更新为使用新证书的信息,则它们无法使用 SSL/TLS 连接到实例。如果发生这种情况,您可以回滚到先前的证书配置。
回滚操作会将有效证书转入“即将生效”空档(取代任何“即将生效”证书)。“上一个”证书会成为有效证书,证书配置也会恢复到完成轮替之前的状态。
要回滚到先前的证书配置,请按如下所述操作:
控制台
-
在 Google Cloud 控制台中,转到 Cloud SQL 实例页面。
转到“Cloud SQL 实例”
-
如需打开实例的概览页面,请点击实例名称。
- 从 SQL 导航菜单中选择连接。
- 选择安全标签页。
- 点击展开管理证书。
- 选择回滚 CA 证书。
如果没有符合条件的证书,则回滚选项不可用。否则,回滚操作会在几秒钟后完成。
gcloud
gcloud beta sql ssl server-ca-certs rollback \
--instance=INSTANCE_NAME
REST v1
- 下载服务器 CA 证书:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"certs": [
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint",
"instance": "instance-id",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
},
{
"kind": "sql#sslCert",
certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint",
"instance": "instance-id",
"createTime": "2019-11-14T22:43:56.458Z",
"expirationTime": "2029-11-11T22:44:56.458Z"
}
],
"activeVersion": "active-version",
"kind": "sql#instancesListServerCas"
}
- 复制回滚目标版本的
sha1Fingerprint
字段。
先找出 sha1Fingerprint 值显示为 activeVersion
的版本,然后找到 createTime 值在该版本之前并且间隔最近的那个版本。
- 按如下方式回滚轮替:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa
请求 JSON 正文:
{
"rotateServerCaContext": {"nextVersion": "sha1Fingerprint"}
}
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
将请求正文保存在名为 request.json
的文件中,然后执行以下命令:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa"
PowerShell (Windows)
将请求正文保存在名为 request.json
的文件中,然后执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
REST v1beta4
- 下载服务器 CA 证书:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"certs": [
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint",
"instance": "instance-id",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
},
{
"kind": "sql#sslCert",
certSerialNumber": "cert-serial-number",
"cert": "cert-value",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint",
"instance": "instance-id",
"createTime": "2019-11-14T22:43:56.458Z",
"expirationTime": "2029-11-11T22:44:56.458Z"
}
],
"activeVersion": "active-version",
"kind": "sql#instancesListServerCas"
}
- 复制回滚目标版本的
sha1Fingerprint
字段。
先找出 sha1Fingerprint 值显示为 activeVersion
的版本,然后找到 createTime 值在该版本之前并且间隔最近的那个版本。
- 按如下方式回滚轮替:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa
请求 JSON 正文:
{
"rotateServerCaContext": {"nextVersion": "sha1Fingerprint"}
}
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
将请求正文保存在名为 request.json
的文件中,然后执行以下命令:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa"
PowerShell (Windows)
将请求正文保存在名为 request.json
的文件中,然后执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType: "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
启动轮替
您无需等收到 Cloud SQL 发来的电子邮件后再启动轮替,而是可以随时启动。启动轮替后,系统会创建一个新证书,并将其置于“即将生效”时隙中。如果在您发出请求时“即将生效”空档中已存在证书,则该证书会被删除。只能有一个即将生效的证书。
如需启动轮替,请按如下所述操作:
控制台
-
在 Google Cloud 控制台中,转到 Cloud SQL 实例页面。
转到“Cloud SQL 实例”
-
如需打开实例的概览页面,请点击实例名称。
- 从 SQL 导航菜单中选择连接。
- 选择安全标签页。
- 点击创建新的 CA 证书。
- 点击展开管理证书。
- 选择轮替 CA 证书。
如果没有符合条件的证书,则轮替选项不可用。
- 按照轮替服务器 CA 证书中所述完成轮替。
gcloud
- 启动轮替:
gcloud beta sql ssl server-ca-certs create \
--instance=INSTANCE_NAME
- 按照轮替服务器 CA 证书中所述完成轮替。
REST v1
-
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
- 按照轮替服务器 CA 证书中所述完成轮替。
REST v1beta4
-
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
- 按照轮替服务器 CA 证书中所述完成轮替。
获取有关服务器 CA 证书的信息
您可以获取有关服务器 CA 证书的信息,例如,该证书何时失效或者提供何种加密级别。
控制台
-
在 Google Cloud 控制台中,转到 Cloud SQL 实例页面。
转到“Cloud SQL 实例”
-
如需打开实例的概览页面,请点击实例名称。
- 从 SQL 导航菜单中选择连接。
- 选择安全标签页。
在管理服务器 CA 证书中,您可以查看表中服务器 CA 证书的失效日期。
如需查看证书类型,请使用 gcloud beta sql ssl server-ca-certs list --instance=INSTANCE_NAME
命令。
gcloud
gcloud beta sql ssl server-ca-certs list \
--instance=INSTANCE_NAME
REST v1
描述实例时,您可以查看有关服务器 CA 证书的详细信息:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"serverCaCert":
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value-",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint",
"instance": "instance-id",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
}
}
REST v1beta4
描述实例时,您可以查看有关服务器 CA 证书的详细信息:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"serverCaCert":
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value-",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint",
"instance": "instance-id",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
}
}
重置 SSL/TLS 配置
您可以完全重置 SSL/TLS 配置。
控制台
-
在 Google Cloud 控制台中,转到 Cloud SQL 实例页面。
转到“Cloud SQL 实例”
-
如需打开实例的概览页面,请点击实例名称。
- 从 SQL 导航菜单中选择连接。
- 前往重置 SSL 配置部分。
- 点击重置 SSL 配置。
gcloud
刷新证书:
gcloud sql instances reset-ssl-config INSTANCE_NAME
- 新建客户端证书。
REST v1beta4
刷新证书:
在使用任何请求数据之前,请先进行以下替换:
- project-id:项目 ID
- instance-id:实例 ID
HTTP 方法和网址:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig
如需发送您的请求,请展开以下选项之一:
curl(Linux、macOS 或 Cloud Shell)
执行以下命令:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig"
PowerShell (Windows)
执行以下命令:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig" | Select-Object -Expand Content
您应该收到类似以下内容的 JSON 响应:
响应
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
- 新建客户端证书。
后续步骤
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2024-06-28。
[{
"type": "thumb-down",
"id": "hardToUnderstand",
"label":"Hard to understand"
},{
"type": "thumb-down",
"id": "incorrectInformationOrSampleCode",
"label":"Incorrect information or sample code"
},{
"type": "thumb-down",
"id": "missingTheInformationSamplesINeed",
"label":"Missing the information/samples I need"
},{
"type": "thumb-down",
"id": "translationIssue",
"label":"翻译问题"
},{
"type": "thumb-down",
"id": "otherDown",
"label":"其他"
}]
[{
"type": "thumb-up",
"id": "easyToUnderstand",
"label":"易于理解"
},{
"type": "thumb-up",
"id": "solvedMyProblem",
"label":"解决了我的问题"
},{
"type": "thumb-up",
"id": "otherUp",
"label":"其他"
}]
{"lastModified": "\u6700\u540e\u66f4\u65b0\u65f6\u95f4 (UTC)\uff1a2024-06-28\u3002"}
[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2024-06-28。"]]