Configure SSL/TLS certificates

MySQL | PostgreSQL | SQL Server

This page describes how to configure an instance to use SSL/TLS. You can also learn more about how Cloud SQL uses self-managed SSL/TLS certificates to securely connect to Cloud SQL instances.

Overview

Cloud SQL creates a server certificate (server-ca.pem) automatically when you create your instance. We recommend that you enforce all connections to use SSL/TLS.

SQL Server only performs certificate verification when the client request explicitly specifies that it requires an encrypted connection. In this case the server certificate must be installed on the client machine. Otherwise, clients are able to freely connect with no additional changes to their connection strings or certificates (even if 'Require SSL' is enabled on the Cloud SQL instance).

For more information, see the Enable encrypted connections to the Database Engine section in the SQL Server documentation.

You must restart an instance after enforcing SSL for the instance. However, you don't need to restart the instance after changing SSL/TLS certificates. If a restart is required, then this is done automatically during the SSL update event.

Enforce SSL/TLS encryption

Enforcing SSL ensures that all connections are encrypted.

To enable requiring SSL/TLS:

Console

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
Click Connections from the SQL navigation menu.
Select the Security tab.
Click Allow only SSL connections.

gcloud

gcloud sql instances patch INSTANCE_NAME
--require-ssl

Terraform

To enforce SSL/TLS encryption, use a Terraform resource:

cloud_sql/sqlserver_instance_ssl_cert/main.tf

View on GitHub Feedback

resource "google_sql_database_instance" "sqlserver_instance" {
  name             = "sqlserver-instance"
  region           = "asia-northeast1"
  database_version = "SQLSERVER_2019_STANDARD"
  root_password    = "INSERT-PASSWORD-HERE"
  settings {
    tier = "db-custom-2-7680"
    ip_configuration {
      require_ssl = "true"
    }
  }
  # set `deletion_protection` to true, will ensure that one cannot accidentally delete this instance by
  # use of Terraform whereas `deletion_protection_enabled` flag protects this instance at the GCP level.
  deletion_protection = false
}

Apply the changes

To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.

Prepare Cloud Shell

Launch Cloud Shell.
Set the default Google Cloud project where you want to apply your Terraform configurations.

You only need to run this command once per project, and you can run it in any directory.
```
export GOOGLE_CLOUD_PROJECT=PROJECT_ID
```
Environment variables are overridden if you set explicit values in the Terraform configuration file.

Prepare the directory

Each Terraform configuration file must have its own directory (also called a root module).

In Cloud Shell, create a directory and a new file within that directory. The filename must have the .tf extension—for example main.tf. In this tutorial, the file is referred to as main.tf.
```
mkdir DIRECTORY && cd DIRECTORY && touch main.tf
```
If you are following a tutorial, you can copy the sample code in each section or step.

Copy the sample code into the newly created main.tf.

Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
Review and modify the sample parameters to apply to your environment.
Save your changes.
Initialize Terraform. You only need to do this once per directory.
```
terraform init
```
Optionally, to use the latest Google provider version, include the -upgrade option:
```
terraform init -upgrade
```

Apply the changes

Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
```
terraform plan
```
Make corrections to the configuration as necessary.
Apply the Terraform configuration by running the following command and entering yes at the prompt:
```
terraform apply
```
Wait until Terraform displays the "Apply complete!" message.
Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.

Delete the changes

To delete your changes, do the following:

To disable deletion protection, in your Terraform configuration file set the deletion_protection argument to false.
```
deletion_protection =  "false"
```
Apply the updated Terraform configuration by running the following command and entering yes at the prompt:
```
terraform apply
```

Remove resources previously applied with your Terraform configuration by running the following command and entering yes at the prompt:
```
terraform destroy
```

REST v1

Before using any of the request data, make the following replacements:

project-id: The project ID
instance-id: The instance ID

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id

Request JSON body:

{
  "settings": {
    "ipConfiguration": {"requireSsl": "true"}
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id"

PowerShell (Windows)

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

REST v1beta4

Before using any of the request data, make the following replacements:

project-id: The project ID
instance-id: The instance ID

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

Request JSON body:

{
  "settings": {
    "ipConfiguration": {"requireSsl": "true"}
  }
}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Save the request body in a file named request.json, and execute the following command:

curl -X PATCH \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id"

PowerShell (Windows)

Save the request body in a file named request.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

Server certificates

Cloud SQL creates a server certificate automatically when you create your instance. As long as the server certificate is valid, you do not need to actively manage your server certificate. However, the certificate has an expiration date of 10 years; after that date, it is no longer valid, and clients are not able to establish a secure connection to your instance using that certificate. You're periodically notified that the server certificate is nearing expiration. The notifications are sent the following number of days before the expiration date: 90, 30, 10, 2, and 1.

You can get information about your server certificate, such as when it was created and when it expires, or manually create a new one.

Console

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
Click Connections from the SQL navigation menu.
Select the Security tab.
Scroll down to the Manage server certificates section.
You can see the expiration date of your server certificate in the table.

gcloud

Get information about the service certificate:

gcloud beta sql ssl server-ca-certs list \
--instance=INSTANCE_NAME

Create a server certificate:

gcloud beta sql ssl server-ca-certs create \
--instance=INSTANCE_NAME

Download the certificate information to a local PEM file:

gcloud beta sql ssl server-ca-certs list \
--format="value(cert)" \
--instance=INSTANCE_NAME > \
FILE_PATH/FILE_NAME.pem

Update all of your clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem files.

Terraform

To provide server certificate information as an output, use a Terraform data source:

Add the following to your Terraform configuration file:

   data "google_sql_ca_certs" "ca_certs" {
     instance = google_sql_database_instance.default.name
   }

   locals {
     furthest_expiration_time = reverse(sort([for k, v in data.google_sql_ca_certs.ca_certs.certs : v.expiration_time]))[0]
     latest_ca_cert           = [for v in data.google_sql_ca_certs.ca_certs.certs : v.cert if v.expiration_time == local.furthest_expiration_time]
   }

   output "db_latest_ca_cert" {
     description = "Latest CA certificate used by the primary database server"
     value       = local.latest_ca_cert
     sensitive   = true
   }

To create the server-ca.pem file, run the following command:

   terraform output db_latest_ca_cert > server-ca.pem

Use encrypted connections

Learn more about how SQL Server uses encrypted connections.

What's next

Manage SSL/TLS certificates on your Cloud SQL instance.
Learn more about how encryption is handled in Google Cloud.