Configuring SSL/TLS certificates

This page describes how to configure an instance to use SSL/TLS. Learn more about using SSL/TLS with Cloud SQL.

Overview

Cloud SQL creates a server certificate automatically when you create your instance. If you plan to connect using SSL/TLS, we recommend that you enforce all connections to use SSL/TLS.

Enforcing SSL/TLS

To enforce SSL/TLS for all connections to your instance:

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.
  2. Click the instance name to open its Instance details page.
  3. Click the Connections link in the left navigation pane.
  4. Scroll down to the SSL connections section.
  5. Click Allow only SSL connections.

gcloud

gcloud sql instances patch [INSTANCE_NAME] --require-ssl
  

REST

  1. Before using any of the request data below, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    PATCH https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

    Request JSON body:

    {
      "settings": {
        "ipConfiguration": {"requireSsl": true}
      }
    }
    


Server certificates

Cloud SQL creates a server certificate automatically when you create your instance. As long as the server certificate is valid, you do not need to actively manage it. However, the certificate expires after 10 years; after that date, it is no longer valid, and clients cannot establish a secure connection to your instance using that certificate.

In the console you can get information about your server certificate, such as when it was created and when it expires, or manually create a new one.

Console

  1. Go to the Cloud SQL Instances page in the Google Cloud Console.


  2. Click the instance name to open its Instance details page.
  3. Click the Connections link in the left navigation pane.
  4. Scroll down to the Configure SSL server certificates section.

    You can see the expiration date of your server certificate in the table.
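The two settings covered above, SSL/TLS enforcement and server certificate expiration, can also be checked across many instances at once. The following is an added example, not part of the original page or of Google's tooling: it audits instance records shaped like `gcloud sql instances list --format=json` output. The instance names, dates and 90-day warning window are constructed, and it assumes the `serverCaCert.expirationTime` field of the Cloud SQL Admin API instance resource carries the expiration date shown in the console.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like `gcloud sql instances list --format=json` output
# (only the fields this check reads; instance names and dates are made up).
SAMPLE = json.loads("""
[
  {"name": "orders-db",
   "settings": {"ipConfiguration": {"requireSsl": true}},
   "serverCaCert": {"expirationTime": "2031-02-10T09:30:00.512Z"}},
  {"name": "legacy-db",
   "settings": {"ipConfiguration": {}},
   "serverCaCert": {"expirationTime": "2024-07-01T00:00:00Z"}},
  {"name": "reports-db",
   "settings": {"ipConfiguration": {"requireSsl": false}},
   "serverCaCert": {"expirationTime": "2024-01-20T12:00:00.000Z"}}
]
""")


def parse_time(value):
    """Parse a UTC RFC 3339 timestamp, with or without fractional seconds."""
    seconds = value.split(".")[0].rstrip("Z")
    return datetime.strptime(seconds, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit(instances, now, warn_days=90):
    """Return (instance, finding) pairs for unenforced SSL/TLS and certificate expiry."""
    findings = []
    for inst in instances:
        name = inst.get("name", "<unnamed>")
        ip_cfg = inst.get("settings", {}).get("ipConfiguration", {})
        # requireSsl is a boolean in the API; an absent field means not enforced.
        if str(ip_cfg.get("requireSsl", False)).lower() != "true":
            findings.append((name, "ssl-not-enforced"))
        expires = inst.get("serverCaCert", {}).get("expirationTime")
        if expires is None:
            findings.append((name, "server-cert-unknown"))
            continue
        remaining = parse_time(expires) - now
        if remaining <= timedelta(0):
            findings.append((name, "server-cert-expired"))
        elif remaining <= timedelta(days=warn_days):
            findings.append((name, "server-cert-expiring"))
    return findings


if __name__ == "__main__":
    # Fixed "now" so the constructed sample gives the same result on every run.
    for name, finding in audit(SAMPLE, datetime(2024, 5, 15, tzinfo=timezone.utc)):
        print(f"{name}: {finding}")
```

For a live check, load the JSON produced by `gcloud sql instances list --format=json` instead of `SAMPLE` and pass `datetime.now(timezone.utc)` as `now`.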

Using encrypted connections

Learn more about how SQL Server uses encrypted connections.
