Configuring SSL/TLS certificates

This page describes how to configure an instance to use SSL/TLS. Learn more about using SSL/TLS with Cloud SQL.

Overview

Cloud SQL creates a server certificate (server-ca.pem) automatically when you create your instance.

SQL Server only performs certificate verification when the client request explicitly specifies that it requires an encrypted connection. In this case the server certificate must be installed on the client machine. Otherwise, clients are able to freely connect with no additional changes to their connection strings or certificates (even if 'Require SSL' is enabled on the Cloud SQL instance).

You do not need to restart the instance after changing SSL/TLS certificates.

For more information, see the Enable encrypted connections to the Database Engine section in the SQL Server documentation.

Requiring SSL/TLS

When requiring SSL/TLS is enabled, you can either use the Cloud SQL Auth proxy or SSL/TLS certificates to connect to your Cloud SQL instance. If you do not require SSL/TLS, clients without a valid certificate are allowed to connect.

To enable requiring SSL/TLS:

Console

  1. In the Google Cloud Console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. Click the instance name to open its Overview page.
  3. Click Connections from the SQL navigation menu.
  4. Scroll down to the Security section.
  5. Click Allow only SSL connections.

gcloud

gcloud sql instances patch INSTANCE_NAME
--require-ssl
  

REST v1

  1. Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    PATCH https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id

    Request JSON body:

    {
      "settings": {
        "ipConfiguration": {"requireSsl": "true"}
      }
    }
    

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

REST v1beta4

  1. Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    PATCH https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id

    Request JSON body:

    {
      "settings": {
        "ipConfiguration": {"requireSsl": "true"}
      }
    }
    

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

Server certificates

Cloud SQL creates a server certificate automatically when you create your instance. As long as the server certificate is valid, you do not need to actively manage your server certificate. However, the certificate has an expiration date of 10 years; after that date, it is no longer valid, and clients are not able to establish a secure connection to your instance using that certificate. You're periodically notified that the server certificate is nearing expiration. The notifications are sent the following number of days before the expiration date: 90, 30, 10, 2, and 1.

You can get information about your server certificate, such as when it was created and when it expires, or manually create a new one.

Console

  1. In the Google Cloud Console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. Click the instance name to open its Overview page.
  3. Click Connections from the SQL navigation menu.
  4. Scroll down to the Manage server certificates section.

    You can see the expiration date of your server certificate in the table.

gcloud

  1. Get information about the service certificate:
    gcloud beta sql ssl server-ca-certs list \
    --instance=INSTANCE_NAME
    
  2. Create a server certificate:
    gcloud beta sql ssl server-ca-certs create \
    --instance=INSTANCE_NAME
    
  3. Download the certificate information to a local PEM file:
    gcloud beta sql ssl server-ca-certs list \
    --format="value(cert)" \
    --instance=INSTANCE_NAME > \
    FILE_PATH/FILE_NAME.pem
    
  4. Update all of your clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem files.

Using encrypted connections

Learn more about how SQL Server uses encrypted connections.

What's next

  • Manage SSL/TLS certificates on your Cloud SQL instance.