Manage SSL/TLS certificates

MySQL | PostgreSQL | SQL Server

This page describes how to manage your server certificates.

Use encrypted connections

Learn more about how SQLServer uses encrypted connections.

Manage server certificates

Get information about a server certificate

You can get information about your server certificate, such as when it expires or what level of encryption it provides.

Console

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
Select Connections from the SQL navigation menu.
Select the Security tab.
Below Manage server certificates, you can see the expiration date of your server certificate in the table.

To see the certificate type, use the gcloud beta sql ssl server-ca-certs list --instance=INSTANCE_NAME command.

gcloud

gcloud beta sql ssl server-ca-certs list \
--instance=INSTANCE_NAME

REST v1

You can see details about the server certificate when you describe your instance:

Before using any of the request data, make the following replacements:

project-id: The project ID
instance-id: The instance ID

HTTP method and URL:

GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have used either gcloud init or gcloud auth login to authenticate gcloud with your user account. You can check the currently active account by executing gcloud auth list.

Execute the following command:

curl -X GET \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert"

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "serverCaCert":
  {
    "kind": "sql#sslCert",
    "certSerialNumber": "cert-serial-number",
    "cert": "cert-value-",
    "commonName": "ca-server-name",
    "sha1Fingerprint": "sha1Fingerprint",
    "instance": "instance-id",
    "createTime": "2020-02-10T17:18:54.935Z",
    "expirationTime": "2030-02-07T17:19:54.935Z"
  }
}

REST v1beta4

You can see details about the server certificate when you describe your instance:

Before using any of the request data, make the following replacements:

project-id: The project ID
instance-id: The instance ID

HTTP method and URL:

GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X GET \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert"

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "serverCaCert":
  {
    "kind": "sql#sslCert",
    "certSerialNumber": "cert-serial-number",
    "cert": "cert-value-",
    "commonName": "ca-server-name",
    "sha1Fingerprint": "sha1Fingerprint",
    "instance": "instance-id",
    "createTime": "2020-02-10T17:18:54.935Z",
    "expirationTime": "2030-02-07T17:19:54.935Z"
  }
}

Reset the SSL/TLS configuration

You can completely reset your SSL/TLS configuration.

Console

In the Google Cloud console, go to the Cloud SQL Instances page.

Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
Select Connections from the SQL navigation menu.
Scroll down to the Reset SSL configuration section.
Click Reset SSL Configuration.

gcloud

Refresh the certificate:

gcloud sql instances reset-ssl-config INSTANCE_NAME

REST v1beta4

Refresh the certificate:

Before using any of the request data, make the following replacements:

project-id: The project ID
instance-id: The instance ID

HTTP method and URL:

POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Execute the following command:

curl -X POST \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig"

PowerShell (Windows)

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method POST `
  -Headers $headers `
  -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

What's next

Learn more about SSL/TLS in Cloud SQL.
Configure SSL/TLS on your Cloud SQL instance.