Managing SSL/TLS certificates

Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console.

   Go to the Cloud SQL Instances page

2. Click the instance name to open its Instance details page.
3. Click the Connections link in the left navigation pane.
4. Scroll down to the Configure SSL server certificates section.

   You can see the expiration date of your server certificate in the table.

   To see the certificate type, use the gcloud beta sql ssl server-ca-certs list --instance=[INSTANCE_NAME] command.

gcloud

gcloud beta sql ssl server-ca-certs list --instance=[INSTANCE_NAME]

REST v1beta4

You can see details about the server certificate when you describe your instance:

Before using any of the request data below, make the following replacements:

• project-id: The project ID
• instance-id: The instance ID

HTTP method and URL:

GET https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert

To send your request, expand one of these options:

curl -X GET \
-H "Authorization: Bearer "$(gcloud auth print-access-token) \
https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
  -Method GET `
  -Headers $headers `
  -Uri "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{
  "serverCaCert":
  {
    "kind": "sql#sslCert",
    "certSerialNumber": "cert-serial-number",
    "cert": "cert-value-",
    "commonName": "ca-server-name",
    "sha1Fingerprint": "sha1Fingerprint",
    "instance": "instance-id",
    "createTime": "2020-02-10T17:18:54.935Z",
    "expirationTime": "2030-02-07T17:19:54.935Z"
  }
}

Console

1. Go to the Cloud SQL Instances page in the Google Cloud Console.

   Go to the Cloud SQL Instances page

2. Click the instance name to open its Instance details page.
3. Click the Connections link in the left navigation pane.
4. Scroll down to the Reset SSL configuration section.
5. Click RESET SSL CONFIGURATION.

gcloud

1. Refresh the certificate:

   gcloud sql instances reset-ssl-config [INSTANCE_NAME]
   

REST v1beta4

1. Refresh the certificate:

   Before using any of the request data below, make the following replacements:

   • project-id: The project ID
   • instance-id: The instance ID

   HTTP method and URL:

   POST https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig

   To send your request, expand one of these options:

   curl (Linux, macOS, or Cloud Shell)

   Execute the following command:

   curl -X POST \
   -H "Authorization: Bearer "$(gcloud auth print-access-token) \
   -H "Content-Type: application/json; charset=utf-8" \
   -d "" \
   https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig

   PowerShell (Windows)

   Execute the following command:

   $cred = gcloud auth print-access-token
   $headers = @{ "Authorization" = "Bearer $cred" }
   
   Invoke-WebRequest `
     -Method POST `
     -Headers $headers `
     -Uri "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig" | Select-Object -Expand Content

   You should receive a JSON response similar to the following:

   Response

   {
     "kind": "sql#operation",
     "targetLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
     "status": "PENDING",
     "user": "user@example.com",
     "insertTime": "2020-01-20T21:30:35.667Z",
     "operationType": "UPDATE",
     "name": "operation-id",
     "targetId": "instance-id",
     "selfLink": "https://www.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
     "targetProject": "project-id"
   }