This page describes how to manage your server CA certificates.
Use encrypted connections
Learn more about how SQL Server uses encrypted connections.
Manage server CA certificates
Get information about a server CA certificate
You can get information about your server CA certificate, such as when it expires
or what level of encryption it provides.
Console
-
In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
-
To open the Overview page of an instance, click the instance name.
- Select Connections from the SQL navigation menu.
- Select the Security tab.
In Manage server CA certificates, you can see the expiration date
of your server CA certificate in the table.
To see the certificate type, use the
gcloud beta sql ssl server-ca-certs list --instance=INSTANCE_NAME
command.
gcloud
gcloud beta sql ssl server-ca-certs list \
--instance=INSTANCE_NAME
REST v1
When you describe your instance, you can see details about the server CA
certificate:
Before using any of the request data,
make the following replacements:
- project-id: The project ID
- instance-id: The instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"serverCaCert":
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value-",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint",
"instance": "instance-id",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
}
}
REST v1beta4
When you describe your instance, you can see details about the server
CA certificate:
Before using any of the request data,
make the following replacements:
- project-id: The project ID
- instance-id: The instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"serverCaCert":
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number",
"cert": "cert-value-",
"commonName": "ca-server-name",
"sha1Fingerprint": "sha1Fingerprint",
"instance": "instance-id",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
}
}
Reset the SSL/TLS configuration
You can completely reset your SSL/TLS configuration.
Console
-
In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
-
To open the Overview page of an instance, click the instance name.
- Select Connections from the SQL navigation menu.
- Go to the Reset SSL configuration section.
- Click Reset SSL Configuration.
gcloud
Refresh the certificate:
gcloud sql instances reset-ssl-config INSTANCE_NAME
REST v1beta4
Refresh the certificate:
Before using any of the request data,
make the following replacements:
- project-id: The project ID
- instance-id: The instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Execute the following command:
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }
Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id",
"targetId": "instance-id",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
"targetProject": "project-id"
}
What's next