This page describes how to manage your server CA certificates.
Use encrypted connections
Learn more about how SQL Server uses encrypted connections .
Manage server CA certificates (per-instance CA)
This section describes how to manage server CA certificates that are created
internally by Cloud SQL. This is the default server CA mode in
Cloud SQL. In this certificate authority hierarchy, Cloud SQL creates a
server CA for each instance.
Rotate server CA certificates
If you've received a notice about your certificates expiring, or you want to
initiate a rotation, then take the following steps to complete the
rotation. Before you start the rotation, you must have a new server CA
on the instance. If a new server CA has already been
created, then you can skip the first step in the following procedure.
Create a new server CA.
Download the new server CA certificate information.
Update your clients to use the new server CA certificate information.
Complete the rotation, which moves the active certificate into
the "previous" slot and updates the newly added certificate to be the
active certificate.
After rotating the SSL certificate, your App Engine and
Cloud SQL Auth Proxy connections will automatically receive a new certificate
when they connect.
Console
Download the new server CA certificate information:
In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
Select Connections from the SQL navigation menu.
Select the Security tab.
Click to expand Manage certificates .
Select Rotate CA certificate .
If there are no eligible certificates, then the
rotate option is unavailable.
Click Download Certificates .
The server CA certificate information, encoded as a PEM file, is downloaded
to your local environment:
Update all of your SQL Server clients to use the new information by
copying the downloaded file to your client host machines, replacing the
existing server-ca.pem
file.
After you have updated your clients, complete the rotation:
Return to the Security tab.
Click to expand Manage certificates .
Select Rotate CA certificate .
Confirm that your clients are connecting properly.
If any clients are not connecting using the newly rotated certificate,
then you can select Rollback CA certificate to
rollback to the previous configuration.
gcloud
Create a server CA certificate:
gcloud beta sql ssl server-ca-certs create \
--instance=INSTANCE
Download the certificate information to a local PEM file:
gcloud sql ssl server-ca-certs list \
--format="value(cert)" \
--instance=INSTANCE_NAME > \
FILE_PATH /FILE_NAME .pem
Update all of your clients to use the new information by
copying the downloaded file to your client host machines, replacing the
existing server-ca.pem files.
After you have updated your clients, complete the rotation:
gcloud sql ssl server-ca-certs rotate \
--instance=INSTANCE_NAME
Confirm that your clients are connecting properly.
If any clients are not connecting using the newly rotated certificate,
then you can rollback to the previous configuration.
REST v1
Download your server CA certificates:
Before using any of the request data,
make the following replacements:
project-id : The project ID
instance-id : The instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /listServerCas
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /listServerCas"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /listServerCas" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"certs": [
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number ",
"cert": "cert-value ",
"commonName": "ca-server-name ",
"sha1Fingerprint": "sha1Fingerprint ",
"instance": "instance-id ",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
},
{
"kind": "sql#sslCert",
certSerialNumber": "cert-serial-number ",
"cert": "cert-value ",
"commonName": "ca-server-name ",
"sha1Fingerprint": "sha1Fingerprint ",
"instance": "instance-id ",
"createTime": "2019-11-14T22:43:56.458Z",
"expirationTime": "2029-11-11T22:44:56.458Z"
}
],
"activeVersion": "active-version ",
"kind": "sql#instancesListServerCas"
}
Complete the rotation:
Before using any of the request data,
make the following replacements:
project-id : The project ID
instance-id : The instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /rotateServerCa
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d "" \ "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /rotateServerCa"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /rotateServerCa" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id ",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id ",
"targetId": "instance-id ",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id /operations/operation-id ",
"targetProject": "project-id "
}
REST v1beta4
Download your server CA certificates:
Before using any of the request data,
make the following replacements:
project-id : The project ID
instance-id : The instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /listServerCas
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /listServerCas"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /listServerCas" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"certs": [
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number ",
"cert": "cert-value ",
"commonName": "ca-server-name ",
"sha1Fingerprint": "sha1Fingerprint ",
"instance": "instance-id ",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
},
{
"kind": "sql#sslCert",
certSerialNumber": "cert-serial-number ",
"cert": "cert-value ",
"commonName": "ca-server-name ",
"sha1Fingerprint": "sha1Fingerprint ",
"instance": "instance-id ",
"createTime": "2019-11-14T22:43:56.458Z",
"expirationTime": "2029-11-11T22:44:56.458Z"
}
],
"activeVersion": "active-version ",
"kind": "sql#instancesListServerCas"
}
Complete the rotation:
Before using any of the request data,
make the following replacements:
project-id : The project ID
instance-id : The instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /rotateServerCa
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d "" \ "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /rotateServerCa"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /rotateServerCa" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id ",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id ",
"targetId": "instance-id ",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /operations/operation-id ",
"targetProject": "project-id "
}
Roll back a certificate rotation operation
After you complete a certificate rotation, your clients must all use the
new certificate to connect to your Cloud SQL instance. If the clients
aren't updated properly to use the new certificate information, then they can't
connect using SSL/TLS to your instance. If this happens, then you can
roll back to the previous certificate configuration.
A rollback operation moves the active certificate into the "upcoming"
slot (replacing any "upcoming" certificate). The "previous"
certificate becomes the active certificate, returning your
certificate configuration to the state it was in before you completed
the rotation.
Note: Certificate rollback is available only until the old certificate expires.
To roll back to the previous certificate configuration:
Console
In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
Select Connections from the SQL navigation menu.
Select the Security tab.
Click to expand Manage certificates .
Select Rollback CA certificate . If there are no eligible certificates,
then the rollback option is unavailable. Otherwise, the rollback
action completes after a few seconds.
gcloud
gcloud sql ssl server-ca-certs rollback \
--instance=INSTANCE_NAME
REST v1
Download your server CA certificates:
Before using any of the request data,
make the following replacements:
project-id : The project ID
instance-id : The instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /listServerCas
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /listServerCas"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /listServerCas" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"certs": [
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number ",
"cert": "cert-value ",
"commonName": "ca-server-name ",
"sha1Fingerprint": "sha1Fingerprint ",
"instance": "instance-id ",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
},
{
"kind": "sql#sslCert",
certSerialNumber": "cert-serial-number ",
"cert": "cert-value ",
"commonName": "ca-server-name ",
"sha1Fingerprint": "sha1Fingerprint ",
"instance": "instance-id ",
"createTime": "2019-11-14T22:43:56.458Z",
"expirationTime": "2029-11-11T22:44:56.458Z"
}
],
"activeVersion": "active-version ",
"kind": "sql#instancesListServerCas"
}
Copy the sha1Fingerprint
field for the version you want to roll back to.
Look for the version with a createTime value immediately earlier
than the version with the sha1Fingerprint value shown as
activeVersion
.
Roll back the rotation:
Before using any of the request data,
make the following replacements:
project-id : The project ID
instance-id : The instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /rotateServerCa
Request JSON body:
{
"rotateServerCaContext": {"nextVersion": "sha1Fingerprint "}
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Save the request body in a file named request.json
,
and execute the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d @request.json \ "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /rotateServerCa"
PowerShell (Windows)
Save the request body in a file named request.json
,
and execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -InFile request.json ` -Uri "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /rotateServerCa" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id ",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id ",
"targetId": "instance-id ",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id /operations/operation-id ",
"targetProject": "project-id "
}
REST v1beta4
Download your server CA certificates:
Before using any of the request data,
make the following replacements:
project-id : The project ID
instance-id : The instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /listServerCas
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /listServerCas"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /listServerCas" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"certs": [
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number ",
"cert": "cert-value ",
"commonName": "ca-server-name ",
"sha1Fingerprint": "sha1Fingerprint ",
"instance": "instance-id ",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
},
{
"kind": "sql#sslCert",
certSerialNumber": "cert-serial-number ",
"cert": "cert-value ",
"commonName": "ca-server-name ",
"sha1Fingerprint": "sha1Fingerprint ",
"instance": "instance-id ",
"createTime": "2019-11-14T22:43:56.458Z",
"expirationTime": "2029-11-11T22:44:56.458Z"
}
],
"activeVersion": "active-version ",
"kind": "sql#instancesListServerCas"
}
Copy the sha1Fingerprint
field for the version you want to roll back to.
Look for the version with a createTime value immediately earlier
than the version with the sha1Fingerprint value shown as
activeVersion
.
Roll back the rotation:
Before using any of the request data,
make the following replacements:
project-id : The project ID
instance-id : The instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /rotateServerCa
Request JSON body:
{
"rotateServerCaContext": {"nextVersion": "sha1Fingerprint "}
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Save the request body in a file named request.json
,
and execute the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d @request.json \ "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /rotateServerCa"
PowerShell (Windows)
Save the request body in a file named request.json
,
and execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -InFile request.json ` -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /rotateServerCa" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id ",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id ",
"targetId": "instance-id ",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /operations/operation-id ",
"targetProject": "project-id "
}
Initiate a rotation
You don't need to wait for the email from Cloud SQL to start a rotation.
You can start one at any time. When you start a rotation, a new certificate
is created and placed into the "upcoming" slot. If a certificate is already present
in the "upcoming" slot at the time of your request, then that certificate is deleted.
There can be only one upcoming certificate.
To initiate a rotation:
Console
In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
Select Connections from the SQL navigation menu.
Select the Security tab.
Click Create new CA certificate .
Click to expand Manage certificates .
Select Rotate CA certificate .
If there are no eligible certificates,
then the rotate option is unavailable.
Complete the rotation as described in
Rotate server CA certificates .
gcloud
Initiate the rotation:
gcloud sql ssl server-ca-certs create \
--instance=INSTANCE_NAME
Complete the rotation as described in
Rotate server CA certificates .
REST v1
Before using any of the request data,
make the following replacements:
project-id : The project ID
instance-id : The instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /rotateServerCa
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d "" \ "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /rotateServerCa"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id /rotateServerCa" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id ",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id ",
"targetId": "instance-id ",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id /operations/operation-id ",
"targetProject": "project-id "
}
Complete the rotation as described in
Rotate server CA certificates .
REST v1beta4
Before using any of the request data,
make the following replacements:
project-id : The project ID
instance-id : The instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /rotateServerCa
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d "" \ "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /rotateServerCa"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /rotateServerCa" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id ",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id ",
"targetId": "instance-id ",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /operations/operation-id ",
"targetProject": "project-id "
}
Complete the rotation as described in
Rotate server CA certificates .
Get information about a server CA certificate
You can get information about your server CA certificate, such as when it expires
or what level of encryption it provides.
Console
In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
Select Connections from the SQL navigation menu.
Select the Security tab.
In Manage server CA certificates , you can see the expiration date
of your server CA certificate in the table.
To see the certificate type, use the
gcloud sql ssl server-ca-certs list --instance=INSTANCE_NAME
command.
gcloud
gcloud sql ssl server-ca-certs list \
--instance=INSTANCE_NAME
REST v1
When you describe your instance, you can see details about the server CA
certificate:
Before using any of the request data,
make the following replacements:
project-id : The project ID
instance-id : The instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id ?fields=serverCaCert
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id ?fields=serverCaCert"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/v1/projects/project-id /instances/instance-id ?fields=serverCaCert" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"serverCaCert":
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number ",
"cert": "cert-value -",
"commonName": "ca-server-name ",
"sha1Fingerprint": "sha1Fingerprint ",
"instance": "instance-id ",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
}
}
REST v1beta4
When you describe your instance, you can see details about the server
CA certificate:
Before using any of the request data,
make the following replacements:
project-id : The project ID
instance-id : The instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id ?fields=serverCaCert
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id ?fields=serverCaCert"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id ?fields=serverCaCert" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"serverCaCert":
{
"kind": "sql#sslCert",
"certSerialNumber": "cert-serial-number ",
"cert": "cert-value -",
"commonName": "ca-server-name ",
"sha1Fingerprint": "sha1Fingerprint ",
"instance": "instance-id ",
"createTime": "2020-02-10T17:18:54.935Z",
"expirationTime": "2030-02-07T17:19:54.935Z"
}
}
View the content of CA certificates
You can use openssl storeutl
to view the content of CA certificates.
When you run the beta sql ssl server-ca-certs list
command, you might get multiple CA certificates from previous
rotation-related operations.
gcloud
Run the following command:
gcloud beta sql ssl server-ca-certs list \
--instance=INSTANCE_NAME \
--format='value(cert)' > temp_cert.pem
Replace INSTANCE_NAME with the name of the instance.
Use openssl
to examine the contents of the CA certificates.
openssl storeutl -noout -text temp_cert.pem
View the content of a server certificate
You can use
nmap
to view the content of server certificates. To download and install
nmap
,
visit
https://nmap.org/ .
gcloud
To view the server certificate content, run the following command:
nmap -sV -p 1433 --script ssl-cert INSTANCE_IP_ADDRESS -Pn
Replace INSTANCE_IP_ADDRESS with the IP address of the instance.
Manage server certificates (shared CA)
Preview
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section
of the Service Specific Terms .
Pre-GA features are available "as is" and might have limited support.
For more information, see the
launch stage descriptions .
This section describes how to manage server certificates on instances that
use shared CAs.
You can opt in to using shared CAs as the
server CA mode for your instance by specifying GOOGLE_MANAGED_CAS_CA
for
the serverCaMode
setting (Cloud SQL Admin API) or the --server-ca-mode
flag (gcloud CLI ) when you
create your instance .
Rotate server certificates
If you've received a notice about your certificates expiring, or you want to
initiate a rotation, then take the following steps to complete the rotation.
Before you start the rotation, there must be a new server certificate created for
the upcoming rotation. If there is already a new server certificate created for
the upcoming rotation, then you can skip the first step in the following procedure.
To rotate the server certificate on your instance, perform the following steps:
If you need a new server certificate, then create one.
If your clients already trust the latest regional CA bundle, then this step
is optional. However, if you need to update your clients with
server CA information, then do the following:
Download the latest server CA information.
Update your clients to use the latest server CA information.
Complete the rotation by moving the active certificate to the previous slot,
and updating the new certificate to be the active certificate.
Console
You can't use the Google Cloud console to rotate server certificates
on instances that use CA Service during
Preview .
Use the gcloud beta sql ssl server-certs rotate
command or the Cloud SQL Admin API commands instead.
gcloud
To create a server certificate, use the following command:
gcloud beta sql ssl server-certs create \
--instance=INSTANCE
Replace INSTANCE with the name of the instance.
Make sure that you're using the latest CA bundle .
If you aren't using the latest CA bundle, then run the following
command to download the latest server CA information for the
instance to a local PEM file:
gcloud beta sql ssl server-certs list \
--format="value(ca_cert.cert)" \
--instance=INSTANCE_NAME > \
FILE_PATH /server-ca.pem
Or download the CA bundles from the
root and regional CA certificate bundle table
on this page.
Then update all of your clients to use new server CA information by
copying the downloaded file to your client host machines, replacing the
existing server-ca.pem
files.
After you update all your clients (if client updates are required),
complete the rotation:
gcloud beta sql ssl server-certs rotate \
--instance=INSTANCE_NAME
Confirm that your clients are connecting properly.
If any clients aren't connecting using the newly rotated server certificate,
then roll back to the previous configuration.
REST v1
Create a server certificate.
Before using any of the request data,
make the following replacements:
PROJECT_ID : the project ID
INSTANCE_ID : the instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /addServerCertificate
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d "" \ "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /addServerCertificate"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /addServerCertificate" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID ",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2024-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "OPERATION_ID ",
"targetId": "INSTANCE_ID ",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /operations/OPERATION_ID ",
"targetProject": "PROJECT_ID "
}
If you need to download server CA certificate information, then you can use the following command.
Before using any of the request data,
make the following replacements:
PROJECT_ID : the project ID
INSTANCE_ID : the instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /listServerCertificates
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /listServerCertificates"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /listServerCertificates" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"caCerts": [
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_ONE ",
"cert": "CERT_VALUE ",
"commonName": "CA_SERVER_NAME ",
"sha1Fingerprint": "sha1Fingerprint_CA_CERT_ONE ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-07-10T17:18:54.935Z",
"expirationTime": "2034-07-10T17:19:54.935Z"
},
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_TWO ",
"cert": "CERT_VALUE ",
"commonName": "CA_SERVER_NAME ",
"sha1Fingerprint": "sha1Fingerprint_CA_CERT_TWO ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-07-14T22:43:56.458Z",
"expirationTime": "2034-11-11T22:44:56.458Z"
}
],
"serverCerts": [
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_ONE ",
"cert": "CERT_VALUE "
"commonName": "SUBJECT_VALUE ",
"sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_ONE ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-09-16T18:11:39Z",
"expirationTime": "2025-09-16T18:11:38Z"
},
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_TWO ",
"cert": "CERT_VALUE "
"commonName": "SUBJECT_VALUE ",
"sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_TWO ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-09-10T20:56:06Z",
"expirationTime": "2025-09-10T20:56:05Z"
}
],
"activeVersion": "sha1Fingerprint_SERVER_CERT_TWO ",
"kind": "sql#instancesListServerCertificates"
}
Complete the rotation.
Before using any of the request data,
make the following replacements:
PROJECT_ID : The project ID
INSTANCE_ID : The instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /rotateServerCertificate
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d "" \ "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /rotateServerCertificate"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /rotateServerCertificate" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID ",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2024-09-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id ",
"targetId": "INSTANCE_ID ",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /operations/operation-id ",
"targetProject": "PROJECT_ID "
}
REST v1beta4
Create a server certificate.
Before using any of the request data,
make the following replacements:
PROJECT_ID : the project ID
INSTANCE_ID : the instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /addServerCertificate
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d "" \ "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /addServerCertificate"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /addServerCertificate" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID ",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2024-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "OPERATION_ID ",
"targetId": "INSTANCE_ID ",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /operations/OPERATION_ID ",
"targetProject": "PROJECT_ID "
}
If you need to download server CA certificate information, then you can use the following command.
Before using any of the request data,
make the following replacements:
PROJECT_ID : the project ID
INSTANCE_ID : the instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /listServerCertificates
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /listServerCertificates"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /listServerCertificates" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"caCerts": [
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_ONE ",
"cert": "CERT_VALUE ",
"commonName": "CA_SERVER_NAME ",
"sha1Fingerprint": "sha1Fingerprint_CA_CERT_ONE ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-07-10T17:18:54.935Z",
"expirationTime": "2034-07-10T17:19:54.935Z"
},
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_TWO ",
"cert": "CERT_VALUE ",
"commonName": "CA_SERVER_NAME ",
"sha1Fingerprint": "sha1Fingerprint_CA_CERT_TWO ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-07-14T22:43:56.458Z",
"expirationTime": "2034-11-11T22:44:56.458Z"
}
],
"serverCerts": [
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_ONE ",
"cert": "CERT_VALUE "
"commonName": "SUBJECT_VALUE ",
"sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_ONE ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-09-16T18:11:39Z",
"expirationTime": "2025-09-16T18:11:38Z"
},
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_TWO ",
"cert": "CERT_VALUE "
"commonName": "SUBJECT_VALUE ",
"sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_TWO ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-09-10T20:56:06Z",
"expirationTime": "2025-09-10T20:56:05Z"
}
],
"activeVersion": "sha1Fingerprint_SERVER_CERT_TWO ",
"kind": "sql#instancesListServerCertificates"
}
Complete the rotation.
Before using any of the request data,
make the following replacements:
PROJECT_ID : the project ID
INSTANCE_ID : the instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /rotateServerCertificate
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d "" \ "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /rotateServerCertificate"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /rotateServerCertificate" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID ",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2024-09-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "OPERATION_ID ",
"targetId": "INSTANCE_ID ",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /operations/OPERATION_ID ",
"targetProject": "PROJECT_ID "
}
Roll back a certificate rotation
After you complete a server certificate rotation, all your clients must use the
new certificate to connect to your Cloud SQL instance. If the clients
aren't updated properly to use the new certificate information, then they can't
connect using SSL/TLS to your instance. If this happens, then you can roll back
to the previous certificate configuration.
A rollback operation moves the active certificate into the "upcoming" slot,
which replaces any "upcoming" certificate. The "previous" certificate becomes
the active certificate and returns your certificate configuration to its previous
state before you completed the rotation.
Console
You can't use the Google Cloud console to roll back server certificates
on instances that use CA Service during
Preview .
Use the gcloud beta sql ssl server-certs rollback
command or the Cloud SQL Admin API commands instead.
gcloud
gcloud beta sql ssl server-certs rollback \
--instance=INSTANCE_NAME
REST v1
List your server certificates.
Before using any of the request data,
make the following replacements:
PROJECT_ID : the project ID
INSTANCE_ID : the instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /listServerCertificates
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /listServerCertificates"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /listServerCertificates" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"caCerts": [
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_ONE ",
"cert": "CERT_VALUE ",
"commonName": "CA_SERVER_NAME ",
"sha1Fingerprint": "sha1Fingerprint_CA_CERT_ONE ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-07-10T17:18:54.935Z",
"expirationTime": "2034-07-10T17:19:54.935Z"
},
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_TWO ",
"cert": "CERT_VALUE ",
"commonName": "CA_SERVER_NAME ",
"sha1Fingerprint": "sha1Fingerprint_CA_CERT_TWO ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-07-14T22:43:56.458Z",
"expirationTime": "2034-11-11T22:44:56.458Z"
}
],
"serverCerts": [
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_ONE ",
"cert": "CERT_VALUE "
"commonName": "SUBJECT_VALUE ",
"sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_ONE ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-09-16T18:11:39Z",
"expirationTime": "2025-09-16T18:11:38Z"
},
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_TWO ",
"cert": "CERT_VALUE "
"commonName": "SUBJECT_VALUE ",
"sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_TWO ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-09-10T20:56:06Z",
"expirationTime": "2025-09-10T20:56:05Z"
}
],
"activeVersion": "sha1Fingerprint_SERVER_CERT_TWO ",
"kind": "sql#instancesListServerCertificates"
}
Copy the sha1Fingerprint
field for the version you want to roll back to.
Look for the version with a createTime
value immediately earlier
than the version with the sha1Fingerprint
value shown as
activeVersion
.
Roll back the rotation.
Before using any of the request data,
make the following replacements:
PROJECT_ID : the project ID
INSTANCE_ID : the instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /rotateServerCertificate
Request JSON body:
{
"rotateServerCertificateContext": {"nextVersion": "sha1Fingerprint "}
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Save the request body in a file named request.json
,
and execute the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d @request.json \ "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /rotateServerCertificate"
PowerShell (Windows)
Save the request body in a file named request.json
,
and execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -InFile request.json ` -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID /rotateServerCertificate" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /instances/INSTANCE_ID ",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "OPERATION_ID ",
"targetId": "INSTANCE_ID ",
"selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID /operations/OPERATION_ID ",
"targetProject": "PROJECT_ID "
}
REST v1beta4
List your server certificates.
Before using any of the request data,
make the following replacements:
PROJECT_ID : the project ID
INSTANCE_ID : the instance ID
HTTP method and URL:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /listServerCertificates
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X GET \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /listServerCertificates"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method GET ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /listServerCertificates" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"caCerts": [
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_ONE ",
"cert": "CERT_VALUE ",
"commonName": "CA_SERVER_NAME ",
"sha1Fingerprint": "sha1Fingerprint_CA_CERT_ONE ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-07-10T17:18:54.935Z",
"expirationTime": "2034-07-10T17:19:54.935Z"
},
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_TWO ",
"cert": "CERT_VALUE ",
"commonName": "CA_SERVER_NAME ",
"sha1Fingerprint": "sha1Fingerprint_CA_CERT_TWO ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-07-14T22:43:56.458Z",
"expirationTime": "2034-11-11T22:44:56.458Z"
}
],
"serverCerts": [
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_ONE ",
"cert": "CERT_VALUE "
"commonName": "SUBJECT_VALUE ",
"sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_ONE ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-09-16T18:11:39Z",
"expirationTime": "2025-09-16T18:11:38Z"
},
{
"kind": "sql#sslCert",
"certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_TWO ",
"cert": "CERT_VALUE "
"commonName": "SUBJECT_VALUE ",
"sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_TWO ",
"instance": "INSTANCE_NAME ",
"createTime": "2024-09-10T20:56:06Z",
"expirationTime": "2025-09-10T20:56:05Z"
}
],
"activeVersion": "sha1Fingerprint_SERVER_CERT_TWO ",
"kind": "sql#instancesListServerCertificates"
}
Copy the sha1Fingerprint
field for the version you want to roll back to.
Look for the version with a createTime
value immediately earlier
than the version with the sha1Fingerprint
value shown as
activeVersion
.
Roll back the rotation.
Before using any of the request data,
make the following replacements:
PROJECT_ID : the project ID
INSTANCE_ID : the instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /rotateServerCertificate
Request JSON body:
{
"rotateServerCertificateContext": {"nextVersion": "sha1Fingerprint "}
}
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Save the request body in a file named request.json
,
and execute the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d @request.json \ "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /rotateServerCertificate"
PowerShell (Windows)
Save the request body in a file named request.json
,
and execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -ContentType: "application/json; charset=utf-8" ` -InFile request.json ` -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID /rotateServerCertificate" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /instances/INSTANCE_ID ",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "OPERATION_ID ",
"targetId": "INSTANCE_ID ",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID /operations/OPERATION_ID ",
"targetProject": "PROJECT_ID "
}
View the content of CA certificates
You can use the openssl storeutl
utility
to view the content of CA certificates.
When you run the beta sql ssl server-certs list command, you always get
multiple CA certificates due to the trust chain.
You also might get multiple CA certificates from previous
rotation-related operations.
gcloud
Run the following command:
gcloud beta sql ssl server-certs list \
--instance=INSTANCE_NAME \
--format='value(cert)' > temp_cert.pem
Replace INSTANCE_NAME with the name of the instance.
Use openssl
to examine the contents of the CA certificates.
openssl storeutl -noout -text temp_cert.pem
Download root and regional CA certificate bundles
You can download the root and regional CA certificate bundles from the following
table.
Reset the SSL/TLS configuration
You can completely reset your SSL/TLS configuration.
Caution: Performing this action removes the ability to connect to your instance
using SSL/TLS until you create new client certificates to replace any
that were previously in use.
Console
In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances
To open the Overview page of an instance, click the instance name.
Select Connections from the SQL navigation menu.
Go to the Reset SSL configuration section.
Click Reset SSL Configuration .
gcloud
Refresh the certificate:
gcloud sql instances reset-ssl-config INSTANCE_NAME
REST v1beta4
Refresh the certificate:
Before using any of the request data,
make the following replacements:
project-id : The project ID
instance-id : The instance ID
HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /resetSslConfig
To send your request, expand one of these options:
curl (Linux, macOS, or Cloud Shell)
Note:
The following command assumes that you have logged in to
the gcloud
CLI with your user account by running
gcloud init
or
gcloud auth login
, or by using Cloud Shell ,
which automatically logs you into the gcloud
CLI
.
You can check the currently active account by running
gcloud auth list
.
Execute the following command:
curl -X POST \ -H "Authorization: Bearer $(gcloud auth print-access-token)" \ -H "Content-Type: application/json; charset=utf-8" \ -d "" \ "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /resetSslConfig"
PowerShell (Windows)
Execute the following command:
$cred = gcloud auth print-access-token $headers = @{ "Authorization" = "Bearer $cred" } Invoke-WebRequest ` -Method POST ` -Headers $headers ` -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id /resetSslConfig" | Select-Object -Expand Content
You should receive a JSON response similar to the following:
Response
{
"kind": "sql#operation",
"targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /instances/instance-id ",
"status": "PENDING",
"user": "user@example.com",
"insertTime": "2020-01-20T21:30:35.667Z",
"operationType": "UPDATE",
"name": "operation-id ",
"targetId": "instance-id ",
"selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id /operations/operation-id ",
"targetProject": "project-id "
}
What's next