Manage SSL/TLS certificates

This page describes how to manage your server CA certificates.

Use encrypted connections

Learn more about how SQL Server uses encrypted connections.

Manage server CA certificates (per-instance CA)

This section describes how to manage server CA certificates that are created internally by Cloud SQL. This is the default server CA mode in Cloud SQL. In this certificate authority hierarchy, Cloud SQL creates a server CA for each instance.

Rotate server CA certificates

If you've received a notice about your certificates expiring, or you want to initiate a rotation, then take the following steps to complete the rotation. Before you start the rotation, you must have a new server CA on the instance. If a new server CA has already been created, then you can skip the first step in the following procedure.

  1. Create a new server CA.
  2. Download the new server CA certificate information.
  3. Update your clients to use the new server CA certificate information.
  4. Complete the rotation, which moves the active certificate into the "previous" slot and updates the newly added certificate to be the active certificate.

Console

Download the new server CA certificate information:

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Select Rotate CA certificate.

    If there are no eligible certificates, then the rotate option is unavailable.

  7. Click Download Certificates.

The server CA certificate information, encoded as a PEM file, is downloaded to your local environment:

  • Update all of your SQL Server clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem file.

After you have updated your clients, complete the rotation:

  1. Return to the Security tab.
  2. Click to expand Manage certificates.
  3. Select Rotate CA certificate.
  4. Confirm that your clients are connecting properly.

    If any clients are not connecting using the newly rotated certificate, then you can select Rollback CA certificate to rollback to the previous configuration.

gcloud

  1. Create a server CA certificate:
    gcloud beta sql ssl server-ca-certs create \
    --instance=INSTANCE
    
  2. Download the certificate information to a local PEM file:
    gcloud sql ssl server-ca-certs list \
    --format="value(cert)" \
    --instance=INSTANCE_NAME > \
    FILE_PATH/FILE_NAME.pem
    
  3. Update all of your clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem files.
  4. After you have updated your clients, complete the rotation:
    gcloud sql ssl server-ca-certs rotate \
    --instance=INSTANCE_NAME
          
  5. Confirm that your clients are connecting properly.

    If any clients are not connecting using the newly rotated certificate, then you can rollback to the previous configuration.

REST v1

  1. Download your server CA certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Complete the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

REST v1beta4

  1. Download your server CA certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Complete the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

Roll back a certificate rotation operation

After you complete a certificate rotation, your clients must all use the new certificate to connect to your Cloud SQL instance. If the clients aren't updated properly to use the new certificate information, then they can't connect using SSL/TLS to your instance. If this happens, then you can roll back to the previous certificate configuration.

A rollback operation moves the active certificate into the "upcoming" slot (replacing any "upcoming" certificate). The "previous" certificate becomes the active certificate, returning your certificate configuration to the state it was in before you completed the rotation.

To roll back to the previous certificate configuration:

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Select Rollback CA certificate.

    If there are no eligible certificates, then the rollback option is unavailable. Otherwise, the rollback action completes after a few seconds.

gcloud

gcloud sql ssl server-ca-certs rollback \
--instance=INSTANCE_NAME
   

REST v1

  1. Download your server CA certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

    Request JSON body:

    {
      "rotateServerCaContext": {"nextVersion": "sha1Fingerprint"}
    }
    

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

REST v1beta4

  1. Download your server CA certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

    Request JSON body:

    {
      "rotateServerCaContext": {"nextVersion": "sha1Fingerprint"}
    }
    

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

Initiate a rotation

You don't need to wait for the email from Cloud SQL to start a rotation. You can start one at any time. When you start a rotation, a new certificate is created and placed into the "upcoming" slot. If a certificate is already present in the "upcoming" slot at the time of your request, then that certificate is deleted. There can be only one upcoming certificate.

To initiate a rotation:

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click Create new CA certificate.
  6. Click to expand Manage certificates.
  7. Select Rotate CA certificate.

    If there are no eligible certificates, then the rotate option is unavailable.

  8. Complete the rotation as described in Rotate server CA certificates.

gcloud

  1. Initiate the rotation:
    gcloud sql ssl server-ca-certs create \
    --instance=INSTANCE_NAME
         
  2. Complete the rotation as described in Rotate server CA certificates.

REST v1

  1. Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Complete the rotation as described in Rotate server CA certificates.

REST v1beta4

  1. Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Complete the rotation as described in Rotate server CA certificates.

Get information about a server CA certificate

You can get information about your server CA certificate, such as when it expires or what level of encryption it provides.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.

    In Manage server CA certificates, you can see the expiration date of your server CA certificate in the table.

    To see the certificate type, use the gcloud sql ssl server-ca-certs list --instance=INSTANCE_NAME command.

gcloud

gcloud sql ssl server-ca-certs list \
--instance=INSTANCE_NAME

REST v1

When you describe your instance, you can see details about the server CA certificate:

Before using any of the request data, make the following replacements:

  • project-id: The project ID
  • instance-id: The instance ID

HTTP method and URL:

GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert

To send your request, expand one of these options:

You should receive a JSON response similar to the following:

REST v1beta4

When you describe your instance, you can see details about the server CA certificate:

Before using any of the request data, make the following replacements:

  • project-id: The project ID
  • instance-id: The instance ID

HTTP method and URL:

GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert

To send your request, expand one of these options:

You should receive a JSON response similar to the following:

View the content of CA certificates

You can use openssl storeutl to view the content of CA certificates.

When you run the beta sql ssl server-ca-certs list command, you might get multiple CA certificates from previous rotation-related operations.

gcloud

  1. Run the following command:
    gcloud beta sql ssl server-ca-certs list \
      --instance=INSTANCE_NAME \
      --format='value(cert)' > temp_cert.pem
    

    Replace INSTANCE_NAME with the name of the instance.

  2. Use openssl to examine the contents of the CA certificates.
  3. openssl storeutl -noout -text temp_cert.pem
       

View the content of a server certificate

You can use nmap to view the content of server certificates. To download and install nmap, visit https://nmap.org/.

gcloud

To view the server certificate content, run the following command:

nmap -sV -p 1433 --script ssl-cert INSTANCE_IP_ADDRESS -Pn

Replace INSTANCE_IP_ADDRESS with the IP address of the instance.

Manage server certificates (shared CA)

This section describes how to manage server certificates on instances that use shared CAs. You can opt in to using shared CAs as the server CA mode for your instance by specifying GOOGLE_MANAGED_CAS_CA for the serverCaMode setting (Cloud SQL Admin API) or the --server-ca-mode flag (gcloud CLI) when you create your instance.

Rotate server certificates

If you've received a notice about your certificates expiring, or you want to initiate a rotation, then take the following steps to complete the rotation. Before you start the rotation, there must be a new server certificate created for the upcoming rotation. If there is already a new server certificate created for the upcoming rotation, then you can skip the first step in the following procedure.

To rotate the server certificate on your instance, perform the following steps:

  1. If you need a new server certificate, then create one.

  2. If your clients already trust the latest regional CA bundle, then this step is optional. However, if you need to update your clients with server CA information, then do the following:

    1. Download the latest server CA information.
    2. Update your clients to use the latest server CA information.
  3. Complete the rotation by moving the active certificate to the previous slot, and updating the new certificate to be the active certificate.

Console

You can't use the Google Cloud console to rotate server certificates on instances that use CA Service during Preview. Use the gcloud beta sql ssl server-certs rotate command or the Cloud SQL Admin API commands instead.

gcloud

  1. To create a server certificate, use the following command:
    gcloud beta sql ssl server-certs create \
    --instance=INSTANCE
    
  2. Replace INSTANCE with the name of the instance.
  3. Make sure that you're using the latest CA bundle. If you aren't using the latest CA bundle, then run the following command to download the latest server CA information for the instance to a local PEM file:
    gcloud beta sql ssl server-certs list \
    --format="value(ca_cert.cert)" \
    --instance=INSTANCE_NAME > \
    FILE_PATH/server-ca.pem
    

    Or download the CA bundles from the root and regional CA certificate bundle table on this page.

    Then update all of your clients to use new server CA information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem files.

  4. After you update all your clients (if client updates are required), complete the rotation:
    gcloud beta sql ssl server-certs rotate \
    --instance=INSTANCE_NAME
          
  5. Confirm that your clients are connecting properly.

    If any clients aren't connecting using the newly rotated server certificate, then roll back to the previous configuration.

REST v1

  1. Create a server certificate.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. If you need to download server CA certificate information, then you can use the following command.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  3. Complete the rotation.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: The project ID
    • INSTANCE_ID: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

REST v1beta4

  1. Create a server certificate.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. If you need to download server CA certificate information, then you can use the following command.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  3. Complete the rotation.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

Roll back a certificate rotation

After you complete a server certificate rotation, all your clients must use the new certificate to connect to your Cloud SQL instance. If the clients aren't updated properly to use the new certificate information, then they can't connect using SSL/TLS to your instance. If this happens, then you can roll back to the previous certificate configuration.

A rollback operation moves the active certificate into the "upcoming" slot, which replaces any "upcoming" certificate. The "previous" certificate becomes the active certificate and returns your certificate configuration to its previous state before you completed the rotation.

Console

You can't use the Google Cloud console to roll back server certificates on instances that use CA Service during Preview. Use the gcloud beta sql ssl server-certs rollback command or the Cloud SQL Admin API commands instead.

gcloud

gcloud beta sql ssl server-certs rollback \
--instance=INSTANCE_NAME
   

REST v1

  1. List your server certificates.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate

    Request JSON body:

    {
      "rotateServerCertificateContext": {"nextVersion": "sha1Fingerprint"}
    }
    

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

REST v1beta4

  1. List your server certificates.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate

    Request JSON body:

    {
      "rotateServerCertificateContext": {"nextVersion": "sha1Fingerprint"}
    }
    

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

View the content of CA certificates

You can use the openssl storeutl utility to view the content of CA certificates.

When you run the beta sql ssl server-certs list command, you always get multiple CA certificates due to the trust chain. You also might get multiple CA certificates from previous rotation-related operations.

gcloud

  1. Run the following command:
    gcloud beta sql ssl server-certs list \
      --instance=INSTANCE_NAME \
      --format='value(cert)' > temp_cert.pem
    

    Replace INSTANCE_NAME with the name of the instance.

  2. Use openssl to examine the contents of the CA certificates.
  3. openssl storeutl -noout -text temp_cert.pem
       

Download root and regional CA certificate bundles

You can download the root and regional CA certificate bundles from the following table.

Region name Location Certificate bundle
Global
CA for all regions All locations global.pem
Asia
asia-east1 Taiwan asia-east1.pem
asia-east2 Hong Kong asia-east2.pem
asia-northeast1 Tokyo asia-northeast1.pem
asia-northeast2 Osaka asia-northeast2.pem
asia-northeast3 Seoul asia-northeast3.pem
asia-south1 Mumbai asia-south1.pem
asia-south2 Delhi asia-south2.pem
asia-southeast1 Singapore asia-southeast1.pem
asia-southeast2 Jakarta asia-southeast2.pem
Africa
africa-south1 Johannesburg africa-south1.pem
Australia
australia-southeast1 Sydney australia-southeast1.pem
australia-southeast2 Melbourne australia-southeast2.pem
Europe
europe-central2 Warsaw europe-central2.pem
europe-north1 Finland europe-north1.pem
europe-southwest1 Madrid europe-southwest1.pem
europe-west1 Belgium europe-west1.pem
europe-west2 London europe-west2.pem
europe-west3 Frankfurt europe-west3.pem
europe-west4 Netherlands europe-west4.pem
europe-west6 Zürich europe-west6.pem
europe-west8 Milan europe-west8.pem
europe-west9 Paris europe-west9.pem
europe-west10 Berlin europe-west10.pem
europe-west12 Turin europe-west12.pem
Middle East
me-central1 Doha me-central1.pem
me-central2 Dammam me-central2.pem
me-west1 Tel Aviv me-west1.pem
North America
northamerica-northeast1 Montréal northamerica-northeast1.pem
northamerica-northeast2 Toronto northamerica-northeast2.pem
northamerica-south1 Mexico northamerica-south1.pem
us-central1 Iowa us-central1.pem
us-east1 South Carolina us-east1.pem
us-east4 Northern Virginia us-east4.pem
us-east5 Columbus us-east5.pem
us-south1 Dallas us-south1.pem
us-west1 Oregon us-west1.pem
us-west2 Los Angeles us-west2.pem
us-west3 Salt Lake City us-west3.pem
us-west4 Las Vegas us-west4.pem
South America
southamerica-east1 São Paulo southamerica-east1.pem
southamerica-west1 Santiago southamerica-west1.pem

Reset the SSL/TLS configuration

You can completely reset your SSL/TLS configuration.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Go to the Reset SSL configuration section.
  5. Click Reset SSL Configuration.

gcloud

  1. Refresh the certificate:

    gcloud sql instances reset-ssl-config INSTANCE_NAME
    

REST v1beta4

  1. Refresh the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig

    To send your request, expand one of these options:

    You should receive a JSON response similar to the following:

What's next