Configure SSL/TLS certificates

MySQL  |  PostgreSQL  |  SQL Server

This page describes how to enforce SSL/TLS encryption for an instance to ensurethat all connections are encrypted. You can alsolearn more abouthow Cloud SQL uses self-managed SSL/TLS certificatesto connect to Cloud SQL instances securely.

Overview

Cloud SQL creates a server certificateautomatically when you create your instance. We recommend that youenforce all connections to use SSL/TLS.

To validate client/server identity using SSL/TLS certs, you need to create aclient certificate and download the certificates to your PostgreSQL clienthost machine.

Note: Cloud SQL recommends mutualauthentication, which involves using certificates to authenticate both theclient and server. Enforcing SSL/TLS encryption with valid client certificatesmakes mutual TLS required for all clients. However, if SSL/TLS is notenforced with valid client certificates, then connecting with non-mutual TLS usingthe server certificate is still possible.

For more information, consultthe documentation for your database engine.

When you enforce SSL for an instance, the instance does not require a restart.However, changes to SSL/TLS certificates might result in an automatic restartof the instance and can incur downtime.

A change to SSL mode configuration applies only to new connections.If you enforce SSL and your instance has existing unencrypted connections,then the connections stay connected and unencrypted. Toclose any unencrypted connections and enforce SSL on all connections,you must restart your instance.

Enforce SSL/TLS encryption

You can use theSSL modesetting to enforce SSL encryption in the following ways:

  • Allow both non-SSL/non-TLSand SSL/TLS connections.The client certificateisn't verified for SSL/TLS connections. This is the default.

  • Only allow connections encrypted with SSL/TLS. The client certificate isn'tverified for SSL connections.

  • Only allow connections encrypted with SSL/TLS and with validclient certificates.

If you selectAllow non-SSL/non-TLS and SSL/TLS connections for yourCloud SQL instance, SSL/TLS connections areaccepted, as well as unencrypted and unsecure connections.If you do not require SSL/TLS for all connections, unencryptedconnections are still allowed. For this reason, if you are accessingyour instance using public IP, we strongly recommend that you enforce SSLfor all connections.

You can connect either directly to instances by using SSL/TLS certificates, oryou can connect by using theCloud SQL Auth ProxyorCloud SQL Connectors.If you connect by using Cloud SQL Auth Proxy or Cloud SQL Connectors, then the connectionsare automatically encrypted with SSL/TLS. With Cloud SQL Auth Proxy and Cloud SQL Connectors,client and server identities are also automatically verified regardless of theSSL mode setting.

Note: We recommend that you update instances usingSSL mode instead of using the legacyrequire-ssl parameter.If you update the SSL enforcement configuration on an existing instance,make sure that the values don't conflict with therequire-ssl parameter.

To enable requiring SSL/TLS, do the following:

Console

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open theOverview page of an instance, click the instance name.
  3. ClickConnections from the SQL navigation menu.
  4. Select theSecurity tab.
  5. Select one of the following:
    • Allow unencrypted network traffic (not recommended)
    • Allow only SSL connections. This option only allows connections using SSL/TLS encryption. Certificates aren't validated.
    • Require trusted client certificates. This option only allows connections from clients that use a valid client certificate and are SSL encrypted. If a client or user connects usingIAM database authentication, then they must use either the Cloud SQL Auth Proxy or Cloud SQL Connectors to enforce client identity verification.

gcloud

   gcloud sql instances patchINSTANCE_NAME \   --ssl-mode=SSL_ENFORCEMENT_MODE

ReplaceSSL_ENFORCEMENT_MODE with one of the following options:

  • ALLOW_UNENCRYPTED_AND_ENCRYPTED allows non-SSL/non-TLS and SSL/TLS connections. For SSL connections, the client certificate is not verified. This is the default value.
  • ENCRYPTED_ONLY only allows connections encrypted with SSL/TLS. The client certificate isn't verified for SSL connections.
  • TRUSTED_CLIENT_CERTIFICATE_REQUIRED only allows connections encrypted with SSL/TLS and with valid client certificates. If a client or user connects usingIAM database authentication, then they must use either the Cloud SQL Auth Proxy or Cloud SQL Connectors to enforce client identity verification.
    • For more information, see Settings for Cloud SQL for PostgreSQL.

Terraform

To enforce SSL/TLS encryption, use aTerraform resource:

resource "google_sql_database_instance" "postgres_instance" {  name             = "postgres-instance"  region           = "asia-northeast1"  database_version = "POSTGRES_14"  settings {    tier = "db-custom-2-7680"    ip_configuration {      # The following SSL enforcement options only allow connections encrypted with SSL/TLS and with      # valid client certificates. Please check the API reference for other SSL enforcement options:      # https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1beta4/instances#ipconfiguration      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"    }  }  # set `deletion_protection` to true, will ensure that one cannot accidentally delete this instance by  # use of Terraform whereas `deletion_protection_enabled` flag protects this instance at the GCP level.  deletion_protection = false}

Apply the changes

To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.

Prepare Cloud Shell

  1. LaunchCloud Shell.

  2. Set the default Google Cloud project where you want to apply your Terraform configurations.

    You only need to run this command once per project, and you can run it in any directory.

    export GOOGLE_CLOUD_PROJECT=PROJECT_ID

    Environment variables are overridden if you set explicit values in the Terraform configuration file.

Prepare the directory

Each Terraform configuration file must have its own directory (alsocalled aroot module).

  1. InCloud Shell, create a directory and a new file within that directory. The filename must have the.tf extension—for examplemain.tf. In this tutorial, the file is referred to asmain.tf.
    mkdirDIRECTORY && cdDIRECTORY && touch main.tf

  2. If you are following a tutorial, you can copy the sample code in each section or step.

    Copy the sample code into the newly createdmain.tf.

    Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.

  3. Review and modify the sample parameters to apply to your environment.
  4. Save your changes.
  5. Initialize Terraform. You only need to do this once per directory.
    terraform init

    Optionally, to use the latest Google provider version, include the-upgrade option:

    terraform init -upgrade

Apply the changes

  1. Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:
    terraform plan

    Make corrections to the configuration as necessary.

  2. Apply the Terraform configuration by running the following command and enteringyes at the prompt:
    terraform apply

    Wait until Terraform displays the "Apply complete!" message.

  3. Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
Note: Terraform samples typically assume that the required APIs are enabled in your Google Cloud project.

Delete the changes

To delete your changes, do the following:

  1. To disable deletion protection, in your Terraform configuration file set thedeletion_protection argument tofalse.
    deletion_protection =  "false"
  2. Apply the updated Terraform configuration by running the following command and enteringyes at the prompt:
    terraform apply

  1. Remove resources previously applied with your Terraform configuration by running the following command and enteringyes at the prompt:

    terraform destroy

REST v1

  1. Before using any of the request data, make the following replacements:

    HTTP method and URL:

    PATCH https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID

    Request JSON body:

    {  "settings": {    "ipConfiguration": {"sslMode": "SSL_ENFORCEMENT_MODE"}  }}

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

    Save the request body in a file namedrequest.json, and execute the following command:

    curl -X PATCH \
         -H "Authorization: Bearer $(gcloud auth print-access-token)" \
         -H "Content-Type: application/json; charset=utf-8" \
         -d @request.json \
         "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

    Save the request body in a file namedrequest.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
        -Method PATCH `
        -Headers $headers `
        -ContentType: "application/json; charset=utf-8" `
        -InFile request.json `
        -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",  "status": "PENDING",  "user": "user@example.com",  "insertTime": "2020-01-20T21:30:35.667Z",  "operationType": "UPDATE",  "name": "OPERATION_ID",  "targetId": "INSTANCE_ID",  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",  "targetProject": "PROJECT_ID"}

REST v1beta4

  1. Before using any of the request data, make the following replacements:

    • PROJECT_ID: The project ID
    • SSL_ENFORCEMENT_MODE: Use one of the following options:
      • ALLOW_UNENCRYPTED_AND_ENCRYPTED: allows non-SSL/non-TLS and SSL/TLS connections. For SSL connections, the client certificate isn't verified. This is the default value.
      • ENCRYPTED_ONLY: only allows connections encrypted with SSL/TLS.
      • TRUSTED_CLIENT_CERTIFICATE_REQUIRED: only allows connections encrypted with SSL/TLS and with valid client certificates. If a client or user connects usingIAM database authentication, then they must use either the Cloud SQL Auth Proxy or Cloud SQL Connectors to enforce client identity verification.
    • INSTANCE_ID: The instance ID

    HTTP method and URL:

    PATCH https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID

    Request JSON body:

    {  "settings": {    "ipConfiguration": {"sslMode": "SSL_ENFORCEMENT_MODE"}  }}

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

    Save the request body in a file namedrequest.json, and execute the following command:

    curl -X PATCH \
         -H "Authorization: Bearer $(gcloud auth print-access-token)" \
         -H "Content-Type: application/json; charset=utf-8" \
         -d @request.json \
         "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

    Save the request body in a file namedrequest.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
        -Method PATCH `
        -Headers $headers `
        -ContentType: "application/json; charset=utf-8" `
        -InFile request.json `
        -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",  "status": "PENDING",  "user": "user@example.com",  "insertTime": "2020-01-20T21:30:35.667Z",  "operationType": "UPDATE",  "name": "OPERATION_ID",  "targetId": "INSTANCE_ID",  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",  "targetProject": "PROJECT_ID"}

Server certificates

Cloud SQL creates a server certificate automatically when you create yourinstance. As long as the server certificate is valid, you don't needto activelymanage your server certificate.Cloud SQL lets you select between three differentcertificate authority (CA) hierarchies.The CA hierarchy that you select becomes the server CA modeof the instance. If you're using per-instance CA as the server CA mode for yourinstance, then the server certificates have an expiration date of 10 years.If you're using shared CA or customer-managed CA as the server CA mode ofyour instance, then the server certificate has an expiration date of 1 year*.After the expiration date, the server certificate is no longer valid, and clientscan no longer establish a secure connection to your instance using that certificate.If a client is configured to verify the CA or verify the hostname in the servercertificate, then that client's connections to Cloud SQL instances withexpired server certificates will fail. To prevent disruption to client connections,rotate the server certificate before the certificate expires.You're periodically notified that the server certificate is nearing expiration.The notifications are sent the following number of days before the expirationdate: 90, 30, 10, 2, and 1.

* For customer-managed CA, the expiration date of your servercertificate might be shorter than 1 year if you selected ashorter expiration date for the validity period of your CA.

List and create server certificates

To view the details of your server certificates in the Google Cloud console,go to theConnections page and click theSecurity tab.

In the certificates table, you can see the following details:

  • Certificate Status:Upcoming, Active, or Previous
    • Upcoming: The certificate is available for use, but isn't active. To make the certificate active, use the rotate procedure.
    • Active: The certificate is in use.
    • Previous: The certificate is no longer in use. To make the certificate active, use the rollback procedure.
  • Created: The date and time the certificate was created
  • Expires: The date and time the certificate expires

Before the active certificate expires, you can create a new certificate manually.

Console

For instances that use self-signed server certificates (per-instance CA):

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open theOverview page of an instance, click the instance name.
  3. ClickConnections from the SQL navigation menu.
  4. Select theSecurity tab.
  5. Go to theManage server CA certificates section.
  6. Click to expandManage certificates.
  7. ClickCreate new CA certificate.

The new server CA certificate appears in theUpcoming slot. If you want to rotate to the new server CA certificate immediately, proceed withserver CA certificate rotation by updating your clients and completing the rotation.

For instances that use server certificates issued by a shared CA:

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open theOverview page of an instance, click the instance name.
  3. ClickConnections from the SQL navigation menu.
  4. Select theSecurity tab.
  5. Go to theManage server certificates section.
  6. Click to expandManage certificates.
  7. ClickCreate server certificate.

The new server certificate appears in theUpcoming slot. If you want to use the new server certificate immediately, proceed withserver certificate rotation by updating your clients and completing the rotation.

gcloud

For instances that use self-signed server certificates (per-instance CA):

  1. To get information about the server certificate, use thesql ssl server-ca-certs list command:
    gcloudsqlsslserver-ca-certslist\--instance=INSTANCE_NAME
  2. To create a server certificate, use thesql ssl server-ca-certs create command:
    gcloudsqlsslserver-ca-certscreate\--instance=INSTANCE_NAME
  3. Download the certificate information to a local PEM file:
    gcloudsqlsslserver-ca-certslist\--format="value(cert)"\--instance=INSTANCE_NAME>\FILE_PATH/FILE_NAME.pem
  4. Update all of your clients to use the new information by copying the downloaded file to your client host machines, replacing the existingserver-ca.pem files.

For instances that use server certificates issued by a shared CA:

  1. To get information about the server certificate, use thesql ssl server-certs list command:
    gcloudsqlsslserver-certslist\--instance=INSTANCE_NAME
  2. To create a server certificate, use thesql ssl server-certs create command:
    gcloudsqlsslserver-certscreate\--instance=INSTANCE_NAME
  3. Download the certificate information to a local PEM file:
    gcloudsqlsslserver-certslist\--format="value(ca_cert.cert)"\--instance=INSTANCE_NAME>\FILE_PATH/FILE_NAME.pem
  4. Update all of your clients to use the new information by copying the downloaded file to your client host machines, replacing the existingserver-ca.pem files.

Terraform

To provide server certificate information as an output, use aTerraform data source:

  1. Add the following to your Terraform configuration file:
       data "google_sql_ca_certs" "ca_certs" {     instance = google_sql_database_instance.default.name   }   locals {     furthest_expiration_time = reverse(sort([for k, v in data.google_sql_ca_certs.ca_certs.certs : v.expiration_time]))[0]     latest_ca_cert           = [for v in data.google_sql_ca_certs.ca_certs.certs : v.cert if v.expiration_time == local.furthest_expiration_time]   }   output "db_latest_ca_cert" {     description = "Latest CA certificate used by the primary database server"     value       = local.latest_ca_cert     sensitive   = true   }
  2. To create theserver-ca.pem file, run the following command:
       terraform output db_latest_ca_cert > server-ca.pem

Client certificates

Create a new client certificate

You can create up to 10 client certificates for each instance. To create clientcertificates, you must have theCloud SQL Admin IAM role.

Here are some important things to know about client certificates:

  • If you lose the private key for a certificate, you must create a new one; the private key cannotbe recovered.
  • By default, the client certificate has an expiration date of 10 years.
  • You are not notified when client certificates are nearing expiration.
  • Your Cloud SQL instance must be in the running state to create a SSL certificate.

Console

  1. In the Google Cloud console, go to theCloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open theOverview page of an instance, click the instance name.
  3. ClickConnections from the SQL navigation menu.
  4. Select theSecurity tab.
  5. ClickCreate client certificate.
  6. In theCreate a client certificate dialog, add a unique name.
  7. ClickCreate.
  8. In the first section of theNew SSL certificate created dialog, clickDownload client-key.pem to download the private key to a file namedclient-key.pem.Important: Store this private key securely. If you lose it, you mustcreate a new client certificate.
  9. In the second section, clickDownload client-cert.pem to download the client certificate to a file namedclient-cert.pem.
  10. In the third section, clickDownload server-ca.pem to download the server certificate to a file namedserver-ca.pem.
  11. ClickClose.

gcloud

  1. Create a client certificate using thessl client-certs create command:

    gcloudsqlsslclient-certscreateCERT_NAMEclient-key.pem\--instance=INSTANCE_NAME
    Important: Store this private key securely. If you lose it, you mustcreate a new client certificate.

  2. Retrieve the public key for the certificate you just created and copy it into theclient-cert.pem file with thessl client-certs describe command:

    gcloudsqlsslclient-certsdescribeCERT_NAME\--instance=INSTANCE_NAME\--format="value(cert)">client-cert.pem

  3. Copy the server certificate into theserver-ca.pem file using theinstances describe command:

    gcloudsqlinstancesdescribeINSTANCE_NAME\--format="value(serverCaCert.cert)">server-ca.pem

Terraform

To create a client certificate, use aTerraform resource:

resource "google_sql_ssl_cert" "postgres_client_cert" {  common_name = "postgres_common_name"  instance    = google_sql_database_instance.postgres_instance.name}

REST v1

  1. Create an SSL/TLS certificate, giving it a unique name for this instance:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • client-cert-name: The client cert name

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts

    Request JSON body:

    {  "commonName" : "client-cert-name"}

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

    Save the request body in a file namedrequest.json, and execute the following command:

    curl -X POST \
         -H "Authorization: Bearer $(gcloud auth print-access-token)" \
         -H "Content-Type: application/json; charset=utf-8" \
         -d @request.json \
         "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

    Save the request body in a file namedrequest.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
        -Method POST `
        -Headers $headers `
        -ContentType: "application/json; charset=utf-8" `
        -InFile request.json `
        -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {  "kind": "sql#sslCertsInsert",  "operation": {    "kind": "sql#operation",    "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",    "status": "PENDING",    "user": "user@example.com",    "operationType": "UPDATE",    "name": "operation-id",    "targetId": "instance-id",    "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",    "targetProject": "doc-test-01",    "insertTime": "2020-02-13T00:11:20.677Z"  },  "serverCaCert": {    "kind": "sql#sslCert",    "certSerialNumber": "server-cert-serial-number",    "cert": "server-cert-value",    "commonName": "server-cert-name,    "sha1Fingerprint": "server-cert-sha1Fingerprint",    "instance": "instance-id",    "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/operation-id",    "createTime": "2019-11-25T20:12:06.764Z",    "expirationTime": "2029-11-22T20:13:06.764Z"  },  "clientCert": {    "certInfo": {      "kind": "sql#sslCert",      "certSerialNumber": "client-cert-serial-number-2",      "cert": "client-cert-value",      "commonName": "client-cert-name",      "sha1Fingerprint": "client-cert-sha1Fingerprint-2",      "instance": "instance-id",      "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/operation-id",      "createTime": "2020-02-13T00:10:20.595Z",      "expirationTime": "2030-02-10T00:11:20.595Z"    },    "certPrivateKey": "private-key-value"  }}
  2. Copy all of the certificate contents within the quotation marks (but not thequotation marks themselves) from the response into local files as follows:
    1. CopyserverCaCert.cert intoserver-ca.pem.
    2. CopyclientCert.cert intoclient-cert.pem.
    3. CopycertPrivateKey intoclient-key.pem.
    Important: Store this private key securely. If you lose it, you mustcreate a new client certificate.

REST v1beta4

  1. Create an SSL/TLS certificate, giving it a unique name for this instance:

    Before using any of the request data, make the following replacements:

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts

    Request JSON body:

    {  "commonName" : "client-cert-name"}

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

    Save the request body in a file namedrequest.json, and execute the following command:

    curl -X POST \
         -H "Authorization: Bearer $(gcloud auth print-access-token)" \
         -H "Content-Type: application/json; charset=utf-8" \
         -d @request.json \
         "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

    Save the request body in a file namedrequest.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
        -Method POST `
        -Headers $headers `
        -ContentType: "application/json; charset=utf-8" `
        -InFile request.json `
        -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {  "kind": "sql#sslCertsInsert",  "operation": {    "kind": "sql#operation",    "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",    "status": "PENDING",    "user": "user@example.com",    "operationType": "UPDATE",    "name": "operation-id",    "targetId": "instance-id",    "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",    "targetProject": "doc-test-01",    "insertTime": "2020-02-13T00:11:20.677Z"  },  "serverCaCert": {    "kind": "sql#sslCert",    "certSerialNumber": "server-cert-serial-number",    "cert": "server-cert-value",    "commonName": "server-cert-name,    "sha1Fingerprint": "server-cert-sha1Fingerprint",    "instance": "instance-id",    "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/operation-id",    "createTime": "2019-11-25T20:12:06.764Z",    "expirationTime": "2029-11-22T20:13:06.764Z"  },  "clientCert": {    "certInfo": {      "kind": "sql#sslCert",      "certSerialNumber": "client-cert-serial-number-2",      "cert": "client-cert-value",      "commonName": "client-cert-name",      "sha1Fingerprint": "client-cert-sha1Fingerprint-2",      "instance": "instance-id",      "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/operation-id",      "createTime": "2020-02-13T00:10:20.595Z",      "expirationTime": "2030-02-10T00:11:20.595Z"    },    "certPrivateKey": "private-key-value"  }}
  2. Copy all of the certificate contents within the quotation marks (but not thequotation marks themselves) from the response into local files as follows:
    1. CopyserverCaCert.cert intoserver-ca.pem.
    2. CopyclientCert.cert intoclient-cert.pem.
    3. CopycertPrivateKey intoclient-key.pem.
    Important: Store this private key securely. If you lose it, you mustcreate a new client certificate.

At this point, you have:

Depending on which tool you use to connect, these three items are specifiedin different ways. For example, when connecting using psql command-line client,these three files are the values for thesslrootcert,sslcert, andsslkey parameters in the psqlconnection string. For an example connection using psql client and SSL/TLS, seeConnecting with psql client.

Server identity verification

Server identity verification depends on the servercertificate authority (CA) hierarchyconfiguration of your Cloud SQL instance.

For instances that use a per-instance CA, verifying the CA alsoverifies the server identity since each instance has a unique CA.For instances that use a shared CA,verifying the hostname along with verifying the CA is required for serveridentity verification since server CAs are shared across instances.

If you have per-instance CA, then you can perform DNS name-based serveridentity verification only for instances that are configured withPrivate Service Connect.If you have a shared CA, then you canperform DNS name-based server identity verification for all types of instances,namelyPrivate Service Connect,private service access,and public IP instances.

If you're using a customer-managed CA, then you can verify theCA trust chain and perform DNS name-based server identity verificationfor any type of instance that usescustomer-managed CA for itsserverCAmode.

When you select the customer-managed CA option for your instance, youcan insert custom DNS names in the SAN field ofthe server certificate. For more information,seeEdit a custom SAN field.

You can view which CA hierarchy is configured for a Cloud SQL instance byviewing instance details. For more information, seeView instance information.

Enable server identity verification

If you select shared CA as the server CA mode of your Cloud SQLinstance or if youset up custom DNS names using custom SAN values, then we recommend thatyou also enable server identity verification.

Instances that use shared CA asthe server CA mode contain the instance DNS name in theSubject Alternative Name (SAN) field of the server certificate. You can get thisDNS name by using the instance lookup API and using the response as a hostnamefor server identity verification. You need to set up DNS resolution for the DNSname.

To enable server identity verification for an instance that uses a shared CA,complete the following steps:

  1. Retrieve the DNS name.

    1. To view summary information about a Cloud SQL instance,including the DNS name of the instance, use thegcloud sql instances describecommand:

      gcloudsqlinstancesdescribeINSTANCE_NAME\--project=PROJECT_ID

      Make the following replacements:

      • INSTANCE_NAME: the name of the Cloud SQL instance
      • PROJECT_ID: the ID orproject numberof the Google Cloud project that contains the instance

    2. In the response, look for thednsNames: field.This field can return multiple DNS names, which have the following formats:

      Network configurationDNS name formatName level
      Private Service Connect orPublic IP addressINSTANCE_UID.PROJECT_DNS_LABEL.REGION_NAME.sql.goog.

      Example:
      1a23b4cd5e67.1a2b345c6d27.us-central1.sql.goog.      		Instance
      Private services accessINSTANCE_UID.PROJECT_DNS_LABEL.REGION_NAME.sql-psa.goog.

      Example:
      1a23b4cd5e67.1a2b345c6d27.us-central1.sql-psa.goog.      		Instance

  2. Create the DNS record in a DNS zone.If you are connecting privately, thencreate the DNS record in aprivate DNS zonein the corresponding Virtual Private Cloud (VPC) network.

  3. When you connect to the Cloud SQL for PostgreSQL instance, configure the DNS name asthe hostname. Then enable server identityverification in your client.

    For example, when using thepsql client, specify the flagsslmode=verify-full. Other PostgreSQL client drivers have similarconfiguration flags.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-16 UTC.