Use a customer-managed certificate authority (CA)

MySQL  |  PostgreSQL  |  SQL Server

This page describes how to use the customer-managed certificate authority (CA)option as the server CA mode for your Cloud SQL instance.

Overview

With the customer-managed CA option, you set up your own CA pool and CA inCertificate Authority Service (CA Service).When you select the customer-managed CA option, you set up the CA hierarchyand manage the rotation of CA certificates for your Cloud SQL instances.

Before you can configure a Cloud SQL instance to use the customer-managedCA option, you must create a CA pool in thesame region as your instance and at least one CA in that pool using CA Service.The CA can be aroot CAor asubordinate CA.You also have the option to create a subordinate CA in CA Serviceand then chain the subordinate CA to an external root CA.When you configure your instance, you specify the CA pool.Your request is delegated to a project-specific service account,which has the permission to use the CA pool.The service account requests a CA from the pool and Cloud SQL usesthat CA to sign the server certificate for the instance.

For the server CA mode for your instance in Cloud SQL,you can choose from the following three options:

  • internal per-instance CA
  • Google-managed shared CA
  • customer-managed CA

You might choose the customer-managed CA optionif you need to manage your own CA for compliance reasons.For more information about using the other options,seeAuthorize with SSL/TLS certificates.

Workflow

To use the customer-managed CA option, the workflow is asfollows:

  1. Create a service account for your Cloud SQL project.
  2. Create a CA pool in CA Service.
  3. Create a CA in CA Service.
  4. Configure the Cloud SQL instance to use the CA. When you configureyour instance, you delegate the permission to the service account to signthe server certificate with the CA poolthat you created.

Before you begin

Before you use the customer-managed CA option, make sure you meetthe following requirements.

Required roles

To get the permissions that you need to create a Cloud SQL-specific service account, ask your administrator to grant you theService Account Creator (roles/iam.serviceAccountCreator) IAM role on for each individual project. For more information about granting roles, seeManage access to projects, folders, and organizations.

You might also be able to get the required permissions throughcustom roles or otherpredefined roles.

To get the permissions that you need to create a CA pool and CA, ask your administrator to grant you the CA Service Operation Manager(roles/privateca.caManager) IAM role on CA Service. For more information about granting roles, seeManage access to projects, folders, and organizations.

You might also be able to get the required permissions throughcustom roles or otherpredefined roles.

Create a project-specific service account

In the project where you plan to create your Cloud SQL instances,create a dedicated service account that will handle the request to create andsign the server certificates for your Cloud SQL instances.

gcloud

Run the following command to create a service account for your Cloud SQLproject:

gcloudbetaservicesidentitycreate\--service=sqladmin.googleapis.com\--project=PROJECT_ID

ReplacePROJECT_ID with the ID of the project where youplan to create your Cloud SQL instances.

The command creates a service account namedservice-PROJECT_ID@gcp-sa-cloud-sql.iam.gserviceaccount.comin the project. Make a note of theCA Service Certificate Requesterservice account name.

Create a CA pool

Create a CA pool in CA Service.

You can create a CA pool inthe same project where you plan to create your Cloud SQL instances, oryou can create the CA pool in a different project. However, if you create theCA pool in a different project, then VPC Service Controls might block you fromcreating any Cloud SQL instances depending on organization policy.To fix the issue, make sure that the project that hosts the CA pool and CAand the project that hosts Cloud SQL belong to the same service perimeter.For more information, seeService perimetersandManage service perimeters.

To create a CA pool, follow the instructions inCreate a CA pool.You can accept the default values for the CA pool, with the followingrequired configuration settings:

  • Create the CA pool in thesame region where you plan to create your Cloud SQL instance. For a list of regions that are supported by Cloud SQL, seeRegions.
  • Allow configuration based certificate requests.
  • Allow DNS names in subject alternative names (SAN). When you configure the identity constraints of the CA pool, don't set any restrictions on the format for the DNS names that might conflict with what Cloud SQL might add to the SAN.

Provide the service account with access to the CA pool

To make sure the service account has the permissions to request and signcertificates for your Cloud SQL instances, grant the following roleto the service account for the CA pool that you created:

  • roles/privateca.certificateRequester

gcloud

Run thegcloud privateca pools command to grant the service account access to the CA pool:

gcloudprivatecapoolsadd-iam-policy-bindingCA_POOL_ID\--project=PROJECT_ID\--location=REGION\--memberserviceAccount:SERVICE_ACCOUNT_NAME\--role=roles/privateca.certificateRequester

Make the following replacements:

  • CA_POOL_ID with the ID of the CA pool that you created.
  • PROJECT_ID with the ID of the project where you plan to create your Cloud SQL instances.
  • REGION with the region where you created the CA pool.
  • SERVICE_ACCOUNT_NAME with the name of theCA Service Certificate Requester service account that youcreated for the project previously.

Create a CA in the CA pool

Create at least one CA in the CA pool that you created.

You can create a root CA or a subordinate CA.

To create a root CA, follow the instructions inCreate a root CA.You can accept the default values for the CA, but make sure that you create theCA in theEnabled state.

When you configure theCA key size and algorithm, you can select any key size and algorithm. Cloud SQL generates its server certificates usingEC P-384 (SHA-384) elliptic curve keys, but your CA cryptographic keys don't have to match.

If you create asubordinate CA, then you needto create and configure your root CA first.

Configure a Cloud SQL instance to use a customer-managed CA

You can configure a Cloud SQL instance to use the customer-managed CAoption when you create the instance. You can also update the server CA modeof an existing an instance from using the per-instance CA or shared CA optionto use a customer-managed CA instead.

Create an instance

To create a Cloud SQL instance that uses the customer-managed CA option,do the following.

Console

You can't use the Google Cloud console to create instances that use thecustomer-managed CA option. If you create an instance using theGoogle Cloud console, then the default is per-instance CA(GOOGLE_MANAGED_INTERNAL_CA) mode.

To select a customer-managed CA mode, usethegcloud sql instances create command instead.

gcloud

gcloudsqlinstancescreate"INSTANCE_NAME"\--database-version=DATABASE_VERSION\--project=PROJECT_ID\--region=REGION\--server-ca-mode=CUSTOMER_MANAGED_CAS_CA\--server-ca-pool=projects/PROJECT_ID_CAS/locations/REGION/caPools/CA_POOL_ID

Make the following replacements:

  • INSTANCE_NAME with the name of the Cloud SQL instance that you want to create.
  • DATABASE_VERSION with theenum of the version of the Cloud SQL instance that you want to create.
  • PROJECT_ID with the ID of the project where you plan to create your Cloud SQL instances.
  • PROJECT_ID_CAS with the ID of the project where you created yourCA_POOL_ID. This project might be the same or different from where you want to create your Cloud SQL instance.
  • REGION with the region where you created the CA pool. You must create your instance in the same region as the CA pool.
  • CA_POOL_ID with the ID of the CA pool that you created.

REST

To create a Cloud SQL instance that uses the customer-managed CA option,use theinstances.insertmethod and specify the following properties:

Before using any of the request data, make the following replacements:

  • PROJECT_ID the ID of the project where you plan to create your Cloud SQL instances.
  • PROJECT_ID_CAS the ID of the project where you created yourCA_POOL_ID. This project might be the same or different from where you want to create your Cloud SQL instance.
  • INSTANCE_ID the name of the Cloud SQL instance that you want to create.
  • REGION the region where you created the CA pool. You must create your instance in the same region as the CA pool.
  • CA_POOL_ID with the ID of the CA pool that you created.

HTTP method and URL:

POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances

Request JSON body:

{  "name":"INSTANCE_ID",  "region":"REGION",  "databaseVersion": "DATABASE_VERSION",  "settings":{     "ipConfiguration":      {         "serverCaPool": "projects/PROJECT_ID_CAS/locations/REGION/caPools/CA_POOL_ID",         "serverCaMode": "CUSTOMER_MANAGED_CAS_CA"      }   }}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances",  "status": "PENDING",  "user": "user@example.com",  "insertTime": "2025-01-16T02:32:12.281Z",  "operationType": "UPDATE",  "name": "OPERATION_ID",  "targetId": "INSTANCE_ID",  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID_CSQL/operations/OPERATION_ID",  "targetProject": "PROJECT_ID"}

Update an instance to use a customer-managed CA

Before you update an instance to use a customer-managed CA, do the following:

  • Review the list of Google Cloud services that don't support connectionsto Cloud SQL instances that are configured to use a customer-managed CA. If your deployment is required to use the service, then you might need to delay the update.
  • If you're using the Cloud SQL Auth Proxy or any of the Cloud SQL Language Connectorsto connectto the instance, then make sure that they're running the minimum required versions.For the Cloud SQL Auth Proxy, make sure you're using version 2.14.3 or later.For the minimum required versions of the Cloud SQL Language Connectors,seeCloud SQL Language Connectors requirements.
  • Make sure that you've already created aCA pool and you'veprovided the service account with access to the CA pool.
  • Make sure there's at least one CA in the CA pool.
  • To avoid any interruptions after the update, download the certificatesfrom your customer-managed CA and set up your database clients to trust your CA.
Caution: If you're using PostgreSQL 9.6, then your primary instance and replicasrequire a restart when you switch to the customer-managed CA option. As a result,database services might be temporarily unavailable for up to a minutefor each instance during the update. For example, if you have two instances, thenyour total downtime might be up to two minutes.

Use the following procedure to update a Cloud SQL instance to use thecustomer-managed CA option.

Note: You can also use the same commands in the following procedureto update the CA pool for a Cloud SQL instance that's alreadybeen configured to use the customer-managed CA option.

Console

You can't use the Google Cloud console to edit the server CA mode of an instance.

To update the server CA mode of your instance to use a customer-managed CA, usethegcloud sql instances patch command instead. After you make thechange, that configuration will appear in the Google Cloud console when you view yourinstance.

gcloud

To update your instance, run the following command:

gcloudsqlinstancespatchINSTANCE_NAME\--server-ca-mode=CUSTOMER_MANAGED_CAS_CA\--server-ca-pool=projects/PROJECT_ID_CAS/locations/REGION/caPools/CA_POOL_ID

For the--server-ca-mode flag, make sure that you specifyCUSTOMER_MANAGED_CAS_CA.

Replace the following:

  • INSTANCE_NAME: the name of the Cloud SQL instance you want to patch.
  • PROJECT_ID_CAS with the ID of the project where yourCA_POOL_ID is. This project might be the same or different from where your Cloud SQL instance is.
  • REGION with the region where you created the CA pool. Your instance must be in the same region as the CA pool.
  • CA_POOL_ID: the ID of the CA pool that you want to assign to the instance. You can also use this command to change the CA pool for an instance that's already configured to useCUSTOMER_MANAGED_CAS_CA

REST

To update a Cloud SQL instance to use the customer-managed CA option,use theinstances.patchmethod and specify the following properties:

Before using any of the request data, make the following replacements:

  • PROJECT_ID the ID of the project where your Cloud SQL instance is.
  • INSTANCE_ID the name of the Cloud SQL instance that you want to patch.
  • PROJECT_ID_CAS the ID of the project where you created yourCA_POOL_ID. This project might be the same or different from where your Cloud SQL instance is.
  • REGION the region where you created the CA pool. You must create your instance in the same region as the CA pool.
  • CA_POOL_ID the ID of the CA pool that you want to assign to the instance. You can also use this command to change the CA pool for an instance that's already configured to useCUSTOMER_MANAGED_CAS_CA.

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID

Request JSON body:

{  "settings":{     "ipConfiguration":      {         "serverCaPool": "projects/PROJECT_ID_CAS/locations/REGION/caPools/CA_POOL_ID",         "serverCaMode": "CUSTOMER_MANAGED_CAS_CA"      }   }}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

curl -X PATCH \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",  "status": "PENDING",  "user": "user@example.com",  "insertTime": "2025-01-16T02:32:12.281Z",  "operationType": "UPDATE",  "name": "OPERATION_ID",  "targetId": "INSTANCE_ID",  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",  "targetProject": "PROJECT_ID"}

Switch an instance from customer-managed CA to shared CA

You can update an instance that uses customer-managed CA to use ashared CA(GOOGLE_MANAGED_CAS_CA). However, you can't update an instance that'sconfigured to use a customer-managed CA to usetheper-instance CA (GOOGLE_MANAGED_INTERNAL_CA).

Before you update an instance to use a shared CA,download the global and regional CA bundles,copy them to your database clients, and let them trust these CAs.Setting up the certificates before switching server CA mode configuration can help avoid potential interruption for your database clients.

To switch the server CA mode of your instance to use the shared CA,use the following procedure.

Console

You can't use the Google Cloud console to edit the server CA mode of an instance.

To update the server CA mode of your instance to use a shared CAinstead of a customer-managed CA, usethegcloud sql instances patch command instead. After you make thechange, that configuration will appear in the Google Cloud console when you view yourinstance.

gcloud

To update your instance, run the following command:

gcloudsqlinstancespatchINSTANCE_NAME\--server-ca-mode=GOOGLE_MANAGED_CAS_CA\--server-ca-pool=""

In the command, do the following:

  • ReplaceINSTANCE_NAME following with the name of the Cloud SQLinstance you want to patch.
  • For the--server-ca-mode flag, specifyGOOGLE_MANAGED_CAS_CA.
  • For the--server-ca-pool flag, you must specify an empty string, or"".

REST

To update a Cloud SQL instance that uses the customer-managed CAto use the shared CA option,use theinstances.patchmethod and specify the following properties:

Before using any of the request data, make the following replacements:

  • PROJECT_ID the ID of the project where your Cloud SQL instance is.
  • INSTANCE_ID the name of the Cloud SQL instance that you want to patch.

HTTP method and URL:

PATCH https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID

Request JSON body:

{  "settings":{     "ipConfiguration":      {         "serverCaPool": "",         "serverCaMode": "GOOGLE_MANAGED_CAS_CA"      }   }}

To send your request, expand one of these options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login , or by usingCloud Shell, which automatically logs you into thegcloud CLI . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

curl -X PATCH \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID"

PowerShell (Windows)

Note: The following command assumes that you have logged in to thegcloud CLI with your user account by runninggcloud init orgcloud auth login . You can check the currently active account by runninggcloud auth list.

Save the request body in a file namedrequest.json, and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method PATCH `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

{  "kind": "sql#operation",  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",  "status": "PENDING",  "user": "user@example.com",  "insertTime": "2025-01-16T02:32:12.281Z",  "operationType": "UPDATE",  "name": "OPERATION_ID",  "targetId": "INSTANCE_ID",  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",  "targetProject": "PROJECT_ID"}

Troubleshoot

IssueTroubleshooting

You receive the following error message:

PERMISSION_DENIED: Permissionprivateca.certificates.create denied onCA_POOL_ID.		 Make sure that you granted theroles/privateca.certificateRequester role to the service account that you created for your Cloud SQL project. For more information, seeProvide the service account with access to the CA pool.

You receive the following error message:

PERMISSION_DENIED: Request is prohibited by organization's policy vpcServiceControlsUniqueIdentifierVPC_SERVICE_CONTROLS_UNIQUE_IDENTIFIER.		 Make sure that you configure VPC Service Controls so that the project that hosts the CA Service CA pool and CA and the project that hosts Cloud SQL belong to the same service perimeter. For more information, seeService perimeters andManage service perimeters.

You receive one of the followingINVALID ARGUMENT error messages:

  • Public key algorithm is not permitted by the CaPool's issuance policy.
  • This CaPool's issuance policy does not permit passthrough subjects and/or subject alternative names, and thus can only be used with the REFLECTED_SPIFFE subject mode.
  • Config issuance mode is not permitted by the CaPool's issuance policy.

Check the configuration settings of your CA pool and your CA. Make sure that you meet all the requirements listed inCreate a CA pool andCreate a CA in the CA pool.

You receive the following error message:

RESOURCE_EXHAUSTED

 This represents quota issues with CA Service. Verify the quota for CA Service in your project. Check whether you might be using requests in your CA pool outside of Cloud SQL. For more information, seeQuotas and limits.

You receive the following error message:

NOT FOUND: parent resourceCA_POOL_ID not found.		Check the project ID, location, and name of the CA pool that you specified when you created your Cloud SQL instance. Make sure that you didn't make any typos.

You receive the following error message:

FAILED_PRECONDITION: There are no enabled CAs in the CaPool. Please ensure that there is at least one enabled Certificate Authority to issue a certificate.		Make sure that you have created at least one CA in the CA pool that you specified when you created your Cloud SQL instance, and that the CA is in the enabled state.

You receive the following error message:

FAILED_PRECONDITION: Per-Product Per-Project Service Account (P4 SA)SERVICE_ACCOUNT_NAME not found for projectPROJECT_ID.		Make sure that you have created the service account for your Cloud SQL project. For more information, seeCreate a project-specific service account.

You receive the following error message:

INVALID ARGUMENT: Invalid format for server CA pool.

Make sure that you specified the CA pool in the correct format:

projects/PROJECT_ID/locations/REGION/caPools/CA_POOL_ID

You receive the following error message:

INVALID ARGUMENT: The instance's server CA pool must be in the same region as the instance.

Make sure that you the CA pool is in the same region as the Cloud SQL instance that you want to create.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.