Manage SSL/TLS certificates

MySQL  |  PostgreSQL  |  SQL Server

This page describes how to manage your client and server certificate authority (CA) certificates.

Manage client certificates

Use the following procedures to manage client certificates in Cloud SQL.

Retrieve a client certificate

You can retrieve the public key portion of a client certificate. You cannot retrieve the private key, however. If you have lost your private key, you must create a new certificate.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. In Manage client certificates, click a certificate name.
  6. The SSL Client Certificate page opens and shows the client certificate (client-cert.pem) with a link to download the certificate.

gcloud

Retrieve the client certificate public key with the ssl client-certs describe command:

gcloud sql ssl client-certs describe CERT_NAME \
--instance=INSTANCE_NAME \
--format="value(cert)" > client-cert.pem

REST v1

  1. List the certificates on the instance to get the fingerprint of the certificate you want to retrieve:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#sslCertsList",
      "items": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "cert-serial-number",
          "cert": "cert-value",
          "commonName": "ca-server-name",
          "sha1Fingerprint": "sha1Fingerprint",
          "instance": "instance-id",
          "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint",
          "createTime": "2020-02-13T00:10:20.595Z",
          "expirationTime": "2030-02-10T00:11:20.595Z"
        }
      ]
    }

    Record the sha1Fingerprint field for the certificate you want to retrieve. Don't include the quotation marks.

  2. Retrieve the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#sslCert",
      "certSerialNumber": "cert-serial-number",
      "cert": "cert-value",
      "commonName": "ca-server-name",
      "sha1Fingerprint": "sha1Fingerprint",
      "instance": "instance-id",
      "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint",
      "createTime": "2020-02-13T00:10:20.595Z",
      "expirationTime": "2030-02-10T00:11:20.595Z"
    }

  3. Copy all of the certificate data contained by the quotation marks to a file, for example client-cert.pem. Don't copy the quotation marks themselves.

REST v1beta4

  1. List the certificates on the instance to get the fingerprint of the certificate you want to retrieve:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#sslCertsList",
      "items": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "cert-serial-number",
          "cert": "cert-value",
          "commonName": "ca-server-name",
          "sha1Fingerprint": "sha1Fingerprint",
          "instance": "instance-id",
          "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint",
          "createTime": "2020-02-13T00:10:20.595Z",
          "expirationTime": "2030-02-10T00:11:20.595Z"
        }
      ]
    }

    Record the sha1Fingerprint field for the certificate you want to retrieve. Don't include the quotation marks.

  2. Retrieve the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#sslCert",
      "certSerialNumber": "cert-serial-number",
      "cert": "cert-value",
      "commonName": "ca-server-name",
      "sha1Fingerprint": "sha1Fingerprint",
      "instance": "instance-id",
      "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint",
      "createTime": "2020-02-13T00:10:20.595Z",
      "expirationTime": "2030-02-10T00:11:20.595Z"
    }

  3. Copy all of the certificate data contained by the quotation marks to a file, for example client-cert.pem. Don't copy the quotation marks themselves.
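The REST procedures above (v1 and v1beta4 alike) end with a manual step: pick the right fingerprint out of the list response, then copy the `cert` value into a file without its quotation marks. The following Python is an added example of doing that programmatically; it is not Cloud SQL or gcloud code. The response strings are constructed to match the field names the page shows, and their `cert` bodies are made-up base64 payloads rather than real certificates. It also generalizes slightly: `pem_bundle` accepts either an `sslCerts` list (`items`) or a `listServerCas` response (`certs`), which is what the rotation section's gcloud step writes when it redirects `server-ca-certs list` output to one PEM file.

```python
import base64
import binascii
import json

# Constructed sample responses in the shape of sslCerts.list and sslCerts.get.
# All values are placeholders; the "cert" bodies are made-up base64 payloads,
# not real certificates, so the structural checks below can run offline.
_FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
             "QUJDREVGR0hJSktMTU5PUA==\n"
             "-----END CERTIFICATE-----\n")

SAMPLE_LIST_RESPONSE = json.dumps({
    "kind": "sql#sslCertsList",
    "items": [
        {"kind": "sql#sslCert", "commonName": "reporting-client",
         "sha1Fingerprint": "1111111111111111111111111111111111111111",
         "cert": _FAKE_PEM, "instance": "instance-id",
         "expirationTime": "2030-02-10T00:11:20.595Z"},
        {"kind": "sql#sslCert", "commonName": "batch-client",
         "sha1Fingerprint": "2222222222222222222222222222222222222222",
         "cert": _FAKE_PEM, "instance": "instance-id",
         "expirationTime": "2030-02-10T00:11:20.595Z"},
    ],
})

SAMPLE_GET_RESPONSE = json.dumps({
    "kind": "sql#sslCert", "commonName": "reporting-client",
    "sha1Fingerprint": "1111111111111111111111111111111111111111",
    "cert": _FAKE_PEM, "instance": "instance-id",
    "expirationTime": "2030-02-10T00:11:20.595Z",
})


def fingerprint_for(list_response: str, common_name: str) -> str:
    """Step 1: the sha1Fingerprint of the certificate whose commonName matches.

    Refuses ambiguous or missing matches instead of returning the first hit,
    so a typo cannot select (or, in the delete procedure, remove) the wrong cert.
    """
    items = json.loads(list_response).get("items", [])
    matches = [c["sha1Fingerprint"] for c in items if c.get("commonName") == common_name]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} certificates named {common_name!r}")
    return matches[0]


def is_valid_pem_certificate(text: str) -> bool:
    """Structural check only: one PEM block with the right armour lines and a
    base64 body that decodes. It does not verify the certificate itself."""
    lines = [ln for ln in text.strip().splitlines() if ln]
    if (len(lines) < 3 or lines[0] != "-----BEGIN CERTIFICATE-----"
            or lines[-1] != "-----END CERTIFICATE-----"):
        return False
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def extract_pem(get_response: str) -> str:
    """Step 3: take the "cert" field out of the JSON (json.loads already turns the
    escaped newline sequences into real newlines and drops the quotation marks)
    and confirm that what is left is a well-formed PEM certificate."""
    pem = json.loads(get_response)["cert"]
    if not is_valid_pem_certificate(pem):
        raise ValueError("cert field is not a well-formed PEM certificate")
    return pem if pem.endswith("\n") else pem + "\n"


def pem_bundle(response: str) -> str:
    """Concatenate every certificate in a list response into one PEM file.

    Accepts the "items" key of sslCerts.list and the "certs" key of listServerCas,
    so a client trust store can hold both the current and the new server CA
    while a rotation is in progress."""
    data = json.loads(response)
    certs = data.get("items") or data.get("certs") or []
    return "".join(extract_pem(json.dumps(c)) for c in certs)


if __name__ == "__main__":
    print("fingerprint:", fingerprint_for(SAMPLE_LIST_RESPONSE, "reporting-client"))
    with open("client-cert.pem", "w", encoding="ascii") as f:
        f.write(extract_pem(SAMPLE_GET_RESPONSE))
```

In practice the two response strings would be the bodies returned by the curl or Invoke-WebRequest calls shown above; the checks are deliberately structural, so a value such as the page's `cert-value` placeholder is rejected before it can be written out as a certificate file.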

Delete a client certificate

When you delete a client certificate, the database server is updated and doesn't need to be restarted.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. In Manage client certificates, find the certificate you want to delete and click Delete.
  6. In the Delete client certificate pane, click Ok.

gcloud

Delete the client certificate using the ssl client-certs delete command:

gcloud sql ssl client-certs delete CERT_NAME \
--instance=INSTANCE_NAME

REST v1

  1. List the certificates on the instance to get the fingerprint of the certificate you want to delete:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#sslCertsList",
      "items": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "cert-serial-number",
          "cert": "cert-value",
          "commonName": "ca-server-name",
          "sha1Fingerprint": "sha1Fingerprint",
          "instance": "instance-id",
          "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint",
          "createTime": "2020-02-13T00:10:20.595Z",
          "expirationTime": "2030-02-10T00:11:20.595Z"
        }
      ]
    }

    Record the sha1Fingerprint field for the certificate you want to delete. Don't include the quotation marks.

  2. Delete the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL:

    DELETE https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X DELETE \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method DELETE `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2020-01-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "operation-id",
      "targetId": "instance-id",
      "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
      "targetProject": "project-id"
    }

REST v1beta4

  1. List the certificates on the instance to get the fingerprint of the certificate you want to delete:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#sslCertsList",
      "items": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "cert-serial-number",
          "cert": "cert-value",
          "commonName": "ca-server-name",
          "sha1Fingerprint": "sha1Fingerprint",
          "instance": "instance-id",
          "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint",
          "createTime": "2020-02-13T00:10:20.595Z",
          "expirationTime": "2030-02-10T00:11:20.595Z"
        }
      ]
    }

    Record the sha1Fingerprint field for the certificate you want to delete. Don't include the quotation marks.

  2. Delete the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID
    • sha1FingerPrint: The cert's sha1FingerPrint

    HTTP method and URL:

    DELETE https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X DELETE \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method DELETE `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/sslCerts/sha1FingerPrint" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2020-01-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "operation-id",
      "targetId": "instance-id",
      "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
      "targetProject": "project-id"
    }

Manage server CA certificates (per-instance CA)

This section describes how to manage server CA certificates that are created internally by Cloud SQL. This is the default server CA mode in Cloud SQL. In this certificate authority hierarchy, Cloud SQL creates a server CA for each instance.

Rotate server CA certificates

If you've received a notice about your certificates expiring, or you want to initiate a rotation, then take the following steps to complete the rotation. Before you start the rotation, you must have a new server CA on the instance. If a new server CA has already been created, then you can skip the first step in the following procedure.

  1. Create a new server CA.
  2. Download the new server CA certificate information.
  3. Update your clients to use the new server CA certificate information.
  4. Complete the rotation, which moves the active certificate into the "previous" slot and updates the newly added certificate to be the active certificate.

After rotating the SSL certificate, your App Engine and Cloud SQL Auth Proxy connections will automatically receive a new certificate when they connect.

Console

Download the new server CA certificate, encoded as a PEM file, to your local environment:

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Select Rotate CA certificate.

    If there are no eligible certificates, then the rotate option is unavailable. You must create a new server CA certificate.

  7. Click Download Certificates.

Update all of your PostgreSQL clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem file.

After you have updated your clients, complete the rotation:

  1. Return to the Security tab.
  2. Click to expand Manage certificates.
  3. Select Rotate CA certificate.
  4. Confirm that your clients are connecting properly.
  5. If any clients are not connecting using the newly rotated certificate, then you can select Rollback CA certificate to roll back to the previous configuration.

gcloud

  1. Create a server CA certificate:

    gcloud sql ssl server-ca-certs create \
    --instance=INSTANCE

  2. Download the certificate information to a local PEM file:

    gcloud sql ssl server-ca-certs list \
    --format="value(cert)" \
    --instance=INSTANCE_NAME > FILE_PATH/FILE_NAME.pem

  3. Update all of your clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem files.
  4. After you have updated your clients, complete the rotation:

    gcloud sql ssl server-ca-certs rotate \
    --instance=INSTANCE_NAME

  5. Confirm that your clients are connecting properly.
  6. If any clients are not connecting using the newly rotated certificate, then you can roll back to the previous configuration.

REST v1

  1. Download your server CA certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "certs": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "cert-serial-number",
          "cert": "cert-value",
          "commonName": "ca-server-name",
          "sha1Fingerprint": "sha1Fingerprint",
          "instance": "instance-id",
          "createTime": "2020-02-10T17:18:54.935Z",
          "expirationTime": "2030-02-07T17:19:54.935Z"
        },
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "cert-serial-number",
          "cert": "cert-value",
          "commonName": "ca-server-name",
          "sha1Fingerprint": "sha1Fingerprint",
          "instance": "instance-id",
          "createTime": "2019-11-14T22:43:56.458Z",
          "expirationTime": "2029-11-11T22:44:56.458Z"
        }
      ],
      "activeVersion": "active-version",
      "kind": "sql#instancesListServerCas"
    }

  2. Complete the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "" \
    "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2020-01-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "operation-id",
      "targetId": "instance-id",
      "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
      "targetProject": "project-id"
    }

REST v1beta4

  1. Download your server CA certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "certs": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "cert-serial-number",
          "cert": "cert-value",
          "commonName": "ca-server-name",
          "sha1Fingerprint": "sha1Fingerprint",
          "instance": "instance-id",
          "createTime": "2020-02-10T17:18:54.935Z",
          "expirationTime": "2030-02-07T17:19:54.935Z"
        },
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "cert-serial-number",
          "cert": "cert-value",
          "commonName": "ca-server-name",
          "sha1Fingerprint": "sha1Fingerprint",
          "instance": "instance-id",
          "createTime": "2019-11-14T22:43:56.458Z",
          "expirationTime": "2029-11-11T22:44:56.458Z"
        }
      ],
      "activeVersion": "active-version",
      "kind": "sql#instancesListServerCas"
    }

  2. Complete the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

    To send your request, use one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "" \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2020-01-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "operation-id",
      "targetId": "instance-id",
      "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
      "targetProject": "project-id"
    }

If you receive an error when you try to rotate a certificate that says No upcoming/previous Server CA Certificate exists, then verify that you're running the command on an instance that uses the per-instance CA hierarchy. You can view which CA hierarchy is configured for a Cloud SQL instance by using the gcloud sql instances describe command. For more information, see View instance information.

Roll back a certificate rotation operation

After you complete a certificate rotation, your clients must all use the new certificate to connect to your Cloud SQL instance. If the clients aren't updated properly to use the new certificate information, then they can't connect using SSL/TLS to your instance. If this happens, then you can roll back to the previous certificate configuration.

A rollback operation moves the active certificate into the "upcoming" slot (replacing any "upcoming" certificate). The "previous" certificate becomes the active certificate, returning your certificate configuration to the state it was in before you completed the rotation.

Note: Certificate rollback is available only until the old certificate expires.

To roll back to the previous certificate configuration:

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.
  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Select Rollback CA certificate.

    If there are no eligible certificates, then the rollback option is unavailable. Otherwise, the rollback action completes after a few seconds.

gcloud

gcloud sql ssl server-ca-certs rollback \
  --instance=INSTANCE_NAME

REST v1

  1. Download your server CA certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas

    To send your request, use one of the following options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "certs": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "cert-serial-number",
          "cert": "cert-value",
          "commonName": "ca-server-name",
          "sha1Fingerprint": "sha1Fingerprint",
          "instance": "instance-id",
          "createTime": "2020-02-10T17:18:54.935Z",
          "expirationTime": "2030-02-07T17:19:54.935Z"
        },
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "cert-serial-number",
          "cert": "cert-value",
          "commonName": "ca-server-name",
          "sha1Fingerprint": "sha1Fingerprint",
          "instance": "instance-id",
          "createTime": "2019-11-14T22:43:56.458Z",
          "expirationTime": "2029-11-11T22:44:56.458Z"
        }
      ],
      "activeVersion": "active-version",
      "kind": "sql#instancesListServerCas"
    }
  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

    Request JSON body:

    {
      "rotateServerCaContext": {
        "nextVersion": "sha1Fingerprint"
      }
    }

    To send your request, use one of the following options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Save the request body in a file named request.json, and execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Save the request body in a file named request.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2020-01-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "operation-id",
      "targetId": "instance-id",
      "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
      "targetProject": "project-id"
    }

REST v1beta4

  1. Download your server CA certificates:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas

    To send your request, use one of the following options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "certs": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "cert-serial-number",
          "cert": "cert-value",
          "commonName": "ca-server-name",
          "sha1Fingerprint": "sha1Fingerprint",
          "instance": "instance-id",
          "createTime": "2020-02-10T17:18:54.935Z",
          "expirationTime": "2030-02-07T17:19:54.935Z"
        },
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "cert-serial-number",
          "cert": "cert-value",
          "commonName": "ca-server-name",
          "sha1Fingerprint": "sha1Fingerprint",
          "instance": "instance-id",
          "createTime": "2019-11-14T22:43:56.458Z",
          "expirationTime": "2029-11-11T22:44:56.458Z"
        }
      ],
      "activeVersion": "active-version",
      "kind": "sql#instancesListServerCas"
    }
  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

    Request JSON body:

    {
      "rotateServerCaContext": {
        "nextVersion": "sha1Fingerprint"
      }
    }

    To send your request, use one of the following options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Save the request body in a file named request.json, and execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Save the request body in a file named request.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2020-01-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "operation-id",
      "targetId": "instance-id",
      "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
      "targetProject": "project-id"
    }

If you receive an error when you try to roll back a server CA certificate rotation that says No upcoming/previous Server CA Certificate exists, then verify that you're running the command on an instance that uses the per-instance CA hierarchy. You can view which CA hierarchy is configured for a Cloud SQL instance by using the gcloud sql instances describe command. For more information, see View instance information.
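As an added example (not code from the Cloud SQL documentation), the following Python selects the rollback target the way step 2 above describes: it orders the certificates from listServerCas by createTime around activeVersion, treats the one created immediately earlier as the "previous" slot and the one created immediately later as "upcoming", builds the rotateServerCa request body, and refuses once the previous certificate has expired, because rollback is only available until then. The response data is constructed and the fingerprints and serial numbers are placeholders.

```python
"""Pick the rollback target from a Cloud SQL listServerCas response.

Added example, not part of the Cloud SQL documentation. The slot model
(previous / active / upcoming) follows the page: the certificate created
immediately before the active one is "previous", the one created
immediately after it is "upcoming".
"""
import json
from datetime import datetime

# Constructed sample in the shape of the listServerCas response; the
# fingerprints and serial numbers are placeholders, not real values.
SAMPLE_LIST_SERVER_CAS = {
    "kind": "sql#instancesListServerCas",
    "activeVersion": "fp-active-constructed",
    "certs": [
        {
            "kind": "sql#sslCert",
            "certSerialNumber": "serial-active-constructed",
            "commonName": "ca-server-name",
            "sha1Fingerprint": "fp-active-constructed",
            "instance": "instance-id",
            "createTime": "2020-02-10T17:18:54.935Z",
            "expirationTime": "2030-02-07T17:19:54.935Z",
        },
        {
            "kind": "sql#sslCert",
            "certSerialNumber": "serial-previous-constructed",
            "commonName": "ca-server-name",
            "sha1Fingerprint": "fp-previous-constructed",
            "instance": "instance-id",
            "createTime": "2019-11-14T22:43:56.458Z",
            "expirationTime": "2029-11-11T22:44:56.458Z",
        },
    ],
}

# Same shape, but the instance has never been rotated: only one CA exists.
SAMPLE_NO_PREVIOUS = {
    "kind": "sql#instancesListServerCas",
    "activeVersion": "fp-active-constructed",
    "certs": [SAMPLE_LIST_SERVER_CAS["certs"][0]],
}


def parse_time(value: str) -> datetime:
    """Parse the RFC 3339 UTC timestamps returned by the Admin API."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_slots(response: dict) -> dict:
    """Map the listed CA certificates onto the previous/active/upcoming slots."""
    certs = sorted(response["certs"], key=lambda c: parse_time(c["createTime"]))
    active_fp = response["activeVersion"]
    positions = [i for i, c in enumerate(certs) if c["sha1Fingerprint"] == active_fp]
    if not positions:
        raise ValueError("activeVersion does not match any listed certificate")
    i = positions[0]
    return {
        "previous": certs[i - 1] if i > 0 else None,
        "active": certs[i],
        "upcoming": certs[i + 1] if i + 1 < len(certs) else None,
    }


def plan_rollback(response: dict, now: str) -> dict:
    """Decide whether a rollback is possible at time `now` (RFC 3339) and,
    if so, return the rotateServerCa request body that performs it."""
    previous = classify_slots(response)["previous"]
    if previous is None:
        # Same situation the API reports as "No upcoming/previous Server CA Certificate exists".
        return {"allowed": False, "reason": "no previous server CA certificate", "body": None}
    if parse_time(previous["expirationTime"]) <= parse_time(now):
        # Rollback is only available until the old certificate expires.
        return {"allowed": False,
                "reason": "previous certificate expired at " + previous["expirationTime"],
                "body": None}
    return {
        "allowed": True,
        "reason": "ok",
        "body": {"rotateServerCaContext": {"nextVersion": previous["sha1Fingerprint"]}},
    }


if __name__ == "__main__":
    # The printed "body" is what you would save as request.json for step 3.
    print(json.dumps(plan_rollback(SAMPLE_LIST_SERVER_CAS, "2025-01-01T00:00:00Z"), indent=2))
```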

Initiate a rotation

You don't need to wait for the email from Cloud SQL to start a rotation. You can start one at any time. When you start a rotation, a new certificate is created and placed into the "upcoming" slot. If a certificate is already present in the "upcoming" slot at the time of your request, then that certificate is deleted. There can be only one upcoming certificate.

To initiate a rotation:

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.
  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Click Create new CA certificate.
  7. Select Rotate CA certificate.

    If there are no eligible certificates, then the rotate option is unavailable.

  8. Complete the rotation as described in Rotate server CA certificates.

gcloud

  1. Initiate the rotation:
    gcloud sql ssl server-ca-certs create \
      --instance=INSTANCE_NAME
  2. Complete the rotation as described in Rotate server CA certificates.

REST v1

  1. Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

    To send your request, use one of the following options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "" \
    "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2020-01-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "operation-id",
      "targetId": "instance-id",
      "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
      "targetProject": "project-id"
    }
  2. Complete the rotation as described in Rotate server CA certificates.

REST v1beta4

  1. Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

    To send your request, use one of the following options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "" \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2020-01-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "operation-id",
      "targetId": "instance-id",
      "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
      "targetProject": "project-id"
    }
  2. Complete the rotation as described in Rotate server CA certificates.

Get information about a server CA certificate

You can get information about your server CA certificate, such as when it expires or what level of encryption it provides.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.
  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.

    In Manage server CA certificates, you can see the expiration date of your server CA certificate in the table.

    To see the certificate type, use the gcloud sql ssl server-ca-certs list --instance=INSTANCE_NAME command.

gcloud

gcloud sql ssl server-ca-certs list \
  --instance=INSTANCE_NAME

REST v1

When you describe your instance, you can see details about the server CA certificate:

Before using any of the request data, make the following replacements:

  • project-id: The project ID
  • instance-id: The instance ID

HTTP method and URL:

GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert

To send your request, use one of the following options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "serverCaCert": {
    "kind": "sql#sslCert",
    "certSerialNumber": "cert-serial-number",
    "cert": "cert-value",
    "commonName": "ca-server-name",
    "sha1Fingerprint": "sha1Fingerprint",
    "instance": "instance-id",
    "createTime": "2020-02-10T17:18:54.935Z",
    "expirationTime": "2030-02-07T17:19:54.935Z"
  }
}

REST v1beta4

When you describe your instance, you can see details about the server CA certificate:

Before using any of the request data, make the following replacements:

  • project-id: The project ID
  • instance-id: The instance ID

HTTP method and URL:

GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert

To send your request, use one of the following options:

curl (Linux, macOS, or Cloud Shell)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

Execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert"

PowerShell (Windows)

Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert" | Select-Object -Expand Content

You should receive a JSON response similar to the following:

Response

{
  "serverCaCert": {
    "kind": "sql#sslCert",
    "certSerialNumber": "cert-serial-number",
    "cert": "cert-value",
    "commonName": "ca-server-name",
    "sha1Fingerprint": "sha1Fingerprint",
    "instance": "instance-id",
    "createTime": "2020-02-10T17:18:54.935Z",
    "expirationTime": "2030-02-07T17:19:54.935Z"
  }
}

View the content of CA certificates

You can use openssl storeutl to view the content of CA certificates.

When you run the sql ssl server-ca-certs list command, you might get multiple CA certificates from previous rotation-related operations.

gcloud

  1. Run the following command:
    gcloud sql ssl server-ca-certs list \
      --instance=INSTANCE_NAME \
      --format='value(cert)' > temp_cert.pem

    Replace INSTANCE_NAME with the name of the instance.

  2. Use openssl to examine the contents of the CA certificates:
    openssl storeutl -noout -text temp_cert.pem

View the content of a server certificate

You can use openssl s_client to view the content of server certificates.

gcloud

To view the server certificate content, run the following command:

openssl s_client -starttls postgres -connect INSTANCE_IP_ADDRESS:5432

Replace INSTANCE_IP_ADDRESS with the IP address of the instance.

External server SSL expiry notification

  • If the external server's server CA certificate is expiring, then rotate the SSL certificates, including the server CA certificate on the on-premises instance. This step depends on how the on-premises instance is managed. Steps can vary if, for example, you're using an RDS server CA certificate, Cloud SQL server CA certificate, or database-generic server CA certificate.
  • If the client certificate is expiring, then you need to generate a new certificate and key. This applies to both Google Cloud-managed SSL certificates and self-signed certificates.
  • Update the Cloud SQL source representation instance with the new SSL certificates.

Manage server certificates (shared CA)

This section describes how to manage server certificates on instances that use shared CAs or customer-managed CAs.

You can opt in to using shared CAs as the server CA mode for your instance by specifying GOOGLE_MANAGED_CAS_CA for the serverCaMode setting (Cloud SQL Admin API) or the --server-ca-mode flag (gcloud CLI) when you create your instance.

To use customer-managed CA as the server CA mode for your instance, you must specify CUSTOMER_MANAGED_CAS_CA for the serverCaMode setting (Cloud SQL Admin API) or the --server-ca-mode flag (gcloud CLI) when you create your instance, and you must have a valid CA pool and CA. For more information, see Use customer-managed CA.

Rotate server certificates

If you've received a notice about your server certificates expiring, or you want to initiate a rotation, then take the following steps to complete the rotation. Before you start the rotation, there must be a new server certificate created for the upcoming rotation. If there is already a new server certificate created for the upcoming rotation, then you can skip the first step in the following procedure.

To rotate the server certificate on your instance, perform the following steps:

  1. If you need a new server certificate, then create one.

  2. If your clients already trust the root CA, then this step is optional. However, if you need to update your clients with server CA information, then do the following:

    1. Download the latest server CA information.
    2. Update your clients to use the latest server CA information.
  3. Complete the rotation by moving the active certificate to the previous slot, and updating the new certificate to be the active certificate.

Console

Download the server CA certificate information, encoded as a PEM file, to your local environment:

  1. In the Google Cloud console, go to the Cloud SQL Instances page.
  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Confirm that the Rotate server certificate option appears as an available option; however, don't select it yet.

    If there are no eligible certificates, then the rotate option is unavailable. You must create a new server certificate.

  7. Click Download certificates.

Update all of your PostgreSQL clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem file.

After you have updated your clients, complete the rotation:

  1. Return to the Security tab.
  2. Click to expand Manage certificates.
  3. Select Rotate certificate.
  4. In the Confirm certificate rotation dialog, click Rotate.
  5. Confirm that your clients are connecting properly.

    If any clients are not connecting using the newly rotated certificate, then you can select Rollback certificate to roll back to the previous configuration.

gcloud

  1. To create a server certificate, use the following command:
    gcloud sql ssl server-certs create \
      --instance=INSTANCE
  2. Replace INSTANCE with the name of the instance.
  3. Make sure that you're using the latest CA bundle. If you aren't using the latest CA bundle, then run the following command to download the latest server CA information for the instance to a local PEM file:
    gcloud sql ssl server-certs list \
      --format="value(ca_cert.cert)" \
      --instance=INSTANCE_NAME > FILE_PATH/server-ca.pem

    Or download the CA bundles from the root and regional CA certificate bundle table on this page.

    Then update all of your clients to use the new server CA information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem files.

  4. After you update all your clients (if client updates are required), complete the rotation:
    gcloud sql ssl server-certs rotate \
      --instance=INSTANCE_NAME
  5. Confirm that your clients are connecting properly.

    If any clients aren't connecting using the newly rotated server certificate, then roll back to the previous configuration.

REST v1

  1. Create a server certificate.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate

    To send your request, use one of the following options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "" \
    "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2024-01-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "OPERATION_ID",
      "targetId": "INSTANCE_ID",
      "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
      "targetProject": "PROJECT_ID"
    }
  2. If you need to download server CA certificate information, then you can use the following command.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates

    To send your request, use one of the following options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "caCerts": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_ONE",
          "cert": "CERT_VALUE",
          "commonName": "CA_SERVER_NAME",
          "sha1Fingerprint": "sha1Fingerprint_CA_CERT_ONE",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-07-10T17:18:54.935Z",
          "expirationTime": "2034-07-10T17:19:54.935Z"
        },
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_TWO",
          "cert": "CERT_VALUE",
          "commonName": "CA_SERVER_NAME",
          "sha1Fingerprint": "sha1Fingerprint_CA_CERT_TWO",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-07-14T22:43:56.458Z",
          "expirationTime": "2034-11-11T22:44:56.458Z"
        }
      ],
      "serverCerts": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_ONE",
          "cert": "CERT_VALUE",
          "commonName": "SUBJECT_VALUE",
          "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_ONE",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-09-16T18:11:39Z",
          "expirationTime": "2025-09-16T18:11:38Z"
        },
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_TWO",
          "cert": "CERT_VALUE",
          "commonName": "SUBJECT_VALUE",
          "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_TWO",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-09-10T20:56:06Z",
          "expirationTime": "2025-09-10T20:56:05Z"
        }
      ],
      "activeVersion": "sha1Fingerprint_SERVER_CERT_TWO",
      "kind": "sql#instancesListServerCertificates"
    }
  3. Complete the rotation.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: The project ID
    • INSTANCE_ID: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "" \
    "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2024-09-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "operation-id",
      "targetId": "INSTANCE_ID",
      "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/operation-id",
      "targetProject": "PROJECT_ID"
    }

REST v1beta4

  1. Create a server certificate.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "" \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2024-01-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "OPERATION_ID",
      "targetId": "INSTANCE_ID",
      "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
      "targetProject": "PROJECT_ID"
    }
  2. If you need to download server CA certificate information, then you can use the following request.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "caCerts": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_ONE",
          "cert": "CERT_VALUE",
          "commonName": "CA_SERVER_NAME",
          "sha1Fingerprint": "sha1Fingerprint_CA_CERT_ONE",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-07-10T17:18:54.935Z",
          "expirationTime": "2034-07-10T17:19:54.935Z"
        },
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_TWO",
          "cert": "CERT_VALUE",
          "commonName": "CA_SERVER_NAME",
          "sha1Fingerprint": "sha1Fingerprint_CA_CERT_TWO",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-07-14T22:43:56.458Z",
          "expirationTime": "2034-11-11T22:44:56.458Z"
        }
      ],
      "serverCerts": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_ONE",
          "cert": "CERT_VALUE",
          "commonName": "SUBJECT_VALUE",
          "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_ONE",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-09-16T18:11:39Z",
          "expirationTime": "2025-09-16T18:11:38Z"
        },
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_TWO",
          "cert": "CERT_VALUE",
          "commonName": "SUBJECT_VALUE",
          "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_TWO",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-09-10T20:56:06Z",
          "expirationTime": "2025-09-10T20:56:05Z"
        }
      ],
      "activeVersion": "sha1Fingerprint_SERVER_CERT_TWO",
      "kind": "sql#instancesListServerCertificates"
    }
  3. Complete the rotation.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "" \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2024-09-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "OPERATION_ID",
      "targetId": "INSTANCE_ID",
      "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
      "targetProject": "PROJECT_ID"
    }

Roll back a certificate rotation

After you complete a server certificate rotation, all your clients must use the new certificate to connect to your Cloud SQL instance. If the clients aren't updated properly to use the new certificate information, then they can't connect using SSL/TLS to your instance. If this happens, then you can roll back to the previous certificate configuration.

A rollback operation moves the active certificate into the "upcoming" slot, which replaces any "upcoming" certificate. The "previous" certificate becomes the active certificate and returns your certificate configuration to its previous state before you completed the rotation.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Select the Security tab.
  5. Click to expand Manage certificates.
  6. Select Rollback server certificate.

    If there are no eligible certificates, then the rollback option is unavailable.

  7. In the Confirm certificate rollback dialog, select Rollback.

    The rollback might take a few seconds to complete.

gcloud

gcloud sql ssl server-certs rollback \
--instance=INSTANCE_NAME

REST v1

  1. List your server certificates.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "caCerts": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_ONE",
          "cert": "CERT_VALUE",
          "commonName": "CA_SERVER_NAME",
          "sha1Fingerprint": "sha1Fingerprint_CA_CERT_ONE",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-07-10T17:18:54.935Z",
          "expirationTime": "2034-07-10T17:19:54.935Z"
        },
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_TWO",
          "cert": "CERT_VALUE",
          "commonName": "CA_SERVER_NAME",
          "sha1Fingerprint": "sha1Fingerprint_CA_CERT_TWO",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-07-14T22:43:56.458Z",
          "expirationTime": "2034-11-11T22:44:56.458Z"
        }
      ],
      "serverCerts": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_ONE",
          "cert": "CERT_VALUE",
          "commonName": "SUBJECT_VALUE",
          "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_ONE",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-09-16T18:11:39Z",
          "expirationTime": "2025-09-16T18:11:38Z"
        },
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_TWO",
          "cert": "CERT_VALUE",
          "commonName": "SUBJECT_VALUE",
          "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_TWO",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-09-10T20:56:06Z",
          "expirationTime": "2025-09-10T20:56:05Z"
        }
      ],
      "activeVersion": "sha1Fingerprint_SERVER_CERT_TWO",
      "kind": "sql#instancesListServerCertificates"
    }
  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate

    Request JSON body:

    {
      "rotateServerCertificateContext": {
        "nextVersion": "sha1Fingerprint"
      }
    }

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Save the request body in a file named request.json, and execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Save the request body in a file named request.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2020-01-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "OPERATION_ID",
      "targetId": "INSTANCE_ID",
      "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
      "targetProject": "PROJECT_ID"
    }

REST v1beta4

  1. List your server certificates.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    GET https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X GET \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "caCerts": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_ONE",
          "cert": "CERT_VALUE",
          "commonName": "CA_SERVER_NAME",
          "sha1Fingerprint": "sha1Fingerprint_CA_CERT_ONE",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-07-10T17:18:54.935Z",
          "expirationTime": "2034-07-10T17:19:54.935Z"
        },
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_TWO",
          "cert": "CERT_VALUE",
          "commonName": "CA_SERVER_NAME",
          "sha1Fingerprint": "sha1Fingerprint_CA_CERT_TWO",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-07-14T22:43:56.458Z",
          "expirationTime": "2034-11-11T22:44:56.458Z"
        }
      ],
      "serverCerts": [
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_ONE",
          "cert": "CERT_VALUE",
          "commonName": "SUBJECT_VALUE",
          "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_ONE",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-09-16T18:11:39Z",
          "expirationTime": "2025-09-16T18:11:38Z"
        },
        {
          "kind": "sql#sslCert",
          "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_TWO",
          "cert": "CERT_VALUE",
          "commonName": "SUBJECT_VALUE",
          "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_TWO",
          "instance": "INSTANCE_NAME",
          "createTime": "2024-09-10T20:56:06Z",
          "expirationTime": "2025-09-10T20:56:05Z"
        }
      ],
      "activeVersion": "sha1Fingerprint_SERVER_CERT_TWO",
      "kind": "sql#instancesListServerCertificates"
    }
  2. Copy the sha1Fingerprint field for the version you want to roll back to.

    Look for the version with a createTime value immediately earlier than the version with the sha1Fingerprint value shown as activeVersion.

  3. Roll back the rotation.

    Before using any of the request data, make the following replacements:

    • PROJECT_ID: the project ID
    • INSTANCE_ID: the instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate

    Request JSON body:

    {
      "rotateServerCertificateContext": {
        "nextVersion": "sha1Fingerprint"
      }
    }

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Save the request body in a file named request.json, and execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d @request.json \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Save the request body in a file named request.json, and execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2020-01-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "OPERATION_ID",
      "targetId": "INSTANCE_ID",
      "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
      "targetProject": "PROJECT_ID"
    }
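The rollback steps above (REST v1 and v1beta4 alike) leave one judgement call to the operator: reading the listServerCertificates response and picking the sha1Fingerprint whose createTime is immediately earlier than the active version. The following Python is an added example, not Google's code or an official client library, that applies that rule to a constructed response and builds the rotateServerCertificate request body. It also refuses a previous certificate that has already expired, because a rollback to an expired certificate would break every TLS client. The fingerprints and timestamps in the sample responses are placeholders; only the field names follow the page.

```python
"""Choose the rollback target from a listServerCertificates response.

Added example, not Google's code or the Cloud SQL API client. It applies the
rule from the page: the target is the server certificate whose createTime is
immediately earlier than the certificate named by activeVersion, and it also
refuses an expired target, since rolling back to one would break TLS clients.
Sample responses are constructed; fingerprints are placeholder strings.
"""
import json
from datetime import datetime, timezone
from typing import Optional


def _cert(fingerprint: str, created: str, expires: str) -> dict:
    # Only the fields the rule needs; a real response also carries cert, commonName, etc.
    return {"kind": "sql#sslCert", "sha1Fingerprint": fingerprint,
            "createTime": created, "expirationTime": expires}


# Constructed: previous, active and upcoming server certificates, listed out of order.
SAMPLE_RESPONSE = json.dumps({
    "kind": "sql#instancesListServerCertificates",
    "caCerts": [],
    "serverCerts": [
        _cert("fp_upcoming", "2024-09-16T18:11:39Z", "2025-09-16T18:11:38Z"),
        _cert("fp_previous", "2024-09-01T10:00:00Z", "2025-09-01T10:00:00Z"),
        _cert("fp_active", "2024-09-10T20:56:06Z", "2025-09-10T20:56:05Z"),
    ],
    "activeVersion": "fp_active",
})

# Constructed: the active certificate is the oldest one, so nothing is eligible.
SAMPLE_NO_PREVIOUS = json.dumps({
    "kind": "sql#instancesListServerCertificates",
    "caCerts": [],
    "serverCerts": [
        _cert("fp_active", "2024-09-10T20:56:06Z", "2025-09-10T20:56:05Z"),
        _cert("fp_upcoming", "2024-09-16T18:11:39Z", "2025-09-16T18:11:38Z"),
    ],
    "activeVersion": "fp_active",
})


def _parse_time(value: str) -> datetime:
    # API timestamps are RFC 3339 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rollback_target(response_json: str, now: Optional[str] = None) -> Optional[str]:
    """Return the sha1Fingerprint to put in nextVersion, or None if nothing is eligible."""
    data = json.loads(response_json)
    current = _parse_time(now) if now else datetime.now(timezone.utc)
    certs = sorted(data.get("serverCerts", []), key=lambda c: _parse_time(c["createTime"]))
    active = data.get("activeVersion")
    index = next((i for i, c in enumerate(certs) if c["sha1Fingerprint"] == active), None)
    if index is None or index == 0:
        return None  # active version unknown, or already the oldest: no previous slot
    previous = certs[index - 1]
    if _parse_time(previous["expirationTime"]) <= current:
        return None  # the previous certificate has expired; clients would reject it
    return previous["sha1Fingerprint"]


def rollback_request_body(response_json: str, now: Optional[str] = None) -> Optional[str]:
    """Build the rotateServerCertificate request body (JSON text) for the rollback."""
    target = rollback_target(response_json, now)
    if target is None:
        return None
    return json.dumps({"rotateServerCertificateContext": {"nextVersion": target}})


if __name__ == "__main__":
    print(rollback_request_body(SAMPLE_RESPONSE))
```

Feed it the actual output of the listServerCertificates request and write the returned body to request.json for the POST in step 3. A None result corresponds to the console's "no eligible certificates" state, and is the signal to stop rather than to guess a fingerprint.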

View the content of CA certificates

You can use the openssl storeutl utility to view the content of CA certificates.

When you run the sql ssl server-certs list command, you always get multiple CA certificates due to the trust chain. You might also get multiple CA certificates from previous rotation-related operations.

gcloud

  1. Run the following command:

    gcloud sql ssl server-certs list \
    --instance=INSTANCE_NAME \
    --format='value(cert)' > temp_cert.pem

    Replace INSTANCE_NAME with the name of the instance.

  2. Use openssl to examine the contents of the CA certificates:

    openssl storeutl -noout -text temp_cert.pem

View the content of a server certificate

You can use openssl utilities and the sql ssl server-certs list command to view the content of a server certificate.

When you run the gcloud CLI command, you always get multiple CA certificates due to the trust chain. You also might get multiple CA certificates from previous rotation-related operations.

gcloud

Using openssl s_client only:

openssl s_client -starttls postgres -connect INSTANCE_IP_ADDRESS:5432

Replace INSTANCE_IP_ADDRESS with the IP address of the instance.

Using the gcloud CLI and openssl storeutl:

  1. Run the following command:

    gcloud sql ssl server-certs list \
    --instance=INSTANCE_NAME \
    --format='value(ssl_cert.cert)' > temp_cert.pem

    Replace INSTANCE_NAME with the name of the instance.

  2. Use openssl to examine the contents of the server certificates:

    openssl storeutl -noout -text temp_cert.pem
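Both of the preceding procedures ("View the content of CA certificates" and "View the content of a server certificate") leave you with a temp_cert.pem that holds several PEM blocks, while the API and gcloud identify certificates by sha1Fingerprint. The following Python is an added example, not Google's code, that splits such a bundle, computes each block's SHA-1 fingerprint and locates the block matching a given activeVersion, so you can confirm which certificate your clients are actually trusting. It assumes the API's sha1Fingerprint is the hex SHA-1 digest over the certificate's DER encoding (the same value openssl x509 -fingerprint -sha1 prints, minus colons and case); the PEM bodies in the sample bundle are constructed placeholder bytes, not real certificates.

```python
"""Match the blocks in a PEM bundle to the API's sha1Fingerprint values.

Added example, not Google's code. It splits the bundle that
`gcloud sql ssl server-certs list --format='value(cert)'` writes to
temp_cert.pem, hashes each block's DER bytes with SHA-1 and looks up the
block that the API reports as activeVersion. Assumption: sha1Fingerprint is
the hex SHA-1 digest of the certificate's DER encoding (the same value
`openssl x509 -fingerprint -sha1` prints, minus colons and case).
The DER payloads below are constructed placeholder bytes, not real certificates.
"""
import base64
import hashlib
import re
from typing import List, Optional

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(bundle: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_BLOCK.finditer(bundle)]


def sha1_fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-1 over the DER encoding (assumed API convention)."""
    return hashlib.sha1(der).hexdigest()


def normalize_fingerprint(value: str) -> str:
    """Accept 'AB:CD:..' (openssl style) or plain hex and return lowercase hex."""
    return value.replace(":", "").strip().lower()


def find_block(bundle: str, fingerprint: str) -> Optional[int]:
    """1-based position of the block matching fingerprint, or None if absent."""
    wanted = normalize_fingerprint(fingerprint)
    for pos, der in enumerate(split_pem_bundle(bundle), start=1):
        if sha1_fingerprint(der) == wanted:
            return pos
    return None


def extract_block(bundle: str, fingerprint: str) -> Optional[str]:
    """Return just the matching PEM block, e.g. to hand a single CA cert to a client."""
    wanted = normalize_fingerprint(fingerprint)
    for m in _PEM_BLOCK.finditer(bundle):
        if sha1_fingerprint(base64.b64decode("".join(m.group(1).split()))) == wanted:
            return m.group(0) + "\n"
    return None


def _pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64, like openssl)."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample bundle with two blocks; the second one plays the active CA.
SAMPLE_DER_A = b"constructed placeholder DER bytes for certificate A" * 3
SAMPLE_DER_B = b"constructed placeholder DER bytes for certificate B" * 3
SAMPLE_BUNDLE = _pem(SAMPLE_DER_A) + _pem(SAMPLE_DER_B)
ACTIVE_VERSION = sha1_fingerprint(SAMPLE_DER_B)

if __name__ == "__main__":
    print("active block:", find_block(SAMPLE_BUNDLE, ACTIVE_VERSION))
```

On a real bundle, pass the file contents as bundle and the activeVersion (or any sha1Fingerprint) from the listServerCertificates response; a None result means the bundle you exported does not contain the certificate the API says is active, which is worth resolving before you distribute that file to clients.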

Download root and regional CA certificate bundles for a shared CA

If you're using a Google-managed shared CA configuration, then you can download the root and regional CA certificate bundles from the following table.

These certificate bundles don't apply to instances that use the per-instance or customer-managed CA options.

Region name | Location | Certificate bundle

Global
CA for all regions | All locations | global.pem

Asia
asia-east1 | Taiwan | asia-east1.pem
asia-east2 | Hong Kong | asia-east2.pem
asia-northeast1 | Tokyo | asia-northeast1.pem
asia-northeast2 | Osaka | asia-northeast2.pem
asia-northeast3 | Seoul | asia-northeast3.pem
asia-south1 | Mumbai | asia-south1.pem
asia-south2 | Delhi | asia-south2.pem
asia-southeast1 | Singapore | asia-southeast1.pem
asia-southeast2 | Jakarta | asia-southeast2.pem

Africa
africa-south1 | Johannesburg | africa-south1.pem

Australia
australia-southeast1 | Sydney | australia-southeast1.pem
australia-southeast2 | Melbourne | australia-southeast2.pem

Europe
europe-central2 | Warsaw | europe-central2.pem
europe-north1 | Finland | europe-north1.pem
europe-north2 | Stockholm | europe-north2.pem
europe-southwest1 | Madrid | europe-southwest1.pem
europe-west1 | Belgium | europe-west1.pem
europe-west2 | London | europe-west2.pem
europe-west3 | Frankfurt | europe-west3.pem
europe-west4 | Netherlands | europe-west4.pem
europe-west6 | Zürich | europe-west6.pem
europe-west8 | Milan | europe-west8.pem
europe-west9 | Paris | europe-west9.pem
europe-west10 | Berlin | europe-west10.pem
europe-west12 | Turin | europe-west12.pem

Middle East
me-central1 | Doha | me-central1.pem
me-central2 | Dammam | me-central2.pem
me-west1 | Tel Aviv | me-west1.pem

North America
northamerica-northeast1 | Montréal | northamerica-northeast1.pem
northamerica-northeast2 | Toronto | northamerica-northeast2.pem
northamerica-south1 | Mexico | northamerica-south1.pem
us-central1 | Iowa | us-central1.pem
us-east1 | South Carolina | us-east1.pem
us-east4 | Northern Virginia | us-east4.pem
us-east5 | Columbus | us-east5.pem
us-south1 | Dallas | us-south1.pem
us-west1 | Oregon | us-west1.pem
us-west2 | Los Angeles | us-west2.pem
us-west3 | Salt Lake City | us-west3.pem
us-west4 | Las Vegas | us-west4.pem

South America
southamerica-east1 | São Paulo | southamerica-east1.pem
southamerica-west1 | Santiago | southamerica-west1.pem

Reset the SSL/TLS configuration

You can completely reset your SSL/TLS configuration.

Caution: Performing this action removes the ability to connect to your instance using SSL/TLS until you create new client certificates to replace any that were previously in use.

Console

  1. In the Google Cloud console, go to the Cloud SQL Instances page.

    Go to Cloud SQL Instances

  2. To open the Overview page of an instance, click the instance name.
  3. Select Connections from the SQL navigation menu.
  4. Go to the Reset SSL configuration section.
  5. Click Reset SSL Configuration.

gcloud

  1. Refresh the certificate:

    gcloud sql instances reset-ssl-config INSTANCE_NAME
  2. Create new client certificates.

REST v1beta4

  1. Refresh the certificate:

    Before using any of the request data, make the following replacements:

    • project-id: The project ID
    • instance-id: The instance ID

    HTTP method and URL:

    POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig

    To send your request, expand one of these options:

    curl (Linux, macOS, or Cloud Shell)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login, or by using Cloud Shell, which automatically logs you into the gcloud CLI. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    curl -X POST \
    -H "Authorization: Bearer $(gcloud auth print-access-token)" \
    -H "Content-Type: application/json; charset=utf-8" \
    -d "" \
    "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig"

    PowerShell (Windows)

    Note: The following command assumes that you have logged in to the gcloud CLI with your user account by running gcloud init or gcloud auth login. You can check the currently active account by running gcloud auth list.

    Execute the following command:

    $cred = gcloud auth print-access-token
    $headers = @{ "Authorization" = "Bearer $cred" }

    Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

    Response

    {
      "kind": "sql#operation",
      "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
      "status": "PENDING",
      "user": "user@example.com",
      "insertTime": "2020-01-20T21:30:35.667Z",
      "operationType": "UPDATE",
      "name": "operation-id",
      "targetId": "instance-id",
      "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
      "targetProject": "project-id"
    }
  2. Create new client certificates.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-07-18 UTC.