This page describes how to manage your server certificate authority (CA)
certificates.
Use encrypted connections 
Learn more about how SQL Server uses encrypted connections.
Manage server CA certificates (per-instance CA) 
This section describes how to manage server CA certificates that are created
internally by Cloud SQL. This is the default server CA mode in
Cloud SQL. In this certificate authority hierarchy, Cloud SQL creates a
server CA for each instance.
Rotate server CA certificates 
If you've received a notice about your certificates expiring, or you want to
initiate a rotation, then take the following steps to complete the
rotation. Before you start the rotation, you must have a new server CA
on the instance. If a new server CA has already been
created, then you can skip the first step in the following procedure.
  Create a new server CA. 
  Download the new server CA certificate information. 
  Update your clients to use the new server CA certificate information. 
  Complete the rotation, which moves the active certificate into
   the "previous" slot and updates the newly added certificate to be the
   active certificate. 
 
 After rotating the SSL certificate, your App Engine and
  Cloud SQL Auth Proxy connections will automatically receive a new certificate
  when they connect. 
  Console 
   Download the new server CA certificate, encoded as a PEM file,
    to your local environment:
  
    
In the Google Cloud console, go to the Cloud SQL Instances  page.
 
    
To open the Overview  page of an instance, click the instance name.
 
    Select Connections  from the SQL navigation menu. 
    Select the Security  tab. 
    Click to expand Manage certificates . 
    Select Rotate CA certificate .
      If there are no eligible certificates, then the
      rotate option is unavailable. You must create a new server CA certificate .
 
    Click Download Certificates . 
   
  Update all of your SQL Server clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem file.
  After you have updated your clients, complete the rotation:
   
     Return to the Security  tab. 
    Click to expand Manage certificates . 
    Select Rotate CA certificate . 
    Confirm that your clients are connecting properly. 
    If any clients are not connecting using the newly rotated certificate,
      then you can select Rollback CA certificate  to
      rollback  to the previous configuration.
    
 
  
    gcloud 
    
      Create a server CA certificate:
       
gcloud sql ssl server-ca-certs create \
--instance=INSTANCE_NAME
      Download the certificate information to a local PEM file:
        
gcloud sql ssl server-ca-certs list \
--format="value(cert)" \
--instance=INSTANCE_NAME > \
FILE_PATH/FILE_NAME.pem
      Update all of your clients to use the new information by
       copying the downloaded file to your client host machines, replacing the
       existing server-ca.pem files. 
      After you have updated your clients, complete the rotation:
      
gcloud sql ssl server-ca-certs rotate \
--instance=INSTANCE_NAME 
        
      Confirm that your clients are connecting properly. 
      If any clients are not connecting using the newly rotated certificate,
        then you can rollback  to the previous configuration.
        
     
   
  
    REST v1 
    
      Download your server CA certificates:

  Before using any of the request data,
  make the following replacements:
    project-id: The project ID
    instance-id: The instance ID

  HTTP method and URL:

GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas

To send your request, use one of the following options:

  curl (Linux, macOS, or Cloud Shell)

      Note: The following commands assume that you have logged in to the
      gcloud CLI with your user account by running gcloud init or
      gcloud auth login, or that you are using Cloud Shell, which
      automatically logs you into the gcloud CLI. You can check the
      currently active account by running gcloud auth list.

    Execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas"

  PowerShell (Windows)

    Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

Response

{
  "certs": [
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "cert-serial-number",
      "cert": "cert-value",
      "commonName": "ca-server-name",
      "sha1Fingerprint": "sha1Fingerprint",
      "instance": "instance-id",
      "createTime": "2020-02-10T17:18:54.935Z",
      "expirationTime": "2030-02-07T17:19:54.935Z"
    },
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "cert-serial-number",
      "cert": "cert-value",
      "commonName": "ca-server-name",
      "sha1Fingerprint": "sha1Fingerprint",
      "instance": "instance-id",
      "createTime": "2019-11-14T22:43:56.458Z",
      "expirationTime": "2029-11-11T22:44:56.458Z"
    }
  ],
  "activeVersion": "active-version",
  "kind": "sql#instancesListServerCas"
}
  
      Complete the rotation:

  Before using any of the request data,
  make the following replacements:
    project-id: The project ID
    instance-id: The instance ID

  HTTP method and URL:

POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

To send your request, use one of the following options:

  curl (Linux, macOS, or Cloud Shell)

    Execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa"

  PowerShell (Windows)

    Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}
  
     
   
  
    REST v1beta4 
    
      Download your server CA certificates:

  Before using any of the request data,
  make the following replacements:
    project-id: The project ID
    instance-id: The instance ID

  HTTP method and URL:

GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas

To send your request, use one of the following options:

  curl (Linux, macOS, or Cloud Shell)

    Execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas"

  PowerShell (Windows)

    Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

Response

{
  "certs": [
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "cert-serial-number",
      "cert": "cert-value",
      "commonName": "ca-server-name",
      "sha1Fingerprint": "sha1Fingerprint",
      "instance": "instance-id",
      "createTime": "2020-02-10T17:18:54.935Z",
      "expirationTime": "2030-02-07T17:19:54.935Z"
    },
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "cert-serial-number",
      "cert": "cert-value",
      "commonName": "ca-server-name",
      "sha1Fingerprint": "sha1Fingerprint",
      "instance": "instance-id",
      "createTime": "2019-11-14T22:43:56.458Z",
      "expirationTime": "2029-11-11T22:44:56.458Z"
    }
  ],
  "activeVersion": "active-version",
  "kind": "sql#instancesListServerCas"
}
  
      Complete the rotation:

  Before using any of the request data,
  make the following replacements:
    project-id: The project ID
    instance-id: The instance ID

  HTTP method and URL:

POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

To send your request, use one of the following options:

  curl (Linux, macOS, or Cloud Shell)

    Execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa"

  PowerShell (Windows)

    Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}
  
     
   
 
If you receive an error when you try to rotate a certificate that says
No upcoming/previous Server CA Certificate exists, then verify that
you're running the command on an instance that uses the per-instance CA hierarchy.
You can view which CA hierarchy is configured for
a Cloud SQL instance by using the gcloud sql instances describe command.
For more information, see View instance information .
Roll back a certificate rotation operation 
After you complete a certificate rotation, your clients must all use the
new certificate to connect to your Cloud SQL instance. If the clients
aren't updated properly to use the new certificate information, then they can't
connect using SSL/TLS to your instance. If this happens, then you can
roll back to the previous certificate configuration.
A rollback operation moves the active certificate into the "upcoming"
slot (replacing any "upcoming" certificate). The "previous"
certificate becomes the active certificate, returning your
certificate configuration to the state it was in before you completed
the rotation.
Note: Certificate rollback is available only until the old certificate expires.
To roll back to the previous certificate configuration:
  Console 
  
    
In the Google Cloud console, go to the Cloud SQL Instances  page.
 
    
To open the Overview  page of an instance, click the instance name.
 
    Select Connections  from the SQL navigation menu. 
    Select the Security  tab. 
    Click to expand Manage certificates . 
    Select Rollback CA certificate . If there are no eligible certificates,
      then the rollback option is unavailable. Otherwise, the rollback
      action completes after a few seconds.
 
   
  
 
  gcloud 
   
gcloud sql ssl server-ca-certs rollback \
--instance=INSTANCE_NAME 
     
 
  REST v1 
   
   Download your server CA certificates:

  Before using any of the request data,
  make the following replacements:
    project-id: The project ID
    instance-id: The instance ID

  HTTP method and URL:

GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas

To send your request, use one of the following options:

  curl (Linux, macOS, or Cloud Shell)

    Execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas"

  PowerShell (Windows)

    Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/listServerCas" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

Response

{
  "certs": [
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "cert-serial-number",
      "cert": "cert-value",
      "commonName": "ca-server-name",
      "sha1Fingerprint": "sha1Fingerprint",
      "instance": "instance-id",
      "createTime": "2020-02-10T17:18:54.935Z",
      "expirationTime": "2030-02-07T17:19:54.935Z"
    },
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "cert-serial-number",
      "cert": "cert-value",
      "commonName": "ca-server-name",
      "sha1Fingerprint": "sha1Fingerprint",
      "instance": "instance-id",
      "createTime": "2019-11-14T22:43:56.458Z",
      "expirationTime": "2029-11-11T22:44:56.458Z"
    }
  ],
  "activeVersion": "active-version",
  "kind": "sql#instancesListServerCas"
}
  
  Copy the sha1Fingerprint field for the version you want to roll back to.
     Look for the version with a createTime value immediately earlier
        than the version with the sha1Fingerprint value shown as
        activeVersion.

     Roll back the rotation:

  Before using any of the request data,
  make the following replacements:
    project-id: The project ID
    instance-id: The instance ID
    sha1Fingerprint: The sha1Fingerprint of the version to roll back to

  HTTP method and URL:

POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa

  Request JSON body:

{
  "rotateServerCaContext": {"nextVersion": "sha1Fingerprint"}
}

To send your request, use one of the following options:

  curl (Linux, macOS, or Cloud Shell)

      Save the request body in a file named request.json,
      and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa"

  PowerShell (Windows)

      Save the request body in a file named request.json,
      and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}
  
    
  
 
  REST v1beta4 
   
   Download your server CA certificates:

  Before using any of the request data,
  make the following replacements:
    project-id: The project ID
    instance-id: The instance ID

  HTTP method and URL:

GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas

To send your request, use one of the following options:

  curl (Linux, macOS, or Cloud Shell)

    Execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas"

  PowerShell (Windows)

    Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/listServerCas" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

Response

{
  "certs": [
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "cert-serial-number",
      "cert": "cert-value",
      "commonName": "ca-server-name",
      "sha1Fingerprint": "sha1Fingerprint",
      "instance": "instance-id",
      "createTime": "2020-02-10T17:18:54.935Z",
      "expirationTime": "2030-02-07T17:19:54.935Z"
    },
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "cert-serial-number",
      "cert": "cert-value",
      "commonName": "ca-server-name",
      "sha1Fingerprint": "sha1Fingerprint",
      "instance": "instance-id",
      "createTime": "2019-11-14T22:43:56.458Z",
      "expirationTime": "2029-11-11T22:44:56.458Z"
    }
  ],
  "activeVersion": "active-version",
  "kind": "sql#instancesListServerCas"
}
  
  Copy the sha1Fingerprint field for the version you want to roll back to.
     Look for the version with a createTime value immediately earlier
        than the version with the sha1Fingerprint value shown as
        activeVersion.

     Roll back the rotation:

  Before using any of the request data,
  make the following replacements:
    project-id: The project ID
    instance-id: The instance ID
    sha1Fingerprint: The sha1Fingerprint of the version to roll back to

  HTTP method and URL:

POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa

  Request JSON body:

{
  "rotateServerCaContext": {"nextVersion": "sha1Fingerprint"}
}

To send your request, use one of the following options:

  curl (Linux, macOS, or Cloud Shell)

      Save the request body in a file named request.json,
      and execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d @request.json \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa"

  PowerShell (Windows)

      Save the request body in a file named request.json,
      and execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-ContentType "application/json; charset=utf-8" `
-InFile request.json `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/rotateServerCa" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}
  
    
  
 
If you receive an error when you try to roll back a certificate CA rotation that says
No upcoming/previous Server CA Certificate exists, then verify that
you're running the command on an instance that uses the per-instance CA hierarchy.
You can view which CA hierarchy is configured for
a Cloud SQL instance by using the gcloud sql instances describe command.
For more information, see View instance information .
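Two judgement calls in the rotation and rollback procedures above are easy to get wrong by hand: deciding that a client's server-ca.pem really contains the upcoming CA before you complete the rotation, and choosing the right sha1Fingerprint for nextVersion when you roll back. The following Python is an added example, not code from the Cloud SQL documentation or the gcloud CLI. It works on the JSON object that instances.listServerCas returns (shown in the REST steps above), computes SHA-1 fingerprints of the certificates in a PEM bundle, and covers the two failure modes this page describes: no upcoming or previous certificate, and a previous certificate that has already expired. The instance name example-instance and the certificate bodies are constructed placeholders; everything else follows the field names in the response.

```python
"""Checks around a Cloud SQL server CA rotation (added example; not code from
the Cloud SQL documentation or the gcloud CLI).

Input is the JSON object returned by instances.listServerCas, as shown on this
page. ready_to_rotate() confirms, by SHA-1 fingerprint, that a client's
server-ca.pem already holds the *upcoming* CA before the rotation is completed.
rollback_request() selects the *previous* version (createTime immediately
before the active one) for the rotateServerCa body and refuses once it has
expired, because rollback is available only until the old certificate expires.
Standard library only; the certificate bodies below are constructed
placeholders (base64 of a short string, not real X.509 data).
"""
from __future__ import annotations
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

def bundle_fingerprints(bundle: str) -> set[str]:
    """SHA-1 over the DER bytes of each PEM certificate in a bundle, as lowercase
    hex without separators (the format of the sha1Fingerprint field). A
    server-ca.pem written with --format="value(cert)" holds every listed CA."""
    return {
        hashlib.sha1(base64.b64decode("".join(body.split()))).hexdigest()
        for body in PEM_BLOCK.findall(bundle)
    }

def classify(list_response: dict) -> dict:
    """Map the response onto the three slots: 'active' is activeVersion,
    'upcoming' was created after it, 'previous' before it; None when empty."""
    certs = sorted(list_response["certs"], key=lambda c: c["createTime"])
    fps = [c["sha1Fingerprint"] for c in certs]
    if list_response["activeVersion"] not in fps:
        raise ValueError("activeVersion does not match any listed certificate")
    i = fps.index(list_response["activeVersion"])
    return {
        "previous": certs[i - 1] if i > 0 else None,
        "active": certs[i],
        "upcoming": certs[i + 1] if i + 1 < len(certs) else None,
    }

def ready_to_rotate(list_response: dict, client_bundle: str) -> tuple[bool, str]:
    """Is it safe, as far as this client goes, to run server-ca-certs rotate?"""
    upcoming = classify(list_response)["upcoming"]
    if upcoming is None:
        return False, "no upcoming server CA; run server-ca-certs create first"
    if upcoming["sha1Fingerprint"] not in bundle_fingerprints(client_bundle):
        return False, f"client bundle lacks upcoming CA {upcoming['sha1Fingerprint']}"
    return True, "client bundle contains the upcoming CA; safe to complete rotation"

def rollback_request(list_response: dict, now: datetime | None = None) -> dict:
    """Body for POST .../rotateServerCa that returns to the previous version.
    Raises LookupError if there is no previous CA or it has already expired."""
    previous = classify(list_response)["previous"]
    if previous is None:
        raise LookupError("no previous server CA certificate exists")
    expires = datetime.fromisoformat(previous["expirationTime"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise LookupError("previous server CA has expired; rollback is no longer available")
    return {"rotateServerCaContext": {"nextVersion": previous["sha1Fingerprint"]}}

# Constructed sample data, not taken from a real instance.
def _pem(label: str) -> str:
    body = base64.b64encode(f"constructed placeholder: {label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def _cert(pem: str, created: str, expires: str) -> dict:
    return {"kind": "sql#sslCert", "cert": pem, "instance": "example-instance",
            "sha1Fingerprint": next(iter(bundle_fingerprints(pem))),
            "createTime": created, "expirationTime": expires}

ACTIVE_PEM, UPCOMING_PEM = _pem("active server CA"), _pem("upcoming server CA")

# After server-ca-certs create: active and upcoming are listed, no previous yet.
BEFORE_ROTATION = {
    "kind": "sql#instancesListServerCas",
    "certs": [
        _cert(UPCOMING_PEM, "2020-02-10T17:18:54.935Z", "2030-02-07T17:19:54.935Z"),
        _cert(ACTIVE_PEM, "2019-11-14T22:43:56.458Z", "2029-11-11T22:44:56.458Z"),
    ],
}
BEFORE_ROTATION["activeVersion"] = BEFORE_ROTATION["certs"][1]["sha1Fingerprint"]

# After server-ca-certs rotate: the 2020 CA is active and the 2019 CA is previous.
AFTER_ROTATION = dict(BEFORE_ROTATION, activeVersion=BEFORE_ROTATION["certs"][0]["sha1Fingerprint"])

if __name__ == "__main__":
    print(ready_to_rotate(BEFORE_ROTATION, ACTIVE_PEM))                 # old CA only: not ready
    print(ready_to_rotate(BEFORE_ROTATION, ACTIVE_PEM + UPCOMING_PEM))  # new bundle: ready
    print(rollback_request(AFTER_ROTATION))
```

Run the file directly to see both checks against the constructed data. In practice, save the listServerCas response to a file and pass it together with the server-ca.pem copied from each client host; only when ready_to_rotate() returns True for every client should the rotate call be issued, and the body from rollback_request() is what goes into request.json for the rollback step.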
Initiate a rotation 
You don't need to wait for the email from Cloud SQL to start a rotation.
You can start one at any time. When you start a rotation, a new certificate
is created and placed into the "upcoming" slot. If a certificate is already present
in the "upcoming" slot at the time of your request, then that certificate is deleted.
There can be only one upcoming certificate.
To initiate a rotation:
  Console 
  
    
In the Google Cloud console, go to the Cloud SQL Instances  page.
 
    
To open the Overview  page of an instance, click the instance name.
 
    Select Connections  from the SQL navigation menu. 
    Select the Security  tab. 
    Click to expand Manage certificates . 
    Click Create new CA certificate . 
    Select Rotate CA certificate .
      If there are no eligible certificates,
      then the rotate option is unavailable.
 
    Complete the rotation as described in
       Rotate server CA certificates . 
   
  
 
  gcloud 
   
     Initiate the rotation:
     
gcloud sql ssl server-ca-certs create \
--instance=INSTANCE_NAME 
       
     Complete the rotation as described in
        Rotate server CA certificates . 
    
  
 
  REST v1 
   
   
      
      
  
  
  
  
  
  
    
  
   Initiate the rotation. This call adds a new server CA in the "upcoming"
   slot (the REST equivalent of gcloud sql ssl server-ca-certs create);
   rotateServerCa is the call that completes the rotation afterwards.

  Before using any of the request data,
  make the following replacements:
    project-id: The project ID
    instance-id: The instance ID

  HTTP method and URL:

POST https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/addServerCa

To send your request, use one of the following options:

  curl (Linux, macOS, or Cloud Shell)

    Execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/addServerCa"

  PowerShell (Windows)

    Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id/addServerCa" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}
  
   Complete the rotation as described in
      Rotate server CA certificates . 
    
  
 
  REST v1beta4 
   
   
      
      
  
  
  
  
  
  
    
  
   Initiate the rotation. This call adds a new server CA in the "upcoming"
   slot (the REST equivalent of gcloud sql ssl server-ca-certs create);
   rotateServerCa is the call that completes the rotation afterwards.

  Before using any of the request data,
  make the following replacements:
    project-id: The project ID
    instance-id: The instance ID

  HTTP method and URL:

POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/addServerCa

To send your request, use one of the following options:

  curl (Linux, macOS, or Cloud Shell)

    Execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/addServerCa"

  PowerShell (Windows)

    Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/addServerCa" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}
  
   Complete the rotation as described in
      Rotate server CA certificates . 
    
  
 
Get information about a server CA certificate 
You can get information about your server CA certificate, such as when it expires
or what level of encryption it provides.
Console 
  
In the Google Cloud console, go to the Cloud SQL Instances  page.
 
  
To open the Overview  page of an instance, click the instance name.
 
  Select Connections  from the SQL navigation menu. 
  Select the Security  tab.
    In Manage server CA certificates , you can see the expiration date
      of your server CA certificate in the table.
     To see the certificate type, use the
     gcloud sql ssl server-ca-certs list --instance=INSTANCE_NAME   command.
 
    
    
gcloud 
gcloud sql ssl server-ca-certs list \
--instance=INSTANCE_NAME
REST v1 
  When you describe your instance, you can see details about the server CA
  certificate:
  
  
  
  
  
  
    
  
  Before using any of the request data,
  make the following replacements:
    project-id: The project ID
    instance-id: The instance ID

  HTTP method and URL:

GET https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert

To send your request, use one of the following options:

  curl (Linux, macOS, or Cloud Shell)

    Execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
"https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert"

  PowerShell (Windows)

    Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/v1/projects/project-id/instances/instance-id?fields=serverCaCert" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

Response

{
  "serverCaCert":
  {
    "kind": "sql#sslCert",
    "certSerialNumber": "cert-serial-number",
    "cert": "cert-value",
    "commonName": "ca-server-name",
    "sha1Fingerprint": "sha1Fingerprint",
    "instance": "instance-id",
    "createTime": "2020-02-10T17:18:54.935Z",
    "expirationTime": "2030-02-07T17:19:54.935Z"
  }
}
  
REST v1beta4 
  When you describe your instance, you can see details about the server
  CA certificate:
  
  
  
  
  
  
    
  
  Before using any of the request data,
  make the following replacements:
    project-id: The project ID
    instance-id: The instance ID

  HTTP method and URL:

GET https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert

To send your request, use one of the following options:

  curl (Linux, macOS, or Cloud Shell)

    Execute the following command:

curl -X GET \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert"

  PowerShell (Windows)

    Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method GET `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id?fields=serverCaCert" | Select-Object -Expand Content

    You should receive a JSON response similar to the following:

Response

{
  "serverCaCert":
  {
    "kind": "sql#sslCert",
    "certSerialNumber": "cert-serial-number",
    "cert": "cert-value",
    "commonName": "ca-server-name",
    "sha1Fingerprint": "sha1Fingerprint",
    "instance": "instance-id",
    "createTime": "2020-02-10T17:18:54.935Z",
    "expirationTime": "2030-02-07T17:19:54.935Z"
  }
}
  
 
View the content of CA certificates
You can use openssl storeutl to view the content of CA certificates.
When you run the sql ssl server-ca-certs list command, you might get multiple
CA certificates from previous rotation-related operations.

gcloud
Run the following command:
gcloud sql ssl server-ca-certs list \
   --instance=INSTANCE_NAME \
   --format='value(cert)' > temp_cert.pem
Replace INSTANCE_NAME with the name of the instance.
Use openssl to examine the contents of the CA certificates.
openssl storeutl -noout -text temp_cert.pem
 
View the content of a server certificate
You can use nmap to view the content of server certificates. To download and
install nmap, visit https://nmap.org/.

gcloud
To view the server certificate content, run the following command:
nmap -sV -p 1433 --script ssl-cert INSTANCE_IP_ADDRESS -Pn
Replace INSTANCE_IP_ADDRESS with the IP address of the instance.
 
External server SSL expiry notification
  If the external server's server CA certificate is expiring, then rotate the
  SSL certificates, including the server CA certificate on the on-premises
  instance. This step depends on how the on-premises instance is managed. Steps
  can vary if, for example, you're using an RDS server CA certificate, a
  Cloud SQL server CA certificate, or a database-generic server CA certificate.
  If the client certificate is expiring, then you need to generate a new
  certificate and key. This applies to both Google Cloud-managed SSL
  certificates and self-signed certificates.
  Update the Cloud SQL source representation instance with the new SSL
  certificates.
 
Manage server certificates (shared CA)
This section describes how to manage server certificates on instances that
use shared CAs or customer-managed CAs.
You can opt in to using shared CAs as the server CA mode for your instance by
specifying GOOGLE_MANAGED_CAS_CA for the serverCaMode setting (Cloud SQL Admin
API) or the --server-ca-mode flag (gcloud CLI) when you create your instance.
To use a customer-managed CA as the server CA mode for your instance, you must
specify CUSTOMER_MANAGED_CAS_CA for the serverCaMode setting (Cloud SQL Admin
API) or the --server-ca-mode flag (gcloud CLI) when you create your instance,
and you must have a valid CA pool and CA. For more information, see
Use customer-managed CA.
Rotate server certificates
If you've received a notice about your server certificates expiring, or you want
to initiate a rotation, then take the following steps to complete the rotation.
Before you start the rotation, there must be a new server certificate created for
the upcoming rotation. If there is already a new server certificate created for
the upcoming rotation, then you can skip the first step in the following procedure.
To rotate the server certificate on your instance, perform the following steps:
  If you need a new server certificate, then create one.
  If your clients already trust the latest regional CA bundle, then this step
    is optional. However, if you need to update your clients with server CA
    information, then do the following:
      Download the latest server CA information.
      Update your clients to use the latest server CA information.
  Complete the rotation by moving the active certificate to the previous slot,
    and updating the new certificate to be the active certificate.
   
Console
Download the server CA certificate information, encoded as a PEM file, to your
local environment:
  In the Google Cloud console, go to the Cloud SQL Instances page.
  Go to Cloud SQL Instances
  To open the Overview page of an instance, click the instance name.
  Select Connections from the SQL navigation menu.
  Select the Security tab.
  Click to expand Manage certificates.
  Confirm that the Rotate server certificate option appears as an available
    option; however, don't select it yet. If there are no eligible
    certificates, then the rotate option is unavailable. You must create a new
    server certificate.
  Click Download certificates.
Update all of your SQL Server clients to use the new information by copying the
downloaded file to your client host machines, replacing the existing
server-ca.pem file.
After you have updated your clients, complete the rotation:
  Return to the Security tab.
  Click to expand Manage certificates.
  Select Rotate certificate.
  In the Confirm certificate rotation dialog, click Rotate.
  Confirm that your clients are connecting properly. If any clients are not
    connecting using the newly rotated certificate, then you can select
    Rollback certificate to roll back to the previous configuration.
  
gcloud
  To create a server certificate, use the following command:
gcloud sql ssl server-certs create \
--instance=INSTANCE
  Replace INSTANCE with the name of the instance.
  Make sure that you're using the latest CA bundle. If you aren't using the
  latest CA bundle, then run the following command to download the latest
  server CA information for the instance to a local PEM file:
gcloud sql ssl server-certs list \
--format="value(ca_cert.cert)" \
--instance=INSTANCE_NAME > \
FILE_PATH/server-ca.pem
  Or download the CA bundles from the root and regional CA certificate bundle
  table on this page. Then update all of your clients to use the new server CA
  information by copying the downloaded file to your client host machines,
  replacing the existing server-ca.pem files.
  After you update all your clients (if client updates are required), complete
  the rotation:
gcloud sql ssl server-certs rotate \
--instance=INSTANCE_NAME
  Confirm that your clients are connecting properly. If any clients aren't
  connecting using the newly rotated server certificate, then roll back to the
  previous configuration.
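The step the gcloud procedure above leaves to the operator, confirming that every client host's server-ca.pem already carries the CA certificates the instance reports before server-certs rotate is run, can be scripted against the listServerCertificates response shown under the REST tabs. The following Python is an added example, not Cloud SQL or gcloud code. It assumes that the API's sha1Fingerprint field is the lowercase hex SHA-1 over the DER-encoded certificate (the value openssl x509 -fingerprint -sha1 prints, without the colons), and its sample certificates are constructed placeholders rather than real X.509 data.

```python
"""Check whether a client's server-ca.pem trusts every CA the instance reports.

Added example for this page; it is not Cloud SQL or gcloud code. Assumptions:
  * the API's sha1Fingerprint field is the lowercase hex SHA-1 of the
    DER-encoded certificate (assumption, not stated on the page);
  * the sample certificates below are constructed placeholders (base64 of a
    short byte string, not real X.509 data), enough to exercise PEM splitting
    and fingerprint comparison offline.
"""
import base64
import hashlib
import re

# One PEM certificate block; re.S lets "." span the base64 body lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(bundle: str) -> list[str]:
    """Return every PEM certificate block in a bundle such as server-ca.pem."""
    return PEM_BLOCK.findall(bundle)


def pem_to_der(pem_cert: str) -> bytes:
    """Decode the base64 body of one PEM block; the armor lines are dropped."""
    body = "".join(line.strip() for line in pem_cert.splitlines()
                   if not line.startswith("-----"))
    return base64.b64decode(body)


def sha1_fingerprint(pem_cert: str) -> str:
    """SHA-1 of the DER encoding, in the assumed sha1Fingerprint format."""
    return hashlib.sha1(pem_to_der(pem_cert)).hexdigest()


def missing_ca_certs(response: dict, client_bundle: str) -> list[str]:
    """Fingerprints of CA certs in the response that the client bundle lacks.

    An empty list means this client is ready for the rotation to be completed.
    """
    trusted = {sha1_fingerprint(c) for c in split_pem_bundle(client_bundle)}
    return [ca["sha1Fingerprint"] for ca in response.get("caCerts", [])
            if ca["sha1Fingerprint"] not in trusted]


def inconsistent_fingerprints(response: dict) -> list[str]:
    """CA entries whose reported sha1Fingerprint does not match their cert field.

    A non-empty result means the response (or a cached copy of it) should not
    be used for the comparison above.
    """
    return [ca["sha1Fingerprint"] for ca in response.get("caCerts", [])
            if sha1_fingerprint(ca["cert"]) != ca["sha1Fingerprint"]]


def constructed_pem(label: str) -> str:
    """Placeholder PEM block built from a label; NOT a real certificate."""
    b64 = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"


# Constructed sample in the shape of the page's listServerCertificates response.
CA_ONE = constructed_pem("constructed CA certificate one")
CA_TWO = constructed_pem("constructed CA certificate two")
SAMPLE_RESPONSE = {
    "caCerts": [
        {"kind": "sql#sslCert", "commonName": "CA_SERVER_NAME", "cert": CA_ONE,
         "sha1Fingerprint": sha1_fingerprint(CA_ONE)},
        {"kind": "sql#sslCert", "commonName": "CA_SERVER_NAME", "cert": CA_TWO,
         "sha1Fingerprint": sha1_fingerprint(CA_TWO)},
    ],
}
# A client host whose server-ca.pem predates the newer CA (constructed) ...
CLIENT_BUNDLE_STALE = CA_ONE + "\n"
# ... and one that already holds the freshly downloaded bundle (constructed).
CLIENT_BUNDLE_CURRENT = CA_ONE + "\n" + CA_TWO + "\n"

if __name__ == "__main__":
    for name, bundle in (("stale", CLIENT_BUNDLE_STALE),
                         ("current", CLIENT_BUNDLE_CURRENT)):
        missing = missing_ca_certs(SAMPLE_RESPONSE, bundle)
        print(f"{name}: {'ready' if not missing else 'missing ' + ', '.join(missing)}")
```

In practice, feed missing_ca_certs the parsed JSON of the listServerCertificates request shown under REST and the contents of each host's server-ca.pem; only complete the rotation once every host returns an empty list.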
        
 
   
  
REST v1
  Create a server certificate.
  Before using any of the request data, make the following replacements:
    PROJECT_ID: the project ID
    INSTANCE_ID: the instance ID
  HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate
To send your request, expand one of these options:
  curl (Linux, macOS, or Cloud Shell)
  Note: The following command assumes that you have logged in to the gcloud CLI
  with your user account by running gcloud init or gcloud auth login, or by using
  Cloud Shell, which automatically logs you into the gcloud CLI. You can check
  the currently active account by running gcloud auth list.
  Execute the following command:
curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d "" \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate"
  PowerShell (Windows)
  Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate" | Select-Object -Expand Content
  You should receive a JSON response similar to the following:
Response
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2024-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}
  If you need to download server CA certificate information, then you can use
  the following command.
  Before using any of the request data, make the following replacements:
    PROJECT_ID: the project ID
    INSTANCE_ID: the instance ID
  HTTP method and URL:
GET https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates
To send your request, expand one of these options:
  curl (Linux, macOS, or Cloud Shell)
  Note: The following command assumes that you have logged in to the gcloud CLI
  with your user account by running gcloud init or gcloud auth login, or by using
  Cloud Shell, which automatically logs you into the gcloud CLI. You can check
  the currently active account by running gcloud auth list.
  Execute the following command:
curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates"
  PowerShell (Windows)
  Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates" | Select-Object -Expand Content
  You should receive a JSON response similar to the following:
Response
{
  "caCerts": [
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_ONE",
      "cert": "CERT_VALUE",
      "commonName": "CA_SERVER_NAME",
      "sha1Fingerprint": "sha1Fingerprint_CA_CERT_ONE",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-07-10T17:18:54.935Z",
      "expirationTime": "2034-07-10T17:19:54.935Z"
    },
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_TWO",
      "cert": "CERT_VALUE",
      "commonName": "CA_SERVER_NAME",
      "sha1Fingerprint": "sha1Fingerprint_CA_CERT_TWO",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-07-14T22:43:56.458Z",
      "expirationTime": "2034-11-11T22:44:56.458Z"
    }
  ],
  "serverCerts": [
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_ONE",
      "cert": "CERT_VALUE",
      "commonName": "SUBJECT_VALUE",
      "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_ONE",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-09-16T18:11:39Z",
      "expirationTime": "2025-09-16T18:11:38Z"
    },
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_TWO",
      "cert": "CERT_VALUE",
      "commonName": "SUBJECT_VALUE",
      "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_TWO",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-09-10T20:56:06Z",
      "expirationTime": "2025-09-10T20:56:05Z"
    }
  ],
  "activeVersion": "sha1Fingerprint_SERVER_CERT_TWO",
  "kind": "sql#instancesListServerCertificates"
}
  Complete the rotation.
  Before using any of the request data, make the following replacements:
    PROJECT_ID: the project ID
    INSTANCE_ID: the instance ID
  HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate
To send your request, expand one of these options:
  curl (Linux, macOS, or Cloud Shell)
  Note: The following command assumes that you have logged in to the gcloud CLI
  with your user account by running gcloud init or gcloud auth login, or by using
  Cloud Shell, which automatically logs you into the gcloud CLI. You can check
  the currently active account by running gcloud auth list.
  Execute the following command:
curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d "" \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate"
  PowerShell (Windows)
  Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate" | Select-Object -Expand Content
  You should receive a JSON response similar to the following:
Response
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2024-09-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/operation-id",
  "targetProject": "PROJECT_ID"
}
  
   
  
REST v1beta4
  Create a server certificate.
  Before using any of the request data, make the following replacements:
    PROJECT_ID: the project ID
    INSTANCE_ID: the instance ID
  HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate
To send your request, expand one of these options:
  curl (Linux, macOS, or Cloud Shell)
  Note: The following command assumes that you have logged in to the gcloud CLI
  with your user account by running gcloud init or gcloud auth login, or by using
  Cloud Shell, which automatically logs you into the gcloud CLI. You can check
  the currently active account by running gcloud auth list.
  Execute the following command:
curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d "" \
     "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate"
  PowerShell (Windows)
  Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/addServerCertificate" | Select-Object -Expand Content
  You should receive a JSON response similar to the following:
Response
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2024-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}
  If you need to download server CA certificate information, then you can use
  the following command.
  Before using any of the request data, make the following replacements:
    PROJECT_ID: the project ID
    INSTANCE_ID: the instance ID
  HTTP method and URL:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates
To send your request, expand one of these options:
  curl (Linux, macOS, or Cloud Shell)
  Note: The following command assumes that you have logged in to the gcloud CLI
  with your user account by running gcloud init or gcloud auth login, or by using
  Cloud Shell, which automatically logs you into the gcloud CLI. You can check
  the currently active account by running gcloud auth list.
  Execute the following command:
curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates"
  PowerShell (Windows)
  Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates" | Select-Object -Expand Content
  You should receive a JSON response similar to the following:
Response
{
  "caCerts": [
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_ONE",
      "cert": "CERT_VALUE",
      "commonName": "CA_SERVER_NAME",
      "sha1Fingerprint": "sha1Fingerprint_CA_CERT_ONE",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-07-10T17:18:54.935Z",
      "expirationTime": "2034-07-10T17:19:54.935Z"
    },
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_TWO",
      "cert": "CERT_VALUE",
      "commonName": "CA_SERVER_NAME",
      "sha1Fingerprint": "sha1Fingerprint_CA_CERT_TWO",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-07-14T22:43:56.458Z",
      "expirationTime": "2034-11-11T22:44:56.458Z"
    }
  ],
  "serverCerts": [
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_ONE",
      "cert": "CERT_VALUE",
      "commonName": "SUBJECT_VALUE",
      "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_ONE",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-09-16T18:11:39Z",
      "expirationTime": "2025-09-16T18:11:38Z"
    },
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_TWO",
      "cert": "CERT_VALUE",
      "commonName": "SUBJECT_VALUE",
      "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_TWO",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-09-10T20:56:06Z",
      "expirationTime": "2025-09-10T20:56:05Z"
    }
  ],
  "activeVersion": "sha1Fingerprint_SERVER_CERT_TWO",
  "kind": "sql#instancesListServerCertificates"
}
  Complete the rotation.
  Before using any of the request data, make the following replacements:
    PROJECT_ID: the project ID
    INSTANCE_ID: the instance ID
  HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate
To send your request, expand one of these options:
  curl (Linux, macOS, or Cloud Shell)
  Note: The following command assumes that you have logged in to the gcloud CLI
  with your user account by running gcloud init or gcloud auth login, or by using
  Cloud Shell, which automatically logs you into the gcloud CLI. You can check
  the currently active account by running gcloud auth list.
  Execute the following command:
curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d "" \
     "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate"
  PowerShell (Windows)
  Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate" | Select-Object -Expand Content
  You should receive a JSON response similar to the following:
Response
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2024-09-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}
  
   
 
Roll back a certificate rotation 
After you complete a server certificate rotation, all your clients must use the
new certificate to connect to your Cloud SQL instance. If the clients
aren't updated properly to use the new certificate information, then they can't
connect using SSL/TLS to your instance. If this happens, then you can roll back
to the previous certificate configuration.
A rollback operation moves the active certificate into the "upcoming" slot,
which replaces any "upcoming" certificate. The "previous" certificate becomes
the active certificate and returns your certificate configuration to its previous
state before you completed the rotation.
 
Console
  In the Google Cloud console, go to the Cloud SQL Instances page.
  Go to Cloud SQL Instances
  To open the Overview page of an instance, click the instance name.
  Select Connections from the SQL navigation menu.
  Select the Security tab.
  Click to expand Manage certificates.
  Select Rollback server certificate. If there are no eligible certificates,
    then the rollback option is unavailable.
  In the Confirm certificate rollback dialog, select Rollback. The rollback
    might take a few seconds to complete.
  
gcloud
  Run the following command:
gcloud sql ssl server-certs rollback \
--instance=INSTANCE_NAME
  Replace INSTANCE_NAME with the name of the instance.
     
 
REST v1
  List your server certificates.
  Before using any of the request data, make the following replacements:
    PROJECT_ID: the project ID
    INSTANCE_ID: the instance ID
  HTTP method and URL:
GET https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates
To send your request, expand one of these options:
  curl (Linux, macOS, or Cloud Shell)
  Note: The following command assumes that you have logged in to the gcloud CLI
  with your user account by running gcloud init or gcloud auth login, or by using
  Cloud Shell, which automatically logs you into the gcloud CLI. You can check
  the currently active account by running gcloud auth list.
  Execute the following command:
curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates"
  PowerShell (Windows)
  Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates" | Select-Object -Expand Content
  You should receive a JSON response similar to the following:
Response
{
  "caCerts": [
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_ONE",
      "cert": "CERT_VALUE",
      "commonName": "CA_SERVER_NAME",
      "sha1Fingerprint": "sha1Fingerprint_CA_CERT_ONE",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-07-10T17:18:54.935Z",
      "expirationTime": "2034-07-10T17:19:54.935Z"
    },
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_TWO",
      "cert": "CERT_VALUE",
      "commonName": "CA_SERVER_NAME",
      "sha1Fingerprint": "sha1Fingerprint_CA_CERT_TWO",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-07-14T22:43:56.458Z",
      "expirationTime": "2034-11-11T22:44:56.458Z"
    }
  ],
  "serverCerts": [
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_ONE",
      "cert": "CERT_VALUE",
      "commonName": "SUBJECT_VALUE",
      "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_ONE",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-09-16T18:11:39Z",
      "expirationTime": "2025-09-16T18:11:38Z"
    },
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_TWO",
      "cert": "CERT_VALUE",
      "commonName": "SUBJECT_VALUE",
      "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_TWO",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-09-10T20:56:06Z",
      "expirationTime": "2025-09-10T20:56:05Z"
    }
  ],
  "activeVersion": "sha1Fingerprint_SERVER_CERT_TWO",
  "kind": "sql#instancesListServerCertificates"
}
  Copy the sha1Fingerprint field for the version you want to roll back to.
    Look for the version with a createTime value immediately earlier than the
    version with the sha1Fingerprint value shown as activeVersion.
  Roll back the rotation.
  Before using any of the request data, make the following replacements:
    PROJECT_ID: the project ID
    INSTANCE_ID: the instance ID
  HTTP method and URL:
POST https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate
  Request JSON body:
{
  "rotateServerCertificateContext": {"nextVersion": "sha1Fingerprint"}
}
To send your request, expand one of these options:
  curl (Linux, macOS, or Cloud Shell)
  Note: The following command assumes that you have logged in to the gcloud CLI
  with your user account by running gcloud init or gcloud auth login, or by using
  Cloud Shell, which automatically logs you into the gcloud CLI. You can check
  the currently active account by running gcloud auth list.
  Save the request body in a file named request.json, and execute the
  following command:
curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate"
  PowerShell (Windows)
  Save the request body in a file named request.json, and execute the
  following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate" | Select-Object -Expand Content
  You should receive a JSON response similar to the following:
Response
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/v1/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}
  
   
 
REST v1beta4
  List your server certificates.
  Before using any of the request data, make the following replacements:
    PROJECT_ID: the project ID
    INSTANCE_ID: the instance ID
  HTTP method and URL:
GET https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates
To send your request, expand one of these options:
  curl (Linux, macOS, or Cloud Shell)
  Note: The following command assumes that you have logged in to the gcloud CLI
  with your user account by running gcloud init or gcloud auth login, or by using
  Cloud Shell, which automatically logs you into the gcloud CLI. You can check
  the currently active account by running gcloud auth list.
  Execute the following command:
curl -X GET \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates"
  PowerShell (Windows)
  Execute the following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method GET `
    -Headers $headers `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/listServerCertificates" | Select-Object -Expand Content
  You should receive a JSON response similar to the following:
Response
{
  "caCerts": [
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_ONE",
      "cert": "CERT_VALUE",
      "commonName": "CA_SERVER_NAME",
      "sha1Fingerprint": "sha1Fingerprint_CA_CERT_ONE",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-07-10T17:18:54.935Z",
      "expirationTime": "2034-07-10T17:19:54.935Z"
    },
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_CA_CERT_TWO",
      "cert": "CERT_VALUE",
      "commonName": "CA_SERVER_NAME",
      "sha1Fingerprint": "sha1Fingerprint_CA_CERT_TWO",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-07-14T22:43:56.458Z",
      "expirationTime": "2034-11-11T22:44:56.458Z"
    }
  ],
  "serverCerts": [
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_ONE",
      "cert": "CERT_VALUE",
      "commonName": "SUBJECT_VALUE",
      "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_ONE",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-09-16T18:11:39Z",
      "expirationTime": "2025-09-16T18:11:38Z"
    },
    {
      "kind": "sql#sslCert",
      "certSerialNumber": "CERT_SERIAL_NUMBER_SERVER_CERT_TWO",
      "cert": "CERT_VALUE",
      "commonName": "SUBJECT_VALUE",
      "sha1Fingerprint": "sha1Fingerprint_SERVER_CERT_TWO",
      "instance": "INSTANCE_NAME",
      "createTime": "2024-09-10T20:56:06Z",
      "expirationTime": "2025-09-10T20:56:05Z"
    }
  ],
  "activeVersion": "sha1Fingerprint_SERVER_CERT_TWO",
  "kind": "sql#instancesListServerCertificates"
}
  Copy the sha1Fingerprint field for the version you want to roll back to.
    Look for the version with a createTime value immediately earlier than the
    version with the sha1Fingerprint value shown as activeVersion.
  Roll back the rotation.
  Before using any of the request data, make the following replacements:
    PROJECT_ID: the project ID
    INSTANCE_ID: the instance ID
  HTTP method and URL:
POST https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate
  Request JSON body:
{
  "rotateServerCertificateContext": {"nextVersion": "sha1Fingerprint"}
}
To send your request, expand one of these options:
  curl (Linux, macOS, or Cloud Shell)
  Note: The following command assumes that you have logged in to the gcloud CLI
  with your user account by running gcloud init or gcloud auth login, or by using
  Cloud Shell, which automatically logs you into the gcloud CLI. You can check
  the currently active account by running gcloud auth list.
  Save the request body in a file named request.json, and execute the
  following command:
curl -X POST \
     -H "Authorization: Bearer $(gcloud auth print-access-token)" \
     -H "Content-Type: application/json; charset=utf-8" \
     -d @request.json \
     "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate"
  PowerShell (Windows)
  Save the request body in a file named request.json, and execute the
  following command:
$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
    -Method POST `
    -Headers $headers `
    -ContentType: "application/json; charset=utf-8" `
    -InFile request.json `
    -Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID/rotateServerCertificate" | Select-Object -Expand Content
  You should receive a JSON response similar to the following:
Response
{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/instances/INSTANCE_ID",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "OPERATION_ID",
  "targetId": "INSTANCE_ID",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/PROJECT_ID/operations/OPERATION_ID",
  "targetProject": "PROJECT_ID"
}
  
   
  
View the content of CA certificates 
You can use the openssl storeutl utility
to view the content of CA certificates.
When you run the sql ssl server-certs list  command, you always get
multiple CA certificates due to the trust chain.
You might also get multiple CA certificates from previous
rotation-related operations.
 
 gcloud

 Run the following command:
gcloud sql ssl server-certs list \
   --instance=INSTANCE_NAME \
   --format='value(cert)' > temp_cert.pem
 Replace INSTANCE_NAME with the name of the instance.

 Use openssl to examine the contents of the CA certificates.
openssl storeutl -noout -text temp_cert.pem
      
 
 
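The bundle written to temp_cert.pem above contains several certificates, and the rotate and roll-back request body earlier on this page identifies the one to activate by its sha1Fingerprint. The following is an added Python example, not part of the Cloud SQL documentation or of any Google tool, that splits a PEM bundle into its certificates and computes each one's SHA-1 fingerprint with only the standard library, so you can confirm which fingerprint belongs to which certificate before you send the request. The fingerprint is SHA-1 over the DER bytes, that is, over the base64-decoded body between the BEGIN/END CERTIFICATE markers. The sample bundle is constructed from plain bytes with well-known SHA-1 digests and is not a real certificate; the helper names are mine, and treating the compact lowercase hex form as the one the API's nextVersion field expects is an assumption (gcloud's SHA1_FINGERPRINT column shows that form).

```python
"""Split a PEM bundle and compute the SHA-1 fingerprint of each certificate.

Added example (not from the Cloud SQL documentation). Standard library only:
the fingerprint is SHA-1 over the DER bytes, i.e. over the base64-decoded
body between the BEGIN/END CERTIFICATE markers, which is what
`openssl x509 -fingerprint -sha1` prints. The sample bundle below is
constructed from arbitrary bytes so the script runs offline; it is not a
real certificate.
"""
import base64
import hashlib
import re
from typing import List, Tuple

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_bundle(bundle: str) -> List[str]:
    """Return each certificate in the bundle as its own PEM block.

    `gcloud sql ssl server-certs list --format='value(cert)'` writes every
    certificate in the trust chain (plus any retained by earlier rotations)
    into one file, so a bundle normally holds more than one block.
    """
    return [f"{BEGIN}\n{body.strip()}\n{END}" for body in _PEM_RE.findall(bundle)]


def pem_to_der(pem_block: str) -> bytes:
    """Base64-decode the body of one PEM block to its DER encoding."""
    match = _PEM_RE.search(pem_block)
    if match is None:
        raise ValueError("not a PEM CERTIFICATE block")
    body = "".join(match.group(1).split())  # drop line breaks inside the body
    return base64.b64decode(body, validate=True)


def sha1_fingerprint(pem_block: str, colons: bool = False) -> str:
    """SHA-1 fingerprint of the certificate's DER bytes.

    colons=False gives the compact lowercase form shown in gcloud's
    SHA1_FINGERPRINT column (assumed here to be what nextVersion expects);
    colons=True gives openssl's AA:BB:... form for eyeballing against
    `openssl x509 -fingerprint -sha1`.
    """
    digest = hashlib.sha1(pem_to_der(pem_block)).hexdigest()
    if colons:
        return ":".join(digest[i:i + 2] for i in range(0, 40, 2)).upper()
    return digest


def fingerprint_bundle(bundle: str) -> List[Tuple[int, str]]:
    """(index, fingerprint) for every certificate in the bundle, in file order."""
    return [(i, sha1_fingerprint(block)) for i, block in enumerate(split_pem_bundle(bundle))]


def make_sample_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM armor (constructed sample, NOT a real cert)."""
    b64 = base64.encodebytes(payload).decode("ascii").strip()
    return f"{BEGIN}\n{b64}\n{END}\n"


# Constructed sample bundle: two "certificates" whose DER payloads are plain
# ASCII strings with well-known SHA-1 digests, so the output is verifiable.
SAMPLE_BUNDLE = make_sample_pem(b"abc") + make_sample_pem(
    b"The quick brown fox jumps over the lazy dog"
)

if __name__ == "__main__":
    for index, fp in fingerprint_bundle(SAMPLE_BUNDLE):
        print(f"cert[{index}] sha1Fingerprint={fp}")
```

Run it against the real temp_cert.pem by passing the file's contents to fingerprint_bundle; the index tells you which block in the file each fingerprint came from, and the colons=True form matches what openssl prints so the two can be compared directly.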
Download root and regional CA certificate bundles for a shared CA 
If you're using a Google-managed shared CA configuration, then you can download
the root and regional CA certificate bundles from the following table.
These certificate bundles don't apply to instances that use the
per-instance or customer-managed CA options.
Reset the SSL/TLS configuration 
You can completely reset your SSL/TLS configuration.
Caution:  Performing this action removes the ability to connect to your instance
using SSL/TLS until you create new client certificates to replace any
that were previously in use. 
Console

In the Google Cloud console, go to the Cloud SQL Instances page.
Go to Cloud SQL Instances

To open the Overview page of an instance, click the instance name.

    Select Connections from the SQL navigation menu.
    Go to the Reset SSL configuration section.
    Click Reset SSL Configuration.

gcloud 
  Refresh the certificate:
gcloud sql instances reset-ssl-config INSTANCE_NAME
 
REST v1beta4 
  Refresh the certificate:
  Before using any of the request data,
  make the following replacements:
  project-id: The project ID
  instance-id: The instance ID
  HTTP method and URL:

POST https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig

To send your request, expand one of these options:
  curl (Linux, macOS, or Cloud Shell)
      Note: The following command assumes that you have logged in to
      the gcloud CLI with your user account by running gcloud init or
      gcloud auth login, or by using Cloud Shell, which automatically
      logs you into the gcloud CLI. You can check the currently active
      account by running gcloud auth list.
    Execute the following command:

curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d "" \
"https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig"
  PowerShell (Windows)
    Execute the following command:

$cred = gcloud auth print-access-token
$headers = @{ "Authorization" = "Bearer $cred" }

Invoke-WebRequest `
-Method POST `
-Headers $headers `
-Uri "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id/resetSslConfig" | Select-Object -Expand Content
    You should receive a JSON response similar to the following:

Response

{
  "kind": "sql#operation",
  "targetLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/instances/instance-id",
  "status": "PENDING",
  "user": "user@example.com",
  "insertTime": "2020-01-20T21:30:35.667Z",
  "operationType": "UPDATE",
  "name": "operation-id",
  "targetId": "instance-id",
  "selfLink": "https://sqladmin.googleapis.com/sql/v1beta4/projects/project-id/operations/operation-id",
  "targetProject": "project-id"
}

What's next