Use case – managing certificates

We can connect to a Cloud SQL instance using SSL. This comes in handy when we don't want to access it manually, but want our application to access the SQL instance automatically. Cloud SQL uses two certificates for authentication: a self-signed certificate on the server side and a public/private key pair on the client side. This enables encryption of the communication between server and client. You must have both a valid server certificate and a valid client certificate (key pair) to support encrypted communication. Use the following steps to work with certificates:

  1. Configure the instance to mandate SSL connections:
    gcloud sql instances patch bank-balance --require-ssl
  2. Create an SSL certificate and store the private key (client-key.pem) securely on your system, or in a bucket if you trust the role owners:
    gcloud sql ssl-certs create bank-balance-cert client-key.pem --instance bank-balance
  3. To retrieve the public key of your certificate:
    gcloud sql ssl-certs describe bank-balance-cert --instance bank-balance --format='value(cert)'
  4. Create a file named client-cert.pem and paste the complete certificate into it. This will be your public key.
  5. To get the server certificate:
    gcloud sql instances describe bank-balance --format='value(serverCaCert.cert)'
  6. Again, copy the certificate into a file named server-ca.pem.
  7. To make these configurations active, restart the instance.
  8. Now, to retrieve the client certificate:
    gcloud sql ssl-certs describe bank-balance-cert --instance bank-balance --format='value(cert)'
  9. And finally, to delete the certificate:
    gcloud sql ssl-certs delete bank-balance-cert --instance bank-balance
  10. Restart the instance for the changes to take effect.
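
The following is an added example, not part of the original text: shell functions that sanity-check the three files the steps above produce (client-key.pem, client-cert.pem and server-ca.pem) before an application is pointed at them. It assumes the openssl command-line tool is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks the PEM files created in the steps above.
# Assumption: the openssl CLI is available; function names are illustrative.

# Returns 0 when the private key file has no group/other permission bits.
key_is_private() {
    case "$(ls -ld "$1")" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the certificate ($1) carries the public key of the key ($2).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the file parses as an X.509 certificate that has not expired.
cert_is_current() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Checks the three files in directory $1 (default: current directory).
# Prints one line per problem and returns the number of problems found.
check_sql_tls_files() {
    dir=${1:-.}
    problems=0
    for f in client-key.pem client-cert.pem server-ca.pem; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f"; problems=$((problems + 1)); }
    done
    [ "$problems" -eq 0 ] || return "$problems"
    key_is_private "$dir/client-key.pem" ||
        { echo "client-key.pem is accessible to group/other"; problems=$((problems + 1)); }
    cert_matches_key "$dir/client-cert.pem" "$dir/client-key.pem" ||
        { echo "client-cert.pem does not match client-key.pem"; problems=$((problems + 1)); }
    cert_is_current "$dir/client-cert.pem" ||
        { echo "client-cert.pem is unparsable or expired"; problems=$((problems + 1)); }
    cert_is_current "$dir/server-ca.pem" ||
        { echo "server-ca.pem is unparsable or expired"; problems=$((problems + 1)); }
    return "$problems"
}
```

Run `check_sql_tls_files /path/to/certs` after copying the certificates into place; a non-zero return value is the number of problems reported.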