Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Rotate Server Certificates for Cloud SQL Database Instances

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that all the server certificates configured for your Cloud SQL database instances are rotated before they are about expire. This will ensure that all incoming connections to your Cloud SQL database instances remain secure and the web clients use valid SSL certificates to connect to your databases.

Security

If the SSL/TLS protocol is enforced for all incoming connections made to the Cloud SQL database instances, only authenticated clients with valid SSL certificates can access the SQL databases. When SSL certificates are not renewed (rotated) prior to their expiration date, they become invalid and the communication between the clients and the database instances is no longer secure and may become interrupted. Receiving notifications from Google Cloud about your server certificates expiring may help but this method does not guarantee success, therefore to reduce the chances of an interruption or to prevent insecure communication between your databases and their clients, it is strongly recommended to rotate the database server certificates before they expire.

Note: As example, this conformity rule demonstrates how to rotate (renew) the Cloud SQL server certificates within 30 days before expiration.

Audit

To determine if your server certificates are about to expire, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click on the name (ID) of the Cloud SQL database instance that you want to examine.

05 In the navigation panel, select Connections to access the connectivity configuration details available for the selected instance.

06 In the SSL section, under Configure SSL server certificates, check the expiration date of the active SSL certificate, available in the Expires column. If the active server certificate configured for the selected database instance is about to expire soon (in less than 30 days), follow the instructions outlined in the Remediation/Resolution section to rotate the SSL certificate as quickly as possible.

07 Repeat step no. 4 – 6 to check the server certificate expiration date for other Cloud SQL database instances available within the selected project.

08 Repeat steps no. 2 – 8 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) using custom query filters to list the IDs of all the Google Cloud Platform (GCP) projects available in your Google Cloud account: 

gcloud projects list
	--format="table(projectId)"

02 The command output should return the requested GCP project identifiers: 

PROJECT_ID
cc-ms-web-project-123123
cc-mobile-project-123123

03 Run sql instances list command (Windows/macOS/Linux) using custom filtering to describe the name of each Cloud SQL database instance provisioned for the selected Google Cloud project: 

gcloud sql instances list
	--project cc-ms-web-project-123123
	--format="(NAME)"

04 The command output should return the requested database instance name(s): 

NAME
cc-web-sql-server-instance
cc-app-sql-server-instance

05 Run sql ssl server-ca-certs list command (Windows/macOS/Linux) using the name of the SQL database instance that you want to examine as identifier parameter and custom query filters to describe the expiration date of the active server certificate configured for the selected database instance: 

gcloud beta sql ssl server-ca-certs list
	--instance=cc-web-sql-server-instance
	--format="value(expirationTime)"

06 The command output should return the requested certificate information: 

2020-07-15T10:55:20.000Z

Check the expiration date of the active SSL certificate, returned by the sql ssl server-ca-certs list command output. If two expiration dates are returned, the date that represents the active certificate is the most recent one. If the active server certificate configured for the selected Cloud SQL database instance is about to expire soon (in less than 30 days), follow the instructions outlined in the Remediation/Resolution section to rotate the SSL certificate as soon as possible.

07 Repeat step no. 5 and 6 to check the server certificate expiration date for other SQL database instances created for the selected project.

08 Repeat steps no. 3 – 7 for each project available within your Google Cloud account.

Remediation / Resolution

To rotate an SSL server certificate that is about to expire in less than 30 days, configured for your Cloud SQL database instance, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Cloud SQL Instances dashboard at https://console.cloud.google.com/sql/instances.

04 Click on the name/ID of the database instance that you want to reconfigure.

05 In the navigation panel, select Connections to access the connectivity configuration details available for the selected instance.

06 In the SSL section, under Configure SSL server certificates, click Create new certificate to generate a new SSL server certificate.

07 Under Download SSL server certificates, click on Download to download the newly created certificate (i.e. server-ca.pem), encoded as a PEM file, to your local environment.

08 Update all of your database clients to use the new information by copying the downloaded file to your client host machines, replacing the existing server-ca.pem file.

09 Once you have updated your database clients, return to the Connections page, and click on the Rotate certificate button, available in the Configure SSL server certificates section, to complete the certificate rotation process. In the Confirm certificate rotation confirmation box, click ROTATE to confirm your action. If you encounter any issues with the newly rotated server certificate, you can click on Rollback certificate to rollback to the previous SSL configuration.

10 Repeat step no. 4 – 9 to rotate the SSL server certificate for other Cloud SQL database instances available within the selected project.

11 Repeat steps no. 2 – 10 for each project deployed in your Google Cloud account.

Using GCP CLI

01 Run sql ssl server-ca-certs create command (Windows/macOS/Linux) using the name of the Cloud SQL database instance that you want to reconfigure as identifier parameter (see Audit section part II to identify the right resource), to generate a new SSL server certificate for the selected instance: 

gcloud beta sql ssl server-ca-certs create
	--instance=cc-web-sql-server-instance

02 The output should return the sql ssl server-ca-certs create command request status: 

Creating Server CA Certificate...done.
Created [https://sqladmin.googleapis.com/sql/v1beta4/projects/cc-web-sql-server-instance/instances/cc-web-sql-server-instance/sslCerts/abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd].
SHA1_FINGERPRINT                          EXPIRATION
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd  2030-07-15T12:03:15.377Z

03 Run sql ssl server-ca-certs list command (Windows/macOS/Linux) to download the newly created server certificate (encoded as a PEM file) to your working environment, and save it to a file named server-ca.pem (the command does not produce an output): 

cloud beta sql ssl server-ca-certs list
	--format="value(cert)"
	--instance=cc-web-sql-server-instance > server-ca.pem

04 Update all of your database clients to use the new certificate information by copying the downloaded file to your client host machines and replace the existing server-ca.pem file.

05 Once you have updated your database clients, execute sql ssl server-ca-certs rotate command (Windows/macOS/Linux) to complete the server certificate rotation process for the selected Cloud SQL database instance: 

gcloud beta sql ssl server-ca-certs rotate
	--instance=cc-web-sql-server-instance

06 If successful, the output should return the sql ssl server-ca-certs rotate command request status: 

Rotating to upcoming Server CA Certificate...done.
SHA1_FINGERPRINT                          EXPIRATION
abcdabcdabcdabcdabcdabcdabcdabcdabcdabcd  2030-07-15T12:03:15.377Z

07 (Optional) If you encounter any problems with the newly rotated server certificate, run sql ssl server-ca-certs rollback command (Windows/macOS/Linux) to rollback the selected instance to the previous SSL configuration: 

gcloud beta sql ssl server-ca-certs rollback
	--instance=cc-web-sql-server-instance

08 The output should return the sql ssl server-ca-certs rollback command request status: 

Rolling back to previous Server CA Certificate...done.
SHA1_FINGERPRINT                          EXPIRATION
abcd1234abcd1234abcd1234abcd1234abcd1234  2020-07-15T10:55:20.000Z

09 Repeat step no. 1 – 8 to rotate the SSL server certificate for other Cloud SQL database instances provisioned for the selected project.

10 Repeat steps no. 1 – 9 for each project created within your Google Cloud account.

References

Publication date Apr 21, 2021

Related CloudSQL rules