diff --git a/modules/google_sql_database_instance/main.tf b/modules/google_sql_database_instance/main.tf
index 71c3d2b..4427adf 100644
--- a/modules/google_sql_database_instance/main.tf
+++ b/modules/google_sql_database_instance/main.tf
@@ -34,6 +34,12 @@ locals {
 tmp_database_flags = local.is_postgres ? local.postgres_database_flags : local.mysql_database_flags
 custom_database_flags = merge(var.settings_database_flags, local.tmp_database_flags)
+
+ primary_db_server_ca_furthest_expiration_time = reverse(sort([for k, v in google_sql_database_instance.instance.server_ca_cert : v.expiration_time]))[0]
+ primary_db_server_ca = [for v in google_sql_database_instance.instance.server_ca_cert : v.cert if v.expiration_time == local.primary_db_server_ca_furthest_expiration_time][0]
+
+ read_replica_db_server_ca_furthest_expiration_time = var.enable_read_replica ? reverse(sort([for k, v in google_sql_database_instance.read_replica[0].server_ca_cert : v.expiration_time]))[0] : ""
+ read_replica_db_server_ca = var.enable_read_replica ? [for v in google_sql_database_instance.read_replica[0].server_ca_cert : v.cert if v.expiration_time == local.read_replica_db_server_ca_furthest_expiration_time][0] : ""
 }
 #These setting will override from code
diff --git a/modules/google_sql_database_instance/outputs.tf b/modules/google_sql_database_instance/outputs.tf
index 2ead60f..4c05503 100644
--- a/modules/google_sql_database_instance/outputs.tf
+++ b/modules/google_sql_database_instance/outputs.tf
@@ -42,3 +42,9 @@ output "database_version" {
 description = "Database version, such as MYSQL_8_0 or POSTGRES_*"
 value = google_sql_database_instance.instance.database_version
 }
+
+output "primary_db_server_ca" {
+ description = "Latest CA certificate used by the primary database server"
+ value = local.primary_db_server_ca
+ sensitive = true
+}
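Review bot: In the main.tf `locals` hunk, the trust anchor is chosen by furthest `expiration_time`, which is not necessarily the CA that signs the certificate the server presents today. The hunk does not show whether `server_ca_cert` ever holds more than one entry, but if it does during a CA rotation, clients that pin only this value could fail verification against the still-active certificate, and the common reaction to that is to switch verification off. Exporting every entry as a bundle avoids the guess: `primary_db_server_ca = join("\n", [for v in google_sql_database_instance.instance.server_ca_cert : v.cert])`. Separately, each `[0]` raises an error on an empty list and `sort` compares the timestamps as strings, so it depends on them sharing one format; both points apply to the `read_replica_*` locals as well. The `locals` block opens above the hunk.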
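Review bot: In outputs.tf, `sensitive = true` on `primary_db_server_ca` treats a CA certificate as a secret, although it is public material that clients need in order to verify the server. Redacting it means a change of trust anchor no longer appears in plan output, which is where a reviewer would notice an unexpected swap, and every consumer has to carry the sensitive marking onward; the same applies to `read_replica_db_server_ca` in read_replica_outputs.tf. If nothing requires hiding it, drop the flag and state the selection rule in the description, e.g. `description = "CA certificate of the primary database server (the server_ca_cert entry with the furthest expiration_time)"`.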
diff --git a/modules/google_sql_database_instance/read_replica_outputs.tf b/modules/google_sql_database_instance/read_replica_outputs.tf
index dab47ef..4d63504 100644
--- a/modules/google_sql_database_instance/read_replica_outputs.tf
+++ b/modules/google_sql_database_instance/read_replica_outputs.tf
@@ -37,3 +37,9 @@ output "read_replica_private_ip_address" {
 description = "The first private (`PRIVATE`) IPv4 address assigned. This is a workaround for an issue fixed in Terraform 0.12 but also provides a convenient way to access an IP of a specific type without performing filtering in a Terraform config."
 value = try(google_sql_database_instance.read_replica[0].private_ip_address, "")
 }
+
+output "read_replica_db_server_ca" {
+ description = "Latest CA certificate used by the read replica database server"
+ value = local.read_replica_db_server_ca
+ sensitive = true
+}
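Review bot: `read_replica_db_server_ca` is the empty string whenever `enable_read_replica` is false (per the local added in main.tf), and the description does not say so. A consumer that writes the value to a CA file or hands it to a client unconditionally ends up with an empty trust store, and how a client reacts to that varies. Document the fallback so callers know to guard on it, e.g. `description = "Latest CA certificate used by the read replica database server; empty string when no read replica is enabled"`.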