themihai

Reputation: 8651

How to set up SSL on Google App Engine (custom domain name)

Google just announced SSL support for custom domains, but I can't understand how it can be set up, as there is no way to generate a Certificate Signing Request (CSR) on GAE?!

http://support.google.com/a/bin/answer.py?hl=en&hlrm=en&answer=2644386 Am I missing something?

Upvotes: 6

Views: 4041

Answers (4)

user2738183

This is reposted from my answer at: How to get .pem file from .key and .crt files?

I was trying to go from GoDaddy to App Engine. What did the trick was using this line in the terminal (Mac) to generate the key and CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr

Exactly as is, but replacing name with my domain name (not that it really even mattered).

Also, what follows that is a bunch of questions, and I answered all the questions pertaining to common name / organization as www.name.com, and I skipped the pass code and company name by just pressing enter.

Then I opened the .csr file, copied it, pasted it in GoDaddy's CSR form, waited for GoDaddy to approve it, then downloaded it, unzipped it, navigated to the unzipped folder in the terminal and entered:

cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt

Then I used these instructions from the post Trouble with Google Apps Custom Domain SSL, which were:

openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem

Exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt, I used name.crt.

Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate", and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key". And that finally worked.

Upvotes: 2

Arne S

Reputation: 1016

To expand on the above:

The following three steps should be sufficient to generate a private key and a self-signed certificate suitable for testing SSL on GAE on a Linux box:

  • openssl genrsa -out yourdomain.com.key 1024
  • openssl req -new -key yourdomain.com.key -out yourdomain.com.csr
  • openssl x509 -req -days 365 -in yourdomain.com.csr -signkey yourdomain.com.key -out yourdomain.com.crt

Disclaimer: It works but I do not know what I'm doing

Upvotes: 8

Diaz

Reputation: 241

Various programs exist to create a Certificate Signing Request (CSR). I used 'openssl' on a Linux machine to generate the key and CSR.

1) I generated an Unencrypted PEM encoded RSA private key as specified by Google's SSL for a Custom Domain (https://cloud.google.com/appengine/docs/ssl)

cd $HOME
openssl genrsa -out rsa_private_key.key 2048

2) Use the 'rsa_private_key.key' to generate the required Certificate Signing Request (CSR) file.

openssl req -new -key rsa_private_key.key -out request.csr 

You will be asked the following questions:

   Country Name (2 letter code) [AU]: US
   State or Province Name (full name) [Some-State]: Illinois
   Locality Name (eg, city) []: Chicago
   Organization Name (eg, company) [Internet Widgits Pty Ltd]: Chicago Company, Ltd.
   Organizational Unit Name (eg, section) []: IT
   Common Name (eg, YOUR name) []: checkout.customedomain.com
   Email Address []:

I ignored two additional questions and everything worked fine. The 'request.csr' located in your home directory ($HOME) is the CSR file needed by the Certificate Authority provider to generate your certificate(s). Again, it doesn't have to be openssl: many tools for various platforms are supported by providers. Just keep in mind Google's requirements.

A side note regarding Custom Domains:

Make sure your CUSTOM DOMAIN includes a subdomain or 'Fully Qualified Domain Name.' The 'www.' is considered a subdomain and it's ALWAYS required for SSL in Google App Engine (10/2014). So in my example, if I wanted SSL at customedomain.com I would add 'www.customedomain.com'. You can redirect your naked domain to your Fully Qualified Domain Name.

Google App Engine DOES NOT provide SSL support for naked domains like: https://customedomain.com

Upvotes: 3

Rick Mangi

Reputation: 3769

You need to generate a certificate with a CA and upload it. They aren't offering certificate creation as a service.

Upvotes: 1
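A pre-upload check for the two files the answers above produce (private.pem and public.pem), added here as an example and not part of any answer: it confirms the key file holds exactly one unencrypted RSA key, that the first certificate in the concatenated bundle carries the same modulus, and that the key is not shorter than a minimum size. The function names and the 2048-bit default are assumptions of this example, and only RSA keys are handled.

```python
import base64, re
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, encrypted, der)]; text outside the armor (e.g. a `-text` dump) is ignored."""
    out = []
    for label, body in PEM.findall(text):
        lines = [l.strip() for l in body.strip().splitlines()]
        enc = any(l.startswith("Proc-Type:") for l in lines)  # legacy encrypted PEM
        b64 = "".join(l for l in lines if ":" not in l)       # drop header lines
        out.append((label, enc, base64.b64decode(b64)))
    return out

def tlvs(buf):  # split DER bytes into consecutive (tag, value) pairs
    pos, items = 0, []
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the count of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        items.append((tag, buf[pos:pos + length]))
        pos += length
    return items

def key_modulus(der):
    items = tlvs(tlvs(der)[0][1])  # PKCS#1: SEQUENCE { version, n, e, d, ... }
    if items[1][0] == 0x30:        # PKCS#8: the PKCS#1 key sits in the OCTET STRING
        return key_modulus(items[2][1])
    return int.from_bytes(items[1][1], "big")

def cert_modulus(der):
    tbs = tlvs(tlvs(tlvs(der)[0][1])[0][1])       # Certificate -> tbsCertificate
    spki = tbs[6 if tbs[0][0] == 0xA0 else 5][1]  # v1 certs omit the [0] version
    rsa_pub = tlvs(spki)[1][1][1:]                # BIT STRING minus unused-bits byte
    return int.from_bytes(tlvs(tlvs(rsa_pub)[0][1])[0][1], "big")

def check_upload(key_pem, cert_pem, min_bits=2048):  # min_bits: assumed policy
    """Return a list of problems; an empty list means the pair is consistent."""
    keys, certs = pem_blocks(key_pem), pem_blocks(cert_pem)
    if len(keys) != 1 or keys[0][1] or keys[0][0] not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        return ["key file must hold exactly one unencrypted RSA private key"]
    if not certs or any(label != "CERTIFICATE" for label, _, _ in certs):
        return ["certificate file must contain only CERTIFICATE blocks"]
    n, problems = key_modulus(keys[0][2]), []
    if n.bit_length() < min_bits:
        problems.append(f"RSA modulus is {n.bit_length()} bits, below {min_bits}")
    if cert_modulus(certs[0][2]) != n:
        problems.append("first certificate does not match the private key")
    return problems
```

Call it as `check_upload(open("private.pem").read(), open("public.pem").read())` before uploading; an empty list means the key and the leaf certificate belong together.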
