ObiHill

Reputation: 11876

Setting up an SSL cert with Google Cloud Load Balancer

I'm trying to set up Google Cloud Load Balancer for SSL using a certificate (PositiveSSL) that I generated via a certificate authority.

Via the Google Cloud Shell, here is how I generated the key:

openssl genrsa -out my-key.key 2048

And here is how I generated the CSR (certificate signing request):

openssl req -new -key my-key.key -out my-csr.csr

I then used the CSR to obtain the SSL cert from the certificate authority, and I received the following two files:

  1. my-crt.crt
  2. my-ca-bundle.ca-bundle

All told, I have the following four files:

  1. my-key.key
  2. my-csr.csr
  3. my-crt.crt
  4. my-ca-bundle.ca-bundle

The image shown below is the form for creating an SSL cert in Google Cloud Load Balancer:


Can you please direct me as to what information goes where (from the files I have at my disposal)? I don't have any files that are in .pem format.

Upvotes: 3

Views: 2617

Answers (2)

Nickson Thanda

Reputation: 879

  • my-crt.crt is the public key certificate

  • my-key.key is the private key to your certificate

  • my-ca-bundle.ca-bundle is your certificate chain

Open those files up, copy and paste the content to the form.

This is described in the GCP documentation on "Creating and Using SSL Certificates" under the section "Creating an SSL certificate resource from existing certificate files". As per the doc:

  • In the Public key certificate field, click the Upload button to upload your .crt file or paste the entire contents of your .key file into the field, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- that enclose the file contents.
  • In the Certificate chain field, click the Upload button to upload your .csr file or paste the entire contents of the .csr file into the field, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- that encloses the file contents.
  • In the Private key certificate field, click the Upload button to upload your private key, using the .key file generated previously. This file uses, for example, -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- to enclose the file contents.

Upvotes: 3

Nur

Reputation: 606

You can definitely copy paste from the files. However, if you would like to create a .pem file then I have found this document that describes how to create a .pem File for SSL Certificate Installations. As per the document, the Privacy Enhanced Mail (PEM) files are concatenated certificate containers frequently used in certificate installations when multiple certificates that form a complete chain are being imported as a single file. You can think of it as a layered container of chained certificates. A .pem file is a container format that may just include the public certificate or the entire certificate chain (private key, public key, root certificates):

  • Private Key
  • Server Certificate (crt, public key)
  • (optional) Intermediate CA and/or bundles if signed by a 3rd party

How to create a self-signed PEM file:

openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

How to create a PEM file from existing certificate files that form a chain:

1) Remove the password from the Private Key (optional) by following the steps listed below:

  • Type openssl rsa -in server.key -out nopassword.key and press Enter.
  • Enter the pass phrase of the Private Key.

2) Combine the private key, public certificate and any 3rd party intermediate certificate files:

cat nopassword.key > server.pem
cat server.crt >> server.pem

Repeat this step as needed for third-party certificate chain files, bundles, etc:

cat intermediate.crt >> server.pem

Additionally, I have found another Server Fault article on How to create a .pem File for SSL Certificate Installations.

Upvotes: 0
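
Added example (not part of either answer or of Google's documentation): any file with -----BEGIN ...----- lines is PEM whatever its extension, and the label in that line, not the file name, tells you which form field a block belongs in. This Python sketch splits a combined server.pem like the one built above back into the three fields named in the first answer. The function names, the sample data, the rule that the server certificate precedes the intermediates, and the treatment of pass-phrase-protected keys are assumptions of this example.

```python
import base64
import re

# The BEGIN/END label says what a PEM block is; the file extension does not.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}


def split_pem(text):
    """Yield (label, block, encrypted) for each PEM block found in text."""
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        # Legacy encrypted keys put "Proc-Type: 4,ENCRYPTED" headers before a blank line.
        encrypted = "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body
        payload = re.split(r"\r?\n\r?\n", body, maxsplit=1)[-1]
        base64.b64decode("".join(payload.split()), validate=True)  # raises if corrupt
        yield label, m.group(0), encrypted


def route_to_form(text):
    """Sort PEM blocks into the three form fields named in the answers above."""
    fields = {"public_key_certificate": None, "certificate_chain": [],
              "private_key": None, "set_aside": []}
    for label, block, encrypted in split_pem(text):
        if label == "CERTIFICATE" and fields["public_key_certificate"] is None:
            fields["public_key_certificate"] = block  # assumption: server cert comes first
        elif label == "CERTIFICATE":
            fields["certificate_chain"].append(block)  # later certs: intermediates
        elif label in KEY_LABELS and not encrypted:
            fields["private_key"] = block
        else:
            # CSRs are not certificates; a pass-phrase-protected key is assumed unusable as-is.
            fields["set_aside"].append(label + (" (encrypted)" if encrypted else ""))
    return fields


def armour(label, data):
    """Build a constructed PEM block; the payload is filler, not real DER."""
    b64 = base64.encodebytes(data).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


# Constructed sample in the `cat` order from the second answer, plus a stray CSR.
SAMPLE = "".join(armour(label, f"constructed block {i}".encode()) for i, label in enumerate(
    ("RSA PRIVATE KEY", "CERTIFICATE", "CERTIFICATE", "CERTIFICATE REQUEST")))

if __name__ == "__main__":
    print({k: v if k == "set_aside" else bool(v) for k, v in route_to_form(SAMPLE).items()})
```

The routing only reads labels and checks that each payload is valid base64; it does not confirm that the key matches the certificate or that the chain verifies.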
