Jason Parms

Google App Engine helps to build and run applications on Google’s infrastructure. You can develop, manage, and host web applications on this PaaS (Platform as a service) cloud-computing platform. There is no need to maintain the server, but it requires only uploading of your application.

In the intelligence of application protection, SSL can play a vital role and goes beyond a basic functionality with covering worldwide-distributed SSL endpoints and inbuilt load balancing to protect applications rapidly and dependably. In this article, we are explaining step by step instructions to install SSL certificate on Google App Engine.

Generate the CSR:

Before installing SSL on Google App Engine, it is necessary to generate a CSR to get a private key.

There are some prerequisite steps in Google App Engine while generating the CSR which is as follows.

  • Create an App Engine project.
  • Buy a domain.
  • Set up a Google Apps account.
  • Append the App Engine application as a service of the Google Apps account.
  • Append a sub domain URL in Google Apps for your App Engine application.
  • Enable SSL for the application.
  • Configure SSL certificate.

Google App Engine supports single domain, wildcard, SNI, Self-signed certificates and the configuration of SSL certificate needs some key requirements, which should be fulfilled like:

  • Private key and certificate must be in PEM format.
  • Private keys should be remained unencrypted.
  • A Certificate file should contain up to five certificates (chained and intermediate certificate).
  • Subject names on the host certificate should match the domains linked to the account in the Google Apps Control Panel.
  • There should be the use of RSA encryption for Private keys.
  • Maximum 2048 bits key should be used.

Learn how to generate certificate signing request and what kind of information you must include in CSR.

After creating a CSR key, you will get the certificate in the email in a zip file; you need to download the certificate file. After that, extract the file to the server directory.

Create PEM File:

  • Open a text editor and copy the entire certificate details and paste into the text editor in following order:
    • Primary certificate: domain_name.crt
    • Intermediate certificate: certificate_provider.crt
  • Add “BEGIN CERTIFICATE” and “END CERTIFICATE” mark on each certificate.
  • The text file will be looking as follows:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: certificate_provider.crt)
-----END CERTIFICATE-----
  • Now save the file with name as domain_name.pem

Activate SSL for Custom Domain in the Google App Engine

For activation of SSL certificate for a custom domain, you have to add your app into Google App. If you have already added the app into Google App, then just skip the below mentioned first step.

  1. Login to your Google Apps Account. To add your app as a service in Google App, browse More Controls > App engine Apps > Add Service. Now enter application ID and click on “Add it now” button, accept the terms of agreement & click on the Activate button.
  2. Now connect your app to Google Apps and map it to the subdomain and there will be an app URL like App-ID.appspot.com. If you want to allow users to access the primary domain with Google app account, then click on “Add new URL” button. After that, enter sub domain URL like app.yoursite.com or www. yoursite.com
  3. You should click on Enable SSL for App Engine Applications by following Security > Advance Settings > Show More > SSL for Customer Domains and enter App ID to activate SSL certificate.
  4. Now, you will be redirected to App Engine Admin Console of the application.

Configure SSL for Custom domains in Google app Engine

Configuration of SSL certificate includes uploading and configuration of the SSL certificate. First, we discuss on uploading the SSL certificate into the Google Admin Console.

Uploading SSL Certificate:

  • First, login into the Google Admin console
  • Click on Security > Advanced Settings > Show More (optional) > SSL for Custom Domains.
  • Now, click on Configure SSL Certificates that will land you on the SSL configuration page.
  • Click on Upload a new certificate button.

new certificate - google app engine

  • Now, under PEM encoded X.509 certificate, click Choose File to locate and select domain_name.pem certificate file.
  • Under unencrypted PEM encoded RSA private key, click on choose file and select domain_name.key private key file ( a private key file that you got at the time of CSR generation).
  • After selecting PEM X.509 certificate file and private key file, click on the upload button.

Configuration of SSL Certificate:

  • When you have completed uploading process of certificate and key files, then choose “Serving mode” option on the page.

choose serving mode - google app engine

  • During configuration, there will be three Serving mode options available like Not Serving, SNI (server name indication) and SNI + VIP:<a VIP number>.**VIP = Virtual IP**. You have to select one of these three serving mode options on the base of your server type.

serving mode - google app engine

  • After selecting the serving mode, you can assign matching URLs in two ways: you can add each matching URL by selecting from the drop down box and click on Add button or you can add multiple matching URLs with a click on “Assign all matching URLs”.

Note: If you don’t have any URLs to assign, You can assign it Using a Custom Domain guideline provided by the Google app Engine.

  • You have to change CNAME (basic resource record in DNS) details of the URL and for that, you have to contact DNS service provider. Learn how to create CNAME record in Google App Engine.
  • Click on the save button and your SSL certificate is uploaded and configured successfully.