SSL Certificate for your domain with Google App Engine

jun 29 2012
Google App Engine

Since June 2012 Google released the use of SSL Certificates to all Google App Engine users. In this post I will help you to get started with generating and installing your SSL Certificate.

App Engine supports two ways of serving SSL Certificates. Virtual IP where a dedicated IP address is assigned to your application, like most websites that are serving SSL requests are now days configured, or via Server Name Indication (SNI), what allows multiple domains to share the same IP address while each domain name can still have its own valid SSL Certificates.

SNI is supported by all major browsers, but not supported by all operating systems, for example Windows XP and some browsers on mobile phone devices like Android 2.x. If your site needs to support visitors from these types of systems we would advise to use the more expensive dedicated IP solution (VIP).

How to install an SSL Certificate on Google App Engine

Before you can install an SSL Certificate on your Google Apps domain you first need to link your own domain name to your application. If you are yet to complete this step, you can find a manual of how to do this here:
https://developers.google.com/appengine/docs/domain

Login onto your Google Apps control panel at:
http://www.google.com/apps/

When you have logged-in, go to "Domain Settings" and then to "SSL"

Here you can see an overview of the total costs for the usage of an SSL Certificate with Google App Engine. When you agree with these costs, click “Enable”.

Select “Increase SNI certificate slots by 5“ or “Add a VIP”. This last option is only available if you have enough funds in your account.

You can now start uploading your certificate. The Google dashboard provides no option to generate a private key or certificate signing request. You can use our manual for the Apache webserver to see how you can create this key material with a tool called OpenSSL.

Click “Upload a new certificate” to continue.

Next you have the option to upload your private key and the certificate that you purchased from GlobalSign.

Because Google App Engine does not have a separate option to upload an Intermediate Certificate, you have to include this certificate in the public key file. You can do this by opening the certificate for your website and the Intermediate Certificates from GlobalSign in a plain text editor and simply copy and paste all the content from the Intermediate Certificate at the end of the file of the webserver certificate that was issued by GlobalSign.

Now you can start the upload:

“PEM encoded X.509 certificate”
The combination of the certificate issued by GlobalSign for your website, and the GlobalSign Intermediate Certificate.

“Unencrypted PEM encoded RSA private key”
This is the private key you generated with OpenSSL, if you open this file with a plain text editor like notepad it will start with "---- BEGIN RSA PRIVATE KEY ----". This is not the Certificate Signing request that you used to request your certificate with GlobalSign.

When you click “Upload” your certificate is uploaded and you can assign this to your website by selecting the name of your website from the drop-down list.

In your Google App Engine dashboard you will see that you will be billed by day for the usage of your SSL Certificate.

Your site is now available over https://.

For more information about SSL Certificates with Google App Engine please check the manual on the Google developers website:

https://developers.google.com/appengine/docs/ssl