Installing a custom SSL Cert on Google App Engine

Published Sep 18, 2017
Installing a custom SSL Cert on Google App Engine

In order to realize one of my latest app ideas, and stop paying Shopify, I decided to try Google’s Cloud Platform (GCP). Specifically, I decided to try their newly added support for .NET Core.

Google has an awesome team, lots of support, and documentation on their site, so I first navigated there to find out more.

Even with all of this support, GCP was still a bit intimidating because you have to decide among the different types of engines, i.e. Compute, App, Container, etc.

Coming from a background that includes running my own IIS server, I opted first for the Compute Engine and ported over most of my web applications and websites to this instance.

That being done, this past weekend I decided that I would try something new — with the latest coming out of both Google and Microsoft, I decided to set up an App Engine Instance running a .NET Core app.

For starters, I checked out Scott Hanselman's great post on how to deploy a .NET core app and learned more about his experience getting a .NET Core site up and running on GCP:

I also, after persistent Googling, came across Google’s instructions to complete the same:

When I was finished, I had managed to get my site up and running but still had to connect my domain name. For this, I headed over to Google’s documentation, available here.

Because my site will handle credit card data and because SSL should be standard, I needed to finish the loop by adding an SSL cert.

This is where I ran into my first real roadblock.

Working from a Windows machine with a Command Prompt, it wasn’t so clear to me how to get a custom SSL cert installed. Thinking about it for a minute, I remembered seeing a talk by Google’s Chris Sells, where he did most of his .NET Core management from the built in Cloud Shell. Cloud Shell to the rescue!!

GCP Cloud ShellFig 1. GCP Cloud Shell

From here, I was able to follow the instructions for custom cert install. I summarize them here:

  1. Generate your private key and a certificate signing request (CSR) by using OpenSSL from the cloud shell mentioned above.

Use the following command:

        openssl req -nodes -newkey rsa:2048 -keyout [MY_PRIVATE_KEY].key -out [MY_CSR].csr


  • [MY_PRIVATE_KEY].key is the generated file where your private key is stored. Example: myserver.key
    • [MY_CSR].csr is the generated file for your certificate signing request. Example: server.csr

When prompted, enter the following information:

  • Your 2 digit country code, for example, US for the United States.
  • Your city name.
  • Your company name. You can use your own name if you don’t have a company.
  • Your organizational unit or NA if you don’t have this.
  • A common name that represents your domain, for example:
  • Your email address.

2. Determine which certificate authority works for you and then purchase a certificate. For example, you can use: SSLMate, Thawte, Comodo, or any other certificate authority.

For details about the types of supported certificates, see App Engine support for SSL certificates.

3. When your CA requests the contents of your CSR file, follow their instructions for copying and pasting the contents from your .csr file that you generated earlier.

For example, use a text editor such as Vim or, assuming you specified “server” for your name earlier, you can type vi server.csr into the Cloud shell and copy your .csr from there.

4. Follow the prompts when your CA requests domain owner approval.

From here, it is simply a matter of receiving your cert from the CA and following the latter half of the Google SSL page on “Converting private keys and concatenating SSL certificates.”

That’s all there is to it. If you have any questions or get stuck, feel free to comment here or find me on Twitter @DamolaOmotosho.

Discover and read more posts from Damola 'D' Omotosho
get started