Installing a custom SSL Cert on Google App Engine
Google has an awesome team, lots of support, and documentation on their site, so I first navigated there to find out more.
Even with all of this support, GCP was still a bit intimidating because you have to decide among the different types of engines, i.e. Compute, App, Container, etc.
Coming from a background that includes running my own IIS server, I opted first for the Compute Engine and ported over most of my web applications and websites to this instance.
That being done, this past weekend I decided that I would try something new — with the latest coming out of both Google and Microsoft, I decided to set up an App Engine Instance running a .NET Core app.
For starters, I checked out Scott Hanselman's great post on how to deploy a .NET Core app and learned more about his experience getting a .NET Core site up and running on GCP: https://www.hanselman.com/blog/TryingASPNETCoreOnTheGoogleCloudPlatformAppEngineFlexibleEnvironment.aspx
I also, after persistent Googling, came across Google’s instructions to complete the same:
When I was finished, I had managed to get my site up and running but still had to connect my domain name. For this, I headed over to Google’s documentation, available here.
Because my site will handle credit card data and because SSL should be standard, I needed to finish the loop by adding an SSL cert.
This is where I ran into my first real roadblock.
Working from a Windows machine with a Command Prompt, it wasn’t so clear to me how to get a custom SSL cert installed. Thinking about it for a minute, I remembered seeing a talk by Google’s Chris Sells, where he did most of his .NET Core management from the built-in Cloud Shell. Cloud Shell to the rescue!!
Fig 1. GCP Cloud Shell
From here, I was able to follow the instructions for custom cert install. I summarize them here:
1. Generate your private key and a certificate signing request (CSR) by using OpenSSL from the Cloud Shell mentioned above.
Use the following command:
openssl req -nodes -newkey rsa:2048 -keyout [MY_PRIVATE_KEY].key -out [MY_CSR].csr
[MY_PRIVATE_KEY].key is the generated file where your private key is stored. Example:
[MY_CSR].csr is the generated file for your certificate signing request. Example:
When prompted, enter the following information:
- Your 2 digit country code, for example, US for the United States.
- Your city name.
- Your company name. You can use your own name if you don’t have a company.
- Your organizational unit or NA if you don’t have this.
- A common name that represents your domain, for example: www.example.com.
- Your email address.
For details about the types of supported certificates, see App Engine support for SSL certificates.
3. When your CA requests the contents of your CSR file, follow their instructions for copying and pasting the contents from your .csr file that you generated earlier.
For example, use a text editor such as Vim or, assuming you specified “server” for your name earlier, you can type vi server.csr into the Cloud Shell and copy your .csr from there.
4. Follow the prompts when your CA requests domain owner approval.
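The key and CSR step above, made non-interactive and followed by the checks worth running before the CSR is pasted into the CA's form. This is an added example, not part of the original post or Google's instructions; the base name server, the function names and the subject values are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example. "server" and every subject value are constructed placeholders.

# make_csr <basename> <subject>: the same openssl call as step 1, with -subj
# answering the prompts. umask 077 because -nodes writes the key unencrypted.
make_csr() {
  ( umask 077
    openssl req -nodes -newkey rsa:2048 \
      -keyout "$1.key" -out "$1.csr" -subj "$2" ) >/dev/null 2>&1
}

# The CSR's self-signature verifies (it was signed by the key it carries).
# grep on the message because older openssl exits 0 even on a failed verify.
csr_is_valid() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Print the common name the CA will see.
csr_common_name() {
  openssl req -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= //p'
}

# The public key in the CSR is the one derived from the private key file.
key_matches_csr() {
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ] && openssl pkey -in "$1" -noout 2>/dev/null
}

# preflight <basename> <expected-domain>: run all checks before submitting.
preflight() {
  csr_is_valid "$1.csr"                    || { echo "bad CSR signature"; return 1; }
  [ "$(csr_common_name "$1.csr")" = "$2" ] || { echo "CN is not $2"; return 1; }
  key_matches_csr "$1.key" "$1.csr"        || { echo "key/CSR mismatch"; return 1; }
  echo "ok: $1.csr is ready to submit"
}

# e.g. make_csr server "/C=US/L=Springfield/O=Example Co/OU=NA/CN=www.example.com" \
#        && preflight server www.example.com
```

Only the .csr file goes to the CA; the .key file stays on your side and is needed again for the conversion step.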
From here, it is simply a matter of receiving your cert from the CA and following the latter half of the Google SSL page on “Converting private keys and concatenating SSL certificates.”
That’s all there is to it. If you have any questions or get stuck, feel free to comment here or find me on Twitter @DamolaOmotosho.