How to set up SSL on Google App Engine (custom domain name)

Google just announced SSL support for custom domain but I can't understand how it can be set up, as there is no way to generate a Certificate Signing Request (CSR) on GAE?!

http://support.google.com/a/bin/answer.py?hl=en&hlrm=en&answer=2644386 Am I missing something?

asked Jul 4 '12 at 01:07

4 Answers

To expand on the above:

The following three steps should be sufficient to generate a private key and a self-signed certificate suitable for testing SSL on GAE on a linux box:

  • openssl genrsa -out yourdomain.com.key 1024
  • openssl req -new -key yourdomain.com.key -out yourdomain.com.csr
  • openssl x509 -req -days 365 -in yourdomain.com.csr -signkey yourdomain.com.key -out yourdomain.com.crt

Disclaimer: It works but I do not know what I'm doing

answered May 15 '15 at 20:05

More recent (and lower voted) answers have better info. - gaefan

Various programs exist to create a Certificate Signing Request (CSR.) I used 'openssl' on a linux machine to generate the Key and CSR.

1) I generated an Unencrypted PEM encoded RSA private key as specified by Google's SSL for a Custom Domain (https://cloud.google.com/appengine/docs/ssl)

cd $HOME
openssl genrsa -out rsa_private_key.key 2048

2) Use the 'rsa_private_key.key' to generate the required Certificate Signing Request (CSR) file.

openssl req -new -key rsa_private_key.key -out request.csr 

You will be asked the following questions:

   Country Name (2 letter code) [AU]: US
   State or Province Name (full name) [Some-State]: Illinois
   Locality Name (eg, city) []: Chicago
   Organization Name (eg, company) [Internet Widgits Pty Ltd]: Chicago Company, Ltd.
   Organizational Unit Name (eg, section) []: IT
   Common Name (eg, YOUR name) []: checkout.customedomain.com
   Email Address []:

I ignored two additional questions and everything worked fine. The 'request.csr' located in your home directory ($HOME) is the CSR file needed by the Certificate Authority provider to generate your certificate(s). Again, it doesn't have to be openssl: many tools for various platforms are supported by providers. Just keep in mind Google's requirements.

A side note regarding Custom Domains:

Make sure your CUSTOM DOMAIN includes a subdomain or 'Fully Qualified Domain Name.' The 'www.' is considered a subdomain and it's ALWAYS required for SSL in Google Appengine (10/2014.) So in my example if I wanted SSL at customedomain.com I would add 'www.customedomain.com'. You can redirect your naked domain to your Fully Qualified Domain Name.

Google Appengine DOES NOT provide SSL support for naked domains like: https://customedomain.com

answered Oct 29 '14 at 23:10

This is reposted from my answer at: How to get .pem file from .key and .crt files?

I was trying to go from godaddy to app engine. What did the trick was using this line in the terminal (mac) to generate the key and csr:

openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr

Exactly as is, except replacing name with my domain name (not that it really mattered)

Also, what follows that is a bunch of questions and I answered all the questions pertaining to common name / organization as www.name.com, and I skipped the pass code and company name by just pressing enter

Then I opened the .csr file, copied it, pasted it in go daddy's csr form, waited for godaddy to approve it, then downloaded it, unzipped it, navigated to the unzipped folder in the terminal and entered:

cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt

Then I used these instructions from the post Trouble with Google Apps Custom Domain SSL, which were:

openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem

exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt, I used name.crt

Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate",

and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key"..

.. And that finally worked.

answered May 23 '17 at 13:05

For whatever reason to get Android to recognize the cert, I had to individually PEM encode the files from godaddy and THEN concat them. The final file had two "-----BEGIN CERTIFICATE-----" statements. After doing that, ssllabs.com/ssltest/analyze.html went from grade B to grade A and after closing and after a bit, the error went away on Chrome. - blaine garrett

It worked, thanks man :) I am using Google App Engine and this private RSA key had an issue. I used the below code from Stack Overflow and this also worked for me :) Your private PEM file has this line: -----BEGIN RSA PRIVATE KEY----- Delete everything above this line and it will work. - Ramdrupal7
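An added example, not part of any answer or comment above: structural checks on the two files before uploading them, covering the text dump that `openssl rsa -text` writes above the PEM header and the number of certificates in a concatenated bundle. Function names are hypothetical, and the sample PEM bodies are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example: pre-upload checks on the key and certificate bundle.
# Function names are hypothetical; sample PEM bodies are constructed.
# Keep only the PEM blocks, dropping the dump `openssl rsa -text` writes above them.
strip_to_pem() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

# 0 = bare unencrypted RSA key, 1 = first line is not the RSA header,
# 2 = passphrase-protected key.
check_key() {
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        return 2
    fi
    [ "$(head -n 1 "$1")" = "-----BEGIN RSA PRIVATE KEY-----" ] || return 1
}

# Print how many certificates a concatenated bundle holds.
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# 0 if the key and the FIRST certificate in the file share one RSA modulus.
# Needs openssl and real files; not exercised on the constructed samples.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed samples shaped like the files produced in the answer above.
make_samples() {
    cat > "$1/private.pem" <<'EOF'
Private-Key: (2048 bit)
modulus:
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
EOF
    cat > "$1/name.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
EOF
}

d=$(mktemp -d); make_samples "$d"
check_key "$d/private.pem" || echo "private.pem rejected (code $?)"
strip_to_pem "$d/private.pem" > "$d/clean.pem"
check_key "$d/clean.pem" && echo "clean.pem has a bare RSA header"
echo "certificates in name.crt: $(count_certs "$d/name.crt")"
rm -rf "$d"
```

On real files, `key_matches_cert name.unencrypted.priv.key name.crt` confirms the key belongs to the first certificate in the bundle.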

You need to generate a certificate with a CA and upload it. They aren't offering certificate creation as a service.

answered Jul 4 '12 at 02:07

Thanks! It seems to work by simply generating the CSR on a linux server, concatenate the CA bundle and upload it along with the private certificate (.key file) - themihai

Hi mihai, could you please give us more details (e.g. Linux commands) on how you've been able to generate this GAE-compatible CSR, for instance for a typical wildcard SSL certificate *.yourdomain.com? The Google doc seems to assume we're all SSL cert gurus... Thanks a lot! - Luis LC

@LouisLC I generated a CSR (nothing special, just followed the wizz). I've got the certificate from digicert and I ended up with: DigiCertCA.crt TrustedRoot.crt domain.csr domain.key www_mydomain_com.crt. I concatenated the stuff from digicert with the following command: cat DigiCertCA.crt TrustedRoot.crt www_epek_com.crt > bundle. Then I uploaded bundle and domain.key to GAE. - themihai
