My set up is using google domains for my registry, google apps to host the custom domain via google app engine. This all worked before I tried to install the SSL certificate, so I will elide it here.
I tried to shop around for SSL certificates, this was intimidating, because quite frankly, I know little about certificates, nor web security. I've used godaddy in the past, and figured I would give them a try.
In order to generate an SSL certificate, I first had to generate a private key:
note I am using OS X
$ openssl genrsa -out mykey.pem 2048 Generating RSA private key, 2048 bit long modulus ...
$ openssl req -new -key mykep.pem -out mysite.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
...
You just fill out the form.
Next you request upload the CSR [mysite.csr] to GoDaddy, and then wait for it to validate ownership (I had to set up a TXT record to do this). Finally you download the certificate for "other" server.
Now you have a zip file with two certificates, called <some_hex_string>.crt and gd_bundle-g2-g1.crt
You must create pem files for each doing something like (this is black magic to me):
$ openssl x509 -outform der -in gd_bundle-g2-g1.crt -out gd_bundle-g2-g1.der
$ openssl x509 -inform der -in 2gd_bundle-g2-g1.der -out gd_bundle-g2-g1.pem
Then simply cat the two together (order matters):
$ cat <some_hex_string>.pem gd_bundle-g2-g1.pem > combined.pem
Now upload combined.pem and mykey.pem to Google Apps.
