I wanted to make my personal website accessible only over HTTPS. This seems like it should be straightforward, right? Buy a certificate, install it through App Engine, and voila. It was almost that easy, but it was a little intimidating, and there was one non-obvious snag that was quickly remedied.
My setup uses Google Domains as the registrar and Google Apps to map the custom domain to my Google App Engine app. All of this worked before I tried to install the SSL certificate, so I will elide it here.
I shopped around for SSL certificates, which was intimidating because, quite frankly, I know little about certificates or web security. I've used GoDaddy in the past and figured I would give them a try.
In order to obtain an SSL certificate, I first had to generate a private key (note I am using OS X). No -des3 or -aes flag is passed, so the key is written unencrypted, which is what the upload step at the end needs:
$ openssl genrsa -out mykey.pem 2048
Generating RSA private key, 2048 bit long modulus
...
Next up I had to create a CSR (Certificate Signing Request):
$ openssl req -new -key mykey.pem -out mysite.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
...
You just fill out the form. The field that matters is the Common Name, which must be the exact hostname you are securing; the CA validates that name and browsers check it against the URL. The other fields you can fill in or leave blank, as the prompt says.
Next you upload the CSR (mysite.csr) to GoDaddy and wait for it to validate domain ownership (I had to set up a DNS TXT record for this). Finally you download the certificate, choosing "Other" as the server type.
Now you have a zip file with two certificate files: <some_hex_string>.crt (your certificate) and gd_bundle-g2-g1.crt (GoDaddy's intermediate chain, which can hold more than one certificate).
You must create PEM files for each, doing something like the following (this was black magic to me at the time). Two caveats: if a .crt file already begins with -----BEGIN CERTIFICATE----- it is PEM already and the round trip through DER is unnecessary, and openssl x509 only ever reads the first certificate in its input, so running the bundle through it silently drops any further intermediates. Only do the conversion for a file that is actually DER (binary, not text):
$ openssl x509 -outform der -in gd_bundle-g2-g1.crt -out gd_bundle-g2-g1.der
$ openssl x509 -inform der -in gd_bundle-g2-g1.der -out gd_bundle-g2-g1.pem
Then simply cat the two together, your own certificate first and the bundle after it (order matters: the server presents the leaf first, followed by the intermediates that lead up to GoDaddy's root):
$ cat <some_hex_string>.pem gd_bundle-g2-g1.pem > combined.pem
Now upload combined.pem and mykey.pem to Google Apps. mykey.pem is the unencrypted private key from the first step, so keep it out of version control and off any shared machine. If the upload is rejected, check that the key actually matches the certificate (same RSA modulus) and that the first certificate in combined.pem is yours, not the bundle's, before assuming GoDaddy issued the wrong thing.
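As an added example (not from the original post, and not a reproduction of what GoDaddy or Google do with the files), the script below stands up a throwaway two-level CA with openssl, signs a CSR for the hypothetical host mysite.example, and then runs the checks worth doing on combined.pem and mykey.pem before uploading: that the bundle really holds more than one certificate and that an openssl x509 DER round trip keeps only its first one, that the private key matches the leaf, that the leaf comes first in combined.pem, and that the whole chain verifies. All file names, the CA names and the host name are invented for the demo; it needs only the openssl CLI and writes into a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post. Local stand-in for the GoDaddy
# hierarchy (Demo Root -> Demo Intermediate -> mysite.example) plus the checks
# to run on combined.pem and mykey.pem before uploading them. Requires openssl.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal req config: DN fields come from -subj, extensions make a real CA chain.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:mysite.example
EOF

# Write $1 out as PEM whatever its encoding. openssl x509 only reads the FIRST
# certificate of its input, so an existing PEM file (possibly a multi-cert
# bundle) is copied through untouched instead of being round-tripped via DER.
to_pem() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then cp "$1" "$2"
  else openssl x509 -inform der -in "$1" -out "$2"; fi
}

# Number of certificates in a PEM file (a chain bundle should be more than one).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# 1 if private key $1 and certificate $2 carry the same RSA modulus, else 0.
key_matches_cert() {
  k=$(openssl rsa -in "$1" -noout -modulus | openssl sha256)
  c=$(openssl x509 -in "$2" -noout -modulus | openssl sha256)
  [ "$k" = "$c" ] && echo 1 || echo 0
}

# 1 if the first certificate in $1 is issued to host $2 (leaf first), else 0.
leaf_first() {
  openssl x509 -in "$1" -noout -subject | grep -q "$2" && echo 1 || echo 0
}

# 1 if leaf $3 chains up to root $1 through the intermediates in $2, else 0.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1 && echo 1 || echo 0
}

build_demo() {
  # Stand-in CA: root and intermediate (the intermediate plays the gd_bundle role).
  openssl genrsa -out root.key 2048 2>/dev/null
  openssl req -new -x509 -key root.key -config ca.cnf -extensions v3_ca \
    -subj "/CN=Demo Root" -days 3650 -out root.pem
  openssl genrsa -out inter.key 2048 2>/dev/null
  openssl req -new -key inter.key -config ca.cnf -subj "/CN=Demo Intermediate" -out inter.csr
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.cnf -extensions v3_ca -out inter.pem 2>/dev/null
  # The steps from the post: private key, CSR, and the certificate that comes back.
  openssl genrsa -out mykey.pem 2048 2>/dev/null
  openssl req -new -key mykey.pem -config ca.cnf -subj "/CN=mysite.example" -out mysite.csr
  openssl x509 -req -in mysite.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -extfile ca.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null
  # Pretend the CA handed the leaf back as DER, to exercise the conversion path.
  openssl x509 -in leaf.pem -outform der -out leaf.der
  # A GoDaddy-style bundle is one PEM file holding several certificates.
  cat inter.pem root.pem > gd_bundle.crt
  # What the post's DER round trip does to such a bundle: only one cert survives.
  openssl x509 -in gd_bundle.crt -outform der -out bundle.der
  openssl x509 -inform der -in bundle.der -out bundle_roundtrip.pem
  to_pem leaf.der mysite.pem
  cat mysite.pem gd_bundle.crt > combined.pem
}

build_demo
echo "certs in bundle:           $(cert_count gd_bundle.crt)"
echo "certs after DER roundtrip: $(cert_count bundle_roundtrip.pem)"
echo "key matches cert:          $(key_matches_cert mykey.pem mysite.pem)"
echo "leaf first in combined:    $(leaf_first combined.pem mysite.example)"
echo "chain verifies:            $(chain_ok root.pem gd_bundle.crt mysite.pem)"
```

For a real GoDaddy certificate, point key_matches_cert at mykey.pem and your <some_hex_string> file, leaf_first and chain_ok at combined.pem and gd_bundle-g2-g1.crt, and supply GoDaddy's root (or your system trust store) as the -CAfile; the openssl verify call only passes when every intermediate the leaf needs is present in the bundle, which is exactly what a DER round trip of the bundle can break.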