How to Re-Issue an SSL Certificate for App Engine (with RapidSSL)

Google provides great documentation on how to set up SSL on App Engine. RapidSSL has a couple of good hands-on guides on how to generate a certificate, but none specific to the App Engine setup. I encourage you to read through all three of them to get an overview. Additionally, you can check out this excellent StackExchange answer explaining the different file formats such as .csr, .pem and .key.

Let’s get started with the first of our six steps.

Step 1: Generate a new Private Key including a Certificate Signing Request (CSR)

First of all we need to generate a new private key. Our private key has a couple of requirements according to Google’s documentation:

- Should be uploaded in PEM format
- Private Keys must not be encrypted
- Private keys must use RSA encryption
- Maximum allowed key modulus: 2048 bits

Create a proper key by executing the following command:

openssl genrsa -out private_key.key 2048

Note: Don’t use the -des3 option, since App Engine requires the private key to be unencrypted.

Next we need a Certificate Signing Request. It contains all the information needed to apply for a certificate. During this step you have to fill out several details. For RapidSSL you should not enter an email address, a challenge password or an optional company name. This might be different for other providers.

openssl req -new -key private_key.key -out request.csr 

Step 2: Upload the Certificate Signing Request

First we have to find the existing certificate. Log in to RapidSSL and find your order in “List Orders” under the navigation point “My Orders”.

On this page click the “Re-Issue Certificate” button. Copy the content of your request.csr file and paste it into the text box. Follow the remaining steps. An email will be sent to you; verify it and accept the order review.

Step 3: Save the new Certificates

You will receive an email including the web server certificate and the certificate of the intermediate certificate authority (CA).

According to Google’s documentation we need to combine them.

If the host certificate requires an intermediate or chained certificate (as many Certificate Authorities (CAs) issue), you will need to append the intermediate or chained certificates to the end of the public certificate file.

Create a new file naming it combined_certificates.pem. Add the web server certificate first and then append the intermediate CA certificate.

Its combined content should look like this:

Step 4: Upload your Certificates and Private Key

Visit the App Engine Admin Area. Click on “Billing Status” in the navigation and click on the “Settings” button for your domain.

Click on “Upload a new Certificate” and choose the file combined_certificates.pem for the file upload button “PEM encoded X.509 certificate”. Choose the file private_key.key for “Unencrypted PEM encoded RSA private key”.

After clicking Upload, the new certificate immediately appears below your currently serving certificate.

Click on “Replace Certificate” and choose your new certificate.

Note: Since you only replaced the certificate, it shouldn’t be necessary to update your domain.

Step 5: Confirm your Website is serving your new SSL Certificate

You can confirm that your new certificate is being served by comparing the fingerprints printed by these two commands (the first shows the certificate your domain serves, the second the server certificate at the top of your combined file):

echo | openssl s_client -connect <your_domain>:443 2>/dev/null | openssl x509 -noout -fingerprint
openssl x509 -noout -in combined_certificates.pem -fingerprint

Step 6: Remove your old Certificate

Delete the old certificate within Google Apps and delete the private_key.key file.

Make sure the old certificate gets revoked by emailing your order number, the old certificate’s serial number or the old certificate itself.

Congratulations! You just replaced your SSL certificates ☺