Google App Engine

SSL for a Custom Domain

App Engine allows applications to be served over both HTTPS and HTTP on a custom domain instead of an appspot.com address. See Using a Custom Domain to learn how to configure App Engine to use your custom domain. Once you have done that, this document explains how to enable HTTPS for your domain. This service is configured through the Google Apps Control Panel and is billed through App Engine applications.

Please note that in April of 2013, Google stopped issuing SSL certificates for double-wildcard domains hosted at appspot.com (i.e. *.*.appspot.com). If you rely on such URLs for HTTPS access to your application, please change any application logic to use "-dot-" instead of ".". For example, to access version "1" of application "myapp", use "https://1-dot-myapp.appspot.com" instead of "https://1.myapp.appspot.com". If you continue to use "https://1.myapp.appspot.com", the certificate will not match, which will result in an error for any User-Agent that expects the URL and certificate to match exactly.

Choosing an SSL type

App Engine supports two types of SSL for custom domains. You can configure your domain to use either or both.

Server Name Indication (SNI)

Server Name Indication is a feature that extends SSL and TLS. This extension allows multiple domains to share the same IP address while still allowing separate valid certificates for all the domains. Some older browsers and operating systems don't support SNI, most notably Internet Explorer and Safari on Windows XP and the default Android browser pre-Honeycomb. When a user visits an SNI site with a client that does not support SNI, they will be unable to view the page when connecting via HTTPS. We recommend detecting browsers that do not support SNI and recommending a browser that supports it.

Virtual IP (VIP)

A dedicated IP address is assigned for your application. This allows TLS to be used without the SNI extension and as such it will work on any browser or OS that supports SSL. Each VIP only supports one certificate. The Virtual IP address may change and therefore DNS A records should not be used. Use a CNAME record to avoid any issues caused by Virtual IP changes.

Certificate requirements

App Engine supports the following certificate types:

  • Single Domain/Hostname
  • Self-signed
  • Wildcard
  • Subject Alternative Name (SAN) / Multi Domain

App Engine places the following requirements on your certificates and keys:

  • Private Key and Certificate should be uploaded in PEM format.
  • Private Keys must not be encrypted.
  • A certificate file can contain at most five certificates; this number includes chained and intermediate certificates.
  • All subject names on the host certificate should match or be subdomains of the domains associated with the account in the Google Apps Control Panel.
  • Private keys must use RSA encryption.
  • Maximum allowed key modulus: 2048 bits

If the host certificate requires an intermediate or chained certificate (as many Certificate Authorities (CAs) issue), you will need to append the intermediate or chained certificates to the end of the public certificate file.
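
A pre-upload check for the requirements listed above, as an added example that is not part of the original documentation or of App Engine's tooling. It covers the five-certificate limit, the unencrypted-key rule, the RSA-only rule and the 2048-bit modulus cap; preflight and rsa_modulus_bits are hypothetical helper names, and subject-name matching is not checked.

```python
import base64
import re

# Limits as stated on this page.
MAX_CERTS = 5            # per certificate file, chain and intermediates included
MAX_MODULUS_BITS = 2048
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER of 1.2.840.113549.1.1.1 (rsaEncryption)
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def rsa_modulus_bits(der):
    """Modulus size of a PKCS#1 RSAPrivateKey, or of one wrapped in PKCS#8."""
    _, pos, _ = _tlv(der, 0)            # outer SEQUENCE
    _, _, pos = _tlv(der, pos)          # version INTEGER
    tag, start, end = _tlv(der, pos)
    if tag == 0x30:                     # PKCS#8: AlgorithmIdentifier, then OCTET STRING
        if not der[start:end].startswith(RSA_OID):
            raise ValueError("private key is not RSA")
        _, start, end = _tlv(der, end)
        return rsa_modulus_bits(der[start:end])
    if tag != 0x02:
        raise ValueError("unexpected key structure")
    return int.from_bytes(der[start:end], "big").bit_length()


def preflight(cert_pem, key_pem):
    """Return a list of problems; an empty list means these checks passed."""
    problems = []
    n_certs = sum(m.group(1) == "CERTIFICATE" for m in PEM_RE.finditer(cert_pem))
    if not 1 <= n_certs <= MAX_CERTS:
        problems.append(f"certificate file holds {n_certs} certificates, need 1 to {MAX_CERTS}")
    keys = [m for m in PEM_RE.finditer(key_pem) if m.group(1).endswith("PRIVATE KEY")]
    if len(keys) != 1:
        return problems + ["expected exactly one PEM private key"]
    label, body = keys[0].groups()
    if "ENCRYPTED" in label or "Proc-Type:" in body:
        return problems + ["private key is encrypted"]
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        return problems + [f"unsupported key type: {label}"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(body))
    except (ValueError, IndexError) as exc:
        return problems + [f"cannot parse private key: {exc}"]
    if bits > MAX_MODULUS_BITS:
        problems.append(f"RSA modulus is {bits} bits, limit is {MAX_MODULUS_BITS}")
    return problems
```

Pass the contents of the certificate file and the key file as strings; the certificate bodies are only counted, not parsed.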

Some App Engine features use special subdomains. For example, an application uses subdomains to address backends. You can use subdomains to address different versions of your application. To use these with SSL, it makes sense to set up a SAN or wildcard certificate. Wildcard certificates only support one level of subdomain.
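
The one-level wildcard rule stated above is also the reason for the "-dot-" change described at the top of this page. The following added example (not part of the original documentation) shows the match failing for the dotted form, passing for the "-dot-" form, and rewrites legacy hosts found in application text; the function names are hypothetical, and joining more than two leading labels goes beyond the single example the page gives.

```python
import re

# Hosts with two or more labels in front of appspot.com (the legacy form).
LEGACY_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.){2,}appspot\.com\b", re.I)


def wildcard_matches(pattern, host):
    """Certificate-name match where '*' stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])


def to_dot_form(host, base="appspot.com"):
    """Join every label in front of `base` with -dot-, leaving one subdomain level."""
    host = host.lower().rstrip(".")
    suffix = "." + base
    if not host.endswith(suffix):
        return host  # not an appspot.com host: leave untouched
    return host[: -len(suffix)].replace(".", "-dot-") + suffix


def rewrite_legacy_hosts(text):
    """Rewrite each legacy appspot.com host in text; return (new_text, hosts_found)."""
    hits = LEGACY_HOST_RE.findall(text)
    return LEGACY_HOST_RE.sub(lambda m: to_dot_form(m.group(0)), text), hits
```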

Activating SSL for your domain

Assuming that you have already set up a custom domain as described in Using a Custom Domain, you can activate SSL for it.

You must have an App Engine application with billing enabled that has cleared at least one billing charge; use this application when enabling SSL.

To activate and configure SSL:

  • Go to the Google Apps Control Panel for your domain. (Browse http://www.google.com/a/yourdomain and sign in.)
  • Navigate to the Domain Settings tab and then to the SSL subtab. (This subtab will not appear until you have configured your application to use a custom domain.)
  • Enter the Application ID of the application you wish to have SSL related charges billed through and click Enable SSL for App Engine Applications. All SSL charges from this Google Apps account will be added to the given application's bill.
  • You will be redirected to the Admin Console of the application named in the previous step. (You may need to log in to the App Engine Application if you use a different account than used to administer the Google Apps account.)
  • Confirm that you wish to bill all SSL-related charges to this application.
  • You will be redirected back to the SSL tab in the Google Apps Control Panel.

(You can disable SSL for a particular domain/Google Apps account in both the App Engine Admin Console and the Google Apps Control Panel. In the Apps control panel Billing Status section, there is a Disable SSL link. In the App Engine Administration Console, there is a Disable Billing for SSL button on the Billing Settings page.)

SSL for Custom Domains is now activated for your Google Apps account. You can now add VIPs and SNI certificate slots as described below.

Changing the number of SNI certificate slots

SNI certificate slots can be increased and decreased on the Google Apps SSL Billing Status page. Click the Increase SNI Certificate Slots button to buy five slots for serving additional certificates via SNI. If your application has five unused slots available, there is also a Decrease SNI Certificate Slots button. To change the serving status of a certificate, please see the Uploading and Configuring Certificates section.

Adding and removing VIPs

Virtual IP addresses (VIPs) are allocated and removed individually on the Google Apps SSL Billing Status page. To add a VIP, click the Add a VIP button. The option to delete a VIP is only available if a VIP is not serving a certificate. To unassign certificates from a VIP, please see the Uploading and Configuring Certificates section.

If you add a VIP and then remove it immediately, you will still be billed for an entire day.

Uploading and configuring certificates

You can manage certificates in the SSL section of the Domain Settings tab of the Google Apps control panel. To reach this section:

  • Go to the Google Apps Control Panel for your domain. (Browse http://www.google.com/a/yourdomain and sign in.)
  • If you're not already on the Configure SSL page, press the Configure SSL Certificates button.

Uploading a certificate and private key

  • Click the Upload a New Certificate button.
  • When prompted, choose the certificate and private key files.
  • Press the Upload button.

Configuring a certificate after you have uploaded it

  • Choose a Serving mode: None, SNI, or SNI and a VIP. (The UI will present choices based on what slots you have available. If you haven't already, you can add SNI slots or add VIPs. SNI and VIP will only charge you for the VIP, not 1 SNI slot plus 1 VIP.)
  • Choose which URLs the certificate should handle. You can choose URLs from the drop-down list or add all matching URLs by using the Assign all Matching URLs button.
  • Click the Save button at the bottom of the page to save your changes.
  • Work with your DNS provider to update CNAME records. For each domain in the assigned URLs, change the CNAME record to the CNAME given in the "CNAME to" field.

To replace a certificate

You can replace one certificate with another. App Engine only allows this if it can assign all of the current certificate's URLs to the new certificate and the new certificate is in "Not serving" mode.

Replacing a certificate moves all URLs from the current certificate to the new one. If the current certificate uses a VIP, the VIP will be moved to the new certificate. The new certificate's serving mode will be set to the current certificate's serving mode. The current certificate's serving mode will be reset to "Not serving".

  • Upload the new certificate.
  • For the certificate you wish to replace, choose the new certificate from its "Replace with" list and click the Select button.
  • Click the Save button at the bottom of the page to save your changes.

Change billed application

The application to which SSL-related charges are billed can be changed on the Google Apps SSL Billing Status page.

To change the billed application:

  • Click on the Change link next to the current billed application ID.
  • Enter the Application ID of the application you wish to have SSL related charges billed through and click Change. All SSL charges from this Google Apps account will be added to the given application's bill.
  • You will be redirected to the Admin Console of the application named in the previous step. (You may need to log in to the App Engine Application if you use a different account than used to administer the Google Apps account.)
  • Confirm that you wish to bill all SSL-related charges to this application.
  • You will be redirected back to the SSL tab in the Google Apps Control Panel.

Disabling SSL

To remove a certificate

Before removing the certificate, change your DNS configuration. The CNAME records for the certificate's URLs should be ghs.googlehosted.com. (Work with your domain provider to change your DNS configuration.) Because DNS servers cache records, you probably want to change this at least 24 hours before removing the certificate.

You can manage certificates in the SSL section of the Domain Settings tab of the Google Apps control panel. To reach this section:

  • Go to the Google Apps Control Panel for your domain. (Browse http://www.google.com/a/yourdomain and sign in.)
  • If you're not already on the Configure SSL page, press the Configure SSL Certificates button.

In the SSL section of the Domain Settings tab of the Google Apps control panel, you can remove certificates:

  • Click Delete Certificate on the certificate you wish to remove
  • Click Save at the bottom of the page

Disabling SSL billing

If you wish to keep the URLs that have SSL, work with your DNS provider to change the CNAME record for those addresses to ghs.googlehosted.com before disabling SSL billing.

  • Navigate to the Billing Settings page on the Administration Console
  • Click Disable Billing for SSL for the domain you wish to disable SSL billing for.

Quotas and limits

The following limits apply specifically to the use of SSL for custom domains:

Limit                       Amount
VIPs per domain             10
Mappings per certificate    20
Certificates per account    20
