SSL Setup Guide

PageSpeed Service was turned off on August 3rd, 2015. Please see Turndown Information for PageSpeed Service.

Certificate and Key Requirements

Before starting the SSL setup, please note that PageSpeed Service supports the following certificate types:
  • Single Domain/Hostname
  • Self-signed
  • Wildcard
  • Subject Alternative Name (SAN) / Multi Domain
It requires some things of your certificates and keys:
  • Private keys and certificates should be uploaded in unencrypted PEM format.
  • A certificate file can contain at most five certificates; this number includes chained and intermediate certificates.
  • All subject names on the host certificate should match or be sub-domains of the domains that you'd like to serve through PageSpeed Service.
  • Private keys must use RSA encryption. Maximum allowed key modulus: 2048 bits.

1. Add your domain to PageSpeed Service console

Complete steps 1 to 4 of the PageSpeed Service setup process for your domain (e.g. www.example.com).

2. Register your domain with Google Apps

Serving SSL traffic through PSS requires that your domain www.example.com be registered as the primary domain with Google Apps. If your domain has already been configured with Google Apps move to the next step. If not, sign up for a free account with Google Apps.

The domain that is set up on Google Apps control panel will be example.com and not www.example.com.

3. Creating Certificates in the right format

We require all uploaded certificates and keys to be in unencrypted PEM format.

A certificate looks like:

-----BEGIN CERTIFICATE-----
MIIDHDCCAoWgAwIBAgIJAN5iX5JTokyuM
gNVBAcTBlN5ZG5leTEhMB8GA1UEChMY
…..
----END CERTIFICATE-----
and an unencrypted key looks like:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA9COFtHw8ppcBD6jEVjXAn6Hnzp+JDI5trRqqYS4uUSb5aH0D
0kP/S8IiV2mmS8BkHXC4zjhMMZ2q282iAkmY67Zl7k2XJsh7sqYD0kky+FnatmJd
….
-----END RSA PRIVATE KEY-----
The information presented in this section will help you to create the certificates in the correct format.

Generating a certificate signing request

You will most likely need to generate a private/public key pair locally before uploading the unsigned public key to the provider in a format called a certificate signing request (csr).

The command below can be used to generate a certificate signing request. To use the command you need to have OpenSSL installed on your local machine.

openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
The certificate signing request can now be sent to a certificate authority for signing. The provider will sign the request and return a fully formed/signed certificate shortly after.

Decrypting an encrypted private key

You can decrypt an encrypted private key on your local machine using OpenSSL. Enter your password to the following command:
openssl rsa -in encrypted.key -out unencrypted.key

4. Inform PageSpeed Service Team

Please write to pss-ssl-support@google.com with the subject "Enable SSL for {Your Domain}" and include the following information:
  • Your domain name and all sub-domains for which you require SSL support
  • Type of SSL required - SNI or VIP
You will need to wait for a response from our support team before proceeding to the next step.


PageSpeed Service supports two types of SSL:

  • Server Name Indication (SNI) (Recommended): This allows multiple domains to share the same IP address while still allowing a separate certificate for each domain.
  • Virtual IP (VIP): Each VIP can only serve a single hostname, wildcard or multi-domain certificate. Currently, PageSpeed Service has a limit of 1 VIP per domain.

5. Upload Certificates

Proceed to this step, only AFTER you receive a notification from PageSpeed Service support team.
  • Go to Google Apps Control Panel for your domain and sign in. In order to get to your control panel, replace example.com with your domain name in this url: www.google.com/a/example.com.
  • Navigate to the Security tab in your Admin Console, under More controls.

  • Google Apps Security Control Panel
  • Navigate to the SSL for Custom Domains tab by clicking on “Show more” in the Security section.

  • SSL For Custom Domains
  • Add your request SSL slots, by clicking on "Increase your SNI slots by 5" or "Add a VIP". You can ignore the billing summary, since SSL support is free of charge for now. You will be informed about pricing information when it is available.

    Enable SSL Slots
  • Click on "Configure SSL Certificates".

    Configure SSL Certificates

5.1 Upload a certificate and private key

  • Click on the "Upload a New Certificate" button.

  • Upload new certificate
  • When prompted, choose the certificate and private key files.
  • Press the Upload button.

5.2 Configure a certificate after you have uploaded it

  • Choose a Serving mode: None, SNI, or SNI and a VIP. (The UI will present choices based on what slots you have available.)
  • Choose which URLs the certificate should handle. You can choose URLs from the drop-down list or add all matching URLs by using the Assign all Matching URLs button.

  • Choose SSL URLs in Google Apps
  • Click the Save button at the bottom of the page to save your changes.

6. Change your CNAME record to serve your domain through PageSpeed Service

  • Login to your DNS provider
  • Add a CNAME record for www.example.com (and all sub-domains, if any)
  • If you are using SNI set the value of the CNAME record to pagespeed.googlehosted.com. If you are using VIP set its value as mentioned in the 'CNAME to' field.
  • If you are using client IP address of the requests for monitoring, localization, etc, please make sure that you use X-Forwarded-For Http header. For details click here.

7. Check if your certificate is set up properly

Visit www.digicert.com/help/ to check if your certificate is set up correctly.