PageSpeed Service was turned off on August 3rd, 2015. Please see Turndown Information for PageSpeed Service.
Certificate and Key Requirements
Before starting the SSL setup, please note that PageSpeed Service supports the following certificate types:- Single Domain/Hostname
- Self-signed
- Wildcard
- Subject Alternative Name (SAN) / Multi Domain
- Private keys and certificates should be uploaded in unencrypted PEM format.
- A certificate file can contain at most five certificates; this number includes chained and intermediate certificates.
- All subject names on the host certificate should match or be sub-domains of the domains that you'd like to serve through PageSpeed Service.
- Private keys must use RSA encryption. Maximum allowed key modulus: 2048 bits.
1. Add your domain to PageSpeed Service console
Complete steps 1 to 4 of the PageSpeed Service setup process for your domain (e.g. www.example.com).
2. Register your domain with Google Apps
Serving SSL traffic through PSS requires that your domain www.example.com be registered as the primary domain with Google Apps. If your domain has already been configured with Google Apps move to the next step. If not, sign up for a free account with Google Apps.
The domain that is set up on Google Apps control panel will be example.com and not www.example.com.
3. Creating Certificates in the right format
We require all uploaded certificates and keys to be in unencrypted PEM format.
A certificate looks like:
-----BEGIN CERTIFICATE----- MIIDHDCCAoWgAwIBAgIJAN5iX5JTokyuM gNVBAcTBlN5ZG5leTEhMB8GA1UEChMY ….. ----END CERTIFICATE-----and an unencrypted key looks like:
-----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA9COFtHw8ppcBD6jEVjXAn6Hnzp+JDI5trRqqYS4uUSb5aH0D 0kP/S8IiV2mmS8BkHXC4zjhMMZ2q282iAkmY67Zl7k2XJsh7sqYD0kky+FnatmJd …. -----END RSA PRIVATE KEY-----The information presented in this section will help you to create the certificates in the correct format.
Generating a certificate signing request
You will most likely need to generate a private/public key pair locally before uploading the unsigned public key to the provider in a format called a certificate signing request (csr).
The command below can be used to generate a certificate signing request. To use the command you need to have OpenSSL installed on your local machine.
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csrThe certificate signing request can now be sent to a certificate authority for signing. The provider will sign the request and return a fully formed/signed certificate shortly after.
Decrypting an encrypted private key
You can decrypt an encrypted private key on your local machine using OpenSSL. Enter your password to the following command:openssl rsa -in encrypted.key -out unencrypted.key
4. Inform PageSpeed Service Team
Please write to pss-ssl-support@google.com with the subject "Enable SSL for {Your Domain}" and include the following information:- Your domain name and all sub-domains for which you require SSL support
- Type of SSL required - SNI or VIP
PageSpeed Service supports two types of SSL:
- Server Name Indication (SNI) (Recommended): This allows multiple domains to share the same IP address while still allowing a separate certificate for each domain.
- Virtual IP (VIP): Each VIP can only serve a single hostname, wildcard or multi-domain certificate. Currently, PageSpeed Service has a limit of 1 VIP per domain.
5. Upload Certificates
Proceed to this step, only AFTER you receive a notification from PageSpeed Service support team.- Go to Google Apps Control Panel for your domain and sign in. In order to get to your control panel, replace example.com with your
domain name in this url:
www.google.com/a/example.com
. - Navigate to the Security tab in your Admin Console, under More controls.
- Navigate to the SSL for Custom Domains tab by clicking on “Show more” in the Security section.
- Add your request SSL slots, by clicking on "Increase your SNI slots by 5" or "Add a VIP".
You can ignore the billing summary, since SSL support
is free of charge for now. You will be informed about pricing information when it is available.
- Click on "Configure SSL Certificates".


5.1 Upload a certificate and private key
- Click on the "Upload a New Certificate" button.
- When prompted, choose the certificate and private key files.
- Press the Upload button.

5.2 Configure a certificate after you have uploaded it
- Choose a Serving mode: None, SNI, or SNI and a VIP. (The UI will present choices based on what slots you have available.)
- Choose which URLs the certificate should handle. You can choose URLs from the drop-down list or add all matching URLs by using the Assign all Matching URLs button.
- Click the Save button at the bottom of the page to save your changes.

6. Change your CNAME record to serve your domain through PageSpeed Service
- Login to your DNS provider
- Add a CNAME record for www.example.com (and all sub-domains, if any)
- If you are using SNI set the value of the CNAME record to
pagespeed.googlehosted.com
. If you are using VIP set its value as mentioned in the 'CNAME to' field. - If you are using client IP address of the requests for monitoring, localization, etc, please make sure that you use X-Forwarded-For Http header. For details click here.
7. Check if your certificate is set up properly
Visit www.digicert.com/help/ to check if your certificate is set up correctly.