Adding new ssl certificate in Google App Engine

After copying and pasting your key file and certificate for your App Engine custom domain, you receive a generic popup error in Cloud Console:

Sorry, there's a problem. If you entered information, check it and try 
again. Otherwise, the problem might clear up on its own, so check back later.

The actual error message is listed in the activity area of the Google Cloud Console dashboard and states the following:

Invalid argument (HTTP 400): Invalid certificate. `CertificateRawData`
must contain a PEM encoded x.509 public key certificate, with header and 
footer included, and an unencrypted PEM encoded RSA private key, with 
header and footer included and with size at most 2048 bits. The requested 
private key and public certificate must match.

Before you can upload an SSL certificate, the private key has to be an RSA private key and the certificate needs to be x509 encoded. Let's backtrack and go through the steps to properly request a csr and key file. After generating a csr file, you request a certificate from the registrar by copying and pasting the csr or uploading a file containing the csr text.

Step 1:

First you need to create a csr and a private key file. The openssl command is used to generate both. It is available on the command line of most Linux operating systems. If you visit the openssl project website, you will notice there isn't a Windows binary file available. If you are a Windows user, you can run the openssl command in Google Cloud Shell from your web browser:

$ openssl req -new -newkey rsa:2048 -nodes -subj /C=US/CN=COMMON_NAME -keyout KEYFILE

Replace COMMON_NAME with the domain name for which you are generating the request file, known as a csr. Without an -out option, openssl req writes the csr to the terminal rather than to a file.

$ openssl req -new -newkey rsa:2048 -nodes -subj /C=US/ -keyout mykey.key

Step 2:

Convert the key file generated by the openssl req command to an RSA key:

openssl rsa -in mykey.key -out mykey.key.pem

Step 3:

Upload your csr to the certificate authority for approval. Domain-level csrs are normally approved within a few minutes. For GoDaddy, you can upload your csr file or copy and paste the csr text for standard domain verification. Your csr is verified within a few minutes, and you will then be able to download a certificate file with a name ending in .crt.

Step 4:

Download the approved crt file from the certificate authority and convert it to x509:

openssl x509 -in certificate.crt -out certificatex509.crt

Step 5:

Check that your RSA key file and x509 certificate match. The two commands below must print the same md5 hash:

openssl x509 -noout -modulus -in certificatex509.crt | openssl md5

openssl rsa -noout -modulus -in mykey.key.pem | openssl md5

Step 6:

Upload mykey.key.pem and certificatex509.crt to App Engine:

gcloud app ssl-certificates create --certificate=C:\path\to\cert\certificatex509.crt --display-name=my-cert-1 --private-key=C:\path\to\cert\mykey.key.pem

Step 7:

Log in to Cloud Console and assign my-cert-1 to your custom domain.
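
The requirements listed in the HTTP 400 error message and the comparison from Step 5 can be checked in one pass before running the upload in Step 6. The script below is an added example, not part of the original article; check_pair is a hypothetical helper name, and it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example: pre-upload check for the certificate/key pair from Steps 4-5.
# check_pair is a hypothetical helper name; it only reads the two files.

check_pair() {
    cert=$1
    key=$2

    # The certificate must be PEM with header and footer, parseable as x509.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
        { echo "certificate is not PEM encoded" >&2; return 1; }
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) ||
        { echo "certificate does not parse as x509" >&2; return 1; }

    # An encrypted key carries ENCRYPTED in its PEM header block
    # ("Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY").
    if grep -q 'ENCRYPTED' "$key" 2>/dev/null; then
        echo "private key is encrypted" >&2; return 1
    fi
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) ||
        { echo "private key does not parse as an RSA key" >&2; return 1; }

    # "Modulus=<hex>": four bits per hex digit, so 2048 bits is 512 digits.
    hex=${key_mod#Modulus=}
    if [ "${#hex}" -gt 512 ]; then
        echo "private key is larger than 2048 bits" >&2; return 1
    fi

    # Same comparison as Step 5, on the moduli themselves instead of their md5.
    if [ "$cert_mod" != "$key_mod" ]; then
        echo "private key and certificate do not match" >&2; return 1
    fi
    echo "ok: certificate and key pass the checks"
}

# Usage: sh check_pair.sh certificatex509.crt mykey.key.pem
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

The function returns non-zero and prints the first failed requirement to stderr, so it can gate the gcloud upload in a script.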


Z Data Tech Last modified: January 30, 2023