This tutorial explains how to generate a CSR (Certificate Signing Request) for Google App Engine. Because GAE provisions Google-managed SSL certificates automatically (signed by Google Trust Services or Let’s Encrypt), you only need to generate a CSR if you plan to upload your own certificate, for example an OV, EV, or wildcard certificate from a commercial Certificate Authority.
GAE has no built-in CSR generator, so you will create the CSR off-platform using OpenSSL. You can run the commands in Google Cloud Shell (available from the Cloud Console) or on any local machine that has OpenSSL installed.
Generate the CSR on Google App Engine
You have two options:
- Use our CSR Generator to create the CSR and private key automatically.
- Follow the manual steps below to generate the CSR with OpenSSL.
Step 1. Open a terminal
If you are using Google Cloud Shell, open the Cloud Console, select your project, and click the Activate Cloud Shell button in the top-right toolbar. A terminal session opens at the bottom of the page in your home directory (/home/your-username).
On a local machine, open any terminal that has OpenSSL available (Linux, macOS Terminal, or Windows with OpenSSL installed).
Step 2. Run the OpenSSL command
Run the following command to generate a new RSA-2048 private key and a CSR in one step. Google App Engine requires RSA-2048 keys; larger key sizes (3072, 4096) and ECC keys are not supported.
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Replace yourdomain with your actual domain name. The command creates two files:
- yourdomain.key, your private key. Keep this file secure; you will need it when you upload the certificate to GAE.
- yourdomain.csr, your Certificate Signing Request.
Step 3. Fill in the CSR fields
OpenSSL prompts you for several fields. Enter the information as shown in the examples below:
- Country Name (2-letter code): the ISO country code where your organization is legally registered, for example US.
- State or Province Name: the full name of the state or region, for example California.
- Locality Name: the city where your organization is located, for example San Francisco.
- Organization Name: the legal name of your company. For a Domain Validation certificate, you can leave this blank.
- Organizational Unit Name: leave blank (this field is deprecated and ignored by CAs).
- Common Name: the fully qualified domain name (FQDN) you want to secure, for example yourdomain.com. For a wildcard certificate, enter *.yourdomain.com.
- Email Address: optional. You can leave this blank.
- A challenge password / An optional company name: skip both fields by pressing Enter.
Step 4. Submit the CSR
Open the CSR file and copy the entire contents, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines:
cat yourdomain.csr
Paste the CSR text into the order form when you apply for your SSL certificate. You can also verify your CSR before submitting it by using our CSR Decoder.
After the Certificate Authority validates your request and issues the certificate, proceed to upload it to Google App Engine.
Upload the SSL certificate to Google App Engine
Once you receive the certificate files from your CA (typically a .crt file and a .ca-bundle or intermediate certificate file), you can upload them through the Google Cloud Console or the gcloud CLI.
Option A: Google Cloud Console
- Open the Google Cloud Console and navigate to App Engine > Settings > SSL certificates.
- Click Upload a new certificate.
- Paste the contents of your certificate file (.crt) into the PEM encoded X.509 public key certificate field. If your CA provided a separate intermediate bundle, append it below your certificate in the same field.
- Paste the contents of your private key (yourdomain.key) into the Unencrypted PEM encoded RSA private key field.
- Click Upload. Google validates the files and activates the certificate on your custom domain.
Option B: gcloud CLI
If you prefer the command line, create the certificate with the gcloud CLI:
gcloud app ssl-certificates create \
--display-name="My SSL Certificate" \
--certificate=/path/to/yourdomain_fullchain.crt \
--private-key=/path/to/yourdomain.key
The –certificate flag expects a PEM file that contains your server certificate followed by the intermediate chain. The –private-key flag points to your unencrypted RSA private key file.
After uploading, map the certificate to your custom domain:
gcloud app domain-mappings update yourdomain.com \
--certificate-id=CERT_ID
Replace CERT_ID with the certificate ID returned by the previous command, and yourdomain.com with your actual domain.
To confirm that the certificate is active and correctly installed, scan your domain with our SSL Checker.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


