This guide shows you how to install an SSL certificate on Google App Engine, both the modern way (a free Google-managed certificate that App Engine provisions and renews automatically for any custom domain) and the legacy way (uploading your own third-party certificate when you need a specific CA, an EV/OV certificate, or a wildcard). App Engine is a fully managed PaaS, so all of this happens in the Google Cloud Console or through the gcloud CLI; you never log into a server.
Prerequisites
Before you install a certificate, make sure the following are in place:
- A deployed App Engine application (standard or flexible environment) in a Google Cloud project.
- A registered domain you control, with access to its DNS records.
- The domain verified for your Google account through Google Search Console or Webmaster Central (App Engine reads verified ownership from there).
- The gcloud CLI installed and authenticated, if you prefer the command line over the Console.
- The Owner, Editor, or App Engine Admin role on the project.
Custom domains and SSL on App Engine work in this order: verify the domain, map it to your application, point DNS at App Engine, then either let Google provision a managed certificate or upload your own.
Option 1: Free Google-managed SSL (recommended)
Google-managed certificates are free, automatically provisioned through Let’s Encrypt, and auto-renewed for as long as the domain remains mapped. This is the default for any new custom domain on App Engine and is the right choice for the vast majority of sites. Managed certificates do not support wildcards: each host name (for example example.com and www.example.com) is covered by its own certificate.
Step 1: Verify ownership of your domain
In your browser, sign in to Google Search Console with the same Google account that owns the Cloud project, add your domain as a property, and complete one of the verification methods (DNS TXT record is the most reliable). App Engine will not let you map a domain you have not verified.
Step 2: Map the custom domain in the Console
- Open the Google Cloud Console and select your project.
- From the Navigation menu, choose App Engine > Settings.
- Open the Custom Domains tab and click Add a custom domain.
- Pick the verified domain from the dropdown, then enter the subdomains you want to serve (typically the root example.com and www.example.com).
- Click Save mappings, then follow the on-screen instructions to add the suggested A, AAAA, and CNAME records at your DNS provider.
To do the same from the command line, run:
gcloud app domain-mappings create www.example.com --project=YOUR_PROJECT_ID
gcloud app domain-mappings create example.com --project=YOUR_PROJECT_ID
Step 3: Wait for the managed certificate
Once DNS has propagated, App Engine automatically requests a Let’s Encrypt certificate for each mapped host name. Provisioning is usually fast, but DNS propagation can take up to 24 hours. Check the status with:
gcloud app domain-mappings list --project=YOUR_PROJECT_ID
Each mapping shows an SSL state of MANAGED_CERTIFICATE_STATUS: OK when the certificate is live. While it is being issued you will see PROVISIONING or PENDING_DNS; that usually clears itself once DNS records resolve to the Google IPs.
Step 4: Force HTTPS for visitors (standard environment)
In App Engine standard, redirect every request to HTTPS by adding secure: always to each handler in app.yaml:
handlers:
- url: /.*
script: auto
secure: always
redirect_http_response_code: 301
Deploy the change with gcloud app deploy. In the flexible environment, handle the HTTP-to-HTTPS redirect at the application or load-balancer level.
Option 2: Upload your own third-party SSL certificate
Choose this path when you need a wildcard certificate, an OV or EV certificate from a specific Certificate Authority, or a certificate already issued for your domain. App Engine accepts a single PEM file containing the leaf and any intermediate certificates, plus an unencrypted PEM-encoded RSA private key. Up to five certificates total are allowed in the uploaded PEM file (one leaf plus up to four intermediates), and uploaded certificates can be reused across projects in the same Cloud organization.
Step 1: Generate the CSR and order the certificate
If you have already generated your CSR and received the issued certificate from your CA, skip ahead to Step 2.
A CSR (Certificate Signing Request) is a block of encoded text containing your contact and domain data that the CA uses to verify and sign your certificate. You have two ways to create one:
- Use our CSR Generator to produce the CSR and private key in your browser.
- Generate it locally with OpenSSL; see how to generate a CSR on Google App Engine.
Submit the CSR (including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– markers) to the CA during your order. Save the matching private key in a secure location; you will need it during installation.
Step 2: Combine the certificate and chain into a single PEM
If the CA delivered separate files (your server certificate plus one or more intermediates), concatenate them in the correct order (your certificate first, intermediates after). Open a terminal in the folder that holds the files and run:
cat yourdomain.crt intermediate.crt > concat.crt
On Windows PowerShell, the equivalent is:
Get-Content yourdomain.crt, intermediate.crt | Set-Content concat.crt
The result is a PEM-encoded certificate file with the full chain. If you also need to convert formats (for example from .pfx or .p12 to PEM), use our SSL tools.
The private key must be an unencrypted PEM-encoded RSA key (for example myserver.key.pem). If yours is password-protected, strip the passphrase with:
openssl rsa -in encrypted.key -out myserver.key.pem
Step 3: Upload the certificate in the Cloud Console
- Open the Google Cloud Console and select your project.
- Go to Navigation menu > App Engine > Settings, then open the SSL Certificates tab.
- Click Upload a new certificate.
- Give the certificate a Name, then upload concat.crt under PEM encoded X.509 public key certificate and myserver.key.pem under Unencrypted PEM encoded RSA private key.
- Click Upload.
Step 4: Assign the certificate to your domains
On the certificate’s details page, select the custom domains you want it to secure, then click Save. If a domain is currently using a Google-managed certificate, disable managed mode for it first; otherwise the upload will not be applied.
Step 5 (optional): Upload and bind from the gcloud CLI
The same operation from the command line:
gcloud app ssl-certificates create \
--display-name="example.com 2026" \
--certificate=concat.crt \
--private-key=myserver.key.pem
The command returns the new certificate ID. Bind it to a mapped domain and turn off managed mode for that mapping:
gcloud app domain-mappings update www.example.com \
--certificate-id=CERT_ID \
--certificate-management=manual
To switch back to a free Google-managed certificate later, run:
gcloud app domain-mappings update www.example.com \
--certificate-management=automatic
Notes and limits
- Managed certificates do not cover wildcards. For *.example.com, upload a wildcard certificate as in Option 2.
- Let’s Encrypt limits issuance to 50 managed certificates per week per base domain. The limit is rarely an issue, but it matters if you map many subdomains at once.
- Uploaded certificates that are not assigned to any domain are deleted automatically after 30 days.
- The maximum is one leaf plus four intermediates in a single uploaded PEM file.
- An uploaded certificate is visible across all projects in your Cloud organization, so a single wildcard can be reused.
Test the SSL installation
Open your site over https:// and confirm the padlock, then run a deeper scan with our SSL Checker for an instant report on the certificate, chain, and protocol support.
Frequently Asked Questions
Yes. Once you map a verified custom domain to your App Engine application and point DNS at Google, App Engine automatically provisions a free SSL certificate through Let’s Encrypt and renews it for you. You do not pay for this and you do not have to upload anything.
The free Google-managed certificates do not support wildcards. To secure *.example.com, buy a wildcard certificate, combine the leaf and intermediates into a single PEM, then upload it under App Engine > Settings > SSL Certificates (Option 2 above).
App Engine cannot issue a Let’s Encrypt certificate until your domain’s DNS records resolve to the Google IPs it provided when you created the mapping. Verify that the A, AAAA, and CNAME records match the values shown under Custom Domains, then wait for DNS propagation, which can take up to 24 hours. Run gcloud app domain-mappings list to recheck the status.
In the standard environment, add secure: always (and optionally redirect_http_response_code: 301) to each handler in app.yaml, then redeploy with gcloud app deploy. In the flexible environment, perform the redirect at the application or load-balancer level.
Only if you uploaded your own. Google-managed certificates are renewed automatically as long as the domain is still mapped and DNS still resolves to App Engine. Uploaded third-party certificates expire at the date set by the CA (currently up to about one year for public TLS certificates), so you must repeat the upload-and-assign steps before that date.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


