bg-tutorials

How to Install an SSL Certificate on Google App Engine

This guide shows you how to install an SSL certificate on Google App Engine, both the modern way (a free Google-managed certificate that App Engine provisions and renews automatically for any custom domain) and the legacy way (uploading your own third-party certificate when you need a specific CA, an EV/OV certificate, or a wildcard). App Engine is a fully managed PaaS, so all of this happens in the Google Cloud Console or through the gcloud CLI; you never log into a server.

Prerequisites

Before you install a certificate, make sure the following are in place:

  • A deployed App Engine application (standard or flexible environment) in a Google Cloud project.
  • A registered domain you control, with access to its DNS records.
  • The domain verified for your Google account through Google Search Console or Webmaster Central (App Engine reads verified ownership from there).
  • The gcloud CLI installed and authenticated, if you prefer the command line over the Console.
  • The Owner, Editor, or App Engine Admin role on the project.

Custom domains and SSL on App Engine work in this order: verify the domain, map it to your application, point DNS at App Engine, then either let Google provision a managed certificate or upload your own.

Option 1: Free Google-managed SSL (recommended)

Google-managed certificates are free, automatically provisioned through Let’s Encrypt, and auto-renewed for as long as the domain remains mapped. This is the default for any new custom domain on App Engine and is the right choice for the vast majority of sites. Managed certificates do not support wildcards: each host name (for example example.com and www.example.com) is covered by its own certificate.

Step 1: Verify ownership of your domain

In your browser, sign in to Google Search Console with the same Google account that owns the Cloud project, add your domain as a property, and complete one of the verification methods (DNS TXT record is the most reliable). App Engine will not let you map a domain you have not verified.

Step 2: Map the custom domain in the Console

  • Open the Google Cloud Console and select your project.
  • From the Navigation menu, choose App Engine > Settings.
  • Open the Custom Domains tab and click Add a custom domain.
  • Pick the verified domain from the dropdown, then enter the subdomains you want to serve (typically the root example.com and www.example.com).
  • Click Save mappings, then follow the on-screen instructions to add the suggested A, AAAA, and CNAME records at your DNS provider.

To do the same from the command line, run:

gcloud app domain-mappings create www.example.com --project=YOUR_PROJECT_ID
gcloud app domain-mappings create example.com --project=YOUR_PROJECT_ID

Step 3: Wait for the managed certificate

Once DNS has propagated, App Engine automatically requests a Let’s Encrypt certificate for each mapped host name. Provisioning is usually fast, but DNS propagation can take up to 24 hours. Check the status with:

gcloud app domain-mappings list --project=YOUR_PROJECT_ID

Each mapping shows an SSL state of MANAGED_CERTIFICATE_STATUS: OK when the certificate is live. While it is being issued you will see PROVISIONING or PENDING_DNS; that usually clears itself once DNS records resolve to the Google IPs.

Step 4: Force HTTPS for visitors (standard environment)

In App Engine standard, redirect every request to HTTPS by adding secure: always to each handler in app.yaml:

handlers:
- url: /.*
  script: auto
  secure: always
  redirect_http_response_code: 301

Deploy the change with gcloud app deploy. In the flexible environment, handle the HTTP-to-HTTPS redirect at the application or load-balancer level.

Option 2: Upload your own third-party SSL certificate

Choose this path when you need a wildcard certificate, an OV or EV certificate from a specific Certificate Authority, or a certificate already issued for your domain. App Engine accepts a single PEM file containing the leaf and any intermediate certificates, plus an unencrypted PEM-encoded RSA private key. Up to five certificates total are allowed in the uploaded PEM file (one leaf plus up to four intermediates), and uploaded certificates can be reused across projects in the same Cloud organization.

Step 1: Generate the CSR and order the certificate

If you have already generated your CSR and received the issued certificate from your CA, skip ahead to Step 2.

A CSR (Certificate Signing Request) is a block of encoded text containing your contact and domain data that the CA uses to verify and sign your certificate. You have two ways to create one:

Submit the CSR (including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– markers) to the CA during your order. Save the matching private key in a secure location; you will need it during installation.

Step 2: Combine the certificate and chain into a single PEM

If the CA delivered separate files (your server certificate plus one or more intermediates), concatenate them in the correct order (your certificate first, intermediates after). Open a terminal in the folder that holds the files and run:

cat yourdomain.crt intermediate.crt > concat.crt

On Windows PowerShell, the equivalent is:

Get-Content yourdomain.crt, intermediate.crt | Set-Content concat.crt

The result is a PEM-encoded certificate file with the full chain. If you also need to convert formats (for example from .pfx or .p12 to PEM), use our SSL tools.

The private key must be an unencrypted PEM-encoded RSA key (for example myserver.key.pem). If yours is password-protected, strip the passphrase with:

openssl rsa -in encrypted.key -out myserver.key.pem

Step 3: Upload the certificate in the Cloud Console

  • Open the Google Cloud Console and select your project.
  • Go to Navigation menu > App Engine > Settings, then open the SSL Certificates tab.
  • Click Upload a new certificate.
  • Give the certificate a Name, then upload concat.crt under PEM encoded X.509 public key certificate and myserver.key.pem under Unencrypted PEM encoded RSA private key.
  • Click Upload.

Step 4: Assign the certificate to your domains

On the certificate’s details page, select the custom domains you want it to secure, then click Save. If a domain is currently using a Google-managed certificate, disable managed mode for it first; otherwise the upload will not be applied.

Step 5 (optional): Upload and bind from the gcloud CLI

The same operation from the command line:

gcloud app ssl-certificates create \
  --display-name="example.com 2026" \
  --certificate=concat.crt \
  --private-key=myserver.key.pem

The command returns the new certificate ID. Bind it to a mapped domain and turn off managed mode for that mapping:

gcloud app domain-mappings update www.example.com \
  --certificate-id=CERT_ID \
  --certificate-management=manual

To switch back to a free Google-managed certificate later, run:

gcloud app domain-mappings update www.example.com \
  --certificate-management=automatic

Notes and limits

  • Managed certificates do not cover wildcards. For *.example.com, upload a wildcard certificate as in Option 2.
  • Let’s Encrypt limits issuance to 50 managed certificates per week per base domain. The limit is rarely an issue, but it matters if you map many subdomains at once.
  • Uploaded certificates that are not assigned to any domain are deleted automatically after 30 days.
  • The maximum is one leaf plus four intermediates in a single uploaded PEM file.
  • An uploaded certificate is visible across all projects in your Cloud organization, so a single wildcard can be reused.

Test the SSL installation

Open your site over https:// and confirm the padlock, then run a deeper scan with our SSL Checker for an instant report on the certificate, chain, and protocol support.

Frequently Asked Questions

Does App Engine give you free SSL certificates?

Yes. Once you map a verified custom domain to your App Engine application and point DNS at Google, App Engine automatically provisions a free SSL certificate through Let’s Encrypt and renews it for you. You do not pay for this and you do not have to upload anything.

Can I use a wildcard certificate on App Engine?

The free Google-managed certificates do not support wildcards. To secure *.example.com, buy a wildcard certificate, combine the leaf and intermediates into a single PEM, then upload it under App Engine > Settings > SSL Certificates (Option 2 above).

Why does my custom domain show “managed certificate pending”?

App Engine cannot issue a Let’s Encrypt certificate until your domain’s DNS records resolve to the Google IPs it provided when you created the mapping. Verify that the A, AAAA, and CNAME records match the values shown under Custom Domains, then wait for DNS propagation, which can take up to 24 hours. Run gcloud app domain-mappings list to recheck the status.

How do I redirect HTTP to HTTPS on App Engine?

In the standard environment, add secure: always (and optionally redirect_http_response_code: 301) to each handler in app.yaml, then redeploy with gcloud app deploy. In the flexible environment, perform the redirect at the application or load-balancer level.

Do I need to renew the certificate myself?

Only if you uploaded your own. Google-managed certificates are renewed automatically as long as the domain is still mapped and DNS still resolves to App Engine. Uploaded third-party certificates expire at the date set by the CA (currently up to about one year for public TLS certificates), so you must repeat the upload-and-assign steps before that date.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.