I'm going to set up SSL for my domain. The configuration is this:

  • a Google Cloud machine that hosts the website (example.com) and a webapp (JS, example.com/myapp) that communicates with an API written on a Google App Engine instance
  • a Google App Engine instance that hosts the API (example.com/api)

What I want to do is map the API to example.com/api and ensure that the communication between the app and the API is HTTPS (I have to use the same domain, otherwise it does not work).

The question now is: how can I do this, and what type of SSL certificate do I need?

My thoughts:

  • A single domain certificate could be enough; the website, app and API are on the same domain in the end.
  • I can use the Apache proxy to map /api to the GAE instance of the API (but I'm not sure of this).
  • I may get a wildcard SSL certificate, bind the API to api.example.com and then use Apache to map api.example.com to example.com/api. Still not sure of this.

In the end, what should I do?

1 Answer

You only need a single domain certificate if it will be referenced as you described.

Depending upon your app you can have a listener to determine how you wish to call it. If it is a simple page reference it would be https://www.yourdomain.com/folder+pagename

You have to configure SSL for custom domains. Enable it in the Google App Engine billing for SNI + VIP. After this is enabled, use openssl to create your CSR. [I used Ubuntu Linux openssl]

Make sure it is up to date and not an old version, so you are not subject to the Heartbleed vulnerability.

openssl req -new -newkey rsa:2048 -nodes \
  -out www_yourdowmain_com.csr \
  -keyout www_yourdowmianprivatekey_com.key \
  -subj "/C=US/ST=Full State not the two letter abbreviation/L=City/O=Company Name LLC/OU=Division of company Information Technology/CN=www.yourdomain.com"

You will add your alternate domains at the time of purchase.

www.yourdomain.com
yourdomain.com

Update your DNS records - Add CNAME record for GAE

When you get your certificate issued you have another half dozen steps, depending upon the SSL issuer. As for the general steps to install and activate the SSL on GAE, you have to upload two files: the combined.pem file and your unencrypted private key. Once the files are uploaded you then select the serving role and CNAME record.

Your certificate + intermediate certificate = combined.pem file [In some cases it may be three certificates to make the combined pem file]

Private key file from the CSR request:

openssl rsa -in www_yourdowmianprivatekey_com.key -out unencryptedkey.pem 

The Google documentation leaves a lot to be desired. If this is a domain that you plan to have for a while I would get a two year certificate. I just went through this process in the last two weeks. I have used Digicert and GoDaddy in the past. Other vendors are Verisign/Symantec, Comodo. If this is a public project you want an SSL provider that is distributed as part of the major browsers. This puts Digicert, Verisign, Comodo on the top of the list due to the length of time they have been in the marketplace. Some other providers may not be as widely accepted.

  • Hello and thanks, a couple of questions: why do I need to enable HTTPS for custom domains on GAE? Can't I just forward the calls to example.com/api to my GAE instance? Or do I miss anything? The fact is that I have a GAE where the APIs are, and a Compute Engine where the JS and website are, so DNS will point to the Compute Engine and GAE has to be "proxied" to avoid cross-domain calls in JS. What am I missing? Commented May 26, 2015 at 7:47
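A pre-upload check for the two files the answer describes, as an added example that is not part of the original answer: it confirms that the private key loads without a passphrase and that combined.pem starts with the certificate matching that key. The throwaway CA, the file names and the passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example: pre-upload checks for combined.pem and the unencrypted key.
# The CA, file names and passphrase below are constructed for the demo.

# SHA-256 of the public key in the FIRST certificate of a PEM bundle.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key derived from a private key file.
key_pubkey_fp() {
  openssl pkey -in "$1" -passin pass: -pubout -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1 = combined.pem, $2 = private key. Returns 0 if the pair is uploadable,
# 1 if the key is encrypted/unreadable, 2 if the bundle does not start with
# the certificate that belongs to the key.
check_upload_pair() {
  openssl pkey -in "$2" -passin pass: -noout 2>/dev/null ||
    { echo "key is encrypted or unreadable: $2"; return 1; }
  [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ] ||
    { echo "first certificate in $1 does not match $2"; return 2; }
  echo "ok: $1 + $2"
}

# Build constructed sample files in directory $1 (a throwaway CA stands in
# for the issuer's intermediate certificate).
make_demo() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Intermediate" \
    -keyout "$1/ca.key" -out "$1/intermediate.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.yourdomain.com" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/intermediate.pem" \
    -CAkey "$1/ca.key" -set_serial 1 -days 1 -out "$1/server.pem" 2>/dev/null
  cat "$1/server.pem" "$1/intermediate.pem" > "$1/combined.pem"     # leaf first
  cat "$1/intermediate.pem" "$1/server.pem" > "$1/wrong_order.pem"  # reversed
  openssl rsa -in "$1/server.key" -aes256 -passout pass:demo \
    -out "$1/encrypted.key" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
check_upload_pair "$demo_dir/combined.pem" "$demo_dir/server.key"
check_upload_pair "$demo_dir/wrong_order.pem" "$demo_dir/server.key" || true
check_upload_pair "$demo_dir/combined.pem" "$demo_dir/encrypted.key" || true
rm -rf "$demo_dir"
```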
