TLS All the Things!

Let's say you have a website associated with a Google Apps for Your Domain (though okay, it's Google Apps for Work now) registration, and served off of App Engine. Great! Now let's say you want to enable that website for HTTPS. Great...ish.

There's an article that walks you through the some of the steps, though it actually points you to another article halfway through. But following the steps in those article presupposes that you already have a certificate that you want to use, and that's hardly ever going to be the case for folks who just want to set things up for the first time.

I just went through the process for Sheryl's business, and used gandi.net to obtain the certificate. (I actually tried using StartSSL first, but ended up requesting a certificate with a 4096 bit key that I couldn't use with App Engine. And their UI is just awful.) Using gandi.net was mostly painless, and a great deal at $16/year, but there are a few things that aren't entirely obvious that I wanted to point out.

  • You need to kick off the process by generating a certificate signing request (CSR). gandi.net's help page on the topic will walk you through the steps, but it presupposes that you're comfortable with the command line and have OpenSSL installed. If you're not comfortable with that, read up on it a bit first. (Okay, chances are if you're the admin of an App Engine website, you're comfortable on the command line.)
  • Make sure you enter www.yourdomain.com when openssl asks for "Common Name (eg, YOUR name)".
  • The myserver.key file that's generated when you create your CSR is the "Unencrypted PEM encoded RSA private key" that gets uploaded via the Google Admin interface once you have a signed certificate. Keep that file somewhere safe—you'll need it later!
  • It's easiest to go through the email-based domain verification flow. gandi.net will verify by sending a mail to admin@yourdomain.com, which probably doesn't exist. I enabled a catch-all address on my Google Apps domain so that mail sent there would be delivered to my real GMail account. You could probably work around this by creating a Google Group in your domain with the address admin, too. If you go that route, just make sure it can receive mail from outside your domain, and that your real account is a member of the Google Group.
  • Once everything's verified, you can download both your site's signed certificate and gandi.net's intermediate certificate. You'll need both. Open them up in a text editor and, without changing any of the signed data, paste the intermediate certificate immediately following the site's certificate, and save the new, combined certificates to a separate file. This is the file that's referred to as the "PEM encoded X.509 certificate" that gets uploaded via the Google Admin interface. (Along with the myserver.key file, mentioned previously.)
Those are the gotchas I remember. The rest of the process was just dealing with the disjointed billing and admin interfaces across three Google products—Google Apps for Work, Google Cloud, and App Engine. The help center article will walk you through that, for the most part.

The end result, https://www.redlettercontent.com/, might not do much when it comes to improving the site's Google ranking, but it's never too early (and in many cases, it's effectively too late) to TLS All the Things!
Location: Brooklyn, NY 11201, USA

Comments

Post a Comment

Popular posts from this blog

Are you acquainted with our state's stringent usury laws?

Personal bankruptcy laws are a double-edged sword; while they provide a legitimate way out of desperate financial situations to individuals facing bad luck or genuinely poor business decisions, they also provide an escape clause to debtors who engage in irresponsible spending, thereby removing a disincentive for risky behavior. I'm of the opinion that the positive social benefits outweigh the possible abuses, as most liberals are about the various social safety nets we (used to) have in place in this country. Last year (or maybe earlier this year), the Republican majority was able to push through changes to federal bankruptcy laws that make it more difficult for individuals to file for bankruptcy (I don't believe that any corresponding changes were made to corporate bankruptcy laws, which is, you know, shocking ). This was a basically a freebie to the credit card industry–and yes, the credit card industry directly employs two-thirds of my immediate family, so I understand that
Read more

Beep Beep Beep Beep, Yeah!

Cars are scary. They're big steel machines of doom. I do not trust that a car I operate won't just stop working as a drive it. I fear running over nails. I fear psycho people in lanes next to me losing their minds and making sharp turns of their steering wheels to crash into me...for no reason. No one (aside from Jeff) at all understands my fear of driving. Not just, "driving at night is a little creepy." We're talking nightmares. Every bad dream I have that I can remember involves me operating a vehicle careening out of control. Me driving a vehicle without brakes. Having to merge into traffic and not being able to maneuver the steering wheel. I drove a bit growing up (living in a Florida suburb, you kind of had to), but unlike the majority of my friends, I didn't have my own car. So I borrowed my parents' cars when necessary, to drive to and from my house and my buddies' houses, the mall, Borders, Friday's, and back home. I was terrified of chang
Read more

In which I blog again, however briefly

Blogging has been sporadic at best (and postively tubercular at worst) throughout the past weeks as I haven't had much of an Internet connection. Now I do have much of an Internet connection, but only because I am at Ryan and Sarahs's home in Boston for the weekend, and they were kind enough to have a cable modem that doesn't suck. I've posted some nerd-phone photos of my trip on the Flickr side of things, and the basic gist is that I'm having a nice time with two of my favourite people. If anyone out there happens to work for Verizon and would like to set me up for DSL back in Brooklyn, I think I'm ready.
Read more