There's an article that walks you through the some of the steps, though it actually points you to another article halfway through. But following the steps in those article presupposes that you already have a certificate that you want to use, and that's hardly ever going to be the case for folks who just want to set things up for the first time.
I just went through the process for Sheryl's business, and used gandi.net to obtain the certificate. (I actually tried using StartSSL first, but ended up requesting a certificate with a 4096 bit key that I couldn't use with App Engine. And their UI is just awful.) Using gandi.net was mostly painless, and a great deal at $16/year, but there are a few things that aren't entirely obvious that I wanted to point out.
- You need to kick off the process by generating a certificate signing request (CSR). gandi.net's help page on the topic will walk you through the steps, but it presupposes that you're comfortable with the command line and have OpenSSL installed. If you're not comfortable with that, read up on it a bit first. (Okay, chances are if you're the admin of an App Engine website, you're comfortable on the command line.)
- Make sure you enter www.yourdomain.com when openssl asks for "Common Name (eg, YOUR name)".
- The myserver.key file that's generated when you create your CSR is the "Unencrypted PEM encoded RSA private key" that gets uploaded via the Google Admin interface once you have a signed certificate. Keep that file somewhere safe—you'll need it later!
- It's easiest to go through the email-based domain verification flow. gandi.net will verify by sending a mail to firstname.lastname@example.org, which probably doesn't exist. I enabled a catch-all address on my Google Apps domain so that mail sent there would be delivered to my real GMail account. You could probably work around this by creating a Google Group in your domain with the address admin, too. If you go that route, just make sure it can receive mail from outside your domain, and that your real account is a member of the Google Group.
- Once everything's verified, you can download both your site's signed certificate and gandi.net's intermediate certificate. You'll need both. Open them up in a text editor and, without changing any of the signed data, paste the intermediate certificate immediately following the site's certificate, and save the new, combined certificates to a separate file. This is the file that's referred to as the "PEM encoded X.509 certificate" that gets uploaded via the Google Admin interface. (Along with the myserver.key file, mentioned previously.)
Those are the gotchas I remember. The rest of the process was just dealing with the disjointed billing and admin interfaces across three Google products—Google Apps for Work, Google Cloud, and App Engine. The help center article will walk you through that, for the most part.