Converting pfx file for Google App Engine

I've spent a few days looking for an answer but with no success so I've decided to ask here.

My problem is that I can't add an SSL certificate on Google Cloud App Engine. I am trying to add an SSL certificate provided by the Swedish bank id system to integrate their services with my backend. They have a REST API for testing purposes and provide a certificate for the test API.

The certificate is in .pfx form and to import it into Google Cloud App Engine I need to extract two keys:

  • PEM encoded X.509 public key certificate
  • Unencrypted PEM encoded RSA key

Since I'm on Ubuntu and have easy access to openssl, I've tried using these commands:

openssl pkcs12 -in Server.pfx -nodes -nokeys -out certificate.pem
openssl pkcs12 -in Server.pfx -nodes -nocerts -out key.pem
openssl rsa -in key.pem -out key2.pem -outform pem 

When using the public certificate from certificate.pem and the private RSA key from key2.pem I get this error:

The certificate data is invalid. Please ensure that the private key and public certificate match.

I've tried experimenting with a few other openssl commands but it always resulted in this error.

Am I doing something wrong? I'll provide additional information if it's needed.


Response to the first comment:

The content from the certificate.pem file starts with:

-----BEGIN CERTIFICATE-----

As for the key2.pem file, it begins with:

-----BEGIN RSA PRIVATE KEY-----

As a note: The certificate.pem file contains Bag Attributes, subject and issuer lines before the -----BEGIN CERTIFICATE----- header, but when I try to import the whole file I get an error saying that:

The public certificate you've selected does not appear to be valid.

so I leave those lines out.


In response to the first answer, that's exactly what I've been doing. The certificate.pem file only contains one section that's enclosed with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. So I copy those lines (including the BEGIN and END lines) and get the first error described above.

Your comment that your certificate has Bag Attributes is your problem. Your Private Key looks correct (PKCS#1).

Your certificate file is a composite file that contains multiple certificates. Usually the first certificate is the one that you want (your SSL certificate). The other certificates are for the intermediate certificate authorities.

Open certificate.pem in a text editor (use VI for example). Then look for lines that start with subject= . If you see the name (domain name, company name) of your certificate in the line, this is the one you want. Save everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----. The other certificates will have the name of the certificate authority in the subject= .

Note: You might need the other certificates also (depends on if you are using a major company or not). In that case for each of the other certificates, copy each one from the BEGIN / END to one file called intermediate.pem . You do not need the Bag Attribute section.

Another option is to keep the certificates in one file. Open certificate.pem and delete the Bag Attributes sections (delete everything between -----END CERTIFICATE----- and -----BEGIN CERTIFICATE-----).
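
The manual editing described in the answer above can be scripted. The following is an added example, not code from the original posts: it parses the text that `openssl pkcs12 -nokeys` writes, drops the Bag Attributes text, and separates the leaf certificate from the intermediates. The function name `split_bundle`, the sample subjects and the base64 bodies are constructed placeholders, and the leaf is chosen as the one certificate whose subject is not the issuer of another certificate in the file, which generalizes the "look at subject=" advice.

```python
import re

# Constructed sample of `openssl pkcs12 -nokeys` output; base64 bodies are placeholders.
SAMPLE = """\
Bag Attributes
    localKeyID: 01 02 03 04
subject=C = SE, O = Example Shop AB, CN = shop.example.test
issuer=C = SE, O = Example Test CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=C = SE, O = Example Test CA, CN = Example Intermediate CA
issuer=C = SE, O = Example Test CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
"""

# One subject= line, one issuer= line (blank lines tolerated), then the PEM block.
BLOCK = re.compile(
    r"subject=(?P<subject>[^\n]*)\n\s*issuer=(?P<issuer>[^\n]*)\n\s*"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?\n-----END CERTIFICATE-----)",
    re.DOTALL,
)

def split_bundle(text):
    """Return (leaf_pem, intermediates_pem) with all Bag Attributes text removed."""
    certs = [m.groupdict() for m in BLOCK.finditer(text.replace("\r\n", "\n"))]
    if not certs:
        raise ValueError("no subject/issuer/certificate blocks found")
    # Names that issued some *other* certificate; self-signed entries do not count.
    issuers = {c["issuer"].strip() for c in certs
               if c["issuer"].strip() != c["subject"].strip()}
    leaves = [c for c in certs if c["subject"].strip() not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    leaf = leaves[0]
    chain = [c["pem"] for c in certs if c is not leaf]
    return leaf["pem"] + "\n", "".join(p + "\n" for p in chain)

if __name__ == "__main__":
    leaf_pem, intermediates_pem = split_bundle(SAMPLE)
    print(leaf_pem, end="")            # contents for the public certificate field
    print("--- intermediate.pem ---")
    print(intermediates_pem, end="")
```

This only cleans up the text layout; it does not check that the private key belongs to the selected certificate.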

According to the documentation you can configure SSL certificates with different runtime environments. I recommend taking a look at this documentation, where you may find valuable information. I would also suggest contacting the certificate authority that provided you these certificates in order to get more help.
