How to Install SSL Certificate on Google Compute Engine

I recently came across a requirement where I had to install a third party ssl certificate to a Google compute engine instance. I realized it was not straight forward unless if you are using any automated way of installation like certbot etc.

In this post I am assuming that you have already generated / received the the certificate files from the SSL issuer. Usually they share the following files:

  • yourdomain.crt

Copy the above certificate files to your Google compute engine instance. Next step is to copy files at their right places. Usually its a good practice to have all of your SSL related files at /etc/ssl/

Now copy your private.key file (that was generated at the time of certificate generation) in /etc/ssl/ssl.key directory. Create this directory if this does not already exist.

Copy and yourdomain.crt in /etc/ssl/ssl.crt directory. Create this directory if this does not already exist.

Now create a ssl configuration file with name default-ssl.conf in /etc/apache2/sites-enabled/ directory. You should append to this file if it already exists. Add the following content to this file.

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerAdmin webmaster@localhost

    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName.crt
    SSLCertificateKeyFile /etc/ssl/ssl.key/private.key
    SSLCACertificateFile /etc/ssl/ssl.crt/

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    <Directory /var/www/html/>
      AllowOverride All
    BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Then run the following two commands to configure the ssl.

sudo a2enmod ssl
sudo a2ensite default-ssl

Then restart the web server by first stopping it and then start.

sudo service apache2 stop
sudo service apache2 start

Now your website should be working with https.

4 thoughts on “How to Install SSL Certificate on Google Compute Engine”

  1. Hi. Great post. On running the command ‘sudo a2ensite default-ssl’, I got the error ‘Site default-ssl not properly enabled: /etc/apachesites-enabled/default-ssl.conf is a real file, not touching it. Subsequently, apache is now not working. Kindly advice. I’m using Debian 9 on GCE.

    1. Sorry for replying late. I really missed the comment. But for anyone having the same issue, there must be some syntax error in default-ssl.cong file. Always try keeping backup of this file so that you can revert in that case.

Leave a Reply

Your email address will not be published. Required fields are marked *