Certificate cannot be parsed
Google Cloud requires certificates in PEM format. If the certificate is PEM formatted, check the following:
You can validate your certificate using the following OpenSSL command, replacing certificate-file with the path to your certificate file:
openssl x509 -in certificate-file -text -noout
If OpenSSL is unable to parse your certificate:
- Contact your CA for help.
- Create a new private key and certificate.
Missing common name or subject alternative name
Google Cloud requires that your certificate have either a common name
CN) or subject alternative name (
SAN) attribute. See Create a
When both attributes are absent, Google Cloud displays an error message like the following when you try to create a self-managed certificate:
ERROR: (gcloud.compute.ssl-certificates.create) Could not fetch resource: - The SSL certificate is missing a Common Name(CN) or Subject Alternative Name(SAN).
Google-managed certificate hasn't been issued
Check the Google-managed SSL certificate status.
Private key cannot be parsed
Google Cloud requires PEM-formatted private keys that meet the private key criteria.
You can validate your private key using the following OpenSSL command, replacing private-key-file with the path to your private key:
openssl rsa -in private-key-file -check
The following responses indicate a problem with your private key:
unable to load Private Key
Expecting: ANY PRIVATE KEY
RSA key error: n does not equal p q
RSA key error: d e not congruent to 1
RSA key error: dmp1 not congruent to d
RSA key error: dmq1 not congruent to d
RSA key error: iqmp not inverse of q
To fix the problem, you must create a new private key and certificate.
Private keys with passphrases
If OpenSSL prompts for a passphrase, you'll need to remove the passphrase from your private key before you can use it with Google Cloud. You can use the following OpenSSL command:
openssl rsa -in private-key-file \ -out replacement-private-key-file
Replace the placeholders with valid values:
- private-key-file: The path to your private key that's protected with a passphrase
- replacement-private-key-file: A file path where you'd like to save a copy of your plaintext private key