Troubleshooting SSL certificates

Certificate cannot be parsed

Google Cloud requires certificates in PEM format. If the certificate is PEM formatted, check the following:

You can validate your certificate using the following OpenSSL command, replacing certificate-file with the path to your certificate file:

    openssl x509 -in certificate-file -text -noout

If OpenSSL is unable to parse your certificate:

Missing common name or subject alternative name

Google Cloud requires that your certificate have either a common name (CN) or subject alternative name (SAN) attribute. See Create a CSR for additional information.

When both attributes are absent, Google Cloud displays an error message like the following when you try to create a self-managed certificate:

    ERROR: (gcloud.compute.ssl-certificates.create) Could not fetch resource:
     - The SSL certificate is missing a Common Name(CN) or Subject Alternative
       Name(SAN).

Google-managed certificate hasn't been issued

Check the Google-managed SSL certificate status.

Private key cannot be parsed

Google Cloud requires PEM-formatted private keys that meet the private key criteria.

You can validate your private key using the following OpenSSL command, replacing private-key-file with the path to your private key:

    openssl rsa -in private-key-file -check

The following responses indicate a problem with your private key:

  • unable to load Private Key
  • Expecting: ANY PRIVATE KEY
  • RSA key error: n does not equal p q
  • RSA key error: d e not congruent to 1
  • RSA key error: dmp1 not congruent to d
  • RSA key error: dmq1 not congruent to d
  • RSA key error: iqmp not inverse of q

To fix the problem, you must create a new private key and certificate.

Private keys with passphrases

If OpenSSL prompts for a passphrase, you'll need to remove the passphrase from your private key before you can use it with Google Cloud. You can use the following OpenSSL command:

    openssl rsa -in private-key-file \
        -out replacement-private-key-file

Replace the placeholders with valid values:

  • private-key-file: The path to your private key that's protected with a passphrase
  • replacement-private-key-file: A file path where you'd like to save a copy of your plaintext private key
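
The checks in "Private key cannot be parsed" and "Private keys with passphrases" both rely on running OpenSSL interactively. The following added example (not part of the original page or of any Google Cloud tooling) classifies a key file without prompting, so a deployment script can stop early when a key is passphrase-protected or is not PEM. The function name, the result strings, and the set of accepted PEM labels are assumptions of this example.

```python
import base64
import binascii
import re
import sys

# One PEM block: BEGIN/END armor with a matching label around the body.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
# Assumed set of private key labels for this example.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def classify_private_key(data: bytes) -> str:
    """Return 'ok', 'passphrase', 'not-pem', 'not-a-key' or 'corrupt'."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "not-pem"              # binary input, e.g. a DER-encoded key
    match = PEM_RE.search(text)
    if match is None:
        return "not-pem"
    label, body = match.groups()
    if label not in KEY_LABELS:
        return "not-a-key"            # e.g. a CERTIFICATE block passed as the key
    # PKCS#8 encrypted keys use their own label; the traditional format
    # keeps the label and adds a "Proc-Type: 4,ENCRYPTED" header instead.
    if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
        return "passphrase"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error:
        return "corrupt"
    # Each of these key encodings starts with an ASN.1 SEQUENCE tag (0x30).
    return "ok" if der[:1] == b"\x30" else "corrupt"


if __name__ == "__main__":
    # Constructed sample: a DER stub, not a usable key.
    stub = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    sample = f"-----BEGIN PRIVATE KEY-----\n{stub}\n-----END PRIVATE KEY-----\n"
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample.encode()
    print(classify_private_key(raw))
```

A result of `ok` only means the PEM container is well formed; `openssl rsa -check` is still what verifies the key's components. The passphrase-free copy written by the command above is unencrypted, so restrict who can read that file.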