SSL certificate chain certificate via API


Stevo Novkovski

Aug 21, 2016, 12:19:36 PM
to gce-discussion
Hello,

In the website GUI there is an option to include a certificate chain when we create SSL for a load balancer, but what about via the API?
As I saw, there are only private key and certificate fields, but no certificate chain field.

George (Google Cloud Support)

Aug 22, 2016, 2:36:00 PM
to gce-discussion
Hello Stevo,

The "certificate" field represents a local certificate file which should be in PEM format, must not be greater than five certs long and must at least include one intermediate cert.

More information about SslCertificates using the API can be found in this Help Center article.

I hope this helps.

Sincerely,
George

Michael Strickland

Sep 9, 2016, 4:54:36 PM
to gce-discussion
I ran into a similar issue today, and the issue appears to have been that the individual certificates within my --certificate file were in reverse order.

The file I received from our certificate authority included the root certificate first, then several intermediate certs, and finally the primary cert. Loading that with gcloud resulted in a "The SSL certificate and key do not match" error.

When I reversed the order to be:
  1. Primary cert
  2. Intermediate cert(s)
  3. Root cert
"gcloud compute ssl-certificates create" completed successfully. This is the page that helped me realize I could try reversing the order: https://www.digicert.com/ssl-support/pem-ssl-creation.htm.

This Load Balancing help page does have the following disclaimer:

It does not validate whether all certificates are chained in a legitimate way. It is your responsibility to provide valid certificate chains.

But maybe there is some more specific language that could be included about either what GCP expects or what a valid chain is?
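
An added example (not part of the thread, and not Google's or the CA's tooling): a standard-library Python script that reorders a CA-supplied PEM bundle into the primary, intermediate(s), root order described in the post above, by matching each certificate's issuer name to the next certificate's subject name. The function names are hypothetical, and it assumes issuer and subject names are byte-identical in their DER encoding.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(pem_block):
    """Return (issuer, subject) as raw DER Name bytes of one PEM certificate."""
    der = base64.b64decode("".join(pem_block.strip().splitlines()[1:-1]))
    _, pos, _ = tlv(der, 0)    # Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)  # TBSCertificate SEQUENCE
    fields = []
    while len(fields) < 5:     # serial, sigAlg, issuer, validity, subject
        tag, _, end = tlv(der, pos)
        if tag != 0xA0:        # skip the optional [0] version element
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def order_chain(pem_text):
    """Reorder a PEM bundle to primary cert, intermediate(s), root."""
    certs = [(block, *names(block)) for block in PEM_RE.findall(pem_text)]
    # Names that issued some other cert; self-signed roots do not count here.
    issuers = {iss for _, iss, sub in certs if iss != sub}
    leaves = [c for c in certs if c[2] not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected one primary cert, found %d" % len(leaves))
    by_subject = {sub: (block, iss, sub) for block, iss, sub in certs}
    chain = [leaves[0]]
    while chain[-1][1] != chain[-1][2]:      # stop at a self-signed root
        issuer_cert = by_subject.get(chain[-1][1])
        if issuer_cert is None or issuer_cert in chain:
            break
        chain.append(issuer_cert)
    if len(chain) != len(certs):
        raise ValueError("certificates do not form a single chain")
    # Name matching only: signatures are NOT verified here.
    return "\n".join(block for block, _, _ in chain) + "\n"
```

Write the returned text to the file passed as --certificate; a bundle with a missing intermediate or an unrelated certificate raises ValueError instead of producing a file.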