Elvin Efendi's personal website


uploading ECDSA TLS certificate to GCP

22 Jun 2019

This is going to be a very short article, mostly for myself to remember how to upload an ECDSA TLS certificate to GCP.

A few days ago I was experimenting with Google's HTTPS Load Balancer. One of the steps is to upload your TLS certificate to GCP so that Google's HTTPS Load Balancer (GCLB) can terminate TLS connections (it also has an option to use a managed certificate, but that's not what I wanted to do). As with other GCP resources, this can be done using the API, the web UI, or the gcloud command line tool. I was using gcloud.

As noted in the documentation, GCP accepts only TLS certificates with RSA-2048 or ECDSA P-256 keys. The TLS certificate I wanted to upload was obtained from Cloudflare, to be installed on my origin server. I confirmed that the private key satisfies GCP's requirements in terms of key algorithm and curve by running

openssl ec -in key.pem -text -noout

where key.pem is my private key. Keep in mind that the output of this command includes the private key material itself, so never paste it anywhere when asking for help.

After that I tried uploading the certificate:

gcloud compute ssl-certificates create elvin-test-cert --certificate cert.pem --private-key key.pem

However, this did not work, and I got the following error:

ERROR: (gcloud.compute.ssl-certificates.create) Could not fetch resource:
 - The SSL key could not be parsed.

I then tried to upload it in the web UI, but got the same error. After that I generated a self-signed RSA-2048 certificate and was able to upload it successfully.

Then I tried reformatting the private key I obtained from Cloudflare with:

openssl ec -in key.pem -out new_key.pem

and tried to upload this new key:

gcloud compute ssl-certificates create elvin-test-cert --certificate cert.pem --private-key new_key.pem

And success! It worked! So what was the issue with the original private key? The fact that openssl ec -in key.pem -text -noout worked on the original key means the key itself was not corrupted. It turns out GCP requires an ECDSA private key to start with exactly -----BEGIN EC PRIVATE KEY----- and end with -----END EC PRIVATE KEY-----. The private key I got from Cloudflare did not have EC in those lines: it was in the PKCS#8 container (-----BEGIN PRIVATE KEY-----), and rewriting it with openssl ec changed the PEM header to the SEC1 form, -----BEGIN EC PRIVATE KEY-----, which GCP's parser accepts.
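Here is a small script that automates the two checks above before the key ever reaches gcloud: it verifies the key really is ECDSA P-256 (the only curve GCP accepts), looks at the PEM label to tell PKCS#8 from SEC1, and performs the same openssl ec conversion the post used when needed. This is an added example, not code from the original post or from Google; it assumes openssl is on PATH, and the file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: check an EC private key before
# handing it to "gcloud compute ssl-certificates create", and rewrite a
# PKCS#8 key ("BEGIN PRIVATE KEY") as SEC1 ("BEGIN EC PRIVATE KEY"), which is
# what the post found GCP insists on. Assumes openssl is on PATH; the file
# names in the usage line are placeholders.

# Print the PEM label of the first block in a file,
# e.g. "PRIVATE KEY" (PKCS#8) or "EC PRIVATE KEY" (SEC1).
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Succeed only if the file is an EC key on the P-256 curve (OpenSSL prints
# it as "ASN1 OID: prime256v1"). openssl ec fails on RSA input, so an RSA
# key fails this check as well.
ec_is_p256() {
    openssl ec -in "$1" -noout -text 2>/dev/null | grep -q 'prime256v1'
}

# Rewrite an EC key in SEC1 form. "openssl ec -out" always emits the
# EC PRIVATE KEY label, which is exactly the conversion the post used.
to_sec1() {
    openssl ec -in "$1" -out "$2" 2>/dev/null
}

# Produce a key file GCP will parse: verify the curve, convert the
# container if needed, and confirm the resulting label. Returns non-zero
# (with a message on stderr) for any key that cannot be made acceptable.
gcp_ready_key() {
    in="$1"
    out="$2"
    if ! ec_is_p256 "$in"; then
        echo "$in: not an ECDSA P-256 key; GCP accepts only RSA-2048 or ECDSA P-256" >&2
        return 1
    fi
    case "$(pem_label "$in")" in
        "EC PRIVATE KEY") cp "$in" "$out" ;;       # already SEC1, use as is
        "PRIVATE KEY")    to_sec1 "$in" "$out" ;;  # PKCS#8, convert
        *) echo "$in: unexpected PEM label '$(pem_label "$in")'" >&2; return 1 ;;
    esac
    [ "$(pem_label "$out")" = "EC PRIVATE KEY" ]
}

# Usage: sh ec_key_for_gcp.sh key.pem new_key.pem
# then:  gcloud compute ssl-certificates create NAME --certificate cert.pem --private-key new_key.pem
if [ $# -eq 2 ]; then
    gcp_ready_key "$1" "$2" && echo "$2 is ready to upload ($(pem_label "$2"))"
fi
```

Running it on the Cloudflare key from the post would report the PKCS#8 label, write the SEC1 copy, and only then is gcloud worth calling; a P-384 or RSA key is refused up front with a clearer message than "The SSL key could not be parsed".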
