You may want to concatenate the files into your certificate.pem for extra compatibility with various browsers.
On Tuesday, September 25, 2012 2:22:33 PM UTC+10, gops wrote: > > newbie here. > > my ca provide 3 .crt format certificates. > > and I am allowed to upload only one pem via google apps ssl tab. > > one is sslca.crt, another is addexternalcaroot.crt and one is mywebsite.crt > > I converted mywebsite.crt to pem and uploaded and it works with SNI. > > what do I need to do with other too ? > > On Mon, Aug 27, 2012 at 6:39 AM, Cayden Meyer <cay...@google.com<javascript:> > > wrote: > >> Just updating this thread. We have added support for up to 5 >> chained/intermediate certificates. Users of Comodo and other CAs which >> require more than 2 chained/intermediate certificates can now append the CA >> provided bundles/intermediate certificates to their uploaded certificate. >> >> Cheers, >> >> Cayden Meyer >> Product Manager, Google App Engine >> >> On 3 August 2012 18:27, Nacho Coloma <ico...@gmail.com <javascript:>>wrote: >> >>> Hi Cayden, >>> >>> Thanks for your reply. >>> >>> You appear to have the incorrect CNAME for your domain. This is most >>>> probably what is causing android browsers to fail to connect. The correct >>>> CNAME can be found in your Google Apps control panel. The uploading and >>>> configuring certificates section of the SSL for Custom Domains >>>> documentation <https://developers.google.com/appengine/docs/ssl> may >>>> prove helpful if you have any issues. >>>> >>> >>> Yep, I saw the change of ghs name but since neither certificate was >>> working we are just stopping this (with this working configuration) until >>> our new certificate arrives. >>> >>> We just purchased a new one with DigiCert that includes EV validation >>> and uses (supposedly, as far as we could check) a single intermediate >>> authority. >>> >>> >>>> On the topic of intermediate certificates you should be able to >>>> download a single intermediate certificate from Comodo >>>> here<https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&pcid=0&nav=0>. >>>> >>>> Usually certificate authorities provide a bundle file which contains the >>>> full chain, all the certificates in the bundle are often not required. >>>> >>> >>> Ours is (was) a Comodo EssentialSSL. It comes with 5 CAs in the bundle, >>> and AFAIK most browsers require the chain up to the root CA. >>> >>> Don't worry about this, the change of certificate should fix it up. >>> Anyway, I would reconsider the limitation of two CAs in the PEM bundle, if >>> that's an option. Anyway, it's just my fault for not fully understanding >>> the limitations before choosing the certificate provider. Thank God for the >>> 15-days refund policy. >>> >>> Thanks for your support. >>> >>> >>>> >>>> On 2 August 2012 04:03, Nacho Coloma <ico...@gmail.com <javascript:>>wrote: >>>> >>>>> Hi, I have just configured a certificate for our own custom domain >>>>> (VIP) and it is working fine, but Android browsers are rejecting to >>>>> connect. >>>>> >>>>> Investigating, it seems that I should include the full chain of >>>>> intermediate CAs to the uploaded PEM file, but that's not possible since >>>>> AppEngine only allows at most two certificates in the PEM file. Our >>>>> Comodo >>>>> certificate has a chain composed of five CAs. If I try to upload the full >>>>> PEM file, AppEngine complains that the format is not supported. >>>>> >>>>> The working certificate can be seen at https://koliseo.com. You can >>>>> test it with: >>>>> >>>>> openssl s_client -showcerts -connect www.koliseo.com:443 >>>>> >>>>> Desktop browsers are OK with it, but Android (Froyo and Honeycomb) >>>>> will just refuse to connect. Any ideas? >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "Google App Engine" group. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/d/msg/google-appengine/-/AvvSXY6BrugJ. >>>>> To post to this group, send email to >>>>> google-a...@googlegroups.com<javascript:> >>>>> . >>>>> To unsubscribe from this group, send email to >>>>> google-appengi...@googlegroups.com <javascript:>. >>>>> For more options, visit this group at >>>>> http://groups.google.com/group/google-appengine?hl=en. >>>>> >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Google App Engine" group. >>>> To post to this group, send email to >>>> google-a...@googlegroups.com<javascript:> >>>> . >>>> To unsubscribe from this group, send email to >>>> google-appengi...@googlegroups.com <javascript:>. >>>> For more options, visit this group at >>>> http://groups.google.com/group/google-appengine?hl=en. >>>> >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "Google App Engine" group. >>> To post to this group, send email to >>> google-a...@googlegroups.com<javascript:> >>> . >>> To unsubscribe from this group, send email to >>> google-appengi...@googlegroups.com <javascript:>. >>> For more options, visit this group at >>> http://groups.google.com/group/google-appengine?hl=en. >>> >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Google App Engine" group. >> To post to this group, send email to >> google-a...@googlegroups.com<javascript:> >> . >> To unsubscribe from this group, send email to >> google-appengi...@googlegroups.com <javascript:>. >> For more options, visit this group at >> http://groups.google.com/group/google-appengine?hl=en. >> > > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To view this discussion on the web visit https://groups.google.com/d/msg/google-appengine/-/3s5DGFtep_8J. To post to this group, send email to google-appengine@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.