
Add SSL certificate from Godaddy to Google App Engine

I'm trying to add an SSL certificate that I created on Godaddy to my Google App Engine account on a Mac.

Using Keychain, I created a new 2048-bit RSA private-public key pair, and with it created a CertificateSigningRequest.certSigningRequest. I then used this certificate signing request to create the new SSL certificate on Godaddy. They then let me download a zip file with two .crt files in it (734b34####.crt and gd_bundle-g2-g1.crt).

And then trying to add it to GAE, I get this screen:

[Screenshot: Add new SSL certificate screen on GAE]

Can anyone tell me what to enter as "PEM encoded X.509 public key certificate" and what as "Unencrypted PEM encoded RSA private key"?

I tried exporting from Keychain all different relevant keys and certificates in all kinds of formats (p12, cer, and converting them to pem), even without passwords on them.

For some reason, whenever I export & convert the private key, its beginning looks like this:

    Bag Attributes
        friendlyName: *.mydomain.com
        localKeyID: 10 93 42 BE 45...
    subject=/OU=Domain Control Validated/CN=*.mydomain.com
    issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
    -----BEGIN CERTIFICATE-----

mllm asked Nov 08 '22 21:11


1 Answer

After not finding any guide to do it on a Mac, and trying different options for hours, here's what I did:

  1. Concat the two .crt provided by Godaddy into one: cat 734b34####.crt gd_bundle-g2-g1.crt > godaddy.crt.
  2. Use godaddy.crt for the first certificate ("PEM encoded X.509 public key certificate").
  3. In Keychain, export (without a password) the private key that was used for the certificate signing request in p12 format, let's call it private.p12.
  4. Convert the p12 private key: openssl pkcs12 -in private.p12 -out private.pem -nodes -clcerts. The password is just empty.
  5. [EDIT] - then convert the private.pem file to RSA type: openssl rsa -in private.pem -out private_unencrypted.pem -outform PEM
  6. Copy the contents of the created file: pbcopy < private_unencrypted.pem.
  7. Paste (what we've just copied) into the second text area ("Unencrypted PEM encoded RSA private key").
  8. Edit the pasted text, so that all of the text starting from Bag Attributes until -----BEGIN RSA PRIVATE KEY----- (excluding) is deleted. The result is a long string that starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----.

You should now be able to click the Upload button at the bottom.

Phew!

Would love to see if anyone had a more elegant / official way to do it.

mllm answered Nov 14 '22 22:11
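
The key-export steps from the answer above as one script, with a check that the exported key really belongs to the certificate being uploaded. This is an added example, not part of the original post: the function names are hypothetical, the sample certificate and .p12 are constructed stand-ins, and the `-traditional` switch assumes OpenSSL 3.x (older OpenSSL and the LibreSSL shipped with macOS write the RSA header by default).

```shell
#!/bin/sh
# Added example. Function names are hypothetical; file names follow the answer.

# Write only the private key from a PKCS#12 export as a bare PEM key.
# "Bag Attributes" text and certificates are dropped, so no hand editing
# of the pasted text is needed (steps 4, 5 and 8 of the answer).
p12_to_key() {   # usage: p12_to_key in.p12 out.pem [export-password]
    trad=""
    # Assumption: OpenSSL 3.x needs -traditional to emit "BEGIN RSA PRIVATE KEY".
    case "$(openssl version)" in "OpenSSL 3"*) trad="-traditional" ;; esac
    ( umask 077   # the key file is readable by its owner only
      openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:${3:-}" 2>/dev/null |
          openssl rsa $trad -out "$2" 2>/dev/null )
}

# Succeed only if the key belongs to the FIRST certificate in the PEM file,
# which is the site certificate when the files are concatenated as in step 1.
key_matches_cert() {   # usage: key_matches_cert key.pem cert.pem
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed sample input: a throwaway key, a self-signed certificate standing
# in for godaddy.crt, and a password-less .p12 standing in for the Keychain export.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days 1 -keyout "$d/k.pem" -out "$d/godaddy.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/godaddy.crt" \
        -name example.test -passout pass: -out "$d/private.p12"
    p12_to_key "$d/private.p12" "$d/private_unencrypted.pem" &&
    key_matches_cert "$d/private_unencrypted.pem" "$d/godaddy.crt" &&
    [ "$(head -n 1 "$d/private_unencrypted.pem")" = "-----BEGIN RSA PRIVATE KEY-----" ]
    rc=$?
    rm -rf "$d"   # do not leave unencrypted key material behind
    return $rc
}

demo && echo "OK: bare RSA key extracted and it matches the certificate"
```

A failing `key_matches_cert` before upload means the wrong Keychain item was exported. Delete `private.pem`, `private_unencrypted.pem` and `private.p12` once the upload succeeds, since they hold the key unencrypted.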