Cloud Platform

SSL on Cloud Platform

SSL lets your application serve HTTPS, so that traffic between your users and your site is encrypted and authenticated. To use SSL, each environment must have an SSL certificate installed and activated, and the certificate must cover every domain the environment serves (for example, both example.com and www.example.com if visitors use both). Acquia is not a Certificate Authority (CA) or SSL certificate vendor: you purchase the certificate from a CA or SSL certificate vendor and upload it to Cloud Platform.

The acronyms TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are often used interchangeably, although TLS is the protocol that current browsers and servers actually negotiate. For consistency, Acquia documentation and the Cloud Platform user interface generally refer to SSL. For more information, see What’s the difference between SSL, TLS, and HTTPS?. Acquia supports newer versions of TLS.

Implementing an SSL certificate is considered a best practice:

  • To ensure that your domains follow standard internet security protocols

  • To protect visitors on your domains

For more information about managing domains on Cloud Platform, see Managing domains.
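The coverage requirement is easy to get wrong, so it is worth checking a bundle before uploading it. The following script is an added example, not Acquia tooling; it assumes an OpenSSL 1.1.1 or newer command-line client and runs against throwaway self-signed certificates it generates itself (a real bundle comes from your CA). It checks that the private key belongs to the certificate, that the certificate is not about to expire, and that the subjectAltName list covers each required domain, applying wildcards the way browsers do: *.example.com covers www.example.com but not the bare domain example.com.

```shell
#!/bin/sh
# Pre-upload checks for an SSL certificate bundle: key/cert match, expiry,
# and subjectAltName coverage of every domain the environment serves.
# Added example, not Acquia tooling. Assumes an OpenSSL 1.1.1+ command-line
# client. The certificates are throwaway self-signed ones generated here so
# the script runs offline; a real bundle comes from your CA.
set -eu

# Generate a self-signed certificate and key carrying the given SAN list.
# $1 = output path prefix, $2 = SAN list, e.g. "DNS:example.com,DNS:www.example.com"
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=test" \
    -addext "subjectAltName=$2" >/dev/null 2>&1
}

# Does the certificate's SAN list cover this hostname? Exact names match, and a
# wildcard covers exactly one label (*.example.com covers www.example.com but
# not example.com or a.b.example.com), which is how browsers apply it.
# $1 = certificate file, $2 = hostname
san_covers() {
  sans=$(openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' || true)
  for san in $sans; do
    case $san in
      "$2") return 0 ;;
      \*.*)
        # the hostname needs a label before its first dot, and the remainder
        # must equal the domain part of the wildcard entry
        if [ "${2#*.}" != "$2" ] && [ "${2#*.}" = "${san#\*.}" ]; then return 0; fi ;;
    esac
  done
  return 1
}

# Does this private key belong to the certificate? Compare the public keys.
# $1 = certificate file, $2 = private key file
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Is the certificate still valid for at least $2 more seconds (default: right now)?
not_expired() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Run every check for one bundle; prints one line per check, returns 1 on any failure.
# $1 = certificate file, $2 = private key file, $3 = space-separated required domains
preflight() {
  status=0
  if key_matches_cert "$1" "$2"; then echo "ok   key matches certificate"
  else echo "FAIL $2 is not the private key for $1"; status=1; fi
  if not_expired "$1" 2592000; then echo "ok   valid for at least 30 days"
  else echo "FAIL certificate expires within 30 days or is already expired"; status=1; fi
  for d in $3; do
    if san_covers "$1" "$d"; then echo "ok   covers $d"
    else echo "FAIL does not cover $d"; status=1; fi
  done
  return $status
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
REQUIRED_DOMAINS="example.com www.example.com"   # constructed: the domains the environment serves

make_test_cert "$WORK/site"     "DNS:example.com,DNS:www.example.com"
make_test_cert "$WORK/wildcard" "DNS:*.example.com"
# an unrelated key, to show what a key/cert mismatch looks like
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null

echo "== site bundle =="
preflight "$WORK/site.crt" "$WORK/site.key" "$REQUIRED_DOMAINS" || echo "site bundle is not ready to upload"
echo "== wildcard bundle (misses the bare domain) =="
preflight "$WORK/wildcard.crt" "$WORK/wildcard.key" "$REQUIRED_DOMAINS" || echo "wildcard bundle is not ready to upload"
```

To use it on a real bundle, point `preflight` at the certificate and key you received from the CA and set `REQUIRED_DOMAINS` to the domains that environment actually serves. A wildcard certificate failing the bare-domain check is the usual reason a site works on www.example.com but not on example.com.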

Important

Cloud Platform and Site Factory customers can activate more than one SSL certificate for each environment. Support for multiple active certificates is not available on Cloud Platform Professional. For Cloud Platform Professional customers looking to SSL-secure multiple domains, see How do I cover multiple domains with SSL certificates.

Types of SSL

Cloud Platform offers the following models for SSL support:

  • Standard

  • Legacy/ELB

Standard certificates

The standard model (recommended) lets you install SSL certificates on any environment in your application by using the existing load balancer pair associated with your application. Domains that use a standard certificate are pointed at the load balancer's IP address with a DNS A record. To find the IP address associated with your application, see Viewing your IP address or CNAME.

Legacy/ELB certificates

The legacy model (shown as legacy/ELB certificates in the Cloud Platform user interface) requires the use of an Elastic Load Balancer (ELB). Domains that use a legacy/ELB certificate are pointed at the ELB with a DNS CNAME record. For example:

www.example.com CNAME 1234-4321.us-east-1.elb.amazonaws.com

The Cloud Platform domain name is the name of your website’s Elastic Load Balancer (ELB) instance, and is listed on the Cloud Platform interface Domain page for the environment. Do not use a DNS A record to point to the underlying IP address of the ELB: that IP address may change from time to time, and an A record does not follow the change.

The ELB routes traffic to the Cloud Platform load balancers for your Production environment. If your other environments (Dev and Stage) use the same load balancers, then the ELB and SSL certificate will work for those environments as well.
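The DNS rules for the two models, including the legacy model's inability to serve a bare domain, can be checked against a planned set of records before you repoint anything. The script below is an added example, not part of Acquia's documentation or tooling. Everything in it is constructed: APEX_DOMAINS is an assumption standing in for the zone apexes you own, the record plan is sample data using a documentation IP address, and the check that a CNAME target ends in .elb.amazonaws.com is only a heuristic based on the ELB name format shown above.

```shell
#!/bin/sh
# Lint a planned set of DNS records against the standard and legacy/ELB rules.
# Added example, not Acquia tooling. APEX_DOMAINS is an assumption (the bare
# domains you own), the ELB-name suffix check is a heuristic based on the ELB
# name format in the example above, and the plan at the bottom is sample data.
set -eu

APEX_DOMAINS="example.com"   # assumption: the bare (apex) domains in this plan

# Is this name a bare (apex) domain? A zone apex cannot hold a CNAME record.
is_apex() {
  for apex in $APEX_DOMAINS; do
    if [ "$1" = "$apex" ]; then return 0; fi
  done
  return 1
}

# Check one record. Prints a finding and returns 1 when the record would not
# work for the chosen model, 0 when it is fine.
# $1 = name, $2 = record type, $3 = target, $4 = model (standard | legacy)
lint_record() {
  name=$1
  type=$2
  target=$3
  model=$4
  case $model in
    legacy)
      if is_apex "$name"; then
        echo "FAIL $name: bare domain on the legacy/ELB model; an apex name cannot be a CNAME, so use the standard model or an extra service"
        return 1
      fi
      if [ "$type" != CNAME ]; then
        echo "FAIL $name: the legacy/ELB model needs a CNAME to the ELB name, not an $type record (the ELB's IP address can change)"
        return 1
      fi
      case $target in
        *.elb.amazonaws.com) ;;
        *) echo "FAIL $name: CNAME target $target does not look like an ELB name (heuristic)"; return 1 ;;
      esac
      ;;
    standard)
      if [ "$type" != A ]; then
        echo "FAIL $name: the standard model is reached by an A record to the load balancer IP, not $type"
        return 1
      fi
      ;;
    *)
      echo "FAIL $name: unknown model '$model' (expected standard or legacy)"
      return 1
      ;;
  esac
  echo "ok   $name: $type -> $target ($model)"
}

# Lint a whole plan read from stdin, one "name type target model" per line;
# blank lines and # comments are skipped. Returns 1 if any record fails.
lint_plan() {
  failures=0
  while read -r name type target model; do
    case $name in ''|'#'*) continue ;; esac
    lint_record "$name" "$type" "$target" "$model" || failures=$((failures + 1))
  done
  echo "$failures record(s) need attention"
  [ "$failures" -eq 0 ]
}

# Constructed plan: the same names under each model, to show where they differ.
# 203.0.113.10 is a documentation address, not a real load balancer.
PLAN='# name             type   target                                  model
www.example.com    CNAME  1234-4321.us-east-1.elb.amazonaws.com   legacy
example.com        CNAME  1234-4321.us-east-1.elb.amazonaws.com   legacy
shop.example.com   A      203.0.113.10                            legacy
example.com        A      203.0.113.10                            standard
www.example.com    A      203.0.113.10                            standard'

printf '%s\n' "$PLAN" | lint_plan || echo "fix the failing records before repointing DNS"
```

In the sample plan the legacy/ELB records for www.example.com pass, the legacy/ELB record for the bare domain fails because an apex name cannot be a CNAME, and the A record for shop.example.com fails because it would stop working the next time the ELB's address changes; the same bare domain passes under the standard model, where an A record to the load balancer's IP is exactly what is wanted.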

Although both models are accepted, Acquia strongly recommends using the standard model with your SSL certificates.

Note

Legacy/ELB certificates are not supported on Site Factory environments. Multi-region Cloud Platform Enterprise customers are encouraged to use the standard model.

If you are not sure which option is suitable for your application, create a Support ticket.

Differences in support for the standard and legacy/ELB models

Bare domains (for example, example.com rather than www.example.com)

  • Standard: Supported. The load balancer has an Elastic IP address (EIP), so the bare domain can be pointed at it with an A record.

  • Legacy/ELB: Not supported without added configuration and services. The load balancer is addressed by CNAME rather than by IP address, and a bare (apex) domain cannot be a CNAME.

Environments

  • Standard: Install a certificate on any environment.

  • Legacy/ELB: Install a certificate only on the Production environment on Cloud Platform Enterprise, because ELBs are only available in Production environments. On Cloud Platform Professional, one certificate can cover all environments.

Number of certificates

  • Standard: Install any number of certificates on any environment; multiple certificates can be active at the same time. Multiple active certificates are not supported on Cloud Platform Professional applications. For more information, see How do I cover multiple domains with SSL certificates.

  • Legacy/ELB: Install only one certificate. Installing a new certificate overwrites the previous one.

Browser support

  • Standard: Not supported by some old browsers, because the standard model relies on Server Name Indication (SNI) to select the certificate for a connection.

  • Legacy/ELB: Supported by old and new browsers.

IPv6

  • Standard: Does not support IPv6.

  • Legacy/ELB: Supports IPv6. For more information, see Using IPv6 IP addresses.

Load balancing

  • Standard: Does not use ELBs; uses active/passive load balancers in a high availability configuration.

  • Legacy/ELB: Uses ELBs in a high availability configuration, which provide round-robin load balancing instead of active/passive load balancers.

Request timeout

  • Standard: Load balancer requests have a 600-second timeout.

  • Legacy/ELB: All requests through an ELB have a 705-second timeout. Subscribers still experiencing 60-second timeouts can file a Support ticket.

Activating and reverting certificates

  • Standard: Installed certificates can be activated or deactivated, so reverting to a previous certificate means reactivating it.

  • Legacy/ELB: Supports only one certificate, activated during installation. To revert to a previous certificate, subscribers must keep their own copies of that certificate and its private key and reinstall them.

To install a standard and a legacy certificate in the same environment at the same time, see How do I cover multiple domains with SSL certificates.

Acquia provides a default SSL certificate that covers only your application’s default Acquia domains (*.acquia-sites.com). If a custom SSL certificate is installed on your application, it replaces the default certificate for your domains.

Note

If you decide to switch from the standard installation method to the legacy/ELB installation method or vice versa, you must repoint DNS for your domains accordingly: to the load balancer IP address with an A record for the standard model, or to the ELB name with a CNAME record for the legacy/ELB model. This includes informing your CDN and/or WAF provider, if applicable, so they can advise on any configuration changes that may be required on their side. For example, Akamai requires special configuration if you use a standard (SNI, Server Name Indication) SSL certificate.

SSL termination on Cloud Platform

Cloud Platform terminates SSL at the load balancing layer: the TLS handshake and decryption happen on the load balancer, which then passes the request on to the web servers behind it. An application that needs to know whether the client connected over HTTPS must therefore rely on the request information the load balancer forwards rather than on the connection it sees directly. Acquia also offers certain end-to-end encryption capabilities in Cloud Platform. For more information about end-to-end encryption, contact your Account Manager.

Roles and permissions for SSL management

Cloud Platform provides the following two permissions for managing SSL:

  • Install or remove SSL certificates for the non-production environments

  • Install or remove SSL certificates for the production environment

By default, users with the Administrator, Team Lead, and Senior Developer roles have the preceding permissions, and users with the Developer role do not. For more information, see roles and permissions.

Important

Do not email your SSL certificate files or attach them to a Support ticket; a private key sent that way lingers in mail and ticket archives. To keep your SSL files secure, use the SSH or SFTP secure file transfer method to share them with Acquia Support. For more information about securely sharing files, see How to securely share information with Acquia Support.

SSL on Cloud Platform Professional

Using legacy SSL certificates for a Cloud Platform Professional subscription incurs an added charge. The charge is per Cloud Platform Professional codebase. For more details, see About Acquia billing.

SSL on Cloud Platform Enterprise

Cloud Platform Enterprise subscriptions incur no extra charge for SSL support. Acquia strongly suggests Cloud Platform Enterprise subscriptions use the standard model.