SSL enables your application to serve HTTPS, so that traffic between your users and your site is encrypted. To use SSL, each environment must have an SSL certificate installed and activated, and that certificate must cover every domain the environment serves. You purchase the certificate from a Certificate Authority (CA) or SSL certificate vendor and upload it to Cloud Platform. Acquia is not a CA or SSL certificate vendor.
The acronyms TLS (Transport Layer Security) and SSL (Secure Socket Layer) are often used interchangeably. For consistency, Acquia documentation and the Cloud Platform user interface generally refer to SSL, although the protocol actually negotiated is TLS. For more information, see What’s the difference between SSL, TLS, and HTTPS?. Acquia supports current versions of TLS.
Implementing an SSL certificate is considered a best practice:
- To ensure that your domains follow standard internet security protocols
- To protect visitors on your domains
For more information about managing domains on Cloud Platform, see Managing domains.
Types of SSL
Cloud Platform offers the following models for SSL support:
- Standard
- Legacy/ELB
Standard certificates
The standard model (recommended) allows you to install SSL certificates on any environment in your application by using the existing load balancer pair associated with your application. To direct traffic to an environment that uses a standard certificate, point the domain at the load balancer's IP address with a DNS A record. To find the IP address associated with your application, see Viewing your IP address or CNAME.
Legacy/ELB certificates
The legacy model (indicated as legacy/ELB certificates in the Cloud Platform user interface) requires the use of an Elastic Load Balancer (ELB). To access a legacy/ELB certificate, use a DNS CNAME record. For example:
www.example.com CNAME 1234-4321.us-east-1.elb.amazonaws.com
The Cloud Platform domain name is the name of your website’s Elastic Load Balancer (ELB) instance, and is listed on the Domains page for the environment in the Cloud Platform interface. Do not use a DNS A record to point to the underlying IP address of the ELB: the IP address behind the ELB name can change at any time, and a domain pinned to the old address will stop resolving to your site.
The ELB routes traffic to the Cloud Platform load balancers for your Production environment. If your other environments (Dev and Stage) use the same load balancers, then the ELB and SSL certificate will work for those environments as well.
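The two DNS conventions above (A record to the load balancer IP for the standard model, CNAME to the ELB host name for the legacy/ELB model) are easy to get wrong when a zone is managed by hand. The following checker is an added example, not Acquia code: it takes a list of DNS records together with the SSL model each domain is meant to use and reports records that violate the rules on this page. The record data, domain names, IP addresses, ELB host name and the `ELB_SUFFIX` constant are constructed for illustration; the rule that a bare domain (zone apex) cannot carry a CNAME comes from DNS itself (a CNAME cannot coexist with the SOA and NS records at the apex), which is why the legacy/ELB model cannot serve bare domains without extra services.

```python
"""Check DNS records against the Cloud Platform SSL model each domain uses.

standard  -> the domain must be an A record pointing at the load balancer's IPv4 address.
legacy    -> the domain must be a CNAME pointing at the ELB host name (never an A record,
             because the ELB's IP address can change) and cannot be a zone apex, since DNS
             forbids a CNAME alongside the apex SOA/NS records.
"""
import ipaddress

# Suffix of AWS ELB host names; assumption for this example, matching the CNAME target
# shown in the documentation above.
ELB_SUFFIX = ".elb.amazonaws.com."

# Constructed sample zone data (hypothetical, not real Acquia or customer names).
ZONE_APEXES = {"example.com.", "example.net."}
SSL_MODELS = {
    "example.com.": "standard",
    "www.example.com.": "legacy",
    "static.example.com.": "legacy",
    "example.net.": "legacy",
}
SAMPLE_RECORDS = [
    ("example.com.", "A", "203.0.113.10"),                                   # ok: standard, apex A record
    ("www.example.com.", "CNAME", "1234-4321.us-east-1.elb.amazonaws.com."),  # ok: legacy CNAME to ELB
    ("static.example.com.", "A", "203.0.113.20"),                             # wrong: legacy must use CNAME
    ("example.net.", "CNAME", "1234-4321.us-east-1.elb.amazonaws.com."),      # wrong: CNAME at a zone apex
]


def _normalize(name):
    """Lower-case a DNS name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def check_record(owner, rtype, rdata, model, zone_apexes):
    """Return a list of problems for one record; an empty list means it is acceptable."""
    owner = _normalize(owner)
    rtype = rtype.upper()
    problems = []
    if model == "standard":
        if rtype != "A":
            problems.append(f"{owner}: standard model expects an A record, found {rtype}")
        else:
            try:
                ipaddress.IPv4Address(rdata)
            except ValueError:
                problems.append(f"{owner}: A record data {rdata!r} is not a valid IPv4 address")
    elif model == "legacy":
        if owner in zone_apexes:
            problems.append(f"{owner}: bare domains are not supported by the legacy/ELB model "
                            "(a CNAME cannot be placed at the zone apex)")
        if rtype == "A":
            problems.append(f"{owner}: legacy/ELB model must use a CNAME, not an A record "
                            "(the ELB IP address can change)")
        elif rtype != "CNAME":
            problems.append(f"{owner}: legacy/ELB model expects a CNAME record, found {rtype}")
        elif not _normalize(rdata).endswith(ELB_SUFFIX):
            problems.append(f"{owner}: CNAME target {rdata!r} is not an ELB host name")
    else:
        problems.append(f"{owner}: unknown SSL model {model!r}")
    return problems


def check_zone(records, models, zone_apexes):
    """Return {owner: [problems]} for every record whose domain has an assigned SSL model."""
    report = {}
    for owner, rtype, rdata in records:
        key = _normalize(owner)
        model = models.get(key)
        if model is None:
            continue  # domain not served by Cloud Platform; nothing to check
        report[key] = check_record(key, rtype, rdata, model, zone_apexes)
    return report


if __name__ == "__main__":
    for name, problems in check_zone(SAMPLE_RECORDS, SSL_MODELS, ZONE_APEXES).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{name:<22} {status}")
```

Run against real zone data, the only inputs that change are the record list, the model map and the apex set; the checker deliberately does not try to verify that an A record holds the correct load balancer IP, because that value is only knowable from the Cloud Platform interface.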
Although both models are accepted, Acquia strongly recommends using the standard model with your SSL certificates.
If you are not sure which option is suitable for your application, create a Support ticket.
Differences in support for the standard and legacy/ELB models
Standard | Legacy/ELB |
---|---|
Support for bare domains. For example, example.com rather than www.example.com . This is possible because the load balancer has an Elastic IP address (EIP) that an A record can point at. | No support for bare domains without added configuration and services, because the load balancer is addressed by CNAME rather than by IP address, and DNS does not allow a CNAME at the zone apex alongside the SOA and NS records. |
Install certificate on any environment. | Install certificate only on the Production environment on Cloud Platform Enterprise; one certificate can cover all environments on Cloud Platform Professional. ELBs are only available in Production environments. |
Install any number of certificates on any environment, with multiple certificates active at the same time. Multiple active certificates are not supported on Cloud Platform Professional applications. For more information, see How do I cover multiple domains with SSL certificates. | Install only one certificate; installing a new certificate overwrites the previous one. |
Not supported by some old browsers. | Supported by old and new browsers. |
Does not support IPv6. | Supports IPv6. For more information, see Using IPv6 IP addresses. |
Does not use ELBs; uses active/passive load balancers in a high availability configuration. | Uses ELBs in a high availability configuration, which offer round-robin load balancing instead of active/passive load balancers. |
Load balancer requests have a 600-second timeout. | All requests through an ELB have a 705-second timeout. Subscribers still experiencing 60-second timeouts can file a Support ticket. |
Allows activation or deactivation of installed certificates. | Supports only one certificate, activated during installation; to revert to a previous certificate, subscribers must maintain copies of certificates and associated keys. |
To install a standard and a legacy certificate in the same environment at the same time, see How do I cover multiple domains with SSL certificates.
Acquia provides a default SSL certificate that covers only your application’s default Acquia domains (*.acquia-sites.com). Custom domains are not covered by it, so visitors to a custom domain see a certificate name mismatch until you install a certificate that covers that domain. If a custom SSL certificate is installed on your application, it replaces the default certificate for your domains.
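Whether a certificate "covers" a domain is decided by the host-name matching rules browsers apply, and the two cases that cause most surprises are the ones this page touches on: a wildcard such as *.acquia-sites.com matches exactly one label and never the bare domain, and a bare domain (see the table above) needs its own entry. The following checker is an added example, not Acquia code: given the names a certificate carries (its Subject Alternative Names) and the domains an environment serves, it reports which certificate name covers each domain and which domains are left uncovered. The custom certificate names and the customer domains are constructed for illustration; only *.acquia-sites.com comes from the text. It implements the common-case matching rules (exact match, or a wildcard as the whole left-most label that matches a single label; wildcards with fewer than three labels are rejected, as browsers do) and does not parse PEM files.

```python
"""Report which of an environment's domains a certificate's names cover.

Matching follows the rules browsers apply to certificate host names:
  - an exact name matches only itself (case-insensitively);
  - "*.example.com" matches "www.example.com" but not "example.com" (the bare domain)
    and not "a.b.example.com" (the wildcard stands for exactly one label);
  - the wildcard must be the entire left-most label and have at least two labels after
    it, so "*.com" and "w*.example.com" are not accepted.
"""

# From the documentation: the default certificate covers only the Acquia default domains.
DEFAULT_CERT_NAMES = ["*.acquia-sites.com"]

# Constructed example: names carried by a hypothetical custom certificate.
CUSTOM_CERT_NAMES = ["www.example.com", "*.example.com"]

# Constructed example: domains a hypothetical environment serves.
ENV_DOMAINS = [
    "mysitedev.acquia-sites.com",
    "example.com",              # bare domain: needs an explicit entry, a wildcard will not do
    "www.example.com",
    "api.example.com",
    "deep.api.example.com",     # two labels below the wildcard: not covered
]


def _labels(name):
    return name.strip().lower().rstrip(".").split(".")


def name_matches(host, cert_name):
    """True if the certificate name cert_name covers host under browser matching rules."""
    host_labels = _labels(host)
    cert_labels = _labels(cert_name)
    if cert_labels[0] != "*" or "*" not in cert_name:
        # No wildcard: require an exact, case-insensitive match.
        # Names with a wildcard anywhere but the whole first label are rejected.
        return "*" not in cert_name and host_labels == cert_labels
    if len(cert_labels) < 3:
        return False  # reject over-broad wildcards such as "*.com"
    if len(host_labels) != len(cert_labels):
        return False  # the wildcard stands for exactly one label
    return host_labels[1:] == cert_labels[1:]


def coverage(domains, cert_names):
    """Map each domain to the first certificate name that covers it, or None."""
    return {d: next((n for n in cert_names if name_matches(d, n)), None) for d in domains}


def uncovered(domains, cert_names):
    """Domains that no name on the certificate covers, in input order."""
    return [d for d, n in coverage(domains, cert_names).items() if n is None]


if __name__ == "__main__":
    for label, names in (("default", DEFAULT_CERT_NAMES), ("custom", CUSTOM_CERT_NAMES)):
        print(f"{label} certificate {names}:")
        for domain, matched in coverage(ENV_DOMAINS, names).items():
            print(f"  {domain:<28} {'covered by ' + matched if matched else 'NOT COVERED'}")
```

The practical use is to run `uncovered()` against the SAN list of a certificate you are about to upload: the bare domain and any name more than one label below a wildcard must appear on the certificate explicitly, or the corresponding environment will keep serving a mismatched name after installation.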
SSL termination on Cloud Platform
Cloud Platform terminates SSL (TLS) at the load balancing layer: the load balancer presents your certificate and decrypts the connection, then forwards the request to the web servers behind it. Acquia also offers certain end-to-end encryption capabilities in Cloud Platform. For more information about end-to-end encryption, contact your Account Manager.
Roles and permissions for SSL management
Cloud Platform provides the following two permissions for managing SSL:
- Install or remove SSL certificates for the non-production environments
- Install or remove SSL certificates for the production environment
By default, users with the Administrator, Team Lead, and Senior Developer roles have the preceding permissions, and users with the Developer role do not. For more information, see roles and permissions.
SSL on Cloud Platform Professional
Using legacy SSL certificates for a Cloud Platform Professional subscription incurs an added charge. The charge is per Cloud Platform Professional codebase. For more details, see About Acquia billing.
SSL on Cloud Platform Enterprise
Cloud Platform Enterprise subscriptions incur no extra charge for SSL support. Acquia strongly suggests Cloud Platform Enterprise subscriptions use the standard model.