Cloud Platform
SSL on Cloud Platform
SSL enables your application to use the HTTPS secure web protocol to securely communicate with your users online. To use SSL, your environment(s) must have an SSL certificate installed and activated. The certificate must include coverage for your necessary domains. You must also purchase an SSL certificate from a Certificate Authority (CA) or SSL certificate vendor, and upload it to Cloud Platform. Acquia is not a CA or SSL certificate vendor.
The acronyms TLS (Transport Layer Security) and SSL (Secure Socket Layer) are often used interchangeably. For consistency, Acquia documentation and the Cloud Platform user interface generally refer to SSL. For more information, see What’s the difference between SSL, TLS, and HTTPS?. Acquia supports newer versions of TLS.
Implementing an SSL certificate is considered a best practice:
For more information about managing domains on Cloud Platform, see Managing domains.
Cloud Platform offers the following models for SSL support:
The standard model (recommended) allows you to install SSL certificates to any environment in your application by using the existing load balancer pair associated with your application. To access a standard certificate, use a DNS A record/IP address. To find the IP address associated with your application, see Viewing your IP address or CNAME.
The legacy model (indicated as legacy/ELB certificates in the Cloud Platform user interface) requires the use of an Elastic Load Balancer (ELB). To access a legacy/ELB certificate, use a DNS CNAME record. For example:
www.example.com CNAME 1234-4321.us-east-1.elb.amazonaws.com
The Cloud Platform domain name is the name of your website’s Elastic Load Balancer (ELB) instance, and is listed in the Cloud Platform interface Domain page for the environment. Do not use a DNS A Record to point to the underlying IP address of the ELB, as the IP address may change from time to time.
If you are not sure which option is suitable for your application, create a Support ticket.
Cloud Platform terminates SSL requests at the load balancing layer. Acquia also offers certain end-to-end encryption capabilities in Cloud Platform. For more information about end-to-end encryption, contact your Account Manager.
Cloud Platform provides the following two permissions for managing SSL:
By default, users with the Administrator, Team Lead, and Senior Developer roles have the preceding permissions, and users with the Developer role do not. For more information, see roles and permissions.
Using legacy SSL certificates for a Cloud Platform Professional subscription incurs an added charge. The charge is per Cloud Platform Professional codebase. For more details, see About Acquia billing.
Cloud Platform Enterprise subscriptions incur no extra charge for SSL support. Acquia strongly suggests Cloud Platform Enterprise subscriptions use the standard model.
Cloud Platform*.acquia-sites.com. If you use custom domains, you must install and activate a certificate that covers the custom domain.The ELB routes traffic to the Cloud Platform load balancers for your Production environment. If your other environments (Dev and Stage) use the same load balancers, then the ELB and SSL certificate will work for those environments as well.
Although both models are accepted, Acquia strongly recommends using the standard model with your SSL certificates.
| Install only one certificate—installing a new certificate overwrites the previous one. |
| Not supported by some old browsers. | Supported by old and new browsers. |
| Does not support IPv6. | Supports IPv6. For more information, see Using IPv6 IP addresses. |
| Does not use ELBs and uses active/passive load balancers in a high availablity configuration. | Uses ELBs in a high availablity configuration, which offer round-robin load balancers, instead of active/passive load balancers. |
| Load balancer requests have a 600-second timeout. | All requests through an ELB have a 705-second timeout. Subscribers still experiencing 60-second timeouts can file a Support ticket. |
| Allows activation or deactivation of installed certificates. | Supports only one certificate, activated during installation; to revert to a previous certificate, subscribers must maintain copies of certificates and associated keys. |
To install a standard and a legacy certificate in the same environment at the same time, see How do I cover multiple domains with SSL certificates.
Acquia provides a default SSL certificate that only covers your application’s default Acquia domains (*.acquia-sites.com). If a custom SSL certificate is installed on your application, it will overwrite the default certificate for your domains.
If this content did not answer your questions, try searching or contacting our support team for further assistance.
The ELB routes traffic to the Cloud Platform load balancers for your Production environment. If your other environments (Dev and Stage) use the same load balancers, then the ELB and SSL certificate will work for those environments as well.
Although both models are accepted, Acquia strongly recommends using the standard model with your SSL certificates.
| Install only one certificate—installing a new certificate overwrites the previous one. |
| Not supported by some old browsers. | Supported by old and new browsers. |
| Does not support IPv6. | Supports IPv6. For more information, see Using IPv6 IP addresses. |
| Does not use ELBs and uses active/passive load balancers in a high availablity configuration. | Uses ELBs in a high availablity configuration, which offer round-robin load balancers, instead of active/passive load balancers. |
| Load balancer requests have a 600-second timeout. | All requests through an ELB have a 705-second timeout. Subscribers still experiencing 60-second timeouts can file a Support ticket. |
| Allows activation or deactivation of installed certificates. | Supports only one certificate, activated during installation; to revert to a previous certificate, subscribers must maintain copies of certificates and associated keys. |
To install a standard and a legacy certificate in the same environment at the same time, see How do I cover multiple domains with SSL certificates.
Acquia provides a default SSL certificate that only covers your application’s default Acquia domains (*.acquia-sites.com). If a custom SSL certificate is installed on your application, it will overwrite the default certificate for your domains.
If this content did not answer your questions, try searching or contacting our support team for further assistance.