After you generate a Certificate Signing Request (CSR) for an environment, the next step for enabling SSL is to obtain an SSL certificate.
You can purchase SSL certificates from many vendors. Each vendor will have its own prices and purchase process, but all of them should accept the CSR that you generated and copied using the Cloud Platform interface and the procedure described in Generating a certificate signing request (CSR). Paste the encoded CSR into the vendor’s purchase form. You can use any type of SSL certificate with Cloud Platform, including single domain, multi-domain (Unified Communications Certificate (UCC)/Subject Alternative Name (SAN)), wildcard, extended validation, and even self-signed certificates. If your vendor requires you to specify the infrastructure type for the certificate, choose Nginx or, as a second choice, Apache. For more information about different types of SSL certificates, see Types of SSL Certificates.
Selecting a vendor
In general, certificates from reputable vendors will work properly on Cloud Platform.
Acquia is aware of the following issues:
Let’s Encrypt: Acquia does not support the one-click renewal feature from Let’s Encrypt, but the certificates are valid and will work if installed through the Cloud Platform interface. For more information, see Using Let’s Encrypt SSL on Cloud Platform.
Self-signed certificates: When viewing a website with a self-signed certificate lacking a trusted root certificate, the web browser will display Certificate Not Trusted warnings. For development purposes, you can add the self-signed certificate to your browser’s list of trusted certificates. For more information, see Creating a self-signed SSL certificate.
Certificate requirements
Be aware of the following requirements when you obtain your certificate:
The SHA-1 cryptographic hash algorithm is being deprecated. Therefore, ensure that the SSL certificate you purchase uses an SHA-2 signature. For more information, see SHA-1 SSL Certificates.
SSL certificates must be Base64 encoded. Cloud Platform will not install certificates without Base64 encoding.
SSL certificates must be compatible with either Nginx or Apache. Before you purchase a certificate, ensure to confirm with your vendor that your certificate files are in PEM format. To determine if the SSL files are in PEM format, verify that their extension is .pem, .crt, or .cert.
SSL certificates must not pin to the SSL certificate provided for
acquia-sites.comcertificate for default domain names, due to how Acquia-provided certificates may be renewed or altered at any time.
About SSL certificates and chain certificates
Your website’s SSL certificate is at the head of a chain of certificates that starts with your website and ends at a root certificate, issued by a trusted Certificate Authority, or CA. Every certificate indicates who it was issued by and who it was issued to, which enables web browsers to follow the chain to see if the certificates should be trusted.
Your SSL certificate vendor will provide you with an SSL certificate and may possibly also provide you with additional certificates, called Certificate Authority intermediate certificates or chain certificates. If your SSL certificate vendor is Thawte, click here to see the intermediate certificate. Intermediate/chain certificates are required as part of the installation process on Cloud Platform.
Some SSL certificate vendors might combine multiple certificates into a single certificate. Combined certificates of this nature are not extensively tested on Cloud Platform. Therefore, Acquia is not aware of any issues with these certificates on Cloud Platform.
Self-signed certificates
For some limited purposes, such as enabling IPv6 support without SSL, or testing SSL, you can create a self-signed SSL certificate to use with Cloud Platform. You can then upload this self-signed certificate instead of purchasing a certificate. For more information, see Creating a self-signed SSL certificate.
Important
Most web browsers will display a Certificate Not Trusted error message for self-signed certificates, because self-signed certificates are not generated by a certificate authority (CA).
Next step
After you receive an SSL certificate from your SSL certificate vendor, install it on your Cloud Platform environment(s). For additional information about how to do this, see Managing SSL certificates.