Information for: DEVELOPERS   PARTNERS

Enabling SSL

SSL enables your web application to use the HTTPS secure web protocol to securely communicate with your users online. To use SSL, your environment must have an SSL certificate, which you must purchase from a Certificate Authority (CA) or SSL certificate vendor and upload to Acquia Cloud.


  • Acquia Cloud subscribers are limited to one SSL certificate per environment.
  • If you are an Acquia Cloud Free customer, SSL is not supported. Learn more about Acquia Cloud Free, and how to upgrade your Acquia Cloud subscription.
Learn more about enabling SSL by visiting the Acquia Academy (sign-in required) for the Managing Your SSL Certificate video tutorial.

Standard certificates and legacy certificates

Acquia Cloud offers two models for SSL support: the standard model and the legacy model.

The standard model (recommended) allows you to associate SSL certificates with any environment in your application, using the existing load balancer pair. To access the certificate, use a DNS A record.


Acquia supports newer versions of TLS. The acronyms TLS (Transport Layer Security) and SSL (Secure Socket Layer) are often used interchangeably. For consistency, Acquia’s documentation and the Acquia Cloud interface generally refer to SSL. For more information, see What’s the difference between SSL, TLS, and HTTPS?.

The legacy model (indicated as legacy certificates in the Acquia Cloud interface) requires the use of an Elastic Load Balancer (ELB). The certificate must be accessed by using a DNS CNAME record.

Although both models are accepted, Acquia strongly recommends you use the standard model with your certificates. Acquia Cloud Enterprise subscribers with multi-region servers are strongly encouraged to use the standard model.

To install a standard and a legacy certificate in the same environment at the same time, you must complete the following steps:

  • To use the legacy certificate, you must repoint the DNS settings for your domains to the provided CNAME.
  • To use the standard certificate, you must confirm the DNS settings for your domain point to your assigned IP address.

If you have a legacy certificate (which works with the ELB) you can separately install the new certificate, and then update to the Elastic IP address (EIP) as necessary.

If an Acquia-managed SSL certificate is installed directly on an application’s load balancers and the self-service SSL facility is used to activate a certificate, the newly activated certificate will then take priority.


If you use Akamai and upgrade your application from a legacy certificate to a standard certificate, you must contact Akamai to inform them your application’s certificate is now based on SNI. Not informing Akamai of the change will cause Akamai to not work with your application.

Differences in support for the standard and legacy models

Standard Legacy
Support for bare domains (for example, rather than This is possible because the load balancer has Elastic IP address (EIP) No support for bare domains without added configuration and services, since the load balancer is addressed by CNAME, rather than by IP address
Install certificate on any environment Install certificate only on Production environment on Acquia Cloud Enterprise; one certificate can cover all environments on Acquia Cloud Professional
Install any number of certificates on any environment (only one certificate can be active at any time) Install only one certificate—installing a new certificate overwrites the previous one
Not supported by some old browsers Supported by old and new browsers
Does not use ELBs and uses active/passive load balancers in HA configuration Uses ELBs in an HA configuration, which offer round-robin load balancers, instead of active/passive load balancers
Load balancer requests have a 600-second timeout All requests through an ELB have a 705-second timeout. Subscribers still experiencing 60-second timeouts can file a Support ticket
Allows activation or deactivation of installed certificates Supports only one certificate, activated during installation; to revert to a previous certificate, subscribers must maintain copies of certificates and associated keys

SSL termination on Acquia Cloud

Acquia Cloud terminates SSL requests at the load balancing layer. Acquia also offers certain end-to-end encryption capabilities within Acquia Cloud. For more information about end-to-end encryption, contact your Account Manager.

Roles and permissions for SSL management

Acquia Cloud provides the following two permissions for managing SSL:

  • Install or remove SSL certificates for the non-production environments
  • Install or remove SSL certificates for the production environment

By default, users with the Administrator, Team Lead, and Senior Developer roles have the preceding permissions, and users with the Developer role do not. Learn more about roles and permissions.


Do not email your SSL certificate or attach your SSL certificate to a support ticket. Instead, if you must send a certificate to Acquia other than by using the Acquia Cloud interface, contact Acquia Support, and we will advise you how to upload your SSL certificate and private key securely.

SSL on Acquia Cloud Professional

Using legacy SSL certificates for an Acquia Cloud Professional subscription incurs an added charge—the charge is per Acquia Cloud Professional codebase. You can use a multi-domain SSL certificate, and incur charges only for one certificate. If you pay for Acquia Cloud Professional using purchase orders, contact your salesperson about SSL configuration. For more details, see About billing.

SSL on Acquia Cloud Enterprise

Acquia Cloud Enterprise subscriptions incur no extra charge. Acquia strongly suggests Acquia Cloud Enterprise subscriptions use the standard model.