
Enabling SSL

Using SSL

SSL enables your web application to use the HTTPS secure web protocol to safely communicate with your users online. To use SSL, your environment must have an SSL certificate, which you must purchase from a Certificate Authority (CA) or SSL certificate vendor and upload to Acquia Cloud.


  • Acquia Cloud subscribers are limited to one SSL certificate per environment.
  • If you are an Acquia Cloud Free customer, SSL is not supported. Learn more about Acquia Cloud Free and how to upgrade your Acquia Cloud subscription.

Standard certificates and legacy certificates

Acquia Cloud offers two models for SSL support: the standard model and the legacy model.

The standard model (recommended) allows you to associate SSL certificates with any environment in your application, using the existing load balancer pair. The certificate is accessed by using a DNS A record.


Acquia supports newer versions of TLS. The acronyms TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are often used interchangeably. For consistency, Acquia’s documentation and the Acquia Cloud interface generally refer to SSL. For more information, see What’s the difference between SSL, TLS, and HTTPS?

The legacy model (indicated as legacy certificates in the Acquia Cloud interface) requires the use of an Elastic Load Balancer (ELB). The certificate must be accessed by using a DNS CNAME record.

Although both models are accepted, Acquia strongly recommends that you use the standard model with your certificates. Acquia Cloud Enterprise subscribers with multi-region servers are strongly encouraged to use the standard model.

It is possible, however, to have a standard and a legacy certificate installed in the same environment at the same time, provided that you complete the following items:

  • To use the legacy certificate, you will need to repoint the DNS settings for your domains to the provided CNAME.
  • To use the standard certificate, you will need to confirm that the DNS settings for your domain are pointed to your assigned IP address.
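
When both certificates are installed, the DNS record for each domain decides which one visitors reach. The check below is an added example, not Acquia's code: it reads `dig +noall +answer` style text and reports which model a domain currently selects. The assigned IP address, the legacy CNAME target and the sample answers are constructed values.

```python
# Added example: which certificate model does a domain's DNS currently select?
# Input is text in `dig +noall +answer` format. Every name and address here is
# constructed (documentation ranges), not taken from Acquia Cloud.

ASSIGNED_IP = "203.0.113.10"            # assumption: the environment's assigned IP
LEGACY_CNAME = "legacy-lb.example.net"  # assumption: the provided legacy CNAME

SAMPLE_STANDARD = "example.com.      300 IN A     203.0.113.10\n"
SAMPLE_LEGACY = (
    "www.example.com.  300 IN CNAME legacy-lb.example.net.\n"
    "legacy-lb.example.net. 60 IN A 198.51.100.7\n"
)


def parse_answers(text):
    """Return (owner, type, rdata) tuples from dig-style answer lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # blank line, comment, or truncated record
        owner, rtype, rdata = fields[0], fields[3], fields[4]
        records.append((owner.rstrip(".").lower(), rtype.upper(),
                        rdata.rstrip(".").lower()))
    return records


def classify(domain, answer_text, assigned_ip=ASSIGNED_IP, legacy_cname=LEGACY_CNAME):
    """Return 'standard', 'legacy', 'mismatch' or 'unresolved' for one domain."""
    domain = domain.rstrip(".").lower()
    own = [r for r in parse_answers(answer_text) if r[0] == domain]
    cnames = [rdata for _, rtype, rdata in own if rtype == "CNAME"]
    addresses = [rdata for _, rtype, rdata in own if rtype == "A"]
    if cnames:
        # A CNAME on the name itself decides the route; A records further
        # down the chain belong to the load balancer, not to the domain.
        return "legacy" if cnames[0] == legacy_cname.rstrip(".").lower() else "mismatch"
    if addresses:
        return "standard" if set(addresses) == {assigned_ip} else "mismatch"
    return "unresolved"


if __name__ == "__main__":
    print(classify("example.com", SAMPLE_STANDARD))
    print(classify("www.example.com", SAMPLE_LEGACY))
```

A result of mismatch means the domain points somewhere other than the assigned IP address or the provided CNAME, so neither installed certificate will be served for it.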

If you have a legacy certificate (which works with the ELB) you can separately add the new certificate, and then update to the Elastic IP address (EIP) as necessary.

If an Acquia-managed SSL certificate is installed directly on an application’s load balancers and the self-service SSL facility is used to activate a certificate, the newly activated certificate will then take priority.


If you use Akamai and upgrade your application from a legacy certificate to a standard certificate, you must contact Akamai to inform them that your application’s certificate is now based on SNI. If you do not inform Akamai of the change, Akamai will not work with your application.

Differences in support for the standard and legacy models

  • Standard: Support for bare domains (for example, rather than ). This is possible because the load balancer has an Elastic IP address (EIP).
    Legacy: No support for bare domains without additional configuration and services, since the load balancer is addressed by CNAME, rather than by IP address.
  • Standard: Install certificate on any environment.
    Legacy: Install certificate only on Production environment on Acquia Cloud Enterprise; one certificate can cover all environments on Acquia Cloud Professional.
  • Standard: Install any number of certificates on any environment (only one certificate can be active at any time).
    Legacy: Install only one certificate; installing a new certificate overwrites the previous one.
  • Standard: Not supported by some very old browsers.
    Legacy: Supported by old and new browsers.
  • Standard: Does not use ELBs and uses active/passive load balancers in HA configuration.
    Legacy: Uses ELBs in an HA configuration, which offer round-robin load balancers, instead of active/passive load balancers.
  • Standard: Load balancer requests have a 600 second timeout.
    Legacy: All requests through an ELB have a 60 second timeout.
  • Standard: Allows activation or deactivation of installed certificates.
    Legacy: Supports only one certificate, which is activated during installation; to revert to a previous certificate, subscribers will need to maintain copies of certificates and associated keys.

Roles and permissions for SSL management

Acquia Cloud provides these two permissions for managing SSL:

  • Add or remove SSL certificates for the non-production environments
  • Add or remove SSL certificates for the production environment

By default, users with the Administrator, Team Lead, and Senior Developer roles have these permissions, and users with the Developer role do not. Learn more about roles and permissions.


Do not email your SSL certificate or attach your SSL certificate to a support ticket. Instead, if you need to transmit a certificate to Acquia other than by using the Acquia Cloud interface, contact Acquia support and we will advise you how to upload your SSL certificate and private key securely.

SSL on Acquia Cloud Professional

There is an additional charge for using legacy SSL certificates for an Acquia Cloud Professional subscription — the charge is per Acquia Cloud Professional codebase. You can use a multi-domain SSL certificate, however, and will be charged only for one certificate. If you pay for Acquia Cloud Professional using purchase orders, contact your salesperson to get SSL configured. For more details, see About billing.

SSL on Acquia Cloud Enterprise

There is no extra charge for Acquia Cloud Enterprise subscriptions. Acquia strongly suggests that these subscriptions use the standard model.

SSL on Acquia Cloud Enterprise should generally be self service. However, some subscriber configurations may require additional assistance:

  • Subscribers who have a Premium, Enterprise, or Elite subscription. These subscribers can still purchase a certificate through Acquia, but we will not install certificates provided by subscribers.
  • Subscribers who have a certificate purchased through Acquia which needs to be updated until the subscriber renews.

If you are a subscriber in one of these categories, contact Acquia support.