
Managing SSL certificates


Using the Acquia Cloud interface SSL page, you can perform several tasks to manage an environment’s SSL certificates and CSRs, including:

For information about using SSL on Acquia Cloud Site Factory subscriptions, see HTTPS (SSL) and Acquia Cloud Site Factory.

Installing an SSL certificate

Important

Acquia Cloud subscribers are limited to one SSL certificate per environment.

After you have obtained an SSL certificate for an environment (as described in Obtaining an SSL certificate), you can use the Acquia Cloud interface SSL page to install the certificate on an environment. Depending on whether you use a CSR you generated with the Acquia Cloud interface, or whether you obtained the certificate some other way, there are two methods to install an SSL certificate.

Note

By default, the following SSL private keys and files are stored in /mnt/gfs/site.env/ssl:

  • ca.crt
  • ssl.crt
  • ssl.csr
  • ssl.key

You may want to confirm the validity of your SSL certificate before you upload or try to activate it on Acquia Cloud. For help, see Verifying the validity of an SSL certificate.

Installing an SSL certificate based on an Acquia-generated CSR

To install an SSL certificate based on a CSR you generated with the Acquia Cloud interface:

  1. Sign in to Acquia Cloud as a user with the necessary permissions.

  2. Select your organization, application, and environment, and then, in the left menu, click SSL.

  3. On the SSL page, click the Install SSL certificate link for the CSR.

  4. On the Install new SSL certificate page, enter the following information about the certificate:

    • If you want the certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate. See Standard certificates and legacy certificates for a summary of some of the differences between standard SSL certificates and legacy SSL certificates.

    • Optionally, in the Label field, enter a label to help you identify the certificate in the Acquia Cloud interface. If you selected Install legacy SSL certificate, there is no label field, since you can only have a single legacy SSL certificate on an environment.

    • In the SSL certificate field, enter the SSL certificate in PEM format. Private key files must be unencrypted and non-password protected, or the certificate cannot be deployed. The certificate must look something like the following example, but much longer:

      -----BEGIN CERTIFICATE-----
      MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
      MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
      d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
      dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
      MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
      Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
      -----END CERTIFICATE-----
      
    • The Acquia Cloud interface fills the SSL private key field with the private key for the certificate in PEM format. Do not change this key.

    • If the certificate has any CA intermediate certificates, enter them in the CA intermediate certificates field in PEM format. You must enter CA intermediate certificates in the proper order.

  5. Click Install.

Installing an SSL certificate not based on an Acquia-generated CSR

To install an SSL certificate not based on an Acquia-generated CSR:

  1. Sign in to Acquia Cloud as a user with the necessary permissions.

  2. Select your organization, application, and environment, and then, in the left menu, click SSL.

  3. On the SSL page, click Install SSL Certificate.

  4. On the Install SSL certificate page, enter the following information about the certificate:

    • If you want the certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate.

    • In the Label field, enter a label to help you identify the certificate in the Acquia Cloud interface. If you selected Install legacy SSL certificate, there is no label field, since you can only have a single legacy SSL certificate on an environment.

    • In the SSL certificate field, enter the SSL certificate in PEM format. The certificate must look something like the following example, but much longer:

      -----BEGIN CERTIFICATE-----
      MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
      MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
      d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
      dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
      MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
      Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
      -----END CERTIFICATE-----
      
    • In the SSL private key field, enter the private key for this certificate in PEM format.

    • If the certificate has any CA intermediate certificates, enter them in the CA intermediate certificates field in PEM format. CA intermediate certificates must be entered in the proper order.

  5. Click Install.

Note

You must enter intermediate certificates in a single file, in the proper order, beginning with the intermediate certificate closest to your website’s certificate and ending with the intermediate certificate closest to the root certificate. The order must be the same as the order provided to you by your certificate vendor.
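
The constraints described above (an unencrypted private key, a key that belongs to the certificate, and intermediates ordered from the website's certificate toward the root) can be checked locally before anything is pasted into the form. The following shell functions are an added example, not Acquia tooling; they assume the OpenSSL command-line tool is installed and that the certificate, key, and intermediate bundle are local files whose names you pass as arguments.

```shell
#!/bin/sh
# Added example: pre-upload checks for the three PEM inputs on the install form.
# Usage (file names are the caller's own): sh check.sh ssl.crt ssl.key ca.crt

# True if the private key file is readable and not passphrase-protected.
key_is_unencrypted() {
    # PKCS#8 uses an ENCRYPTED label; the traditional format uses a Proc-Type header.
    [ -r "$1" ] && ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# True if the certificate carries the public key that belongs to the private key.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    from_key=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# True if the bundle ($2) runs from the issuer of the site certificate ($1)
# toward the root. Compares issuer/subject names only, not signatures.
chain_in_order() {
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$2"
    want=$(openssl x509 -in "$1" -noout -issuer_hash)
    i=1; rc=0
    while [ -f "$tmp/$i.pem" ]; do
        have=$(openssl x509 -in "$tmp/$i.pem" -noout -subject_hash)
        [ "$have" = "$want" ] || { rc=1; break; }
        want=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash)
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Run all three checks when called with certificate, key, and bundle paths.
if [ "$#" -eq 3 ]; then
    key_is_unencrypted "$2" || echo "private key is passphrase-protected or unreadable"
    cert_matches_key "$1" "$2" || echo "certificate and private key do not match"
    chain_in_order "$1" "$3" || echo "intermediates are out of order for this certificate"
fi
```

The chain check confirms ordering by name only; it does not replace the validity check referenced earlier on this page.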

Viewing an SSL certificate

After you have installed an SSL certificate on an environment, you can view it on the SSL page. The SSL certificates section lists all the installed certificates, their active status, and any associated CSR. Click View to see details about an SSL certificate, including:

  • The certificate’s label (the name you identified the certificate with when you installed it)
  • Whether the certificate is a legacy certificate
  • The certificate’s active status
  • The certificate’s expiration date
  • The domains associated with the certificate

Click Show to view the PEM encoded certificate, CA chain (CA intermediate certificates), or private key.

Activating an SSL certificate

After installing an SSL certificate on an environment, you must activate the certificate before it starts working with HTTPS requests to the environment. An environment can have only one active SSL certificate at a time. Activating a new certificate will deactivate all other certificates on the environment.

Note

  • You must activate Standard (SNI) certificates before use.
  • Legacy certificates installed on the Elastic Load Balancer (ELB) will instantly override the previous certificate on the ELB.
  • You can have a standard and a legacy certificate active at the same time. Activating a standard certificate will deactivate any other non-legacy certificates.

To activate an SSL certificate:

  1. On the SSL page, under SSL certificates, locate the certificate you want to activate and click Activate.

The SSL certificate activation takes less than five minutes, after which the SSL page will display the certificate’s active status.

Deactivating an SSL certificate

You can deactivate an active SSL certificate at any time. You must deactivate an active certificate before you can remove it.

To deactivate an SSL certificate:

  1. On the SSL page, under SSL certificates, locate the active certificate you want to deactivate and click Deactivate.

Removing an SSL certificate

You can delete an inactive SSL certificate from an environment at any time. Before you remove an active SSL certificate, you must first deactivate it.

Important

Removing certificates from Acquia Cloud is permanent, and will deprovision the Elastic Load Balancer (ELB) assigned to the subscription.

Before you remove a legacy certificate, ensure you point the DNS on all domains to your load balancers, as using CNAME to point DNS to the ELB can cause downtime for your environment.

To remove an SSL certificate, complete the following steps:

  1. Sign in to Acquia Cloud, and then go to the application you want to change.
  2. Select the environment from which you want to remove a certificate, and click SSL in the left menu.
  3. In the SSL certificates section, locate the certificate you want to remove, and then click its Remove link. Acquia Cloud displays a Remove certificate dialog box.
  4. Click Remove in the dialog box to permanently remove the certificate from Acquia Cloud.

Revoking a certificate

If you no longer want a removed SSL certificate to function, you must also revoke the old certificate to prevent an attacker’s website from masquerading as your own. Each SSL certificate vendor has different procedures to perform a certificate revocation. Ensure you follow the instructions your SSL certificate vendor provides. Here are the procedures for two common vendors:

Configuring DNS settings with legacy SSL

If you install a legacy SSL certificate, Acquia Cloud creates a new DNS domain name for your environment ending with elb.amazonaws.com. You then must configure your DNS settings to create a CNAME record pointing your environment’s domain name to the Acquia Cloud domain name. For example:

www.example.com CNAME 1234-4321.us-east-1.elb.amazonaws.com

The Acquia Cloud domain name is the name of your website’s Amazon Elastic Load Balancer (ELB) instance, and is listed in the Acquia Cloud interface Domain page for the environment. Do not use a DNS A Record to point to the underlying IP address of the ELB, since the IP address may change from time to time.

The ELB routes traffic to the Acquia Cloud load balancers for your Production environment. If your other environments (Dev and Stage) use the same load balancers, then the ELB and SSL certificate will work for those environments as well.