# Managing SSL certificates¶

Using SSL

Using the Acquia Cloud interface SSL page, you can perform several tasks to manage an environment’s SSL certificates and CSRs, including:

## Installing an SSL certificate¶

Important

Acquia Cloud customers are limited to one SSL certificate per environment.

After you have obtained an SSL certificate for an environment (as described in Obtaining an SSL certificate) you can use the Acquia Cloud interface SSL page to install the certificate on an environment. There are two ways to install an SSL certificate, depending on whether you used a CSR you generated with the Acquia Cloud interface or whether you obtained the certificate some other way.

Note

By default, the following SSL private keys and files are stored in /mnt/gfs/site.env/ssl:

• ca.crt
• ssl.crt
• ssl.csr
• ssl.key

At this time, you may want to verify the validity of your SSL certificate before you upload or attempt to activate it on Acquia Cloud. For assistance, see Verifying the validity of an SSL certificate.

### Installing an SSL certificate based on a CSR you generated with the Acquia Cloud Interface¶

To install an SSL certificate that is based on a CSR you generated with the Acquia Cloud interface:

1. Sign in to the Acquia Cloud interface as a user with the necessary permissions.

2. Select your organization, application, and environment, and then, in the left menu, click SSL.

3. On the SSL page, click the Install SSL certificate link for the CSR.

4. On the Install new SSL certificate page, enter the following information about the certificate:

• If you want this certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate. See Standard certificates and legacy certificates for a summary of some of the differences between standard SSL certificates and legacy SSL certificates.

• Optionally, in the Label field, enter a label that will help you identify this certificate in the Acquia Cloud interface. If you selected Install legacy SSL certificate, there is no label field, since you can only have a single legacy SSL certificate on an environment.

• In the SSL certificate field, enter the SSL certificate in PEM format. Private key files must be unencrypted and non-password protected, or the certificate cannot be deployed. The certificate should look something like this, but much longer:

-----BEGIN CERTIFICATE-----
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----

• The Acquia Cloud interface fills the SSL private key field with the private key for this certificate in PEM format. Do not modify this key.

• If the certificate has any CA intermediate certificates, enter them in the CA intermediate certificates field in PEM format. CA intermediate certificates must be entered in the proper order.

5. Click Install.

### Installing an SSL certificate not based on an Acquia-generated CSR¶

To install an SSL certificate that is not based on an Acquia-generated CSR:

1. Sign in to the Acquia Cloud interface as a user with the necessary permissions.

2. Select your organization, application, and environment, and then, in the left menu, click SSL.

3. On the SSL page, click Install SSL Certificate.

4. On the Install SSL certificate page, enter the following information about the certificate:

• If you want this certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate.

• In the Label field, enter a label that will help you identify this certificate in the Acquia Cloud interface. If you selected Install legacy SSL certificate, there is no label field, since you can only have a single legacy SSL certificate on an environment.

• In the SSL certificate field, enter the SSL certificate in PEM format. The certificate should look something like this, but much longer:

-----BEGIN CERTIFICATE-----
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----

• In the SSL private key field, enter the private key for this certificate in PEM format.

• If the certificate has any CA intermediate certificates, enter them in the CA intermediate certificates field in PEM format. CA intermediate certificates must be entered in the proper order.

5. Click Install.

Note

Intermediate certificates need to be entered in a single file, in the proper order, beginning with the intermediate certificate closest to your website’s certificate and ending with the intermediate certificate closest to the root certificate. This should be the same as the order that they were provided to you by your certificate vendor.

## Viewing an SSL certificate¶

After you have installed an SSL certificate on an environment, you can view it on the SSL page. The SSL certificates section lists all the installed certificates, their active status, and any associated CSR. Click View to see details about an SSL certificate, including:

• The certificate’s label (the name you identified it with when you installed it)
• Whether the certificate is a legacy certificate
• The certificate’s active status
• The certificate’s expiration date
• The domains associated with the certificate

Click Show to view the PEM encoded certificate, CA chain (CA intermediate certificates), or private key.

## Activating an SSL certificate¶

After you have installed an SSL certificate on an environment, you must activate it before it starts working with HTTPS requests to the environment. An environment can have only one active SSL certificate at a time. Activating a new certificate will deactivate all other certificates on the environment.

To activate an SSL certificate:

Note

• Standard (SNI) certificates must be activated before use.
• Legacy certificates installed on the Elastic Load Balancer (ELB) will immediately override the previous certificate on the ELB.
• It is possible to have a standard and a legacy certificate active at the same time. Activating a standard certificate will deactivate any other non-legacy certificates.
1. On the SSL page, under SSL certificates, locate the certificate you want to activate and click Activate.

2. In the Activate certificate dialog, enter your Acquia account password to confirm, and then click Activate.

The SSL certificate activation should take less than five minutes, after which the SSL webpage will display the certificate’s active status.

### Deactivating an SSL certificate¶

You can deactivate an active SSL certificate at any time. You must deactivate an active certificate before you can remove it.

To deactivate an SSL certificate:

1. On the SSL page, under SSL certificates, locate the active certificate you want to deactivate and click Deactivate.
2. In the Deactivate certificate dialog, enter your Acquia account password to confirm, and then click Deactivate.

## Removing an SSL certificate¶

You can delete an inactive SSL certificate from an environment at any time. Before you remove an active SSL certificate, you must first deactivate it.

Important

Removing certificates from Acquia Cloud is permanent, and will deprovision the Elastic Load Balancer (ELB) assigned to the subscription.

Before you remove a legacy certificate, be sure to point the DNS on all domains to your load balancers, as using CNAME to point DNS to the ELB can cause downtime for your environment.

To remove an SSL certificate, complete the following steps:

1. Sign in to the Acquia Cloud interface, and then go to the application you want to modify.
2. Select the environment from which you want to remove a certificate, and click SSL in the left menu.
3. In the SSL certificates section, locate the certificate that you want to remove, and then click its Remove link. Acquia Cloud displays a Remove certificate dialog box.
4. In the available field, enter your Acquia account password to confirm the deletion of the certificate.
5. Click Remove in the dialog box to permanently remove the certificate from Acquia Cloud.

### Revoking a certificate¶

If you no longer want a removed SSL certificate to function, you should also revoke the old certificate to prevent an attacker’s website from masquerading as your own. Each SSL certificate vendor has different procedures to perform an certificate revocation. Please follow the instructions your SSL certificate vendor provides. Here are the procedures for two common vendors:

## Configuring DNS settings with legacy SSL¶

If you install a legacy SSL certificate, Acquia Cloud creates a new DNS domain name for your environment that ends with elb.amazonaws.com. You then need to configure your DNS settings to create a CNAME record pointing your environment’s domain name to the Acquia Cloud domain name. For example:

www.example.com CNAME 1234-4321.us-east-1.elb.amazonaws.com


This Acquia Cloud domain name is the name of your website’s Amazon Elastic Load Balancer (ELB) instance and is listed in the Acquia Cloud interface Domain page for the environment. Don’t use a DNS A Record to point to the underlying IP address of the ELB, since the IP address may change from time to time.

The ELB routes traffic to the Acquia Cloud load balancers for your Production environment. If your other environments (Dev and Stage) use the same load balancers, then the ELB and SSL certificate will work for those environments as well.

Still need assistance? Contact Acquia Support