
Obtaining an SSL certificate


After you generate a Certificate Signing Request (CSR) for an environment, the next step for enabling SSL is to obtain an SSL certificate.

You can purchase SSL certificates from many vendors. Each vendor will have its own prices and purchase process, but all of them should accept the CSR that you generated and copied using the Acquia Cloud interface and the procedure described in Generating a certificate signing request (CSR). Paste the encoded CSR into the vendor’s purchase form. You can use any type of SSL certificate with Acquia Cloud, including single domain, multi-domain (Unified Communications Certificate (UCC)/Subject Alternative Name (SAN)), wildcard, extended validation, and even self-signed certificates. If your vendor requires you to specify the server type for the certificate, choose nginx or, as a second choice, Apache.

Selecting a vendor

In general, certificates from reputable vendors will work properly on Acquia Cloud. In some cases, you may need to locate and upload intermediate certificates, depending on your vendor and the architecture of your application.

Acquia is aware of the following issues:

  • Let’s Encrypt – Acquia does not support the one-click renewal feature from Let’s Encrypt, but the certificates are valid and will work if installed through the Acquia Cloud interface.
  • No Elliptic Curve (EC) format support – Acquia Cloud does not support the Elliptic Curve Diffie Hellman format for certificates.
  • Self-signed certificates – When viewing a website with a self-signed certificate lacking a trusted root certificate, the web browser will display Certificate Not Trusted warnings. For development purposes, you can add the self-signed certificate to your browser’s list of trusted certificates.

Certificate requirements

Be aware of the following requirements when you obtain your certificate:

  • The SHA-1 cryptographic hash algorithm is being deprecated. Ensure that the SSL certificate you purchase is signed with a SHA-2 algorithm (for example, SHA-256). For more information, see Deprecation of SHA-1 for SSL certificates.
  • SSL certificates must be Base64 encoded. Acquia Cloud will not install certificates without Base64 encoding.
  • SSL certificates must be compatible with either nginx or Apache. Before you purchase a certificate, be sure to confirm with your vendor that your certificate files are in a compatible format.
  • SSL certificates must not pin to the *.acquia-sites.com certificate that is provided by Acquia, because Acquia-provided certificates may be renewed or altered at any time.

About SSL certificates and chain certificates

Your website’s SSL certificate is at the head of a chain of certificates that starts with your website and ends at a root certificate, issued by a trusted Certificate Authority, or CA. Every certificate indicates who it was issued by and who it was issued to, which enables web browsers to follow the chain to see if the certificates should be trusted.

Your SSL certificate vendor will provide you with an SSL certificate and may also provide you with additional certificates, called Certificate Authority intermediate certificates or chain certificates. If your SSL certificate vendor is Thawte, obtain the intermediate certificate from Thawte's website. If your SSL certificate depends on one or more Certificate Authority intermediate certificates, you need to install them on your Acquia Cloud environment along with the SSL certificate.

Some SSL certificate vendors can combine multiple certificates into a single certificate. Combined certificates of this nature have not been extensively tested on the Acquia Cloud platform, but Acquia is not aware of any issues with these certificates on our platform.
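The following script is an added example, not Acquia's tooling, that checks a certificate file against the requirements listed above (Base64/PEM encoding, SHA-2 signature, no Elliptic Curve key) and confirms that a candidate intermediate certificate is the next link in the chain (its subject matches the leaf's issuer). It assumes the openssl command-line tool is installed; the file names are placeholders.

```shell
#!/bin/sh
# Added example: pre-upload checks for an SSL certificate and its chain.
# Assumes the openssl CLI; cert file paths are supplied by the caller.

# Print the signature algorithm, e.g. sha256WithRSAEncryption or sha1WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Print the public key algorithm, e.g. rsaEncryption or id-ecPublicKey.
cert_key_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1
}

# Return 0 when the leaf's issuer name equals the candidate intermediate's subject
# name, i.e. the intermediate is the next certificate in the chain.
chain_links() {
    leaf_issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | cut -d= -f2-)
    int_subject=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 | cut -d= -f2-)
    [ "$leaf_issuer" = "$int_subject" ]
}

# Apply the page's requirements: PEM (Base64) encoding, SHA-2 signature, no EC key.
# Prints one line per failed check and returns 1 if any check failed.
check_cert_requirements() {
    rc=0
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo "FAIL: $1 is not Base64/PEM encoded (no BEGIN CERTIFICATE header)"
        return 1
    fi
    sig=$(cert_sig_alg "$1")
    case "$sig" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) ;;
        *) echo "FAIL: signature algorithm is not SHA-2: $sig"; rc=1 ;;
    esac
    key=$(cert_key_alg "$1")
    case "$key" in
        rsaEncryption) ;;
        id-ecPublicKey) echo "FAIL: Elliptic Curve keys are not supported"; rc=1 ;;
        *) echo "FAIL: unexpected public key algorithm: $key"; rc=1 ;;
    esac
    return $rc
}
```

Run `check_cert_requirements site.pem` on the vendor's certificate and `chain_links site.pem intermediate.pem` on each intermediate before uploading; a full trust-path check is `openssl verify -untrusted intermediate.pem site.pem`.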

Self-signed certificates

For some limited purposes, such as enabling IPv6 support without SSL, or testing SSL, you can create a self-signed SSL certificate to use with Acquia Cloud. You can then upload this self-signed certificate instead of purchasing a certificate. For more information, see Creating a self-signed SSL certificate.

Important

Most web browsers will display a Certificate Not Trusted error message for self-signed certificates, because self-signed certificates are not generated by a certificate authority (CA).

Next step

After you receive an SSL certificate from your SSL certificate vendor, install it on your Acquia Cloud environment. For additional information about how to do this, see Managing SSL certificates.