Managing SSL certificates

Using SSL

On the Acquia Cloud interface's SSL page, you can perform several tasks to manage an environment's SSL certificates and CSRs, including:

Installing an SSL certificate

After you have obtained an SSL certificate for an environment (as described in Obtaining an SSL certificate) you can use the Acquia Cloud interface's SSL page to install the certificate on an environment. There are two ways to install an SSL certificate, depending on whether you used a CSR you generated with the Acquia Cloud interface or whether you obtained the certificate some other way.

Installing an SSL certificate based on a CSR you generated with the Acquia Cloud interface

To install an SSL certificate that is based on a CSR you generated with the Acquia Cloud interface:

  1. Sign in to the Acquia Cloud interface as a user with the necessary permissions.
  2. Select your organization, application, and environment, and then, in the left menu, click SSL.
  3. On the SSL page, under Certificate signing requests, click the Install link for the CSR.

  4. On the Install new SSL certificate page, enter the following information about the certificate:
    • If you want this certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate. See Standard certificates and legacy certificates for a summary of some of the differences between standard SSL certificates and legacy SSL certificates.
    • Optionally, in the Label field, enter a label that will help you identify this certificate in the Acquia Cloud interface. If you selected Install legacy SSL certificate, there is no label field, since you can only have a single legacy SSL certificate on an environment.
    • In the SSL certificate field, enter the SSL certificate in PEM format. Private key files must be unencrypted and non-password protected, or the certificate cannot be deployed. The certificate should look something like this, but much longer:

      -----BEGIN CERTIFICATE-----
      MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
      MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
      d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
      dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
      MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
      Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
      -----END CERTIFICATE-----
    • The Acquia Cloud interface fills the SSL private key field with the private key for this certificate in PEM format. Do not modify this key.
    • If the certificate has any CA intermediate certificates, enter them in the CA intermediate certificates field in PEM format. CA intermediate certificates must be entered in the proper order.
  5. Click Install.

Installing an SSL certificate not based on an Acquia-generated CSR

To install an SSL certificate that is not based on an Acquia-generated CSR:

  1. Sign in to the Acquia Cloud interface as a user with the necessary permissions.
  2. Select your organization, application, and environment, and then, in the left menu, click SSL.
  3. On the SSL page, click Install SSL Certificate.

  4. On the Install new SSL certificate page, enter the following information about the certificate:
    • If you want this certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate.
    • Optionally, in the Label field, enter a label that will help you identify this certificate in the Acquia Cloud interface. If you selected Install legacy SSL certificate, there is no label field, since you can only have a single legacy SSL certificate on an environment.
    • In the SSL certificate field, enter the SSL certificate in PEM format. The certificate should look something like this, but much longer:

      -----BEGIN CERTIFICATE-----
      MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
      MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
      d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
      dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
      MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
      Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
      -----END CERTIFICATE-----
    • In the SSL private key field, enter the private key for this certificate in PEM format.
    • If the certificate has any CA intermediate certificates, enter them in the CA intermediate certificates field in PEM format. CA intermediate certificates must be entered in the proper order.
  5. Click Install.
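
A pre-flight check for the three PEM fields described in both installation procedures above, as an added example that is not Acquia's code: it confirms that each field holds the expected PEM block types and that the private key is not encrypted or password protected. The function names and the constructed placeholder blocks from `sample_pem` are assumptions for illustration; the check is structural only and does not verify that the key matches the certificate or that the intermediates are in the proper order.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

def pem_blocks(text):
    """Return [(label, 'Name: value' headers, der_or_None)] for every PEM block."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]
        try:
            der = base64.b64decode("".join(ln for ln in lines if ":" not in ln), validate=True)
        except ValueError:
            der = None  # damaged or truncated base64
        blocks.append((label, headers, der))
    return blocks

def is_encrypted(label, headers):
    """PKCS#8 encrypted label, or legacy OpenSSL encryption headers."""
    return label == "ENCRYPTED PRIVATE KEY" or any(
        h.startswith(("Proc-Type: 4,ENCRYPTED", "DEK-Info:")) for h in headers)

def preflight(cert_field, key_field, chain_field=""):
    """Return a list of problems found in the three form fields (empty = OK)."""
    problems = []
    certs, keys, chain = pem_blocks(cert_field), pem_blocks(key_field), pem_blocks(chain_field)
    if [b[0] for b in certs] != ["CERTIFICATE"]:
        problems.append("certificate field must hold exactly one CERTIFICATE block")
    if len(keys) != 1:
        problems.append("private key field must hold exactly one PEM block")
    if any(b[0] != "CERTIFICATE" for b in chain):
        problems.append("intermediates field must hold only CERTIFICATE blocks")
    for label, headers, _ in keys:
        if is_encrypted(label, headers):
            problems.append("private key is encrypted or password protected")
        elif label not in KEY_LABELS:
            problems.append("not a private key block: " + label)
    plain = certs + chain + [k for k in keys if not is_encrypted(k[0], k[1])]
    for label, _, der in plain:
        # Unencrypted DER certificates and keys start with an ASN.1 SEQUENCE (0x30).
        if not der or der[0] != 0x30:
            problems.append(label + " block is not base64-encoded DER")
    return problems

def sample_pem(label, headers=""):
    """Constructed placeholder block for the demo; not a real certificate or key."""
    body = base64.b64encode(b"\x30\x20" + bytes(32)).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"
```

An empty list from `preflight(cert, key, chain)` means the fields are structurally ready to paste into the form.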

Viewing an SSL certificate

After you have installed an SSL certificate on an environment, you can view it on the SSL page. The SSL certificates section lists all the installed certificates, their active status, and any associated CSR. Click View to see details about an SSL certificate, including:

  • The certificate's label (the name you identified it with when you installed it)
  • Whether the certificate is a legacy certificate
  • The certificate's active status
  • The certificate's expiration date
  • The domains associated with the certificate

Click Show to view the PEM encoded certificate, CA chain (CA intermediate certificates), or private key.

Activating an SSL certificate

After you have installed an SSL certificate on an environment, you must activate it before it starts working with HTTPS requests to the environment. An environment can have only one active SSL certificate at a time. Activating a new certificate will deactivate all other certificates on the environment.

To activate an SSL certificate:

  1. On the SSL page, under SSL certificates, locate the certificate you want to activate and click Activate.
  2. In the Activate certificate dialog, enter your Acquia account password to confirm, and then click Activate.

The SSL certificate activation should take less than five minutes, after which the SSL page will display the certificate's active status.

Deactivating an SSL certificate

You can deactivate an active SSL certificate at any time. You must deactivate an active certificate before you can remove it.

To deactivate an SSL certificate:

  1. On the SSL page, under SSL certificates, locate the active certificate you want to deactivate and click Deactivate.
  2. In the Deactivate certificate dialog, enter your Acquia account password to confirm, and then click Deactivate.

Removing an SSL certificate

You can delete an inactive SSL certificate from an environment at any time. Before you remove an active SSL certificate, you must first deactivate it.

To remove an SSL certificate, complete the following steps:

  1. Sign in to the Acquia Cloud interface, and then go to the application you want to modify.
  2. Select the environment from which you want to remove a certificate, and click SSL in the left menu.
  3. In the SSL certificates section, locate the certificate that you want to remove, and then click its Remove link.
    Acquia Cloud displays a Remove certificate dialog box.
  4. In the available field, enter your Acquia account password to confirm the deletion of the certificate.
  5. Click Remove in the dialog box to permanently remove the certificate from Acquia Cloud.

Revoking a certificate

If you no longer want a removed SSL certificate to function, you should also revoke the old certificate to prevent an attacker’s website from masquerading as your own. Each SSL certificate vendor has different procedures for performing a certificate revocation. Please follow the instructions your SSL certificate vendor provides. Here are the procedures for two common vendors:

Configuring DNS settings with legacy SSL

If you install a legacy SSL certificate, Acquia Cloud creates a new DNS domain name for your environment that ends with elb.amazonaws.com. You then need to configure your DNS settings to create a CNAME record pointing your environment's domain name to the Acquia Cloud domain name. For example:

www.example.com CNAME 1234-4321.us-east-1.elb.amazonaws.com

This Acquia Cloud domain name is the name of your website's Amazon Elastic Load Balancer (ELB) instance and is listed in the Acquia Cloud interface Domain page for the environment. Don't use a DNS A Record to point to the underlying IP address of the ELB, since the IP address may change from time to time.

The ELB routes traffic to the Acquia Cloud load balancers for your Production environment. If your other environments (Dev and Stage) use the same load balancers, then the ELB and SSL certificate will work for those environments as well.
