After you generate a Certificate Signing Request (CSR) for an environment, the next step in enabling SSL is to obtain an SSL certificate.
You can purchase SSL certificates from many vendors. Each vendor will have its own prices and purchase process, but all of them should accept the CSR that you generated and copied using the Acquia Cloud interface and the procedure described in Generating a Certificate Signing Request (CSR). Paste the encoded CSR into the vendor’s purchase form. You can use any type of SSL certificate with Acquia Cloud, including single domain, multidomain (Unified Communications Certificate (UCC) /Subject Alternative Name (SAN)), wildcard, extended validation, and even self-signed certificates. If your vendor requires you to specify the server type for the certificate, choose nginx or, as a second choice, Apache.
Be aware of the following requirements when you obtain your certificate:
- The SHA-1 cryptographic hash algorithm is being deprecated. You should ensure that the SSL certificate you purchase uses an SHA-2 signature. For more information, see Deprecation of SHA-1 for SSL certificates.
- SSL certificates must be Base64 encoded. Acquia Cloud will not install certificates without Base64 encoding.
Selecting a certificate vendor
Based on the experience of Acquia Cloud customers, some certificate vendors appear to produce invalid CA intermediate files that prevent SSL from working on Acquia Cloud. The following SSL certificate vendors have reliably produced valid SSL certificates that work on Acquia Cloud:
- Starfield Technologies
- Comodo (Be especially sure to locate and upload any intermediate certificates.)
The following SSL certificate vendors have produced valid SSL certificates in most cases, but in some cases have produced SSL certificates that failed to work on Acquia Cloud:
Certificates purchased from CloudFlare have the additional step of requiring intermediaries to be added to the CA intermediate certificates field when installing the certificate. For additional information, see What are the root certificate authorities (CAs) used with Cloudflare Origin CA?.
Network Solutions SSL certificates have never yet worked on Acquia Cloud and should be avoided.
About SSL certificates and chain certificates
Your website's SSL certificate is at the head of a chain of certificates that starts with your website and ends at a root certificate, issued by a trusted Certificate Authority, or CA. Every certificate indicates who it was issued by and who it was issued to, which enables web browsers to follow the chain to see if the certificates should be trusted.
Your SSL certificate vendor will provide you with an SSL certificate and may possibly also provide you with additional certificates, called Certificate Authority intermediate certificates or chain certificates. If your SSL certificate vendor is Thawte, click here to see the intermediate certificate. If your SSL certificate depends on one or more Certificate Authority intermediate certificates, you need to install them on your Acquia Cloud environment along with the SSL certificate.
Some SSL certificate vendors can combine multiple certificates into a single certificate. Combined certificates of this nature have not been extensively tested on the Acquia Cloud platform, but Acquia is not aware of any issues with these certificates on our platform.
For some limited purposes, such as enabling IPv6 support without SSL, or testing SSL, you can create a self-signed SSL certificate to use with Acquia Cloud. You can then upload this self-signed certificate instead of purchasing a certificate. For more information, see How to create a self-signed SSL certificate on Acquia Cloud.
After you receive an SSL certificate from your SSL certificate vendor, install it on your Acquia Cloud environment. See Managing SSL certificates for information about how to do this.