Creating a self-signed SSL certificate

You might want to create a self-signed SSL certificate for an Acquia Cloud application to test the application with SSL on Acquia Cloud before you purchase an SSL certificate. You might also use a self-signed SSL certificate if you are using a network that supports IPv6: to support IPv6 on Acquia Cloud, you need an Elastic Load Balancer (ELB), which requires you to supply an SSL certificate to work with Acquia Cloud.

Enable SSL

To install an SSL certificate, you need to enable SSL support for an environment. This feature is not available to Acquia Cloud Free users.

Creating SSL certificates

To create a self-signed SSL certificate, you will create both a root certificate and a site certificate.

Create a root certificate

  1. Create a private key for your root certificate. Connect to your environment with SSH and use a command like this:

    openssl genrsa -out root-CA.key 2048

  2. Next, enter a command like this to self-sign the certificate:

    openssl req -x509 -new -nodes -key root-CA.key -days 1024 -out root-CA.pem

  3. You should see a result that looks like the following text. Enter the values that are appropriate to your site, system, and location.

    You are about to be asked to enter information that will be
    incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Oregon
    Locality Name (eg, city) []:Portland
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Name (Root CA)
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:www.mysite.com
    Email Address []:[email protected]

The root certificate is created in the same directory, with the name root-CA.pem; its key is created with the name root-CA.key.

Create the site certificate

Next, create the site's certificate.

  1. Create the private key:

    openssl genrsa -out site-key.pem 2048

  2. Generate the certificate signing request (CSR):

    openssl req -new -key site-key.pem -out site-csr.csr

  3. You will see prompts similar to those shown when you created the root certificate. Use the same values as you did for the root certificate except for the Organization Name. For the Organization Name, use a different value, such as My Name (Site CA).

     You will also see the following questions:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

  4. Enter a command like this to sign the CSR with the root key and output in PEM format with the .pem extension.

    openssl x509 -req -in site-csr.csr -CA root-CA.pem -CAkey root-CA.key -CAcreateserial -out site-crt.pem -days 500

The site certificate CSR is created in the same directory, with the name site-csr.csr; the site certificate is created with the name site-crt.pem, and its key is created with the name site-key.pem.
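
Before uploading, it is worth confirming that the site certificate chains to the root, that site-key.pem is the key it was issued for, and that it is not about to expire. The script below is an added example, not part of Acquia's documentation: it repeats the commands above without prompts in a scratch directory (the -subj values are this page's sample answers) and then runs those checks; the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example (not Acquia's code): rebuild the certificates from the steps
# above without prompts, then check the bundle before uploading it.
# The -subj values are the page's sample answers; adjust them for your site.

make_certs() {  # $1 = directory to write the files into
  local d=$1 dn="/C=US/ST=Oregon/L=Portland"
  openssl genrsa -out "$d/root-CA.key" 2048 2>/dev/null &&
  openssl req -x509 -new -nodes -key "$d/root-CA.key" -days 1024 \
    -subj "$dn/O=My Name (Root CA)/CN=www.mysite.com" -out "$d/root-CA.pem" &&
  openssl genrsa -out "$d/site-key.pem" 2048 2>/dev/null &&
  openssl req -new -key "$d/site-key.pem" \
    -subj "$dn/O=My Name (Site CA)/CN=www.mysite.com" -out "$d/site-csr.csr" &&
  openssl x509 -req -in "$d/site-csr.csr" -CA "$d/root-CA.pem" \
    -CAkey "$d/root-CA.key" -CAcreateserial -days 500 \
    -out "$d/site-crt.pem" 2>/dev/null
}

# Digest of the public key held in a certificate / derived from a private key.
cert_pub() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256; }

# True when private key $2 belongs to certificate $1.
key_matches() { [ "$(cert_pub "$1")" = "$(key_pub "$2")" ]; }

# True when certificate $2 verifies against root $1 (signature and dates).
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# True when certificate $1 is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

check_bundle() {  # $1 = directory holding the files created above
  chain_ok "$1/root-CA.pem" "$1/site-crt.pem" ||
    { echo "chain does not verify"; return 1; }
  key_matches "$1/site-crt.pem" "$1/site-key.pem" ||
    { echo "key/cert mismatch"; return 1; }
  valid_for_days "$1/site-crt.pem" 30 ||
    { echo "expires within 30 days"; return 1; }
  echo "bundle OK"
}

work=$(mktemp -d)   # scratch directory so real files are not overwritten
make_certs "$work" && check_bundle "$work"
```

To check files you already created by hand, call check_bundle with the directory that holds root-CA.pem, site-crt.pem and site-key.pem.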

Install your certificates

Next, install the root certificate and site certificate, as described in Installing an SSL certificate not based on an Acquia-generated CSR. As you install the certificates, select Install legacy SSL certificate to instruct Acquia Cloud to provision an ELB for the environment.

After the Install SSL certificate task in Acquia Cloud is completed, an ELB will be provisioned for the environment. Visit the SSL page to verify that the certificate has been installed, and visit the Servers page for the environment to find the domain address that your CNAME record needs to point to. The domain address will end with elb.amazonaws.com.

For more information about configuring your DNS settings, see Configuring DNS settings with legacy SSL.
