Information for: DEVELOPERS   PARTNERS

Enabling SSL

SSL enables your web application to use the HTTPS secure web protocol to securely communicate with your users online. To use SSL, your environment must have an SSL certificate, which you must purchase from a Certificate Authority (CA) or SSL certificate vendor and upload to Cloud Platform.

Important

  • Cloud Platform and Site Factory subscribers can activate more than one SSL certificate per environment. Support for multiple active certificates is not available on Clould Platform Professional.
  • If you are a Cloud Platform Free customer, SSL is not supported. Learn more about Cloud Platform Free, and how to upgrade your Cloud Platform Free subscription.
Learn more about enabling SSL by visiting the Acquia Academy (sign-in required) for the Managing Your SSL Certificate video tutorial.

Standard certificates and legacy certificates

Cloud Platform offers two models for SSL support: the standard model and the legacy model.

The standard model (recommended) allows you to associate SSL certificates with any environment in your application, using the existing load balancer pair. To access the certificate, use a DNS A record.

Note

Acquia supports newer versions of TLS. The acronyms TLS (Transport Layer Security) and SSL (Secure Socket Layer) are often used interchangeably. For consistency, Acquia’s documentation and the Cloud Platform interface generally refer to SSL. For more information, see What’s the difference between SSL, TLS, and HTTPS?.

The legacy model (indicated as legacy certificates in the Cloud Platform interface) requires the use of an Elastic Load Balancer (ELB). The certificate must be accessed by using a DNS CNAME record.

Although both models are accepted, Acquia strongly recommends you use the standard model with your certificates. Cloud Platform Enterprise subscribers with multi-region servers are strongly encouraged to use the standard model.

Note

Legacy SSL certificates aren’t supported on Site Factory environments.

To install a standard and a legacy certificate in the same environment at the same time, you must complete the following steps:

  • To use the legacy certificate, you must repoint the DNS settings for your domains to the provided CNAME.
  • To use the standard certificate, you must confirm the DNS settings for your domain point to your assigned IP address.

If you have a legacy certificate (which works with the ELB) you can separately install the new certificate, and then update to the Elastic IP address (EIP) as necessary.

If an Acquia-managed SSL certificate is installed directly on an application’s load balancers and the self-service SSL facility is used to activate a certificate, the newly activated certificate will then take priority.

Note

If you use Akamai and upgrade your application from a legacy certificate to a standard certificate, you must contact Akamai to inform them your application’s certificate is now based on SNI. Not informing Akamai of the change will cause Akamai to not work with your application.

Differences in support for the standard and legacy models

Standard Legacy
Support for bare domains (for example, example.com rather than www.example.com). This is possible because the load balancer has Elastic IP address (EIP) No support for bare domains without added configuration and services, since the load balancer is addressed by CNAME, rather than by IP address
Install certificate on any environment Install certificate only on Production environment on Cloud Platform Enterprise; one certificate can cover all environments on Cloud Platform Professional
Install any number of certificates on any environment (multiple certificates can be active at any time) Install only one certificate—installing a new certificate overwrites the previous one
Not supported by some old browsers Supported by old and new browsers
Does not use ELBs and uses active/passive load balancers in HA configuration Uses ELBs in an HA configuration, which offer round-robin load balancers, instead of active/passive load balancers
Load balancer requests have a 600-second timeout All requests through an ELB have a 705-second timeout. Subscribers still experiencing 60-second timeouts can file a Support ticket
Allows activation or deactivation of installed certificates Supports only one certificate, activated during installation; to revert to a previous certificate, subscribers must maintain copies of certificates and associated keys

SSL termination on Cloud Platform

Cloud Platform terminates SSL requests at the load balancing layer. Acquia also offers certain end-to-end encryption capabilities within Cloud Platform. For more information about end-to-end encryption, contact your Account Manager.

Roles and permissions for SSL management

Cloud Platform provides the following two permissions for managing SSL:

  • Install or remove SSL certificates for the non-production environments
  • Install or remove SSL certificates for the production environment

By default, users with the Administrator, Team Lead, and Senior Developer roles have the preceding permissions, and users with the Developer role do not. Learn more about roles and permissions.

Important

Do not email your SSL certificate or attach your SSL certificate to a support ticket. Instead, if you must send a certificate to Acquia other than by using the Cloud Platform interface, contact Acquia Support, and we will advise you how to upload your SSL certificate and private key securely.

SSL on Cloud Platform Professional

Using legacy SSL certificates for a Cloud Platform Professional subscription incurs an added charge. The charge is per Cloud Platform Professional codebase. For more details, see About Acquia billing.

SSL on Cloud Platform Enterprise

Cloud Platform Enterprise subscriptions incur no extra charge. Acquia strongly suggests Cloud Platform Enterprise subscriptions use the standard model.