Managing SSL certificates

Pre-installation checklist and validation

Before you install an SSL certificate, verify that your files meet the following platform requirements:

Certificate chain requirements:
Cloud Platform requires the full certificate chain to establish trust, particularly for applications behind a CDN.
- Upload in two parts: The installation form has separate fields. Paste your Server (Leaf) Certificate in the SSL Certificate field. Paste your Intermediate Chain (and, if provided by your CA, the Root) in the CA intermediate certificates field.
- Chain Order: The CA intermediate certificates field must contain the chain in descending order: Leaf → Intermediate(s) → Root (or nearest-to-root).
- CDN "Bridge" Certificates: Platform CDN serves the certificate you upload on Cloud Platform. Make sure your intermediate chain is present and in the proper order.
Private key requirements
- Format: The private key must be PEM-formatted and unencrypted and not password-protected.
- Key Size (Platform CDN): If you use Cloud Platform CDN, your certificate must be created with a 2048-bit RSA private key. 4096-bit keys are not supported in Platform CDN.
- Validation: The private key must mathematically match the certificate. You can verify this through the OpenSSL commands to compare their public key hashes:
```
openssl pkey -pubout -in private.key | openssl sha256 
openssl x509 -pubkey -in certificate.crt -noout | openssl sha256
```
  If the output hashes match, the pair is valid.

Troubleshooting common errors

Error Message	Common cause and resolution
`The supplied private key is invalid`	Size Mismatch (Platform CDN): You might use a 4096-bit key on a CDN-enabled environment. Regenerate a 2048-bit key. Encryption: The key is password-protected. Decrypt it through the command: `openssl rsa -in enc.key -out unenc.key` Mismatch: The key does not match the certificate.
`Certificate chain incomplete`	Missing Intermediates: You must upload the intermediate certificates in the CA intermediate certificates field. Incorrect Order: Ensure the chain ends with the Root certificate or the intermediate closest to Root.
`New certificate not appearing`	CDN Caching/Selection: When using Platform CDN, an older valid certificate may still be served. Deactivate the older certificate in the user interface to force the update.

Activating SSL for new domains

A certificate only secures the domains listed in its Common Name (CN) or Subject Alternative Name (SAN). When you map a new domain to an environment, you must upload and activate a certificate that covers that domain.

Map the new domain in the Cloud Platform user interface.
Install a certificate that covers the new domain through SAN or Wildcard.
Activate the certificate on the SSL page.

Note

Multiple active certificates are supported on most environments apart from Cloud Platform Professional and Node.js. Acquia serves the newest activated certificate that covers the domain. If an exact-match and a wildcard cover the domain, the exact match takes precedence.

Installing an SSL certificate

After obtaining an SSL certificate for an environment, as described in Obtaining an SSL certificate, you can use the SSL page in the Cloud Platform user interface to install the certificate on an environment. Depending on whether you use a CSR generated through the Cloud Platform user interface or obtain the certificate through some other way, you can use the following methods to install an SSL certificate:

Installing an SSL certificate based on an Acquia-generated CSR
Installing an SSL certificate not based on an Acquia-generated CSR

To renew or replace an SSL certificate, see Renewing or replacing an SSL certificate.

You may want to confirm the validity of your SSL certificate before you upload or try to activate the certificate on Cloud Platform. For more information, see Verifying the validity of an SSL certificate.

Installing an SSL certificate based on an Acquia-generated CSR

To install an SSL certificate based on an Acquia-generated CSR, you can follow one of these methods based on the type of your SSL certificate:

Legacy certificates

Note

A legacy certificate cannot be installed by using a non-legacy certificate signing request.

To install a legacy SSL certificate based on an Acquia-generated CSR:

Sign in to the Cloud Platform user interface as a user with the necessary permissions.
Select your organization, application, and environment, and then, in the left menu, click SSL.
On the SSL tab, click Install next to the CSR that you generated.
Copy the value populated in the SSL private key field and paste it in a text editor.
Click Cancel.
Click Install SSL certificate.
On the Install SSL certificate page, enter the following information about the certificate:
- If you want the certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate.
  - Installing a new certificate as the legacy certificate overwrites the certificate currently active on ELB as there can only be one legacy/ELB certificate in place at a time. For a summary of differences between standard and legacy SSL certificates, see Standard certificates.
  - The legacy method is unavailable in Site Factory and non-production environments.
- (Optional) In Label, enter a label to help you identify the certificate. If you selected Install legacy SSL certificate, the system does not display the Label field since you can only have a single legacy SSL certificate on an environment.
- In SSL Certificate, enter the SSL certificate in the PEM format. The certificate must look something like the following example, but much longer:
```
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----
```

Important

Cloud Platform supports the use of multiple active certificates on each environment. Acquia doesn’t recommend having more than 10 active certificates per environment at a time. This feature isn’t available on Cloud Platform Professional environments or Node.js applications. Also, this feature isn’t compatible with certificate pinning features provided by some CDN providers.

After installing an SSL certificate on an environment, you must activate the certificate before it starts working with HTTPS requests to the environment.

To activate an SSL certificate, on the SSL page (under SSL certificates) locate the certificate you want to activate, and then click Activate to confirm. The activation will take a few minutes to complete.

Note

You must activate Standard (SNI) certificates before use.
Legacy certificates installed on the Elastic Load Balancer (ELB) will instantly override the previous certificate on the ELB.
You can have a single ELB/legacy certificate and one or more standard certificates active at the same time.
Site Factory customers who are using this interface for the first time to replace certificates previously installed by Acquia must ensure that any newly installed self-service certificate covers all of the domains previously covered by the Acquia-installed certificate.

When multiple certificates are set to active, HTTPS requests for any given domain on your environment will be served using the newest activated certificate which includes that domain. If multiple certificates are active and cover the same domain, one with an exact match and one with a wildcard match, your environment will serve the certificate with the exact match, even if the wildcard certificate was installed more recently. If no matching certificates are found, your environment will default to using any default or custom certificate installed on that environment by Acquia.

Deactivating an SSL certificate

You can deactivate an active SSL certificate at any time. If you are planning to remove an SSL certificate, Acquia recommends to first deactivate the certificate and then remove it.

To deactivate an SSL certificate, on the SSL page (under SSL certificates), locate the active certificate you want to deactivate, and then click Deactivate.

Removing an SSL certificate

To avoid potential impact to your site(s), it is a best practice to keep your current certificate in place before removing it if you are replacing it with a new certificate.

You can delete a non-legacy SSL certificate in the Cloud Platform user interface at any time. Before doing so, you must deactivate the certificate itself.

Important

Removing certificates from Cloud Platform is a permanent action that can’t be undone. Acquia recommends you save any necessary SSL files locally before deleting them in the Cloud Platform user interface.

To remove a legacy/ELB SSL certificate, you must create a Support ticket. Removing a legacy SSL certificate includes permanently removing your ELB as well. This means that if you would like to install another legacy SSL certificate in the future, you would need to point your domains to a new ELB CNAME address.

Note

Before Acquia can remove a legacy SSL certificate, all your domains must be pointed away from the ELB CNAME.

To remove a non-legacy SSL certificate:

Sign in to the Cloud Platform user interface.
Go to the application you want to change.
Select the environment from which you want to remove a certificate, and click SSL in the left menu.
In the SSL certificates section, locate the certificate you want to remove, and then click its Remove link. Cloud Platform displays a Remove certificate dialog box
Click Remove in the dialog box to permanently remove the certificate from Cloud Platform.

Revoking a certificate

If you need to delete or deactivate a valid SSL certificate, you must revoke that certificate to prevent an attacker’s website masquerading as your own. Acquia recommends that you deactivate or delete any revoked or expired certificates from all environments. Leaving a revoked certificate active in any environment may result in downtime for your application.

Each SSL certificate vendor has different procedures to perform a certificate revocation. Ensure you follow the instructions your SSL certificate vendor provides. Here are the procedures for two common vendors:

Verisign: Revoke an ECA Certificate
Digicert: EV SSL Certificate Revocation Requests

Renewing or replacing an SSL certificate

If you need to replace an SSL certificate that is expiring, you do not need to delete or remove your existing certificate(s). There are two options you can take to replace your SSL certificate: The first is to install an updated certificate that includes new information, such as additional domains/ organizational changes, etc. This option includes the same steps as if you were installing a brand new certificate. If this applies to you, follow the instructions on installing a certificate here.

The other option is to install a renewed version of your existing certificate that just has a new expiration date. If there is no change to the details of the certificate itself besides the expiry date, you may not need to generate a new CSR. To install the updated version of the same certificate, follow these steps:

To upload a new SSL certificate to a Cloud Platform subscription that already has an active SSL certificate:

Sign in to the Cloud Platform user interface as a user with the required permissions.
Select your organization, application, and environment.
In the left menu, click SSL.
Generate a new certificate signing request if there are any changes in your new SSL certificate, such as adding or removing domains.
If the CSR that was used to originally obtain your certificate is available and you generated your CSR using the Cloud Platform user interface:
- On the SSL page, in the Certificate signing requests section, click Install to navigate to the installation form and have the private key prepopulated in its respective field.
  If you have questions on this step, see Generate private key in CSR for the CSR you used to obtain the SSL certificate you want to install.
If you don’t see the CSR that was used to originally obtain your certificate:
- In the Certificate signing requests section, click View next to the preexisting certificate in the SSL certificates section to find the corresponding private key, as shown in the following screens:
Copy the private key to a local text editor before navigating to the installation form by clicking the Install SSL certificate button on your SSL page. Cloud Platform stores both the certificate signing request file (ssl.csr) and the private key (ssl.key) in the Cloud API.
Install the updated or renewed certificate.
Activate the updated or renewed certificate.

Rekeying an SSL certificate

Rekeying an SSL certificate is the process of replacing the existing private key associated with a currently valid SSL/TLS certificate. After a new private key is generated, the new key is used to generate a new Certificate Signing Request (CSR). You can send the CSR to the Certificate Authority (CA) to get a new certificate. The new certificate retains the same domain name and validity period but is secured by the new, stronger key pair.

This critical security and maintenance process involves the following primary steps:

Generate a new private key and CSR
Submit the CSR to the Certificate Authority (CA)

Generating a new private key and CSR

The first step in rekeying your SSL certificate is to create a new private key and a Certificate Signing Request (CSR). The CSR contains information about your domain and organization that the Certificate Authority (CA) uses to reissue your certificate. Based on your web server software like Apache, Nginx, or IIS, you can generate a new Private Key and CSR. For example,

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

Submitting the CSR to the Certificate Authority

After you have your new CSR, you must submit it to the CA that issued your original certificate. The process varies by CA, but typically you must log in to your account on the CA's website and access the option to reissue or replace your certificate. When prompted, paste the contents of your CSR into the appropriate field. The CA verifies that the CSR is associated with the same domain as the existing certificate and uses the new public key from the CSR to issue a brand new SSL certificate. You can download this new certificate and install it on your server, replacing the old one. Post installation, you must test your installation.

Pre-installation checklist and validation

Before you install an SSL certificate, verify that your files meet the following platform requirements:

Certificate chain requirements:
Cloud Platform requires the full certificate chain to establish trust, particularly for applications behind a CDN.
- Upload in two parts: The installation form has separate fields. Paste your Server (Leaf) Certificate in the SSL Certificate field. Paste your Intermediate Chain (and, if provided by your CA, the Root) in the CA intermediate certificates field.
- Chain Order: The CA intermediate certificates field must contain the chain in descending order: Leaf → Intermediate(s) → Root (or nearest-to-root).
- CDN "Bridge" Certificates: Platform CDN serves the certificate you upload on Cloud Platform. Make sure your intermediate chain is present and in the proper order.
Private key requirements
- Format: The private key must be PEM-formatted and unencrypted and not password-protected.
- Key Size (Platform CDN): If you use Cloud Platform CDN, your certificate must be created with a 2048-bit RSA private key. 4096-bit keys are not supported in Platform CDN.
- Validation: The private key must mathematically match the certificate. You can verify this through the OpenSSL commands to compare their public key hashes:
```
openssl pkey -pubout -in private.key | openssl sha256 
openssl x509 -pubkey -in certificate.crt -noout | openssl sha256
```
  If the output hashes match, the pair is valid.

Troubleshooting common errors

Error Message	Common cause and resolution
`The supplied private key is invalid`	Size Mismatch (Platform CDN): You might use a 4096-bit key on a CDN-enabled environment. Regenerate a 2048-bit key. Encryption: The key is password-protected. Decrypt it through the command: `openssl rsa -in enc.key -out unenc.key` Mismatch: The key does not match the certificate.
`Certificate chain incomplete`	Missing Intermediates: You must upload the intermediate certificates in the CA intermediate certificates field. Incorrect Order: Ensure the chain ends with the Root certificate or the intermediate closest to Root.
`New certificate not appearing`	CDN Caching/Selection: When using Platform CDN, an older valid certificate may still be served. Deactivate the older certificate in the user interface to force the update.

Activating SSL for new domains

Map the new domain in the Cloud Platform user interface.
Install a certificate that covers the new domain through SAN or Wildcard.
Activate the certificate on the SSL page.

Note

Installing an SSL certificate

Installing an SSL certificate based on an Acquia-generated CSR
Installing an SSL certificate not based on an Acquia-generated CSR

To renew or replace an SSL certificate, see Renewing or replacing an SSL certificate.

Installing an SSL certificate based on an Acquia-generated CSR

To install an SSL certificate based on an Acquia-generated CSR, you can follow one of these methods based on the type of your SSL certificate:

Legacy certificates

Note

A legacy certificate cannot be installed by using a non-legacy certificate signing request.

To install a legacy SSL certificate based on an Acquia-generated CSR:

Sign in to the Cloud Platform user interface as a user with the necessary permissions.
Select your organization, application, and environment, and then, in the left menu, click SSL.
On the SSL tab, click Install next to the CSR that you generated.
Copy the value populated in the SSL private key field and paste it in a text editor.
Click Cancel.
Click Install SSL certificate.
On the Install SSL certificate page, enter the following information about the certificate:
- If you want the certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate.
  - Installing a new certificate as the legacy certificate overwrites the certificate currently active on ELB as there can only be one legacy/ELB certificate in place at a time. For a summary of differences between standard and legacy SSL certificates, see Standard certificates.
  - The legacy method is unavailable in Site Factory and non-production environments.
- (Optional) In Label, enter a label to help you identify the certificate. If you selected Install legacy SSL certificate, the system does not display the Label field since you can only have a single legacy SSL certificate on an environment.
- In SSL Certificate, enter the SSL certificate in the PEM format. The certificate must look something like the following example, but much longer:
```
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----
```

Important

After installing an SSL certificate on an environment, you must activate the certificate before it starts working with HTTPS requests to the environment.

Note

You must activate Standard (SNI) certificates before use.
Legacy certificates installed on the Elastic Load Balancer (ELB) will instantly override the previous certificate on the ELB.
You can have a single ELB/legacy certificate and one or more standard certificates active at the same time.
Site Factory customers who are using this interface for the first time to replace certificates previously installed by Acquia must ensure that any newly installed self-service certificate covers all of the domains previously covered by the Acquia-installed certificate.

Deactivating an SSL certificate

You can deactivate an active SSL certificate at any time. If you are planning to remove an SSL certificate, Acquia recommends to first deactivate the certificate and then remove it.

To deactivate an SSL certificate, on the SSL page (under SSL certificates), locate the active certificate you want to deactivate, and then click Deactivate.

Removing an SSL certificate

To avoid potential impact to your site(s), it is a best practice to keep your current certificate in place before removing it if you are replacing it with a new certificate.

You can delete a non-legacy SSL certificate in the Cloud Platform user interface at any time. Before doing so, you must deactivate the certificate itself.

Important

Note

Before Acquia can remove a legacy SSL certificate, all your domains must be pointed away from the ELB CNAME.

To remove a non-legacy SSL certificate:

Sign in to the Cloud Platform user interface.
Go to the application you want to change.
Select the environment from which you want to remove a certificate, and click SSL in the left menu.
In the SSL certificates section, locate the certificate you want to remove, and then click its Remove link. Cloud Platform displays a Remove certificate dialog box
Click Remove in the dialog box to permanently remove the certificate from Cloud Platform.

Revoking a certificate

Verisign: Revoke an ECA Certificate
Digicert: EV SSL Certificate Revocation Requests

Renewing or replacing an SSL certificate

To upload a new SSL certificate to a Cloud Platform subscription that already has an active SSL certificate:

Sign in to the Cloud Platform user interface as a user with the required permissions.
Select your organization, application, and environment.
In the left menu, click SSL.
Generate a new certificate signing request if there are any changes in your new SSL certificate, such as adding or removing domains.
If the CSR that was used to originally obtain your certificate is available and you generated your CSR using the Cloud Platform user interface:
- On the SSL page, in the Certificate signing requests section, click Install to navigate to the installation form and have the private key prepopulated in its respective field.
  If you have questions on this step, see Generate private key in CSR for the CSR you used to obtain the SSL certificate you want to install.
If you don’t see the CSR that was used to originally obtain your certificate:
- In the Certificate signing requests section, click View next to the preexisting certificate in the SSL certificates section to find the corresponding private key, as shown in the following screens:
Copy the private key to a local text editor before navigating to the installation form by clicking the Install SSL certificate button on your SSL page. Cloud Platform stores both the certificate signing request file (ssl.csr) and the private key (ssl.key) in the Cloud API.
Install the updated or renewed certificate.
Activate the updated or renewed certificate.

Rekeying an SSL certificate

This critical security and maintenance process involves the following primary steps:

Generate a new private key and CSR
Submit the CSR to the Certificate Authority (CA)

Generating a new private key and CSR

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

Submitting the CSR to the Certificate Authority

Pre-installation checklist and validation

Before you install an SSL certificate, verify that your files meet the following platform requirements:

Certificate chain requirements:
Cloud Platform requires the full certificate chain to establish trust, particularly for applications behind a CDN.
- Upload in two parts: The installation form has separate fields. Paste your Server (Leaf) Certificate in the SSL Certificate field. Paste your Intermediate Chain (and, if provided by your CA, the Root) in the CA intermediate certificates field.
- Chain Order: The CA intermediate certificates field must contain the chain in descending order: Leaf → Intermediate(s) → Root (or nearest-to-root).
- CDN "Bridge" Certificates: Platform CDN serves the certificate you upload on Cloud Platform. Make sure your intermediate chain is present and in the proper order.
Private key requirements
- Format: The private key must be PEM-formatted and unencrypted and not password-protected.
- Key Size (Platform CDN): If you use Cloud Platform CDN, your certificate must be created with a 2048-bit RSA private key. 4096-bit keys are not supported in Platform CDN.
- Validation: The private key must mathematically match the certificate. You can verify this through the OpenSSL commands to compare their public key hashes:
```
openssl pkey -pubout -in private.key | openssl sha256 
openssl x509 -pubkey -in certificate.crt -noout | openssl sha256
```
  If the output hashes match, the pair is valid.

Troubleshooting common errors

Error Message	Common cause and resolution
`The supplied private key is invalid`	Size Mismatch (Platform CDN): You might use a 4096-bit key on a CDN-enabled environment. Regenerate a 2048-bit key. Encryption: The key is password-protected. Decrypt it through the command: `openssl rsa -in enc.key -out unenc.key` Mismatch: The key does not match the certificate.
`Certificate chain incomplete`	Missing Intermediates: You must upload the intermediate certificates in the CA intermediate certificates field. Incorrect Order: Ensure the chain ends with the Root certificate or the intermediate closest to Root.
`New certificate not appearing`	CDN Caching/Selection: When using Platform CDN, an older valid certificate may still be served. Deactivate the older certificate in the user interface to force the update.

Activating SSL for new domains

Map the new domain in the Cloud Platform user interface.
Install a certificate that covers the new domain through SAN or Wildcard.
Activate the certificate on the SSL page.

Note

Installing an SSL certificate

Installing an SSL certificate based on an Acquia-generated CSR
Installing an SSL certificate not based on an Acquia-generated CSR

To renew or replace an SSL certificate, see Renewing or replacing an SSL certificate.

Installing an SSL certificate based on an Acquia-generated CSR

To install an SSL certificate based on an Acquia-generated CSR, you can follow one of these methods based on the type of your SSL certificate:

Legacy certificates

Note

A legacy certificate cannot be installed by using a non-legacy certificate signing request.

To install a legacy SSL certificate based on an Acquia-generated CSR:

Sign in to the Cloud Platform user interface as a user with the necessary permissions.
Select your organization, application, and environment, and then, in the left menu, click SSL.
On the SSL tab, click Install next to the CSR that you generated.
Copy the value populated in the SSL private key field and paste it in a text editor.
Click Cancel.
Click Install SSL certificate.
On the Install SSL certificate page, enter the following information about the certificate:
- If you want the certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate.
  - Installing a new certificate as the legacy certificate overwrites the certificate currently active on ELB as there can only be one legacy/ELB certificate in place at a time. For a summary of differences between standard and legacy SSL certificates, see Standard certificates.
  - The legacy method is unavailable in Site Factory and non-production environments.
- (Optional) In Label, enter a label to help you identify the certificate. If you selected Install legacy SSL certificate, the system does not display the Label field since you can only have a single legacy SSL certificate on an environment.
- In SSL Certificate, enter the SSL certificate in the PEM format. The certificate must look something like the following example, but much longer:
```
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----
```

Important

After installing an SSL certificate on an environment, you must activate the certificate before it starts working with HTTPS requests to the environment.

Note

You must activate Standard (SNI) certificates before use.
Legacy certificates installed on the Elastic Load Balancer (ELB) will instantly override the previous certificate on the ELB.
You can have a single ELB/legacy certificate and one or more standard certificates active at the same time.
Site Factory customers who are using this interface for the first time to replace certificates previously installed by Acquia must ensure that any newly installed self-service certificate covers all of the domains previously covered by the Acquia-installed certificate.

Deactivating an SSL certificate

You can deactivate an active SSL certificate at any time. If you are planning to remove an SSL certificate, Acquia recommends to first deactivate the certificate and then remove it.

To deactivate an SSL certificate, on the SSL page (under SSL certificates), locate the active certificate you want to deactivate, and then click Deactivate.

Removing an SSL certificate

To avoid potential impact to your site(s), it is a best practice to keep your current certificate in place before removing it if you are replacing it with a new certificate.

You can delete a non-legacy SSL certificate in the Cloud Platform user interface at any time. Before doing so, you must deactivate the certificate itself.

Important

Note

Before Acquia can remove a legacy SSL certificate, all your domains must be pointed away from the ELB CNAME.

To remove a non-legacy SSL certificate:

Sign in to the Cloud Platform user interface.
Go to the application you want to change.
Select the environment from which you want to remove a certificate, and click SSL in the left menu.
In the SSL certificates section, locate the certificate you want to remove, and then click its Remove link. Cloud Platform displays a Remove certificate dialog box
Click Remove in the dialog box to permanently remove the certificate from Cloud Platform.

Revoking a certificate

Verisign: Revoke an ECA Certificate
Digicert: EV SSL Certificate Revocation Requests

Renewing or replacing an SSL certificate

To upload a new SSL certificate to a Cloud Platform subscription that already has an active SSL certificate:

Sign in to the Cloud Platform user interface as a user with the required permissions.
Select your organization, application, and environment.
In the left menu, click SSL.
Generate a new certificate signing request if there are any changes in your new SSL certificate, such as adding or removing domains.
If the CSR that was used to originally obtain your certificate is available and you generated your CSR using the Cloud Platform user interface:
- On the SSL page, in the Certificate signing requests section, click Install to navigate to the installation form and have the private key prepopulated in its respective field.
  If you have questions on this step, see Generate private key in CSR for the CSR you used to obtain the SSL certificate you want to install.
If you don’t see the CSR that was used to originally obtain your certificate:
- In the Certificate signing requests section, click View next to the preexisting certificate in the SSL certificates section to find the corresponding private key, as shown in the following screens:
Copy the private key to a local text editor before navigating to the installation form by clicking the Install SSL certificate button on your SSL page. Cloud Platform stores both the certificate signing request file (ssl.csr) and the private key (ssl.key) in the Cloud API.
Install the updated or renewed certificate.
Activate the updated or renewed certificate.

Rekeying an SSL certificate

This critical security and maintenance process involves the following primary steps:

Generate a new private key and CSR
Submit the CSR to the Certificate Authority (CA)

Generating a new private key and CSR

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

Submitting the CSR to the Certificate Authority

Sign in to the Cloud Platform user interface as a user with the necessary permissions.
Select your organization, application, and environment.
In the left menu, click SSL.
On the SSL tab, click Install next to the CSR that you generated.
The private key pre-populates in its respective field and you can fill the remaining fields on the installation form. If you are unsure about how to find the private key associated with a CSR that was generated in the Cloud Platform user interface, see Generate private key in CSR.
On the Install SSL certificate page, enter the following information about the certificate:
- If you want the certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate.
  - Installing a new certificate as the legacy certificate overwrites the certificate currently active on ELB as there can only be one legacy/ELB certificate in place at a time. For a summary of differences between standard and legacy SSL certificates, see Standard certificates.
  - The legacy method is unavailable in Site Factory and non-production environments.
- (Optional) In Label, enter a label to help you identify the certificate. If you selected Install legacy SSL certificate, the system does not display the Label field since you can only have a single legacy SSL certificate on an environment.
- In SSL Certificate, enter the main/server SSL certificate file in the PEM format. PEM formatted files are text files written in Base64 ASCII encoding with plain-text headers and footers. The certificate must look something like the following example, but much longer:
```
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----
```
  Private key files must be unencrypted and non-password protected, or the certificate cannot be deployed. The system updates the SSL private key field with the private key for the certificate in the PEM format. Do not change this key.
- In CA intermediate certificates, enter the required intermediate certificates in the PEM format and in the proper order. For more information, see Ensuring that certificates are in proper order.
Click Install.
After the installation is complete, the system displays the CSR details in the SSL certificates section.

Sign in to the Cloud Platform user interface as a user with the necessary permissions.
Select your organization, application, and environment, and then, in the left menu, click SSL.
On the SSL tab, click Install SSL certificate.
On the Install SSL certificate page, enter the following information about the certificate:
- If you want the certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate.
  - Installing a new certificate as the legacy certificate overwrites the certificate currently active on ELB as there can only be one legacy/ELB certificate in place at a time. For a summary of differences between standard and legacy SSL certificates, see Standard certificates.
  - The legacy method is unavailable in Site Factory and non-production environments.
- (Optional) In Label, enter a label to help you identify the certificate. If you selected Install legacy SSL certificate, the system does not display the Label field since you can only have a single legacy SSL certificate on an environment.
- In SSL Certificate, enter the SSL certificate in the PEM format. The certificate must look something like the following example, but much longer:
```
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----
```
- In SSL private key, enter the private key for this certificate in the PEM format.
- In CA intermediate certificates, enter the chain/intermediate certificates files in the PEM format and in the proper order. For more information, see Ensuring that certificates are in proper order.
Click Install.
After the installation is complete, the system displays the CSR details in the SSL certificates section.

Sign in to the Cloud Platform user interface as a user with the necessary permissions.
Select your organization, application, and environment.
In the left menu, click SSL.
On the SSL tab, click Install next to the CSR that you generated.
The private key pre-populates in its respective field and you can fill the remaining fields on the installation form. If you are unsure about how to find the private key associated with a CSR that was generated in the Cloud Platform user interface, see Generate private key in CSR.
On the Install SSL certificate page, enter the following information about the certificate:
- If you want the certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate.
  - Installing a new certificate as the legacy certificate overwrites the certificate currently active on ELB as there can only be one legacy/ELB certificate in place at a time. For a summary of differences between standard and legacy SSL certificates, see Standard certificates.
  - The legacy method is unavailable in Site Factory and non-production environments.
- (Optional) In Label, enter a label to help you identify the certificate. If you selected Install legacy SSL certificate, the system does not display the Label field since you can only have a single legacy SSL certificate on an environment.
- In SSL Certificate, enter the main/server SSL certificate file in the PEM format. PEM formatted files are text files written in Base64 ASCII encoding with plain-text headers and footers. The certificate must look something like the following example, but much longer:
```
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----
```
  Private key files must be unencrypted and non-password protected, or the certificate cannot be deployed. The system updates the SSL private key field with the private key for the certificate in the PEM format. Do not change this key.
- In CA intermediate certificates, enter the required intermediate certificates in the PEM format and in the proper order. For more information, see Ensuring that certificates are in proper order.
Click Install.
After the installation is complete, the system displays the CSR details in the SSL certificates section.

Sign in to the Cloud Platform user interface as a user with the necessary permissions.
Select your organization, application, and environment, and then, in the left menu, click SSL.
On the SSL tab, click Install SSL certificate.
On the Install SSL certificate page, enter the following information about the certificate:
- If you want the certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate.
  - Installing a new certificate as the legacy certificate overwrites the certificate currently active on ELB as there can only be one legacy/ELB certificate in place at a time. For a summary of differences between standard and legacy SSL certificates, see Standard certificates.
  - The legacy method is unavailable in Site Factory and non-production environments.
- (Optional) In Label, enter a label to help you identify the certificate. If you selected Install legacy SSL certificate, the system does not display the Label field since you can only have a single legacy SSL certificate on an environment.
- In SSL Certificate, enter the SSL certificate in the PEM format. The certificate must look something like the following example, but much longer:
```
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----
```
- In SSL private key, enter the private key for this certificate in the PEM format.
- In CA intermediate certificates, enter the chain/intermediate certificates files in the PEM format and in the proper order. For more information, see Ensuring that certificates are in proper order.
Click Install.
After the installation is complete, the system displays the CSR details in the SSL certificates section.

Managing SSL certificates

Managing SSL certificates

Pre-installation checklist and validation

Private key requirements

Troubleshooting common errors

Activating SSL for new domains

Installing an SSL certificate

Installing an SSL certificate based on an Acquia-generated CSR

Deactivating an SSL certificate

Revoking a certificate

Renewing or replacing an SSL certificate

Rekeying an SSL certificate

Generating a new private key and CSR

Submitting the CSR to the Certificate Authority

Related topics

Managing SSL certificates

Pre-installation checklist and validation

Private key requirements

Troubleshooting common errors

Activating SSL for new domains

Installing an SSL certificate

Installing an SSL certificate based on an Acquia-generated CSR

Deactivating an SSL certificate

Revoking a certificate

Renewing or replacing an SSL certificate

Rekeying an SSL certificate

Generating a new private key and CSR

Submitting the CSR to the Certificate Authority

Related topics

Managing SSL certificates

Pre-installation checklist and validation

Private key requirements

Troubleshooting common errors

Activating SSL for new domains

Installing an SSL certificate

Installing an SSL certificate based on an Acquia-generated CSR

Deactivating an SSL certificate

Revoking a certificate

Renewing or replacing an SSL certificate

Rekeying an SSL certificate

Generating a new private key and CSR

Submitting the CSR to the Certificate Authority

Related topics

Legacy certificates

Non-legacy certificates

Installing an SSL certificate not based on an Acquia-generated CSR

Viewing an SSL certificate

Activating an SSL certificate

Did not find what you were looking for?

Legacy certificates

Non-legacy certificates

Installing an SSL certificate not based on an Acquia-generated CSR

Viewing an SSL certificate

Activating an SSL certificate

Did not find what you were looking for?