
Managing SSL certificates

Using the Cloud Platform interface SSL page, you can perform several tasks to manage an environment’s SSL certificates and CSRs, including the following:

Learn more by visiting the Acquia Academy (sign-in required) for the video tutorial on Managing your SSL Certificate.

Installing an SSL certificate

Important

Cloud Platform Free doesn’t support SSL.

After you have obtained an SSL certificate for an environment (as described in Obtaining an SSL certificate), you can use the Cloud Platform interface SSL page to install the certificate on an environment. Depending on whether you use a CSR you generated with the Cloud Platform interface, or whether you obtained the certificate some other way, there are two methods to install an SSL certificate.

Note

By default, Cloud Platform stores the following SSL private keys and files in /mnt/gfs/[application].[env]/ssl:

  • ca.crt
  • ssl.crt
  • ssl.csr
  • ssl.key

You may want to confirm the validity of your SSL certificate before you upload or try to activate the certificate on Cloud Platform. For more information, see Verifying the validity of an SSL certificate on the Acquia Support Knowledge Base.

Installing an SSL certificate based on an Acquia-generated CSR

To install an SSL certificate based on a CSR you generated with the Cloud Platform interface, complete the following steps:

  1. Sign in to Cloud Platform as a user with the necessary permissions.

  2. Select your organization, application, and environment, and then, in the left menu, click SSL.

  3. On the SSL page, click the plus icon in the upper right of the page to install the SSL certificate.

  4. On the Install SSL certificate page, enter the following information about the certificate:

    • If you want the certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate. See Standard certificates and legacy certificates for a summary of some differences between standard SSL certificates and legacy SSL certificates. This method isn’t available on Site Factory environments.

    • Optionally, in the Label field, enter a label to help you identify the certificate in the Cloud Platform interface. If you selected Install legacy SSL certificate, there is no label field, since you can only have a single legacy SSL certificate on an environment.

    • In the SSL certificate field, enter the SSL certificate in PEM format. Private key files must be unencrypted and not password-protected, or the certificate can’t be deployed. The certificate must look something like the following example, but much longer:

      -----BEGIN CERTIFICATE-----
      MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
      MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
      d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
      dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
      MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
      Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
      -----END CERTIFICATE-----
      
    • The Cloud Platform interface fills the SSL private key field with the private key for the certificate in PEM format. Don’t change this key.

    • Enter the required intermediate certificates into the CA intermediate certificates field, in PEM format, and in the proper order.

  5. Click Install.

Installing an SSL certificate not based on an Acquia-generated CSR

To install an SSL certificate not based on an Acquia-generated CSR:

  1. Sign in to Cloud Platform as a user with the necessary permissions.

  2. Select your organization, application, and environment, and then, in the left menu, click SSL.

  3. On the SSL page, click the plus icon in the upper right of the page to install the SSL certificate.

  4. On the Install SSL certificate page, enter the following information about the certificate:

    • If you want the certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate.

    • In the Label field, enter a label to help you identify the certificate in the Cloud Platform interface. If you selected Install legacy SSL certificate, there is no label field, since you can only have a single legacy SSL certificate on an environment.

    • In the SSL certificate field, enter the SSL certificate in PEM format. The certificate must look something like the following example, but much longer:

      -----BEGIN CERTIFICATE-----
      MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
      MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
      d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
      dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
      MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
      Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
      -----END CERTIFICATE-----
      
    • In the SSL private key field, enter the private key for this certificate in PEM format.

    • If the certificate has any CA intermediate certificates, enter them in the CA intermediate certificates field in PEM format. CA intermediate certificates must be entered in the proper order.

  5. Click Install.

Note

You must enter intermediate certificates in a single file, in the proper order, beginning with the intermediate certificate closest to your website’s certificate and ending with the intermediate certificate closest to the root certificate. For information on ordering your certificates, see Check the order of your certificates.
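Two of the requirements above (the private key must be unencrypted, and the CA intermediate certificates must be ordered leaf-to-root) can be checked locally before pasting anything into the SSL page. The following added example is not Acquia’s code: it uses only the Python standard library, parses just enough DER to read each certificate’s issuer and subject, and assumes (as real chains satisfy in practice) that a matching issuer and subject have byte-identical DER encodings. `constructed_cert_pem` builds unsigned, structurally valid fixtures so the check can be exercised offline; use your real bundle in its place.

```python
import base64
import re
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs_to_der(bundle):
    """Split a PEM bundle into DER blobs, in the order they appear in the file."""
    return [base64.b64decode("".join(b.split())) for b in PEM_CERT.findall(bundle)]

def der_children(body):
    """Yield (tag, value) for each TLV element inside a DER SEQUENCE body."""
    i = 0
    while i < len(body):
        tag, length, i = body[i], body[i + 1], i + 2
        if length & 0x80:  # long-form length: low bits give the number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(body[i:i + n], "big"), i + n
        yield tag, body[i:i + length]
        i += length

def issuer_and_subject(der):
    """Raw DER encodings of a certificate's issuer and subject Names; no full X.509 parser needed."""
    _, cert_body = next(der_children(der))       # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs_body = next(der_children(cert_body))  # tbsCertificate is the first element
    fields = [v for t, v in der_children(tbs_body) if t != 0xA0]  # skip the optional [0] version
    return fields[2], fields[4]                  # serial, sigAlg, issuer, validity, subject, ...

def chain_order_problems(bundle):
    """Leaf first, root-most last: each certificate's issuer must equal the next one's subject."""
    certs, problems = pem_certs_to_der(bundle), []
    for i in range(len(certs) - 1):
        if issuer_and_subject(certs[i])[0] != issuer_and_subject(certs[i + 1])[1]:
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    return problems

def key_is_encrypted(key_pem):
    """Cloud Platform rejects password-protected keys: detect PKCS#8 and legacy PEM encryption markers."""
    return "ENCRYPTED PRIVATE KEY" in key_pem or "Proc-Type: 4,ENCRYPTED" in key_pem

def _tlv(tag, body):  # DER TLV with short-form length only; enough for the small fixtures below
    return bytes([tag, len(body)]) + body

def constructed_cert_pem(subject_cn, issuer_cn):
    """Constructed fixture: an unsigned but structurally valid certificate carrying only CN names."""
    name = lambda cn: _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + name(issuer_cn) + _tlv(0x30, b"") + name(subject_cn))
    b64 = base64.b64encode(_tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

To check a real bundle, concatenate the website certificate followed by the intermediates and pass the text to `chain_order_problems`; an empty list means the order matches what the SSL page expects.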

Viewing an SSL certificate

After you have installed an SSL certificate on an environment, you can view it on the SSL page. The SSL certificates section lists all the installed certificates, their active status, and any associated CSR. Click View to see details about an SSL certificate, including:

  • The certificate’s label (the name you identified the certificate with when you installed it)
  • Whether the certificate is a legacy certificate
  • The certificate’s active status
  • The certificate’s expiration date
  • The domains associated with the certificate

Click Show to view the PEM encoded certificate, CA chain (CA intermediate certificates), or private key.

Activating an SSL certificate

Important

Cloud Platform supports the use of multiple active certificates on each environment. Acquia doesn’t recommend using this feature with more than 10 active certificates per environment at a time. This feature isn’t available on Cloud Platform Professional environments and isn’t compatible with certificate pinning features provided by some CDN providers.

After installing an SSL certificate on an environment, you must activate the certificate before it starts working with HTTPS requests to the environment.

To activate an SSL certificate, on the SSL page (under SSL certificates) locate the certificate you want to activate, and then click Activate.

Note

  • You must activate Standard (SNI) certificates before use.
  • Legacy certificates installed on the Elastic Load Balancer (ELB) will instantly override the previous certificate on the ELB.
  • You can have one legacy-method and one or more standard-method certificates active at the same time.

SSL certificate activation takes less than five minutes, after which the SSL page displays the certificate’s active status. When multiple certificates are active, HTTPS requests for any given domain on your environment are served using the most recently activated certificate that includes that domain. If two active certificates cover the same domain, one with an exact match and one with a wildcard match, your environment serves the certificate with the exact match, even if the wildcard certificate was installed more recently. If no matching certificate is found, your environment falls back to any default or custom certificate installed on that environment by Acquia.
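The selection rule above (exact match beats wildcard, newest activation wins within a tier, otherwise the Acquia-installed default) is easy to get wrong when several certificates overlap. The following added example, not Acquia’s code, models it so you can predict which certificate a domain will get; the certificate list, labels and dates are constructed, and the wildcard semantics (one label only) are an assumption, since the page doesn’t spell them out.

```python
from datetime import datetime

# Constructed sample of the active certificates on one environment (labels and dates are made up).
ACTIVE_CERTS = [
    {"label": "wildcard-2024", "domains": ["*.example.com"], "activated": datetime(2024, 6, 1)},
    {"label": "www-2023", "domains": ["www.example.com", "example.com"], "activated": datetime(2023, 3, 1)},
    {"label": "shop-2023", "domains": ["shop.example.com"], "activated": datetime(2023, 9, 1)},
    {"label": "shop-2024", "domains": ["shop.example.com"], "activated": datetime(2024, 1, 1)},
]

def wildcard_covers(pattern, domain):
    """Assumed wildcard semantics: *.example.com matches exactly one extra label
    (blog.example.com, but neither a.b.example.com nor the bare example.com)."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # ".example.com"
    return domain.endswith(suffix) and len(domain) > len(suffix) and "." not in domain[:-len(suffix)]

def select_certificate(domain, active_certs):
    """Return the active certificate that would serve HTTPS for `domain`, or None when the
    environment falls back to the default/custom certificate installed by Acquia."""
    exact = [c for c in active_certs if domain in c["domains"]]
    wildcard = [c for c in active_certs if any(wildcard_covers(d, domain) for d in c["domains"])]
    for tier in (exact, wildcard):  # an exact match wins regardless of age
        if tier:
            return max(tier, key=lambda c: c["activated"])  # newest activation within the tier
    return None

def serving_label(domain, active_certs=ACTIVE_CERTS):
    """Convenience wrapper: the label that will serve `domain`, or "default"."""
    cert = select_certificate(domain, active_certs)
    return cert["label"] if cert else "default"
```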

Renewing or replacing an SSL certificate

To upload a new SSL certificate to a Cloud Platform subscription that already has an active SSL certificate, complete the following steps:

  1. Sign in to Cloud Platform as a user with the required permissions.

  2. Select your organization, application, and environment.

  3. In the left menu, click SSL.

  4. Generate a new certificate signing request.

  5. If you generated your CSR using the Cloud Platform user interface, on the SSL page, in the Certificate signing requests section, click Install for the CSR you want to install.

    Note

    Cloud Platform stores both the certificate signing request file (ssl.csr) and private key (ssl.key) in /mnt/gfs/[application].[env]/ssl.

  6. Install the updated or renewed certificate.

  7. Activate the updated or renewed certificate.

Deactivating an SSL certificate

You can deactivate an active SSL certificate at any time. You must deactivate an active certificate before you can remove it.

To deactivate an SSL certificate, on the SSL page (under SSL certificates), locate the active certificate you want to deactivate, and then click Deactivate.

Removing an SSL certificate

You can delete a non-legacy SSL certificate in the Cloud Platform user interface at any time, but you must deactivate the certificate first.

Important

Removing certificates from Cloud Platform is a permanent action that can’t be undone. Acquia recommends you save any necessary SSL files locally before deleting them in the Cloud Platform user interface.

To remove a legacy SSL certificate, you must contact Acquia Support. Removing a legacy SSL certificate includes permanently removing your ELB. This means that if you want to install another legacy SSL certificate in the future, you must point your domains to a new ELB CNAME address.

Note

Before Acquia can remove a legacy SSL certificate, all your domains must be pointed away from the ELB CNAME.

To remove a non-legacy SSL certificate, complete the following steps:

  1. Sign in to Cloud Platform.
  2. Go to the application you want to change.
  3. Select the environment from which you want to remove a certificate, and click SSL in the left menu.
  4. In the SSL certificates section, locate the certificate you want to remove, and then click its Remove link. Cloud Platform displays a Remove certificate dialog box.
  5. Click Remove in the dialog box to permanently remove the certificate from Cloud Platform.

Revoking a certificate

If you no longer want a removed SSL certificate to function, you must also revoke the old certificate to prevent an attacker’s website from masquerading as your own. Each SSL certificate vendor has different procedures to perform a certificate revocation. Ensure you follow the instructions your SSL certificate vendor provides. Here are the procedures for two common vendors:

Configuring DNS settings with legacy SSL

If you install a legacy SSL certificate, Cloud Platform creates a new DNS domain name for your environment ending with elb.amazonaws.com. You then must configure your DNS settings to create a CNAME record pointing your environment’s domain name to the Cloud Platform domain name. For example:

www.example.com CNAME 1234-4321.us-east-1.elb.amazonaws.com

The Cloud Platform domain name is the name of your website’s Amazon Elastic Load Balancer (ELB) instance, and is listed in the Cloud Platform interface Domain page for the environment. Don’t use a DNS A Record to point to the underlying IP address of the ELB, since the IP address may change from time to time.

The ELB routes traffic to the Cloud Platform load balancers for your Production environment. If your other environments (Dev and Stage) use the same load balancers, then the ELB and SSL certificate will work for those environments as well.