You may want to create a self-signed SSL certificate for a Cloud Platform application in one of the following cases:
You want to test your application with SSL before purchasing the final certificate
You want to test a new subdomain on an application with a SSL certificate that doesn’t cover the new subdomain
Your application requires IPv6 but not SSL
To create a root certificate:
Create a private key for your root certificate. Connect to your environment with SSH
To ensure that you are in a writable directory (such as
/mnt/tmp/), use a command similar to the following:
openssl genrsa -out root-CA.key 2048
Next, enter a command similar to the following example to self-sign the certificate:
openssl req -x509 -new -nodes -key root-CA.key -days 1024 -out root-CA.pem
The following result (or something similar to it) will be displayed. Enter the values that are appropriate to your site, system, and location.
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Oregon Locality Name (eg, city) :Portland Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Name (Root CA) Organizational Unit Name (eg, section) : Common Name (e.g. server FQDN or YOUR name) :www.mysite.com Email Address :[email protected]
The root certificate is created in the same directory, with the name
root-CA.pem; its key is created with the name
Next, use the following procedure to create the site certificate.
You need to use different values for the Organization Name than you used when creating the root certificate, or the process will fail, and the certificate will not work properly.
You need to use the same values for the Common Name that you used
when creating the root certificate. The
Common Name must begin with
a subdomain, such as
Create the private key with the following command:
openssl genrsa -out site-key.pem 2048
Use the following command to generate the certificate signing request (CSR):
openssl req -new -key site-key.pem -out site-csr.csr
You will be presented with similar text as when you created the root
certificate. Use the same values as you did for the root
certificate except for the Organization Name*. For the
Organization Name, use a different value, such as
My Name (Site CA).
The following questions will also be displayed:
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name :
A challenge password by pressing the Enter key.
Enter a command similar to this example this to sign the CSR with the
root key and output in
PEM format with the
openssl x509 -req -in site-csr.csr -CA root-CA.pem -CAkey root-CA.key -CAcreateserial -out site-crt.pem -days 500
The site certificate CSR is created in the same directory, with the name
site-csr.csr; the site certificate key is created with the name
site-crt.pem, and its key is created with the name
Next, install the root certificate and site certificate, as described in Installing an SSL certificate not based on an Acquia-generated CSR, and then complete the appropriate steps for your application:
If your application doesn’t require IPv6, use the Standard installation method outlined in Standard certificates.
A code change is required to route traffic to https to leverage your new SSL certificate. For more information, see Redirecting all HTTP traffic to HTTPS.