Information for:

# SSL Certificates on Acquia Cloud Edge¶

There are a few options for managing your SSL certificates through Acquia Cloud Edge. Depending on your website’s particular needs, you will want to follow one of the specific sets of instructions below. All SSL management options can be found in the Crypto tab on cloudflare.com.

## Uploading your own SSL certificate¶

If you want to use your own custom SSL certificate with Acquia Cloud Edge, you can upload it directly to Cloudflare’s website. See How do I upload a custom SSL certificate.

## Using the default certificate from Cloudflare¶

You can also use a Cloudflare-signed certificate. By default, your Acquia Cloud Edge subscription entitles you to 1 certificate generated through Cloudflare. You do not need to use this Cloudflare-generated certificate if you have your own certificate, but the option is available to you.

This certificate is automatically available to you with your Acquia Cloud Edge subscription, but requires additional steps to validate and activate it. Depending on your DNS configuration, you will want to proceed with one of the following options:

• If you have configured your domains with an authoritative DNS setup, the certificate will activate once your nameservers are updated through your DNS provider.
• If you have configured your domains with a partial CNAME setup, follow the steps at Activating SSL certificates for domains with partial CNAME setup to activate your new certificate.

### Activating SSL certificates for domains with partial CNAME setup¶

1. Contact Acquia Support, and notify the Support team that your domains are configured in Acquia Cloud Edge with a partial CNAME setup, and you would like to use a Cloudflare-signed SSL certificate.
2. Acquia Support will provide you with 3 SSL CNAME verification records (per domain).
3. Add your CNAME records to your authoritative DNS to validate the default SAN certificate.
• The 3 records notify the certificate issuer that the certificate request for the domain is valid.
• You must always have CNAME verification records in place to verify the domain.
• Until these steps are completed, you will always see the Authorizing certificate message on the Crypto tab.

Note

The CNAME records provided by Acquia will only be valid for 14 days after they are generated. If you attempt to add the CNAME records after 14 days, the certificate status will remain as authorizing certificate, and you will need to request a new set of CNAME records from Acquia Support.

After the certificate has been issued and activated, you can view it in the Edge Certificates section of the Crypto tab, with the label Universal.

## SSL Certificate Settings¶

At the top of Crypto tab, there is a drop-down menu next to the certificate status message. This setting controls how Acquia Cloud Edge servers connect to your origin server for HTTPS requests. By default, the option chosen is Full, but the nature of your website will dictate which option makes sense for you.

These options are listed in the order from the least secure (Off) to the most secure (Full SSL (Strict)). All of these options are available to you, regardless of your plan level. For a full explanation of each option, see What do the SSL options mean?

## Frequently asked questions¶

### How many SSL certificates can I upload?¶

Your Acquia Cloud Edge subscription allows you to upload 1 custom certificate per domain. Contact your Account Manager to discuss pricing for an additional custom certificate allowance.

### If I upload my own certificate, will I be able to access my private key from the Acquia Cloud Edge dashboard?¶

No, you will not be able to view the private key of your custom certificate in the Acquia Cloud Edge dashboard. However, if you are using the same certificate in Acquia Cloud Edge and Acquia Cloud, you can retrieve the private key in the SSL section of the Acquia Cloud interface. Alternatively, contact your certificate vendor, who should be able to provide you with the private key.

### Can I use the Cloudflare default certificate and a custom certificate, or is it one or the other?¶

It is possible to use both certificates simultaneously, and would be in specific use cases. The most common use case would be if you use 2nd-level subdomains (such as test.example.domain.com). A wildcard certificate, such as the certificate provided through Acquia Cloud Edge, covers the first level of subdomain (such as example.domain.com) only. Therefore, if you want to cover the second-level subdomain (such as test.example.domain.com), you would need to leverage the custom certificate option. You can purchase a multi-domain certificate to cover all your domains, including first- and second-level subdomains, but if that is not an option, you can still utilize Cloudflare’s default wildcard SSL for your first-level subdomains and purchase a custom SSL certificate for your second-level subdomains only.

Note

A multi-domain certificate is also known as a subject alternative name (SAN) certificate, or a unified communications certificate (UCC).

### Which SSL option is best for me?¶

The SSL option you select depends on the nature of your website’s content. For websites that do not contain sensitive information, such as a personal blog, the Off setting will likely suffice, as secure connections are not required.

While the Flexible setting may seem like a safe option, it can be somewhat misleading and potentially lead to security risks. With the Flexible setting enabled, a fully secure connection exists only from the user to Acquia Cloud Edge, but not from Acquia Cloud Edge to your origin server.

Users will see your website listed as HTTPS, and assume there is a fully secure connection, which is not actually the case. Because the website is marked as secure, a user may share personal or sensitive information, which puts the user at risk of disclosing secure information over an insecure connection. Therefore, the Flexible option is not recommended if you have any sensitive information on your website.

For any website where sensitive information is collected, Acquia recommends at least Full, if not Full (strict). The Full (strict) option is the most secure, as it requires that your SSL certificate is valid and signed by a certificate authority, ensuring the maximum level of certificate authenticity.