# SSL certificates on Acquia Edge

Important

If you are a new customer who started with Acquia Edge after January 1, 2021, see Understanding a managed CNAME setup.

Several options exist for managing your SSL certificates with Acquia Edge. Depending on your website’s particular needs, you can use one of the specific sets of instructions on this page. All SSL management options are located on the SSL/TLS tab of the Edge dashboard.

## Using Universal SSL

Edge CDN and Edge Security include a Universal SAN certificate, covering any hostnames that you may have active on Edge. The Universal certificate renews every year without requiring any certificate maintenance by your team. For these types of certificates, Cloudflare is displayed as the owner of the certificate.

The Universal SSL certificate is available for each domain that you set up within your Edge subscription.

For the Authoritative DNS method, the Universal certificate is deployed after you update your nameservers to move to the Acquia Edge-provided nameservers. A single certificate is issued covering the zone apex and a wildcard on any first-level subdomains.

For the Partial CNAME DNS method, Universal SSL certificates attempt to issue for each proxied hostname that you set on the DNS tab of your zone(s). A single certificate is issued for each proxied hostname, with no wildcards. For domain control validation to complete for each certificate, you must have a CNAME record in your DNS that resolves each hostname to Acquia Edge. For any HTTP request to the respective hostnames, certificates are issued within minutes.

You can monitor the status of all certificates in the Edge Certificates section of the SSL/TLS tab with the label Universal.

If you do not want to use Universal SSL, you can choose Disable Universal SSL through the Edge Certificates section of the SSL/TLS tab. If no dedicated or custom certificates are uploaded for the domain, visitors cannot access the domain over HTTPS.

## SSL certificate settings

At the top of the SSL/TLS tab, there is a menu next to the certificate status message. This setting controls how Acquia Edge servers connect to your origin server for HTTPS requests. By default, the option chosen is Full, but the nature of your website will determine which option makes sense for you.

These options are listed in order from the least secure (Off) to the most secure (Full SSL (Strict)), and are available to you regardless of your plan level. For a full explanation of each option, see What do the SSL options mean?

How many SSL certificates can I upload?

Your Acquia Edge subscription allows you to upload one custom certificate per domain. Contact your Account Manager to discuss pricing for an additional custom certificate allowance.

If I upload my own certificate, will I be able to access my private key from the Acquia Edge dashboard?

No, you can’t view the private key of your custom certificate in the Acquia Edge dashboard. If you are using the same certificate in Acquia Edge and Cloud Platform, you can retrieve the private key in the SSL section of the Cloud Platform interface. Alternatively, contact your certificate vendor, who can provide you with the private key.

Can I use Universal SSL and a custom certificate, or is it one or the other?

It’s possible to use both certificates simultaneously for specific use cases. The most common use case is second-level subdomains (such as test.example.domain.com). A wildcard certificate, such as the Universal certificate provided through Acquia Edge in authoritative DNS setups, covers the first-level subdomain (such as example.domain.com) only. If you want to cover the second-level subdomain (such as test.example.domain.com), you must use the custom certificate option.
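The wildcard coverage rule described above and in the Authoritative DNS paragraph, shown as an added example that is not part of the original page or Acquia's own code: it checks a hostname inventory against a certificate's SAN list to find names that need a custom certificate. The SAN list and hostnames are constructed sample data, and the function names are hypothetical.

```python
"""Added example: which hostnames does a certificate's SAN list cover?"""


def san_matches(hostname: str, san: str) -> bool:
    """Match one SAN dNSName against a hostname (RFC 6125 wildcard rules).

    A wildcard is honoured only as the entire leftmost label and stands for
    exactly one label, so *.domain.com never matches a.b.domain.com or the
    bare apex domain.com.
    """
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False  # a wildcard cannot span extra labels or zero labels
    if pattern[0] == "*":
        # Conservative choice in this example: refuse a wildcard that sits
        # directly under a single top-level label, such as "*.com".
        return len(pattern) >= 3 and host[0] != "" and host[1:] == pattern[1:]
    return host == pattern


def uncovered(hostnames, sans):
    """Return the hostnames that no SAN entry covers (custom cert needed)."""
    return [h for h in hostnames if not any(san_matches(h, s) for s in sans)]


# Constructed sample data: a SAN list shaped like the Universal certificate
# the page describes for the Authoritative DNS method (apex plus wildcard).
UNIVERSAL_SANS = ["domain.com", "*.domain.com"]
SITE_HOSTNAMES = [
    "domain.com",
    "example.domain.com",
    "test.example.domain.com",  # second-level subdomain from the page
]

if __name__ == "__main__":
    for name in SITE_HOSTNAMES:
        covered = any(san_matches(name, s) for s in UNIVERSAL_SANS)
        print(f"{name:28} {'covered' if covered else 'NOT covered'}")
    print("Needs a custom certificate:",
          uncovered(SITE_HOSTNAMES, UNIVERSAL_SANS))
```

Running the same check against the SAN list of a planned custom certificate before uploading it confirms that every remaining hostname is covered.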

Note

A multi-domain certificate is also known as a subject alternative name (SAN) certificate, or a unified communications certificate (UCC).