Information for:

# SSL certificates on Acquia Edge¶

Several options exist for managing your SSL certificates with Acquia Edge. Depending on your website’s particular needs, you can use one of the specific sets of instructions on this page. All SSL management options are located in the Crypto tab on cloudflare.com.

If you want to use your own custom SSL certificate with Acquia Edge, you can upload it directly to Cloudflare’s website. For more information, see How do I upload a custom SSL certificate.

## Using the default certificate from Cloudflare¶

You can also use a Cloudflare-signed certificate. By default, your Acquia Edge subscription entitles you to one certificate generated through Cloudflare. You don’t need to use this Cloudflare-generated certificate if you have your own certificate, but the option is available to you.

This certificate is available to you with your Acquia Edge subscription, but requires more steps for validation and activation. Depending on your DNS configuration, you will want to proceed with one of the following options:

• If you have configured your domains with an authoritative DNS setup, the certificate will activate after your nameservers are updated through your DNS provider.
• If you have configured your domains with a partial CNAME setup, use the activate SSL on CNAME procedure to activate your new certificate.

### Activating SSL certificates for domains with partial CNAME setup¶

1. Contact Acquia Support, and notify the Support team your domains are configured in Acquia Edge with a partial CNAME setup, and you want to use a Cloudflare-signed SSL certificate.

Acquia Support will provide you with two SSL CNAME verification records (per domain).

• The two records notify the certificate issuer that the certificate request for the domain is valid.
• You must always have CNAME verification records in place to verify the domain.
• Until you complete these steps, the Crypto tab will continue to display the Authorizing certificate message.

Note

The CNAME records provided by Acquia are valid for only 14 days after they are generated. If you try to add the CNAME records after 14 days, the certificate status will remain as authorizing certificate and you must request a new set of CNAME records from Acquia Support.

After the certificate has been issued and activated, you can view it in the Edge Certificates section of the Crypto tab, with the label Universal.

## SSL certificate settings¶

At the top of the Crypto tab, there is a menu next to the certificate status message. This setting controls how Acquia Edge servers connect to your origin server for HTTPS requests. By default, the option chosen is Full, but the nature of your website will determine which option makes sense for you.

These options are listed in order from the least secure (Off) to the most secure (Full SSL (Strict)), and are available to you regardless of your plan level. For a full explanation of each option, see What do the SSL options mean?

How many SSL certificates can I upload?

Your Acquia Edge subscription allows you to upload one custom certificate per domain. Contact your Account Manager to discuss pricing for an additional custom certificate allowance.

If I upload my own certificate, will I be able to access my private key from the Acquia Edge dashboard?

No, you can’t view the private key of your custom certificate in the Acquia Edge dashboard. If you are using the same certificate in Acquia Edge and Cloud Platform, you can retrieve the private key in the SSL section of the Cloud Platform interface. Alternately, contact your certificate vendor, who can provide you with the private key.

Can I use the Cloudflare default certificate and a custom certificate, or is it one or the other?

It’s possible to use both certificates simultaneously for specific use cases. The most common use case would be if you use second-level subdomains (such as test.example.domain.com). A wildcard certificate, such as the certificate provided through Acquia Edge, covers the first level subdomain (such as example.domain.com) only. If you want to cover the second-level subdomain (such as test.example.domain.com), you must leverage the custom certificate option. You can buy a multi-domain certificate to cover all your domains, including first- and second-level subdomains. If that is not an option, you can still utilize Cloudflare’s default wildcard SSL for your first-level subdomains, and then buy a custom SSL certificate for use with your second-level subdomains.

Note

A multi-domain certificate is also known as a subject alternative name (SAN) certificate, or a unified communications certificate (UCC).