
SSL Certificates on Acquia Cloud Edge

There are several options for managing your SSL certificates with Acquia Cloud Edge. Depending on your website’s needs, use one of the sets of instructions included on this page. All SSL management options are located in the Crypto tab on cloudflare.com.

Uploading your own SSL certificate

If you want to use your own custom SSL certificate with Acquia Cloud Edge, you can upload it directly on Cloudflare’s website. For more information, see How do I upload a custom SSL certificate?

Using the default certificate from Cloudflare

You can also use a Cloudflare-signed certificate. By default, your Acquia Cloud Edge subscription entitles you to one certificate generated through Cloudflare. You do not need to use this Cloudflare-generated certificate if you have your own certificate, but the option is available to you.

This certificate is included with your Acquia Cloud Edge subscription, but it requires additional steps for validation and activation. Depending on your DNS configuration, proceed with one of the following options:

  • If you have configured your domains with an authoritative DNS setup, the certificate will activate after your nameservers are updated through your DNS provider.
  • If you have configured your domains with a partial CNAME setup, use the Activating SSL certificates for domains with partial CNAME setup procedure to activate your new certificate.

Activating SSL certificates for domains with partial CNAME setup

  1. Contact Acquia Support, and notify the Support team that your domains are configured in Acquia Cloud Edge with a partial CNAME setup, and that you want to use a Cloudflare-signed SSL certificate.
  2. Acquia Support will provide you with three SSL CNAME verification records (per domain).
  3. Add your CNAME records to your authoritative DNS to validate the default SAN certificate.
    • The three records notify the certificate issuer that the certificate request for the domain is valid.
    • You must always have CNAME verification records in place to verify the domain.
    • Until you complete these steps, the Crypto tab will continue to display the Authorizing certificate message.

Note

The CNAME records provided by Acquia are valid for only 14 days after they are generated. If you add the CNAME records after 14 days, the certificate status will remain Authorizing certificate and you will need to request a new set of CNAME records from Acquia Support.

After the certificate has been issued and activated, you can view it in the Edge Certificates section of the Crypto tab, with the label Universal.

SSL Certificate Settings

At the top of the Crypto tab, there is a menu next to the certificate status message. This setting controls how Acquia Cloud Edge servers connect to your origin server for HTTPS requests. By default, Full is selected, but the nature of your website dictates which option makes sense for you.

These options are listed in order from the least secure (Off) to the most secure (Full SSL (Strict)), and are available regardless of your plan level. For a full explanation of each option, see What do the SSL options mean?

Frequently Asked Questions

How many SSL certificates can I upload?

Your Acquia Cloud Edge subscription allows you to upload one custom certificate per domain. Contact your Account Manager to discuss pricing for an additional custom certificate allowance.

If I upload my own certificate, will I be able to access my private key from the Acquia Cloud Edge dashboard?

No, you will not be able to view the private key of your custom certificate in the Acquia Cloud Edge dashboard. However, if you are using the same certificate in Acquia Cloud Edge and Acquia Cloud, you can retrieve the private key in the SSL section of the Acquia Cloud interface. Alternatively, contact your certificate vendor, who should be able to provide you with the private key.

Can I use the Cloudflare default certificate and a custom certificate, or is it one or the other?

It is possible to use both certificates simultaneously, and doing so is useful in specific cases. The most common case is the use of second-level subdomains (such as test.example.domain.com). A wildcard certificate, such as the certificate provided through Acquia Cloud Edge, covers only the first level of subdomain (such as example.domain.com). Therefore, to cover a second-level subdomain (such as test.example.domain.com), you must use the custom certificate option. You can purchase a multi-domain certificate to cover all your domains, including first- and second-level subdomains; if that is not an option, you can still use Cloudflare’s default wildcard SSL certificate for your first-level subdomains and purchase a custom SSL certificate for your second-level subdomains.

Note

A multi-domain certificate is also known as a subject alternative name (SAN) certificate, or a unified communications certificate (UCC).
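The one-label wildcard rule described above, as an added example (not Acquia’s or Cloudflare’s code): it checks which hostnames the names on a certificate cover, so you can see in advance which second-level subdomains a Universal wildcard certificate would leave uncovered. The hostnames and certificate names are constructed to mirror the ones in this answer.

```python
# Added example, not Acquia's or Cloudflare's code. Hostnames are constructed.

def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or SAN entry) covers hostname.

    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label, so '*.domain.com' covers 'example.domain.com' but
    not 'test.example.domain.com' and not the bare 'domain.com'.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False                      # a wildcard never spans extra labels
    if cert_labels[0] != "*":
        return cert_labels == host_labels  # plain name: exact match only
    if not host_labels[0]:
        return False                      # empty leftmost label is never valid
    return cert_labels[1:] == host_labels[1:]


def covered_by(hostname: str, cert_names: list[str]) -> bool:
    """True if any name on the certificate covers the hostname."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


def uncovered_hosts(hostnames: list[str], cert_names: list[str]) -> list[str]:
    """Hostnames that would fail certificate validation with these names."""
    return [h for h in hostnames if not covered_by(h, cert_names)]


if __name__ == "__main__":
    # Names on a typical Universal (default) certificate: apex plus one
    # wildcard level (constructed example).
    universal = ["domain.com", "*.domain.com"]
    hosts = ["domain.com", "example.domain.com", "test.example.domain.com"]
    for host in hosts:
        print(f"{host:26} covered by Universal cert: {covered_by(host, universal)}")
    print("needs a custom certificate:", uncovered_hosts(hosts, universal))
```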

Which SSL option is best for me?

The SSL option you select depends on the nature of your website’s content. For websites that do not contain sensitive information, such as a personal blog, the Off setting will likely suffice, as secure connections are not required.

Although the Flexible setting may seem safe, it can be misleading and can introduce security risks. With Flexible enabled, a secure connection exists only between the user and Acquia Cloud Edge, not between Acquia Cloud Edge and your origin server.

Visitors access your website using HTTPS and assume the connection is fully secure, which is not the case. Because the browser marks the website as secure, a user may share personal or sensitive information, which is then carried over the insecure connection between Acquia Cloud Edge and your origin server. Therefore, the Flexible option is not recommended if your website handles any sensitive information.

For any website where sensitive information is collected, Acquia recommends at least Full, if not Full (strict). The Full (strict) option is the most secure, as it requires that your origin’s SSL certificate be valid and signed by a certificate authority, ensuring the maximum level of certificate authenticity.
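To make the settings concrete, here is an added example (not Acquia’s or Cloudflare’s code) that expresses each setting as the TLS verification policy the edge applies toward your origin, and probes an origin the same way so you can see whether it would be accepted under Full (strict) before switching. The origin hostname is a constructed placeholder.

```python
import socket
import ssl

# Settings from this page, least to most secure. Off and Flexible both reach
# the origin over plain HTTP; Full uses TLS but accepts any certificate;
# Full (strict) validates the chain and the hostname. (Added example, not
# Acquia's or Cloudflare's code.)
MODES = ("off", "flexible", "full", "full_strict")


def origin_tls_context(mode: str):
    """Return the SSLContext the edge would use toward the origin, or None
    when the origin is contacted over unencrypted HTTP."""
    if mode in ("off", "flexible"):
        return None
    if mode not in MODES:
        raise ValueError(f"unknown SSL setting {mode!r}")
    ctx = ssl.create_default_context()   # chain + hostname validation
    if mode == "full":
        ctx.check_hostname = False       # Full: encrypt, but trust whatever
        ctx.verify_mode = ssl.CERT_NONE  # the origin presents (even self-signed)
    return ctx


def mode_verifies_certificate(mode: str) -> bool:
    """True only for the setting that rejects an invalid or mismatched cert."""
    ctx = origin_tls_context(mode)
    return ctx is not None and ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def origin_passes(mode: str, host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Connect to an origin the way the edge would under `mode`; True if it
    would be accepted, False if the connection or TLS handshake fails."""
    ctx = origin_tls_context(mode)
    try:
        with socket.create_connection((host, 80 if ctx is None else port), timeout=timeout) as sock:
            if ctx is None:
                return True
            with ctx.wrap_socket(sock, server_hostname=host):  # handshake happens here
                return True
    except OSError:          # ssl.SSLError (incl. CertificateVerifyError) is an OSError
        return False


if __name__ == "__main__":
    origin = "origin.example.com"   # constructed placeholder: put your origin here
    for m in MODES:
        print(f"{m:12} origin accepted under this setting: {origin_passes(m, origin)}")
```

An origin that passes "full" but fails "full_strict" is presenting a certificate the edge would encrypt to but not trust (expired, self-signed, or issued for a different name), which is exactly the gap Full (strict) closes.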