Enabling SSL

Using SSL

SSL enables your web application to use the HTTPS secure web protocol to safely communicate with your users online. To use SSL, your environment must have an SSL certificate, which you must purchase from a Certificate Authority (CA) or SSL certificate vendor and upload to Acquia Cloud.


If you are an Acquia Cloud Free customer, SSL is not supported. Learn more about Acquia Cloud Free and how to upgrade your Acquia Cloud subscription.

Standard certificates and legacy certificates

Acquia Cloud offers two models for SSL support: the standard model and the legacy model.

The standard model uses Server Name Indication (SNI). SNI is an extension to the TLS protocol that serves multiple certificates from the same IP address and TCP port number, enabling more than one website to use HTTPS from the same IP address, but without requiring all websites to use the same SSL certificate.


Acquia supports newer versions of TLS. The acronyms TLS (Transport Layer Security) and SSL (Secure Socket Layer) are often used interchangeably. For consistency, Acquia’s documentation and the Acquia Cloud interface generally refer to SSL. For more information, see What’s the difference between SSL, TLS, and HTTPS?.

The legacy model uses a domain name-based system (rather than an IP address-based system) and requires use of an Elastic Load Balancer (ELB). Those certificates are labeled as legacy certificates in the Acquia Cloud interface SSL page. Legacy certificates continue to function as normal on Acquia Cloud.

While both methods are currently accepted, Acquia strongly recommends that you use the standard model with your certificates. Acquia Cloud Enterprise customers with multi-region servers are strongly suggested to use the standard model.

It is possible, however, to have a standard and a legacy certificate installed in the same environment at the same time. To do, complete the following items:

  • To use the legacy certificate, you will need to repoint the DNS settings for your domains to the provided CNAME.
  • To use the standard certificate, you will need to confirm that the DNS settings for your domain are pointed to your assigned IP address.

If you have a legacy certificate (which works with the ELB) you can separately add the new certificate, and then update to the Elastic IP address (EIP) as necessary.

If an Acquia-managed SSL certificate is installed directly on an application’s load balancers and the self-service SSL facility is used to activate a certificate, the newly activated certificate will then take priority.


If you use Akamai and upgrade your application from a legacy certificate to a standard certificate, you must contact Akamai to inform them that your application’s certificate is now based on SNI. Not informing Akamai of the change will cause Akamai to not work with your application.

Differences in support for the standard and legacy models

Standard Legacy
Support for bare domains (for example, example.com rather than www.example.com). This is possible because the load balancer has an Elastic IP address (EIP) No support for bare domains without additional configuration and services, since the load balancer is addressed by CNAME, rather than by IP address
Install certificate on any environment Install certificate only on Production environment on Acquia Cloud Enterprise; one certificate can cover all environments on Acquia Cloud Professional
Install any number of certificates on an environment (only one certificate can be active at any time) Install only one certificate - installing a new certificate overwrites the previous one
Not supported by some very old browsers Supported by old and new browsers
Does not use ELBs and uses active/passive load balancers in an HA configuration Uses ELBs in an HA configuration, which offer round-robin load balancers, instead of active/passive load balancers
Load balancer requests have a 600 second timeout All requests through an ELB have a 60 second timeout

Roles and permissions for SSL management

Acquia Cloud provides these two permissions for managing SSL:

  • Add or remove SSL certificates for the non-production environments
  • Add or remove SSL certificates for the production environment

By default, users with the Administrator, Team Lead, and Senior Developer roles have these permissions, while users with the Developer role do not. Learn more about roles and permissions.


Do not email your SSL certificate or attach your SSL certificate to a support ticket. Instead, if you need to transmit a certificate to Acquia other than through the Acquia Cloud interface, contact Acquia Support and we will advise you how to upload your SSL certificate and private key securely.

SSL on Acquia Cloud Professional

There is an additional charge for using legacy SSL certificates for an Acquia Cloud Professional subscription — the charge is per Acquia Cloud Professional codebase. You can use a multidomain SSL certificate, however, and will be charged only for one certificate. If you pay for Acquia Cloud Professional using purchase orders, contact your salesperson to get SSL set up. For more details, see About billing.

SSL on Acquia Cloud Enterprise

There is no extra charge for Acquia Cloud Enterprise subscriptions. Acquia strongly suggests these subscriptions use the standard model.

SSL on Acquia Cloud Enterprise should generally be self service. However, some customer configurations may require additional assistance.

  • Customers who have a Premium, Enterprise, or Elite subscription. These customers can still buy a certificate through us, but Acquia will no longer install certificates provided by customers.
  • Customers who have purchased a certificate purchased through Acquia which needs to be updated until the customer renews.

If you are a customer that falls into one of these categories, contact Acquia Support.

Contact supportStill need assistance? Contact Acquia Support

Acquia: Think Ahead

53 State Street, 10th Floor
Boston, MA 02109
United States
Phone: 888-922-7842

Map: Google Maps
View other locations