Enabling SSL

Using SSL

SSL enables your web application to use the HTTPS secure web protocol to safely communicate with your users online. To use SSL, your environment must have an SSL certificate, which you must purchase from a Certificate Authority (CA) or SSL certificate vendor and upload to Acquia Cloud.

Standard certificates and legacy certificates

Acquia Cloud offers two models for SSL support: the standard model and the legacy model.

The standard model uses Server Name Indication (SNI). SNI is an extension to the TLS protocol that serves multiple certificates from the same IP address and TCP port number, enabling more than one website to use HTTPS from the same IP address, but without requiring all websites to use the same SSL certificate.

The legacy model uses a domain name-based system (rather than an IP address-based system) and requires use of an Elastic Load Balancer (ELB). Those certificates are labeled as legacy certificates in the Acquia Cloud interface's SSL page. Legacy certificates continue to function as normal on Acquia Cloud.

While both methods are currently accepted, Acquia strongly recommends that you use the standard model with your certificates. Acquia also strongly suggests that Acquia Cloud Enterprise customers with multi-region servers use the standard model.

It is possible, however, to have a standard and a legacy certificate installed in the same environment at the same time. To do so, complete the following items:

  • To use the legacy certificate, you will need to repoint the DNS settings for your domains to the provided CNAME.
  • To use the standard certificate, you will need to confirm that the DNS settings for your domain are pointed to your assigned IP address.

If you have a legacy certificate (which works with the ELB) you can separately add the new certificate, and then update to the Elastic IP address (EIP) as necessary.

If an Acquia-managed SSL certificate is installed directly on an application's load balancers and the self-service SSL facility is used to activate a certificate, the newly activated certificate will then take priority.

Differences in support for the standard and legacy models

| Standard | Legacy |
| --- | --- |
| Support for bare domains (for example, example.com rather than www.example.com). This is possible because the load balancer has an Elastic IP address (EIP) | No support for bare domains without additional configuration and services, since the load balancer is addressed by CNAME, rather than by IP address |
| Install certificate on any environment | Install certificate only on Production environment on Acquia Cloud Enterprise; one certificate can cover all environments on Acquia Cloud Professional |
| Install any number of certificates on an environment (only one can be active) | Install only one certificate |
| Not supported by some very old browsers | Supported by old and new browsers |
| Does not use ELBs and uses active/passive load balancers in an HA configuration | Uses ELBs in an HA configuration, which offer round-robin load balancers, instead of active/passive load balancers |
| Load balancer requests have a 600 second timeout | All requests through an ELB have a 60 second timeout |

Roles and permissions for SSL management

Acquia Cloud provides these two permissions for managing SSL:

  • Add or remove SSL certificates for the non-production environments
  • Add or remove SSL certificates for the production environment

By default, users with the Administrator, Team Lead, and Senior Developer roles have these permissions, while users with the Developer role do not. Learn more about roles and permissions.

SSL on Acquia Cloud Professional

There is an additional charge for using legacy SSL certificates for an Acquia Cloud Professional subscription — the charge is per Acquia Cloud Professional codebase. You can use a multidomain SSL certificate, however, and will be charged only for one certificate. If you pay for Acquia Cloud Professional using purchase orders, contact your salesperson to get SSL set up. For more details, see About Acquia Cloud billing.

SSL on Acquia Cloud Enterprise

There is no extra charge for Acquia Cloud Enterprise subscriptions. Acquia strongly suggests these subscriptions use the standard model.

SSL on Acquia Cloud Enterprise should generally be self service. However, some customer configurations may require additional assistance.

  • Customers who have a Premium, Enterprise, or Elite subscription. These customers can still buy a certificate through us, but Acquia will no longer install certificates provided by customers.
  • Customers who have purchased a certificate through Acquia that needs to be updated until the customer renews.

If you are a customer that falls into one of these categories, contact Acquia Support.
