Security in the Acquia Experience: The Importance of SSL Certificates

Acquia considers security our differentiator in creating digital experiences. It is why Acquia prioritizes creating a wealth of tools to keep your and your customers' digital assets and personal information protected and secure.

One way to do so is by installing a Secure Sockets Layer (SSL) certificate. SSL is a valuable and standard security technology, implemented on a vast number of websites, for establishing an encrypted link between a web server and a browser. SSL allows a web developer or administrator to ensure that all data passed between the web server and the users' web browsers remains private.

While the processes that support this technology are more complex, it is represented by an easily accessible lock icon in the browser, letting users know they're protected by an SSL-encrypted session. Users can click on the lock icon to display the site's SSL certificate and read the details as needed.

Acquia Cloud: Getting Started with SSL

To use SSL, your environment must have an SSL certificate, which can be purchased from a certificate authority or SSL certificate vendor and uploaded to Acquia Cloud. Acquia Cloud offers two models for SSL support: the Standard model and the Legacy model.

  • The Standard model (recommended) allows you to associate SSL certificates with any environment in your application, using the existing load balancer pair. To access the certificate, use a DNS A record.
  • The Legacy model (indicated as legacy certificates in the Acquia Cloud interface) requires the use of an Elastic Load Balancer (ELB). The certificate must be accessed by using a DNS CNAME record.

Although both models are accepted, Acquia recommends using the Standard model with your certificates. Acquia Cloud Enterprise subscribers with multi-region servers are also encouraged to use this model.

SSL on Acquia Cloud Professional: Using legacy SSL certificates for an Acquia Cloud Professional subscription incurs an added charge — the charge is per Acquia Cloud Professional codebase. You can use a multidomain SSL certificate and incur charges only for one certificate. Note: If you pay for Acquia Cloud Professional using purchase orders, please contact the sales team about SSL configuration.

SSL on Acquia Cloud Enterprise: Acquia Cloud Enterprise subscriptions incur no additional charges. Acquia suggests Acquia Cloud Enterprise subscriptions use the Standard model. SSL on Acquia Cloud Enterprise must generally be self-service. Subscribers who have a Premium, Enterprise, or Elite subscription can still purchase a certificate through Acquia; however, Acquia will not install certificates provided by subscribers. Subscribers who have purchased a certificate through Acquia that will need updates until the subscriber renews may also require more help.

Generating and Acquiring your SSL Certificate

The first step in obtaining an SSL certificate to use with Acquia Cloud is to generate a Certificate Signing Request (CSR). The CSR contains information about your organization and website that a certificate authority can use to generate the appropriate SSL certificate for your website. Only CSRs generated using the Acquia Cloud interface are managed and displayed in the Acquia Cloud interface on the SSL page.

After you generate a CSR for an environment, the next step for enabling SSL is to obtain an SSL certificate. SSL certificates can be purchased from a vendor, each of which will have its own prices and purchase process; however, all should accept the CSR that you have generated and copied using the Acquia Cloud interface. Include the encoded CSR in your chosen vendor's purchase form.

Note that you can use any type of SSL certificate with Acquia Cloud, including single domain, multidomain (Unified Communications Certificate (UCC)/Subject Alternative Name (SAN)), wildcard, extended validation and self-signed certificates. If your vendor requires you to specify the server type for the certificate, choose Nginx or, as a second choice, Apache.

In general, certificates provided from most vendors will work properly on Acquia Cloud. In certain cases, you may need to locate and upload intermediate certificates, depending on the vendor and the architecture of your application. Please note the following requirements when obtaining your certificate:

  • The SHA-1 cryptographic hash algorithm is being deprecated. You should ensure that the SSL certificate you purchase uses an SHA-2 signature.
  • SSL certificates must be Base64 encoded — Acquia Cloud will not install certificates without this encoding.
  • SSL certificates must be compatible with either Nginx or Apache. Confirm with your vendor that your certificate files are in a compatible format.
  • SSL certificates must not pin to the *.acquia-sites.com certificate that is provided by Acquia.

After you have obtained an SSL certificate for an environment, you can use the Acquia Cloud interface SSL page to install the certificate. Depending on whether you use a CSR generated with the Acquia Cloud interface, or will use a certificate obtained through another process, there are two methods to install an SSL certificate. It is advised to confirm the validity of your SSL certificate before you upload or try to activate it on Acquia Cloud.
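The requirements above can be checked locally before anything is pasted into the SSL page. The following Python sketch is an added example, not Acquia's code: it confirms the certificate text is PEM (Base64), reads each certificate's signature algorithm to confirm SHA-2, and flags an encrypted private key, which Acquia Cloud cannot deploy. The function names are hypothetical, and `sample_cert` builds constructed stand-ins, not real certificates.

```python
import base64, re
# DER bytes (hex) of common signature-algorithm OIDs; not exhaustive.
SIG_ALGS = {"2a864886f70d010105": "sha1WithRSAEncryption",
            "2a864886f70d01010b": "sha256WithRSAEncryption",
            "2a8648ce3d040302": "ecdsa-with-SHA256"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos=0):  # decode one DER element -> (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits count the length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def signature_algorithm(pem_body):
    """Name the outer signatureAlgorithm of one PEM CERTIFICATE body."""
    der = base64.b64decode("".join(pem_body.split()), validate=True)
    cert = read_tlv(der)[1]                      # Certificate SEQUENCE
    alg = read_tlv(cert, read_tlv(cert)[2])[1]   # element after tbsCertificate
    oid = read_tlv(alg)[1].hex()                 # AlgorithmIdentifier OID
    return SIG_ALGS.get(oid, "unknown OID " + oid)

def lint(cert_pem, key_pem):  # returns the problems to fix before installing
    problems = []
    certs = [b for label, b in PEM_RE.findall(cert_pem) if label == "CERTIFICATE"]
    if not certs:
        problems.append("certificate is not PEM (Base64) encoded")
    for body in certs:  # leaf plus any intermediates pasted with it
        try:
            alg = signature_algorithm(body)
        except (ValueError, IndexError):
            alg = "unparseable certificate"
        if not re.search(r"sha(256|384|512)", alg, re.I):
            problems.append("cannot confirm SHA-2 signature: " + alg)
    if re.search(r"^(-----BEGIN|Proc-Type).*ENCRYPTED", key_pem, re.M):
        problems.append("private key is encrypted")
    return problems

def tlv(tag, value):  # DER encoder, used only to build the constructed sample
    size = len(value).to_bytes((len(value).bit_length() + 7) // 8 or 1, "big")
    head = size if len(value) < 128 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + value

def sample_cert(oid_hex):  # constructed stand-in: real DER framing, dummy contents
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    der = tlv(0x30, tlv(0x30, bytes(200)) + alg + tlv(0x03, bytes(65)))
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
```

Pass the text of your own certificate and key files to `lint()`; an empty list means none of these checks failed. It does not check expiry, hostname coverage, or that the key matches the certificate.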

Installing an SSL Certificate

To install an SSL certificate based on a CSR generated with the Acquia Cloud interface, please complete the following:

  1. Sign in to Acquia Cloud as a user with the necessary permissions.
  2. Select your organization, application and environment; then, in the left menu, click SSL.
  3. On the SSL page, click the Install SSL certificate link for the CSR.
  4. If you want the certificate to use the legacy (ELB based) SSL model, select Install legacy SSL certificate. Optionally, in the Label field, enter a label to help you identify the certificate in the Acquia Cloud interface. If you selected Install legacy SSL certificate, there is no label field, since you can only have a single legacy SSL certificate on an environment.
  5. In the SSL certificate field, enter the SSL certificate in PEM format. Private key files must be unencrypted and non-password protected, or the certificate cannot be deployed.
  6. If the certificate has any CA intermediate certificates, enter these in the CA intermediate certificates field in PEM format. You must enter CA intermediate certificates in the proper order.
  7. Click Install.

To install an SSL certificate not based on an Acquia-generated CSR, please complete the following:

  1. Sign in to Acquia Cloud as a user with the necessary permissions.
  2. Select your organization, application and environment; then, in the left menu, click SSL.
  3. On the SSL page, click Install SSL certificate.
  4. If you want the certificate to use the legacy (ELB based) SSL model, select Install legacy SSL certificate.
  5. In the Label field, enter a label to help you identify the certificate in the Acquia Cloud interface. If you selected Install legacy SSL certificate, there is no label field, since you can only have a single legacy SSL certificate on an environment.
  6. In the SSL certificate field, enter the SSL certificate in PEM format.
  7. In the SSL private key field, enter the private key for this certificate in PEM format.
  8. If the certificate has any CA intermediate certificates, enter these in the CA intermediate certificates field in PEM format. CA intermediate certificates must be entered in the proper order.
  9. Click Install.

Activating an SSL Certificate

After installing an SSL certificate on an environment, you must activate the certificate before it starts working with HTTPS requests to the environment. An environment can have only one active SSL certificate at a time. Activating a new certificate will deactivate all other certificates on the environment.

To activate an SSL certificate, on the SSL page, under SSL certificates, locate the certificate and click Activate. The SSL certificate activation takes less than five minutes, after which the SSL web page will display the certificate’s active status.

Please note the following:

  • You must activate Standard (SNI) certificates before use.
  • Legacy certificates installed on the ELB will instantly override the previous certificate on the ELB.
  • You can have a standard and a legacy certificate active at the same time.
  • Activating a standard certificate will deactivate any other non-legacy certificates.

Conclusion

We consider security to be the most important building block as you begin your journey in creating a transformative digital experience. An SSL certificate is likely only one of many pieces in your security architecture, yet it’s a significant one. Think of it as your foundation – ensuring secure data for you and your customers and communicating a clear message that your organization values privacy and security.

Acquia has designed multiple tools to take your platform to the next level. With Acquia’s platforms and services, your customers will achieve innovative and high-performing digital experiences for their users. An SSL certificate will ensure protected server-client communication and establish trust in the client relationship.

Josh Anderson

Former Writer Acquia