With Copilot
Acquia Copilot is a conversational AI connected into our product documentation and knowledge base. Ask Copilot about product features, technical details, troubleshooting and how to get started with Acquia products.
Sign in to use Acquia Copilot
Using the Cloud Platform interface SSL page, you can perform the following tasks to manage an environment’s SSL certificates and CSRs:
After obtaining an SSL certificate for an environment, as described in Obtaining an SSL certificate, you can use the SSL page in the Cloud Platform user interface to install the certificate on an environment. Depending on whether you use a CSR generated through the Cloud Platform user interface or obtain the certificate through some other way, you can use the following methods to install an SSL certificate:
To renew or replace an SSL certificate, see Renewing or replacing an SSL certificate.
You may want to confirm the validity of your SSL certificate before you upload or try to activate the certificate on Cloud Platform. For more information, see Verifying the validity of an SSL certificate.
To install an SSL certificate based on an Acquia-generated CSR, you can follow one of these methods based on the type of your SSL certificate:
To install a legacy SSL certificate based on an Acquia-generated CSR:
If you want the certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate.
To install a non-legacy SSL certificate based on an Acquia-generated CSR:
On the SSL tab, click Install next to the CSR that you generated.
The private key pre-populates in its respective field and you can fill the remaining fields on the installation form. If you are unsure about how to find the private key associated with a CSR that was generated in the Cloud Platform user interface, see Generate private key in CSR.
If you want the certificate to use the legacy (ELB-based) SSL model, select Install legacy SSL certificate.
After you have installed an SSL certificate on an environment, you can view it on the SSL page. The SSL certificates section lists all the installed certificates and their active status. Click View to see details about an SSL certificate, including:
Click Show to view the PEM encoded certificate, CA chain (CA intermediate certificates), or private key. Legacy/ELB certificates will not have the private key visible on this View page in the UI.
Cloud Platform and Site Factory offer SSL management with separate guidelines for default and custom domains. Default SSL certificates issued by Acquia only cover default domains and not custom domains. Ensure that you point to the correct domain to utilize SSL certificates properly.
After installing an SSL certificate on an environment, you must activate the certificate before it starts working with HTTPS requests to the environment.
To activate an SSL certificate, on the SSL page (under SSL certificates) locate the certificate you want to activate, and then click Activate to confirm. The activation will take a few minutes to complete.
When multiple certificates are set to active, HTTPS requests for any given domain on your environment will be served using the newest activated certificate which includes that domain. If multiple certificates are active and cover the same domain, one with an exact match and one with a wildcard match, your environment will serve the certificate with the exact match, even if the wildcard certificate was installed more recently. If no matching certificates are found, your environment will default to using any default or custom certificate installed on that environment by Acquia.
You can deactivate an active SSL certificate at any time. If you are planning to remove an SSL certificate, Acquia recommends to first deactivate the certificate and then remove it.
To deactivate an SSL certificate, on the SSL page (under SSL certificates), locate the active certificate you want to deactivate, and then click Deactivate.
To avoid potential impact to your site(s), it is a best practice to keep your current certificate in place before removing it if you are replacing it with a new certificate.
You can delete a non-legacy SSL certificate in the Cloud Platform user interface at any time. Before doing so, you must deactivate the certificate itself.
To remove a legacy/ELB SSL certificate, you must create a Support ticket. Removing a legacy SSL certificate includes permanently removing your ELB as well. This means that if you would like to install another legacy SSL certificate in the future, you would need to point your domains to a new ELB CNAME address.
To remove a non-legacy SSL certificate:
If you need to delete or deactivate a valid SSL certificate, you must revoke that certificate to prevent an attacker’s website masquerading as your own. Acquia recommends that you deactivate or delete any revoked or expired certificates from all environments. Leaving a revoked certificate active in any environment may result in downtime for your application.
Each SSL certificate vendor has different procedures to perform a certificate revocation. Ensure you follow the instructions your SSL certificate vendor provides. Here are the procedures for two common vendors:
If you need to replace an SSL certificate that is expiring, you do not need to delete or remove your existing certificate(s). There are two options you can take to replace your SSL certificate: The first is to install an updated certificate that includes new information, such as additional domains/ organizational changes, etc. This option includes the same steps as if you were installing a brand new certificate. If this applies to you, follow the instructions on installing a certificate here.
The other option is to install a renewed version of your existing certificate that just has a new expiration date. If there is no change to the details of the certificate itself besides the expiry date, you may not need to generate a new CSR. To install the updated version of the same certificate, follow these steps:
To upload a new SSL certificate to a Cloud Platform subscription that already has an active SSL certificate:
On the SSL page, in the Certificate signing requests section, click Install to navigate to the installation form and have the private key prepopulated in its respective field.
If you have questions on this step, see Generate private key in CSR for the CSR you used to obtain the SSL certificate you want to install.
In the Certificate signing requests section, click View next to the preexisting certificate in the SSL certificates section to find the corresponding private key, as shown in the following screens:
Copy the private key to a local text editor before navigating to the installation form by clicking the button on your SSL page.
(Optional) In Label, enter a label to help you identify the certificate. If you selected Install legacy SSL certificate, the system does not display the Label field since you can only have a single legacy SSL certificate on an environment.
In SSL Certificate, enter the SSL certificate in the PEM format. The certificate must look something like the following example, but much longer:
Cloud Platform
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----Click Install.
After the installation is complete, the system displays the CSR details in the SSL certificates section.
In SSL Certificate, enter the main/server SSL certificate file in the PEM format. PEM formatted files are text files written in Base64 ASCII encoding with plain-text headers and footers. The certificate must look something like the following example, but much longer:
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----Private key files must be unencrypted and non-password protected, or the certificate cannot be deployed.
Click Install.
After the installation is complete, the system displays the CSR details in the SSL certificates section.
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----
If this content did not answer your questions, try searching or contacting our support team for further assistance.
(Optional) In Label, enter a label to help you identify the certificate. If you selected Install legacy SSL certificate, the system does not display the Label field since you can only have a single legacy SSL certificate on an environment.
In SSL Certificate, enter the SSL certificate in the PEM format. The certificate must look something like the following example, but much longer:
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----Click Install.
After the installation is complete, the system displays the CSR details in the SSL certificates section.
In SSL Certificate, enter the main/server SSL certificate file in the PEM format. PEM formatted files are text files written in Base64 ASCII encoding with plain-text headers and footers. The certificate must look something like the following example, but much longer:
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----Private key files must be unencrypted and non-password protected, or the certificate cannot be deployed.
Click Install.
After the installation is complete, the system displays the CSR details in the SSL certificates section.
-----BEGIN CERTIFICATE-----
MIIFWzCCBEOgAwIG1bBouS1O/ob8scTviFvVCKVzzANBgkqhkiG9w0BAQsFADBw
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS8wLQYDVQQDEyZEaWdpQ2VydCBTSEEyIEhpZ2ggQXNz
dXJhbmNlIFNlcnZlciBDQTAeFw0xNjA5MTUwMDAwMDBaFw0xNzEyMDgxMjAwMDBa
MGYxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQ8wDQYDVQQH
Us8/azXp7pJ75vyNi/tuLbLSQbwqNcEo+jBXPysGdA==
-----END CERTIFICATE-----
If this content did not answer your questions, try searching or contacting our support team for further assistance.