On 20 July 2020, Acquia Edge CDN and Acquia Edge Protect will be implementing a change to Universal SSL certificates. As of 20 July, Universal SSL Certificates will now be issued by DigiCert. Universal SSL Certificates from Sectigo (formerly known as Comodo) are no longer supported. This means that our underlying service provider will issue the zones listed below new Universal SSL Certificates and remove the old Universal SSL Certificates.
Why is this change happening?
Acquia's underlying service provider is changing providers of Universal SSL certificates and implementing Universal SSL certificates in all zones.
Universal SSL is designed to be automatic and the best fit for most customers. Domain validation, certificate issuance, and certificate renewal are all managed by Cloudflare on every customer’s behalf. For zones where Acquia's provider is neither the authoritative DNS provider nor hosts content served over HTTP— as is the case for partial zones— the only way we can continue to automatically have domains validate is to order certificates for each proxied hostname.
As a result, newly-issued Universal SSL Certificates for partial zones reduce the scope of support for requests made without SNI to a single hostname for each zone. This may be impacting traffic to your application.
What kind of traffic to my application is impacted by this change?
This will only impact applications supporting traffic from legacy, non-SNI clients. This will mostly impact traffic to your application from users with older browsers and mobile devices (e.g. older than IE 7, Windows XP in general).
What do I need to do now?
Due to this change, customer applications that have significant client traffic that lacks support for SNI will need to create a Dedicated Certificate with Custom Hostnames that contains every hostname that requires support for TLS handshakes made without SNI via the Cloudflare Dashboard. To learn more about SNI, see our provider's article, "What is SNI?"
Note: If you already have a Dedicated Certificate with Custom Hostnames, these non-SNI clients will continue to be supported.
I am unsure how to proceed. Can you help me?
Yes. If you have any questions about this, please contact Acquia Support by logging in to accounts.acquia.com and visiting the Acquia Help Center.