Create a domain-validated certificate
In this tutorial, you'll set up a domain-validated (DV) certificate that uses Let's Encrypt as the certificate authority. It will use Akamai's secure network to transfer your content between requesting clients and the Akamai edge network. It's relatively easy to set up, it's available to all Akamai delivery customers, and it applies to most delivery scenarios.
Before you begin
Make sure you have your Akamai technical contact's details if you haven't gathered them yet.
1. Create the certificate
- Log into Akamai Control Center.
- Select ☰ > CDN > Certificates.
- Click Create New Certificate. A wizard launches.
- Select Domain Validation (DV) from the Akamai Managed Certificate options and click Next.
- In Select Certificate Settings make sure these options are enabled and then click Next:
- Certificate Type: Subject Alternative Names (SAN)
- Certificate Authority (CA): Let's Encrypt
If a certificate type is grayed out or can't be selected in the UI, it could be because you have an issue with your certificate quota. See the link on the same page in the UI to take a closer look at your contract details.
- In Enter Certificate Information, set these options and then click Next:
- Common Name (CN). This is the primary domain that a client uses to access your site or app. If you only have a single domain, this is the only field you need. Your organization needs to legally own this domain, and once you submit your certificate in CPS, you can't change its Common Name.
- SANs (optional). Are there alternate domains that a client can use to access your site or app? If so, you can enter up to 99 of them here.
- Company Information. All fields not labeled "optional" are required. Have a look at the in-app instructions and fill in each accordingly.
- Review the Enter Certificate Information details. Click Edit to fix any problems.
- In Enter Company Information, make sure that Same as certificate information is enabled and click Next.
- Set these options in the Enter Contact Information panel and then click Next:
- Administrator Contact Information. Review the in-app help and enter contact details for your local certificate administrator.
- Akamai Technical Contact Information. This is your Akamai account representative.
- In the Select Network Settings panel, set Deployment Network to Standard TLS or Enhanced TLS based on your requirements. Leave all other options at their default and click Next.
Enhanced TLS versus Standard TLS
The difference in security between Enhanced TLS and Standard TLS is physical, not electronic or software-related. The servers that serve Enhanced TLS have more advanced physical security; the software protection is the same for Standard TLS.
If your site exchanges PII, your certificate needs to use Enhanced TLS.
- In Select trust chain, leave this set to the default option.
- Click Review. Run through each of the sections, verifying your settings are correct and make sure that each is marked with a green check icon.
- Click Submit.
Your certificate request is submitted and a certificate signing request is sent to Let's Encrypt. When it's ready to progress, your administrator contact and your Akamai technical contact will receive an email. Once you submit and your certificate is created, you have 7 days before the token expires.
2. Optionally, push your cert to staging
A newly provisioned certificate is automatically pushed to both the staging network and the production network, simultaneously. It's live and ready to start protecting the client-to-edge network connection. If you need to test your delivery configuration on Akamai's staging network before the certificate is pushed to production, follow the steps below to tell CPS to always test on staging before deployment.
- If necessary, access Akamai Control Center, log in with your primary admin user, and go to ☰ > CDN > Certificates.
- Locate the certificate you just created in the table, and click No under Always test on Staging before deployment.
- Set Test Certificate to Yes and click Submit.
3. Validate your domains
Before Let's Encrypt can sign your certificate, they need to validate that you control all of the domains you set as the CN and any SANs in your cert. You can do this in multiple ways, but we'll use the HTTP Token method here because it doesn't have additional requirements.
1. If necessary, access Akamai Control Center, log in with your primary admin user, and go to ☰ > CDN > Certificates.
2. Locate your cert, click To-Do under Submitting to CA, and then click Validate Control over Domain(s).
3. Select a domain from the list.
4. Select HTTP Token.
5. Under Your domain / folder / filename (path), note the complete path after your domain. This is where you'll store the file with the token.
6. Copy the complete token under Content of the file (token).
7. Create an HTML file that contains the copied token. Save it on your website using the complete path you noted, and name it using the last value in that path.
The token created for this process is valid until the Token expires date and time. Make sure you complete step 7 before it expires.
8. Once you've set up the file on your site, return to this screen and click Check status now to push the validation request.
9. Repeat steps 3 through 8 for each remaining domain.
When each domain’s validation request is successful, the Administrator Contact will receive an email. Plus, the “To-Do” link will be removed from the dashboard in this interface. You’re ready to go!
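Before you click Check status now, it is worth confirming that the token file is actually reachable at the path CPS gave you, since a wrong file name, a stray redirect, or a 404 is the usual reason a validation request fails and burns time against the token's expiry. The following is an added example (not Akamai's or Let's Encrypt's code) that stages the token file under a web root and then fetches it over plain HTTP to compare the served body with the token. The domain, path and token values are constructed placeholders; take the real ones from the "Your domain / folder / filename (path)" and "Content of the file (token)" fields in CPS.

```python
"""Stage a CPS HTTP-token validation file and confirm it is served.

Added example, not code from Akamai or Let's Encrypt. The domain, path and
token below are constructed placeholders; use the values CPS shows you.
"""
import os
import urllib.request
from urllib.parse import urljoin

# Constructed placeholders (hypothetical); replace with the values from CPS.
DOMAIN = "www.example.com"
TOKEN_PATH = "/.well-known/acme-challenge/TOKEN-FILENAME-FROM-CPS"
TOKEN_CONTENT = "TOKEN-CONTENT-FROM-CPS"


def write_token_file(docroot, token_path, token):
    """Create the token file under the web root at exactly the path CPS gave.

    The file takes its name from the last segment of the path and its body
    is the token text, so the validator's comparison matches byte for byte.
    """
    rel = token_path.lstrip("/")
    full = os.path.realpath(os.path.join(docroot, rel))
    # Refuse a path that would land outside the document root.
    if not full.startswith(os.path.realpath(docroot) + os.sep):
        raise ValueError("token path escapes the document root")
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="ascii", newline="") as fh:
        fh.write(token)
    return full


def fetch_text(url, timeout=10):
    """Default fetcher: plain HTTP GET returning the body as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def verify_token(domain, token_path, token, fetch=fetch_text):
    """Request the token URL over HTTP and compare the body with the token.

    Returns (ok, detail). `fetch` is injectable so the check can be run
    offline in tests; in practice the default fetcher is used.
    """
    url = urljoin("http://" + domain, token_path)
    try:
        body = fetch(url)
    except Exception as exc:  # unreachable host, 404, redirect loop, ...
        return False, "%s: %s" % (url, exc)
    served = body.strip()
    if served != token:
        return False, "%s served %r, expected %r" % (url, served, token)
    return True, "%s serves the expected token" % url


if __name__ == "__main__":
    path = write_token_file("/var/www/html", TOKEN_PATH, TOKEN_CONTENT)
    print("wrote", path)
    ok, detail = verify_token(DOMAIN, TOKEN_PATH, TOKEN_CONTENT)
    print("OK" if ok else "FAIL", detail)
```

Run it on the origin host that serves the domain (adjust the document root to your web server's), and only click Check status now once it reports OK. The fetch deliberately uses `http://`, because a domain that is still being validated may not yet have a working certificate for HTTPS.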
Different validation methods
In CPS you can validate your domains for a domain-validated certificate in three ways. You can use a different way for each domain on the certificate.
- URL Redirect
- HTTP Token (This is covered here.)
- DNS Token
Certificate renewal
A DV certificate has a lifecycle of 90 days. 20 days before the certificate is due to expire, the renewal process becomes available. To complete this renewal process you must complete the same validation steps that were required to create the certificate. See Auto Domain Validation to learn more about auto-renewing your certificates.
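Because the renewal window opens on a fixed schedule, it is easy to monitor: read the leaf certificate's notAfter date from the edge and apply the two numbers above. The following is an added example (not part of the Akamai page) that derives the issue date, the renewal-window start and the expiry from a certificate's notAfter, classifies the certificate as valid, in its renewal window, or expired, and can fetch notAfter from a live TLS endpoint. The hostname in the `__main__` block is a hypothetical placeholder.

```python
"""Track the renewal window of a 90-day DV certificate.

Added example, not Akamai's code. It applies the page's two figures
(90-day lifecycle, renewal available 20 days before expiry) to a
certificate's notAfter date.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

LIFETIME_DAYS = 90       # DV certificate lifecycle stated on the page
RENEWAL_LEAD_DAYS = 20   # renewal becomes available this long before expiry


def renewal_window(not_after):
    """Return (issued, renewal_opens, expires) for a cert expiring at not_after.

    not_after must be timezone-aware. The issue time is derived from the
    stated 90-day lifetime rather than read from the certificate.
    """
    if not_after.tzinfo is None:
        raise ValueError("not_after must be timezone-aware")
    expires = not_after
    issued = expires - timedelta(days=LIFETIME_DAYS)
    renewal_opens = expires - timedelta(days=RENEWAL_LEAD_DAYS)
    return issued, renewal_opens, expires


def renewal_status(not_after, now):
    """Classify the certificate at time `now`: valid, renewal-window or expired."""
    _, opens, expires = renewal_window(not_after)
    if now >= expires:
        return "expired"
    if now >= opens:
        return "renewal-window"
    return "valid"


def parse_not_after(not_after_str):
    """Parse the notAfter string returned by ssl.SSLSocket.getpeercert().

    The ssl module formats it like 'Jun  1 12:00:00 2025 GMT'.
    """
    seconds = ssl.cert_time_to_seconds(not_after_str)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def live_not_after(hostname, port=443, timeout=10):
    """Fetch the leaf certificate's notAfter from a live TLS endpoint (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return parse_not_after(tls.getpeercert()["notAfter"])


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # hypothetical
    expiry = live_not_after(host)
    issued, opens, expires = renewal_window(expiry)
    now = datetime.now(timezone.utc)
    print("%s: issued ~%s, renewal opens %s, expires %s (%s)" % (
        host, issued.date(), opens.date(), expires.date(), renewal_status(expiry, now)))
```

Running the script against a hostname prints the dates and the current status; wiring `renewal_status` into a scheduled check that alerts on "renewal-window" gives the administrator contact the same lead time CPS itself provides, which matters most when you are validating by HTTP token by hand rather than using Auto Domain Validation.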
Other certificate methods
While it works for this basic tutorial, a domain-validated Enhanced TLS certificate may not fit your needs.

| Method | Description |
|---|---|
| | If requests for your content don't require the exchange of personally identifiable information (PII), consider using a Standard TLS version of your certificate. It is slightly faster and easier to set up than Enhanced TLS. |
| | This is a separate method that automates the creation of a TLS certificate, either Standard TLS or Enhanced TLS. Currently, it's in limited availability. |
| | HTTPS (Hypertext Transfer Protocol Secure) has become the standard for access on the Internet. While non-secure HTTP is still supported, it's not recommended. Browsers will present warnings to your users if they connect to a site that doesn't support HTTPS. |
We offer a detailed comparison of each of these security options.
Updated 5 months ago