Create a domain-validated certificate

In this tutorial, you'll set up a domain-validated (DV) certificate that uses Let's Encrypt as the certificate authority. It will use ​Akamai​'s secure network to transfer your content between requesting clients and the Akamai edge network. It's relatively easy to set up, it's available to all ​Akamai​ delivery customers, and it applies to most delivery scenarios.

Before you begin

You need a technical contact, outside your organization. This should be the person from your ​Akamai​ account team that you work closest with. Both your local administrator contact and this technical contact will receive communications while the certificate is being validated. Talk to your ​​Akamai​ account team to get:

  • A first and last name
  • A valid, ​Akamai​ domain email address
  • A phone number

1. Create the certificate

  1. Log into ​Akamai Control Center​.
  2. Select > CDN > Certificates.
  3. Click Create New Certificate. A wizard launches.
  4. Select Domain Validation (DV) from the Akamai Managed Certificate options and click Next.
  1. In Select Certificate Settings make sure these options are enabled and then click Next:
    • Certificate Type: Subject Alternative Names (SAN)
    • Certificate Authority (CA): Let's Encrypt


If a certificate type is greyed out or un-selectable in the UI, it could be because you have an issue with your certificate quota. See the link on the same page in the UI to take a closer look at your contract details.

  1. In Enter Certificate Information, set these options and then click Next:
    • Common Name (CN). This is the primary domain that a client uses to access your site or app. If you only have a single domain, this is the only field you need. Your organization needs to legally own this domain and once you submit your certificate in CPS, you can't change its Common Name.
    • SANs (optional). Are there alternate domains that a client can use to access your site or app? If so, you can enter up to 99 of them here.
    • Company Information. All fields not labeled "optional" are required. Have a look at the in-app instructions and fill in each accordingly.
  1. Review the Enter Certificate Information details. Click Edit to fix any problems.
  2. In Enter Company Information, make sure that Same as certificate information is enabled and click Next.
  3. Set these options in Enter Contact Information panel and then click Next:
    • Administrator Contact Information. Review the in-app help and enter contact details for your local certificate administrator.
    • ​Akamai​ Technical Contact Information. This is your ​Akamai​ account representative.
  4. In the Select Network Settings panel, set Deployment Network to Standard TLS or Enhanced TLS based on your requirements. Leave all other options at their default and click Next.


Enhanced TLS versus Standard TLS

The difference in security between Enhanced TLS and Standard TLS is physical, not electronic or software-related. The physical security of the servers is more advanced for Enhanced TLS but the software protection is no different for Standard TLS.

If your site exchanges PII, your certificate needs to use Enhanced TLS.

  1. Click Review. Run through each of the sections, verifying your settings are correct and make sure that each is marked with a green check icon.
  1. Click Submit.

Your certificate request is submitted and a certificate signing request is sent to Let's Encrypt. When it's ready to progress, your administrator contact and your ​Akamai​ technical contact will receive an email. Once you submit and your certificate is created, you have 7 days before the token expires.

2. Optionally, push your cert to staging

A newly provisioned certificate is automatically pushed to both the staging network and the production network, simultaneously. It's live and ready to start protecting the client-to-edge network connection. If you need to test your delivery configuration on ​Akamai​'s staging network before the certificate is pushed to production follow the steps below to tell CPS to always test on staging before deployment.

  1. If necessary, access ​Akamai​ Control Center, log in with your primary admin user, and go to > CDN > Certificates.

  2. Locate the certificate you just created in the table, click No under Always test on Staging before deployment.

  3. Set Test Certificate to Yes and click Submit.

3. Validate your domains

Before Let's Encrypt can sign your certificate, they need to validate that you control all of the domains you set as the CN and any SANs in your cert. You can do this in multiple ways, but we'll use the HTTP Token method here because it doesn't have additional requirements.

  1. If necessary, access ​Akamai​ Control Center, log in with your primary admin user, and go to > CDN > Certificates.

  2. Locate your cert, click To-Do under Submitting to CA, and then click Validate Control over Domain(s).

  1. Select a domain from the list.

  2. Select HTTP Token.

  3. Under Your domain / folder / filename (path), note the complete path after your domain. This is where you'll store the file with the token.

  4. Copy the complete token under Content of the file (token).

  5. Create an HTML file that contains the copied token. Save it on your website using the complete path you noted, and name it using the last value in that path.


The token created for this process is valid until the Token expires date and time. Make sure you complete step 7 before it expires.

  1. Once you’ve set up the file on your site, you can access it here again and click Check status now to push the validation request.

  2. Repeat steps 3-8 for each remaining domain.

When each domain’s validation request is successful, the Administrator Contact will receive an email. Plus, the “To-Do” link will be removed from the dashboard in this interface. You’re ready to go!

Different validation methods

In CPS you can validate your domains for a domain-validated certificate in three ways. You can use a different way for each domain on the certificate.

Certificate renewal

A DV certificate has a lifecycle of 90 days. 16 days before the certificate is due to expire, the renewal process will become available. To complete this renewal process you must make the same validation steps that were required to create the certificate. See Auto Domain Validation to learn more about auto-renewing your certificates.

Other certificate methods

While it works for this basic tutorial, a domain-validated enhanced TLS certificate may not fit your needs.


Standard TLS certificate

If requests for your content don't require the exchange of personally identifiable information (PII) consider using a Standard TLS version of your certificate. It is slightly faster and easier to set up than Enhanced TLS.

Default DV certificate (“Secure by Default”)

This is a separate method that automates the creation of a TLS certificate, either Standard TLS or Enhanced TLS. Currently, it’s in limited availability.

Non-secure HTTP (no certificate)

Secure hypertext transfer protocol (HTTPS) has become the standard for access on the Internet. While non-secure HTTP is still supported, it's not recommended. Browsers will present warnings to your users if they connect to a site that doesn't support HTTPS.


We offer a detailed comparison of each of these security options.