Create an organization-validated certificate

In this tutorial, you'll set up an organization-validated (OV) certificate that uses DigiCert as the certificate authority. It will use Akamai's secure network to transfer your content between requesting clients and the Akamai edge network.

An organization-validated certificate provides a higher level of validation than a domain-validated certificate. A certificate authority (CA) checks that the company is valid, that it is registered, and that the business contact legitimately works at the company. The CA uses your organization information to verify that you legally own or have the legal right to use the domains listed in your certificate. An OV certificate generally expires in one year.

Before you begin

You need a technical contact outside your organization. This should be the person from your Akamai account team that you work with most closely. Both your local administrator contact and this technical contact will receive communications while the certificate is being validated. Talk to your Akamai account team to get:

  • A first and last name
  • A valid Akamai domain email address
  • A phone number

1. Create the certificate

  1. Log in to Akamai Control Center.
  2. Select > CDN > Certificates.
  3. Click Create New Certificate. A wizard launches.
  4. Select Organization Validation (OV) from the Akamai Managed Certificate options and click Next.

  5. In Select Certificate Settings, select the certificate type and certificate authority and click Next:
    • Certificate Type options:
      • Subject Alternative Names (SAN)
      • Single
      • Wildcard
      • Wildcard SAN
    • Certificate Authority (CA) options:
      • DigiCert


If a certificate type is greyed out or can't be selected in the UI, you may have an issue with your certificate quota. See the link on the same page in the UI to take a closer look at your contract details.

  6. In Enter Certificate Information, set these options and then click Next:


You can either create a new OrgID and enter the required information or you can begin typing to find and select an OrgID, which will then autocomplete all of the required information from a previously used organization.

  • Common Name (CN). This is the primary domain that a client uses to access your site or app. If you only have a single domain, this is the only field you need. Your organization needs to legally own this domain and once you submit your certificate in CPS, you can't change its Common Name.
  • SANs (optional). Are there alternate domains that a client can use to access your site or app? If so, you can enter up to 99 of them here.
  • Company Information. All fields not labeled "optional" are required. Have a look at the in-app instructions and fill in each accordingly.
  7. Review the Enter Certificate Information details. Click Edit to fix any problems.
  8. In Enter Company Information, if applicable, enable the Same as certificate company information checkbox. Then click Next.
  9. Set these options in the Enter Contact Information panel and then click Next:
    • Administrator Contact Information. Review the in-app help and enter contact details for your local certificate administrator.
    • Akamai Technical Contact Information. This is your Akamai account representative.
  10. In the Select Network Settings panel, set Deployment Network to Standard TLS or Enhanced TLS based on your requirements. Leave all other options at their default and click Next.


Enhanced TLS versus Standard TLS

The difference in security between Enhanced TLS and Standard TLS is physical, not electronic or software-related. The physical security of the servers is more advanced for Enhanced TLS but the software protection is no different for Standard TLS.

If your site exchanges PII, your certificate needs to use Enhanced TLS.

  11. Click Review. Run through each of the sections, verify that your settings are correct, and make sure that each section is marked with a green check icon.
  12. Click Submit.

Your certificate request is submitted and a certificate signing request is sent to DigiCert. When it's ready to progress, your administrator contact and your Akamai technical contact will receive an email.

2. Optionally, push your cert to staging

A newly provisioned certificate is automatically pushed to both the staging network and the production network, simultaneously. It's live and ready to start protecting the client-to-edge network connection. If you need to test your delivery configuration on Akamai's staging network before the certificate is pushed to production, follow the steps below to tell CPS to always test on staging before deployment.

  1. If necessary, access Akamai Control Center, log in with your primary admin user, and go to > CDN > Certificates.

  2. Locate the certificate you just created in the table, and click No under Always test on Staging before deployment.

  3. Set Test Certificate to Yes and click Submit.

3. Validate your domains

After you submit your enrollment (at the end of Step 1. Create the certificate, above), DigiCert will contact you to validate the organization information submitted with the certificate. When each domain's validation request is successful, the Administrator Contact will receive an email.

Certificate renewal

An OV certificate has a lifecycle of one year. The renewal process becomes available 60 days before the certificate is due to expire. To renew, you must complete the same validation steps that were required to create the certificate.
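Once the certificate is live, you can confirm that what the edge presents matches the enrollment and see whether the renewal window has opened. The following is an added example, not part of Akamai's documentation or tooling: it audits a certificate in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`. The sample certificate and the name `www.example.com` are constructed, and treating a subject `organizationName` as the OV indicator is a heuristic assumption.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEWAL_WINDOW_DAYS = 60  # this page: renewal opens 60 days before expiry
MAX_SANS = 99             # this page: up to 99 alternate domains

def _rdn(name, key):
    """First value of `key` in a getpeercert()-style subject/issuer tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def audit_cert(cert, expected_cn, now=None):
    """Compare a parsed certificate with what the OV enrollment requested."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    org = _rdn(cert["subject"], "organizationName")
    issuer_org = _rdn(cert["issuer"], "organizationName") or ""
    return {
        "organization": org,
        # Heuristic (assumption): DV certificates carry no organizationName.
        "looks_ov": org is not None,
        "issued_by_digicert": "digicert" in issuer_org.lower(),
        "cn_matches": _rdn(cert["subject"], "commonName") == expected_cn,
        "san_count_ok": len([s for s in sans if s != expected_cn]) <= MAX_SANS,
        "days_left": days_left,
        "renewal_open": days_left <= RENEWAL_WINDOW_DAYS,
        "expired": expires < now,
    }

def fetch_cert(host, port=443):
    """Fetch the certificate a live host presents (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "DigiCert Inc"),),
               (("commonName", "Constructed Example CA"),)),
    "notAfter": "Jan 15 23:59:59 2026 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
```

To audit a deployed hostname instead of the sample, pass the result of `fetch_cert(host)` to `audit_cert` along with the Common Name you enrolled.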

Other certificate methods

An organization-validated Enhanced TLS certificate may not fit your needs.


Standard TLS certificate

If requests for your content don't require the exchange of personally identifiable information (PII), consider using a Standard TLS version of your certificate. It is slightly faster and easier to set up than Enhanced TLS.

Default DV certificate (“Secure by Default”)

This is a separate method that automates the creation of a TLS certificate, either Standard TLS or Enhanced TLS. Currently, it’s in limited availability.

Non-secure HTTP (no certificate)

Secure hypertext transfer protocol (HTTPS) has become the standard for access on the Internet. While non-secure HTTP is still supported, it's not recommended. Browsers will present warnings to your users if they connect to a site that doesn't support HTTPS.


We offer a detailed comparison of each of these security options.