To make your CPS experience more effective and satisfying, get familiar with the following concepts and terms first:

Secure delivery

The SSL/TLS certificates that you obtain using CPS let you set up secure web properties and authenticate the secure connection that the browser makes during content delivery. CPS generates and secures the private key of each certificate.

Certificate authority

A certificate authority (CA) is a trusted entity that signs certificates and can vouch for the identity of a website. If a certificate is like a license or a passport, then a CA is like the Department of Motor Vehicles or the government, in that it is the trusted agency that issues the identification and verifies your identity before issuing identification.

📘

CPS-supported CAs

CAs supported by CPS include DigiCert, and Let's Encrypt. If you want to use a different CA, you must use a third-party certificate and CA.

Certificate

A digital certificate contains an electronic document that includes a company's identification information (such as the name of the company and address), a public key, and the digital signature of a CA based on that certification authority's private key. Public keys may be disseminated widely, but they are paired with private keys which are known only to the owner. In a public-key encryption system, any person can encrypt content using the public key of the receiver, but the content can be decrypted only with the receiver's private key.

You can think of a certificate as you would a license or passport that identifies your website. Having a certificate provides a way for users to authenticate with a website. Authentication is a method for establishing the identity of a browser connecting to a website and establishing the identity of a website to a browser. A certificate contains the common name (CN) you want to use for the certificate. This is often the fully qualified domain name for which you plan to use your certificate.

To learn about the types of certificates supported by CPS, see View certificate types.

Validation

When a CA gets a request for a certificate and verifies your identity, it validates the certificate request. There are three types of validation:

• Domain Validation (DV). This is the lowest level of validation. The CA validates that you have control of the domain. An ​Akamai​-managed DV certificate expires in 90 days. Customer supplied DV certificates can expire whenever the CA you acquire the certificate from determines it expires. CPS support DV certificates issued by Let's Encrypt, an automated and open CA run for public benefit.

• Organization Validation (OV). This is a higher level of validation. The CA validates whether or not the company is valid, if it is registered, and if the business contact is a full-time employee at the company. The CA uses your organization information to verify you legally own or have the legal right to use the domains listed in your certificate. OV certificates obtained through CPS expire in one year.

• Extended Validation (EV). This is the highest level of validation in which you must have signed letters and notaries sent to the CA before signing. EV certificates obtained through CPS expire in one year. EV certificates enable the green bar in web browsers.

Certificate pinning

​Akamai​ does not support customers pinning, or hard-coding any part of the SSL/TLS certificates or their trust chains in applications or client software. If your applications are sensitive to trust chain changes, use third-party certificates in CPS, and obtain certificates from a CA whose policies are aligned with your business and product goals. Our selection of root certificates does not change often, however intermediate certificates in each trust chain are subject to change without notice.