Guide

Select network settings

Suggest Edits

🚧

After you create a new certificate, FIPS is the only setting you can change. The other network settings can't be changed.

How to

To choose the network settings for your certificate:

  1. Leave Excludes China and Russia selected under Geographical Deployment, or select Includes China, Excludes Russia or Includes Russia, Excludes China.

    📘

    You can only modify this field to include China if your ​Akamai​ contract specifies your ability to do so and you have approval from the Chinese government. You can only modify this field to include Russia if your ​Akamai​ contract specifies your ability to do so. You do not need approval from the Russian government. CPS automatically includes Russia for a standard TLS contract.

  2. Select one of the following in the Deployment Network section to choose the type of ​Akamai​ network to which you want to deploy your certificate:

    • Standard TLS: Provides a rich set of TLS and HTTPS functionality architected to provide high-performance, and massively scalable delivery of media assets and website content using customer branded certificates supporting SNI compatible devices.

    • Enhanced TLS: Provides a rich set of TLS and HTTPS functionality architected for sites and content with high-assurance security requirements, such as PCI compliance, using customer branded certificates.

    📘

    To use this certificate with a configuration in Property Manager, the selected deployment network on the certificate must match the selected security option in the property configuration.

  3. Enable SNI in the SNI-Only field (if your contract allows it) and allow a server to present multiple certificates on the same IP address and TCP port number and, therefore, allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate.

    If this option appears grayed out, your contract does not allow this. If you enable SNI-Only, CPS directs traffic using all the SANs listed in the SANs field. If you want to change this after you finish creating your certificate, edit your deployment settings to change the SANs. If you change the SANs at a later time, be aware that this generates a new certificate signing request (CSR).

  4. Enable FIPS to allow Akamai edge servers to present only those cipher suites from the selected cipher profile that have been validated for FIPS 140-2. Cipher suites that have not been validated for FIPS 140-2 are not presented to connecting clients, even if those suites are listed as part of the selected cipher profile.

    📘

    To ensure end-to-end FIPS-validated traffic on Akamai’s network for the property and applications that require FIPS certification, you need to enable this setting in Property Manager. For assistance, contact your Akamai support team.

    📘

    Public and private key pair generation in CPS , after March 1, 2024, always uses FIPS 140-2 validated functions. All current cipher profiles include at least one FIPS 140-2 validated cipher suite for ECDSA certificates, and one RSA certificates. Deprecated and end of life (EOL) cipher profiles aren't suitable for FIPS 140-2 traffic. FIPS mode requires that TLS 1.2, TLS 1.3, or both are enabled on the certificate. For details, see Update SSL/TLS cipher profiles.

  5. Click Review.

You can review all your choices before submitting the CSR to the CA.

Next steps

Continue to Review your choices and submit the request.

Updated 9 months ago