Guide
TrainingSupportCommunity

Edit deployment settings

Suggest Edits

You may want to edit your network deployment settings for a certificate that is in progress or active on the network. If the certificate is active on the network, the new certificate with your modifications automatically redeploys to the network.

How to

  1. Locate the certificate that has network deployment settings you want to edit.

  2. Select View and Edit Deployment Settings in the Actions menu next to the certificate.

  3. Click Edit next to the Select Certificate Details Adherence section to edit the following settings (some settings are available only for specific certificate deployment type):

    • Hostname Must Match CN. If you set this to Yes, it requires that hostnames match the common name (CN) specified in your certificate. Leaving this set to Yes is the preferred option. This option is only available for VIP-deployed certificates.

    • Client TLS Renegotiation. This option allows Transport Layer Security (TLS) to renegotiate during a live session. Client TLS Renegotiation allows either side of the TLS/SSL connection to start over and choose again which ciphers to use or whether to generate new session keys or reset any other information. If you select:

      • Secure. CPS allows renegotiation for connections using this certificate. You may want to avoid selecting this setting except in rare cases where you configured your site to request or require client certificates only for certain paths.
      • Warning. CPS allows an insecure style of renegotiation. You may want to avoid selecting this setting unless your connecting clients use devices which don’t support the secure method.
      • Disallow. CPS doesn’t allow client renegotiation during a live session. This is the preferred setting.

  4. Click Edit next to the Advanced Network Configuration section to edit the following settings:

    🚧

    Removing a SAN from a certificate may result in a disruption of your service for TLS connections

    • DNS Selection. By default, all SANs appear enabled on the certificate. Check Selected Only to enable only the SANs you select in the list. This allows you to selectively disable certain SANs, or limit wildcards, when moving traffic between certificates. This field only appears if you set the SNI-Only field to On when you created the certificate and you specified SANs in the SANs field

    • TLS Protocol Versions. If you set this to Enable deprecated TLS versions, CPS enables TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. If you set this to Enable all TLS versions, CPS allows the use of any TLS protocols, including any future TLS protocols. If you set this to Disable specific TLS versions, you select the TLS protocols that you do not want to allow. You can select TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. You must select at least one version.

    • Dual Stack RSA+ECDSA. Enabling this allows the use of multiple certificates on a slot. CPS can then use the best certificate for each client connecting to your site. You must have one RSA certificate per slot. Not all clients can accept ECDSA certificates and CPS automatically downgrades and serves an alternate certificate when required by an individual client. This takes effect on the next renewal.

    • OCSP Stapling. Leave OCSP Stapling enabled if you want to improve performance by allowing the visitors to your site to query the Online Certificate Status Protocol (OCSP) server at regular intervals to obtain a signed time-stamped OCSP response. This response must be signed by the CA, not the server, therefore ensuring security. Disable OCSP Stapling if you want visitors to your site to contact the CA directly for an OCSP response. OCSP allows you to obtain the revocation status of a certificate.

    • FIPS mode. This setting enables Federal Information Processing Standards (FIPS) for this certificate. In this mode, Akamai edge servers present only those cipher suites from the selected cipher profile that have been validated for FIPS 140-2. Cipher suites that have not been validated for FIPS 140-2 are not presented to connecting clients, even if those suites are listed as part of the selected cipher profile. Enabling FIPS mode will disable the QUIC protocol for this certificate.

      📘

      To ensure end-to-end FIPS-validated traffic on Akamai’s network for the property and applications that require FIPS certification, you need to enable this setting in Property Manager. For assistance, contact your Akamai support team.

      📘

      Public and private key pair generation in CPS , after March 1, 2024, always uses FIPS 140-2 validated functions. All current cipher profiles include at least one FIPS 140-2 validated cipher suite for ECDSA certificates, and one for RSA certificates. Deprecated and end-of-life (EOL) cipher profiles aren't suitable for FIPS 140-2 traffic. FIPS mode requires that TLS 1.2, TLS 1.3, or both, are enabled on the certificate. For details, see Update SSL/TLS cipher profiles.

  5. Click Edit in the Select Cipher Profiles section and leave the default cipher profiles or select new ones in the Required Ciphers field and the Preferred Ciphers fields.

  6. Click Edit in the Mutual Authentication section and select a certificate set. To create a new certificate set, click Manage certificate sets.

    📘

    When enabling or disabling mutual authentication for hostnames, ensure that the configuration for these hostnames is completed in Property Manager.

    📘

    TLS 1.3 does not work if Mutual Authentication is configured for "optional" client certificates.

  7. Click Submit.

Your certificate redeploys to the network with these settings.

Next steps

If you want CPS to automatically deploy your certificate, but you do not want the deployment to occur before a certain date and time, you can set a deploy after date in the dialog box that appears now. The time you specify is in Greenwich Mean Time (GMT).

CPS does not deploy the certificate until after the date and time you specify. It may not deploy the certificate at the exact time and date you specify, but it will not deploy it before that time and date.

If you set a deploy after date and specify that you want to deploy to the staging network before deploying to the production network, CPS does not deploy the certificate unless you explicitly push it to production. Then CPS checks the deploy-after date and time and if the deployment date and time is in the past when you push to production, CPS deploys the certificate. If the date is not in the past, CPS does not deploy the certificate until after the scheduled deployment date.

If Always test on Staging before deployment is set to "Yes" and you have set Date & Time for deployment on production. After you push the certificate deployed to staging, the status on "deploying to production" would be shown with To-Do. This To-Do would presented with 2 options "Release to Scheduled Deployment on yyyy-mm-dd hh:mm gmt" or "Reject". Make sure to review the set Date/Time & Acknowledge by clicking "Release to Scheduled deployment" on the certificate To-Do. This is important step , only after all To-Do is completed/resolved the certificate in order for the deployment to start on selected date and time.

Updated about 1 month ago