View and edit deployment settings

You may want to edit your network deployment settings for a certificate that is in progress or active on the network. If the certificate is active on the network, the new certificate with your modifications automatically redeploys to the network.

How to

  1. Locate the certificate that has network deployment settings you want to edit.

  2. Select View and Edit Deployment Settings in the Actions menu next to the certificate.

  3. Click Edit next to the Select Certificate Details Adherence section to edit the following settings (some settings are available only for specific certificate deployment types):

    • Hostname Must Match CN. If you set this to Yes, it requires that hostnames match the common name (CN) specified in your certificate. We recommend leaving this option set to Yes. This option is only available for VIP-deployed certificates.

    • Client TLS Renegotiation. This option allows Transport Layer Security (TLS) to renegotiate during a live session. Client TLS Renegotiation allows either side of the TLS/SSL connection to start over and choose again which ciphers to use or whether to generate new session keys or reset any other information. If you select:

      • Secure. CPS allows renegotiation. We do not recommend selecting this except in the rare case where you have configured your site to request or require client certificates.
      • Warning. CPS allows the insecure style of renegotiation, but writes an entry to the log. If you use F5 load balancers or other equipment that does not support the secure method, you can select this option.
      • Disallow. CPS does not allow renegotiation during a live session. We recommend keeping this default.
  4. Click Edit next to the Advanced Network Configuration section to edit the following settings:

    • DNS Selection. By default, all SANs appear enabled on the certificate. Check Selected Only to enable only the SANs you select in the list. This allows you to selectively disable certain SANs, or limit wildcards, when moving traffic between certificates. This field only appears if you set the SNI-Only field to On when you created the certificate and you specified SANs in the SANs field.

    • TLS Protocol Versions. If you set this to Use Akamai Defaults, CPS uses the TLS protocols that Akamai currently supports as a best practice. If you set this to Enable all TLS versions, CPS allows the use of any TLS protocols, including any future TLS protocols. If you set this to Disable specific TLS versions, you select the TLS protocols that you do not want to allow. You can select TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. You must select at least one version.

    • Dual Stack RSA+ECDSA. Enabling this allows the use of multiple certificates on a slot. CPS can then use the best certificate for each client connecting to your site. You must have one RSA certificate per slot. Not all clients can accept ECDSA certificates, and CPS automatically downgrades and serves an alternate certificate when an individual client requires it.

    • OCSP Stapling. Leave OCSP Stapling enabled if you want to improve performance by allowing the visitors to your site to query the Online Certificate Status Protocol (OCSP) server at regular intervals to obtain a signed, time-stamped OCSP response. This response must be signed by the CA, not the server, which ensures its integrity. Disable OCSP Stapling if you want visitors to your site to contact the CA directly for an OCSP response. OCSP allows you to obtain the revocation status of a certificate.

  5. Click Edit in the Select Cipher Profiles section and leave the default cipher profiles or select new ones in the Required Ciphers field and the Preferred Ciphers fields.

  6. Click Edit in the Mutual Authentication section and select a certificate set. To create a new certificate set, click Manage certificate sets.

Note: TLS 1.3 does not work if Mutual Authentication is configured for "optional" client certificates.

  7. Click Submit.

Your certificate redeploys to the network with these settings.
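After the redeploy, it is worth confirming from the outside that the TLS Protocol Versions, OCSP Stapling and Client TLS Renegotiation settings took effect. The script below is an added example, not Akamai tooling: it classifies `openssl s_client` transcripts and includes a live probe. It assumes openssl(1) is installed; the host and SNI names passed to `probe` are placeholders you replace, and the `SAMPLE_*` transcripts are constructed, abridged s_client output so the classifiers can be exercised offline.

```shell
# "stapled" when the edge sent an OCSP staple, "none" when it did not, "unknown" otherwise.
ocsp_staple_status() {
  case "$1" in
    *"OCSP Response Status: successful"*) echo stapled ;;
    *"OCSP response: no response sent"*)  echo none ;;
    *)                                    echo unknown ;;
  esac
}

# "accepted" when a session was negotiated, "refused" when the handshake failed.
# s_client prints "New, TLSv1.2, Cipher is ..." on success and "New, (NONE), Cipher is (NONE)" on failure.
tls_version_status() {
  case "$1" in
    *"New, TLSv1"*)  echo accepted ;;
    *"New, (NONE)"*) echo refused ;;
    *)               echo unknown ;;
  esac
}

# "yes"/"no" for the secure renegotiation extension (TLS 1.2 and lower; TLS 1.3 has no renegotiation).
secure_reneg_status() {
  case "$1" in
    *"Secure Renegotiation IS supported"*)     echo yes ;;
    *"Secure Renegotiation IS NOT supported"*) echo no ;;
    *)                                         echo unknown ;;
  esac
}

# Live probe (needs network). Usage: probe <edge-host placeholder> <SNI hostname placeholder>
# Versions you disabled in CPS should report "refused"; the -status run checks stapling.
probe() {
  host=$1; sni=$2
  for v in tls1 tls1_1 tls1_2 tls1_3; do
    out=$(openssl s_client -connect "$host:443" -servername "$sni" "-$v" </dev/null 2>&1)
    echo "$v: $(tls_version_status "$out")"
  done
  out=$(openssl s_client -connect "$host:443" -servername "$sni" -status </dev/null 2>&1)
  echo "ocsp_stapling: $(ocsp_staple_status "$out")"
  echo "secure_renegotiation: $(secure_reneg_status "$out")"
}

# Constructed transcripts (not captured from a real host) for offline checks of the classifiers.
SAMPLE_OK='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported'
SAMPLE_FAIL='OCSP response: no response sent
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'
```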

Next steps

If you want CPS to automatically deploy your certificate, but you do not want the deployment to occur before a certain date and time, you can set a deploy-after date in the dialog box that appears. The time you specify is in Greenwich Mean Time (GMT). CPS does not deploy the certificate until after the date and time you specify. It may not deploy the certificate at the exact date and time you specify, but it will not deploy it before then.

If you set a deploy-after date and specify that you want to deploy to the staging network before deploying to the production network, CPS does not deploy the certificate unless you explicitly push it to production. CPS then checks the deploy-after date and time: if that date and time is in the past when you push to production, CPS deploys the certificate; if it is not, CPS does not deploy the certificate until after the scheduled deployment date.