Use standard TLS (HTTPS)

Standard TLS enables secure delivery over HTTPS with a level 1 (L1) certificate. It isn't FedRAMP or PCI compliant, but it is Sarbanes-Oxley (SOX) and International Standards Organization (ISO) compliant. So, if you're looking for secure delivery, but you're not transferring personally identifiable information (PII), Standard TLS could work for you.

How Edge IP Binding works with Standard TLS

You create a secure property hostname and enable Edge IP Binding. During creation, you also set up your edge hostname which uses the fixed domain, edgesuite.net. Once your property is activated, your edge hostname and several Edge IP Binding addresses are used as follows:

  • You set up a CNAME record in your DNS that directs from your actual request URL to the edge hostname. End-user requests to your URL are redirected to the edgesuite.net edge hostname, where your property is read and content is delivered, accordingly.

  • You provide the Edge IP Binding IP addresses to your third party. They use them for zone-rated billing. Requests to these IP addresses access your property in the same way the edge hostname does.

Understand the connections

With HTTPS delivery, there are two connections involved in a request using the Akamai platform:

  • The client to Akamai edge server. This is the initial connection between the end user and the edge server to get your property. The property determines how to deliver the requested content. To secure this connection, an "edge certificate" is used that's verified between the client and the edge server. This is the connection you're configuring here, in the property hostname to support Edge IP Binding.

  • The Akamai edge server to origin. This is the connection between the edge server and your designated origin, to get your content and deliver it to the end user. To configure this connection, you set options in the Origin Server behavior in your property. More on this later.

Implementation

There are multiple ways you can set up Edge IP Binding with Standard TLS.

Use the default certificate for Standard TLS

This method automatically creates the certificate behind the scenes while you add a new secure property hostname to your property in Property Manager.

📘

Default certificate is Limited Availability

This is an additional service for Property Manager that needs to be added to your contract. However, it hasn't been released to general availability yet. So only a select number of customers can use it. Contact your account team to see if you're eligible. Otherwise, you need to use a custom certificate.

Create the property hostname

Follow these steps to set up your hostname with the default certificate to use Edge IP Binding:

  1. In the Property Hostnames panel, click Add.

  2. In the Add Hostname(s) field, enter a value to serve as a label for your property hostname. This label is how you'll associate settings in your property to this specific property hostname. The following usage requirements apply to this field:

    • Hostname formatting. A hostname can contain alphanumeric and hyphen characters. It can't contain subdomains and you don't need to include https:// or www. Just include the domain. For example, if end users request your content at https://www.myvideos.sports.baseball.com, you could set the Hostname to myvideos-sports-baseball. You'll also define an "edge hostname" in this property hostname. Later, you'll set up a CNAME record in your DNS that directs from your actual request URL to this edge hostname.

    • Multiple hostnames. Add multiple hostnames by separating each with a space or comma, or include each on a separate line. Duplicate names aren't supported.

  3. With your Hostname set, click Next.

  4. Select the appropriate IP version, based on what your application or site can support, and click Next.

  5. To request a new certificate, make sure Automatically request certificates is set to On.

  6. Set the Deployment network to Standard TLS.

  7. Click Validate Certificate Domains to verify that you own the domain of the hostnames you're adding. The list displays the ACME CNAME records you need to add to your DNS.

  8. Click Copy all DNS Records. The records are copied in a comma-separated format.

  9. Copy the records to your DNS. You'll do more in your DNS with these records, once you finish your property and activate it on the Akamai networks. This is discussed later.

  10. Click Next.

  11. Select Edge IP Binding as the Mapping Solution and click Next.

📘

If you're using Adaptive Media Delivery or Download Delivery, you'll also have access to the Use Case option, Segmented Media Mode or FOREGROUND, respectively. These are not supported for use with Edge IP Binding.

  12. Click Next. A table displays. Make note of the edge hostname values.

  13. Review the instructions in the Success message, and click Close when you're done.

The Standard TLS certificate will be automatically generated and applied to this property hostname, once you activate it on the Akamai network. See Verify status and finish your property for more information.

Use a custom certificate for Standard TLS

This process uses a custom edge certificate, issued either by Akamai's Certificate Provisioning System (CPS) or a third-party certificate authority.

Create a Standard TLS certificate

Certificates can take a while to provision, and you need one before you can set up a property hostname to support Edge IP Binding. So, we recommend that you create one first.

Use the Certificate Provisioning System

See the Certificate Provisioning System user documentation for instructions on this process. There are multiple phases of the process, and you need to apply specific settings to support Edge IP Binding:

  1. When you enter certificate information, you'll set a domain as either the Common Name (CN) or a Subject Alternate Name (SAN). Make note of it, because you need this value later in the process.

  2. During the select network setting phase, these options must be set as follows:

    • Deployment Network. Set this to Standard TLS.
    • SNI Only. Set this to Enable SNI. This option is enabled by default in a new Standard TLS certificate.
  3. Set all other options for all other phases of the certificate creation process as desired.

Use a third-party certificate

Talk to your Akamai account representative for information on supported third-party vendors. Work with a supported vendor to set up a standard TLS certificate. Then, you need to:

  • Make note of the exact domain used to access it from the third-party vendor.
  • Provide the certificate to your account representative.

Create the property hostname

Follow these steps to set up your hostname with your custom certificate to use Edge IP Binding:

  1. Ensure that Standard TLS ready is selected in Security Options.

  2. In the Property Hostnames panel, click Add.

  3. In the Add Hostname(s) field, enter a value to serve as a label for your property hostname. This label is how you'll associate other settings in your property to this specific property hostname. The following usage requirements apply to this field:

    • Hostname formatting. A hostname can contain alphanumeric and hyphen characters. It can't contain subdomains and you don't need to include https:// or www. Just include the domain. For example, if end users request your content at https://www.myvideos.sports.baseball.com, you could set the Hostname to myvideos-sports-baseball. During this process, you'll also define an "edge hostname" in the property hostname. Later, you'll set up a CNAME record in your DNS that directs from your actual request URL to this edge hostname.

    • Multiple hostnames. Add multiple hostnames by separating each with a space or comma, or include each on a separate line. Duplicate names aren't supported.

  4. With your Hostname set, click Next.

  5. Select the appropriate IP version, based on what your site or app can support, and click Next.

  6. Select Edge IP Binding as the Mapping Solution and click Next.

📘

If you're using Adaptive Media Delivery or Download Delivery, you'll also have access to the Use Case option, Segmented Media Mode or FOREGROUND, respectively. These are not supported for use with Edge IP Binding.

  7. Click the pencil icon and determine how you want to define your edge hostname. Each method has its own process:

    • Create a new edge hostname.

      1. Select Create.

      2. Set the appropriate Edge Hostname:

        • If you used CPS to create the certificate. The Edge Hostname field needs to contain a domain you set as either a CN or a SAN in that certificate.

        • If you're using a third-party custom certificate. The Edge Hostname field needs to contain the exact domain associated with the certificate you've provided to your account representative.

      3. Set the file extension to akamaized.net.

      4. Click Update.

    • Select an existing edge hostname.

      1. Click Select existing.

      2. Select the appropriate Edge Hostname:

        • The hostname must already have a standard TLS certificate created and applied to it. The domain set for the edge hostname needs to be applied as the CN or a SAN in a CPS-created certificate, or the domain must apply to a third-party secure certificate that's been shared with your account representative.

        • Edge hostnames in the drop-down will be limited to the same IP Version. You'll only see edge hostnames that use the same IP Version you selected when setting up this property hostname.

      3. Click Update.

    • Use a custom CNAME target. You'd only select this option if you're not using an Akamai edge hostname. This is something you work with your account representative to set up and it's only used in very special circumstances.

  8. Click Submit to add the property hostname.

  9. Review the Success message and click Close.

  10. Make note of your resulting edge hostname.

The certificate will be applied to this property hostname, once you activate it on the Akamai network. See Verify status and finish your property for more information.
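The usage requirements for the Add Hostname(s) field, in both the default-certificate and custom-certificate procedures, can be checked before you enter a batch of labels in Property Manager. This is an added example, not Akamai code: the function name and the case-insensitive duplicate check are assumptions, and it enforces only the rules stated on this page.

```python
import re

# Allowed characters per this page: alphanumeric and hyphen only.
LABEL_RE = re.compile(r"[A-Za-z0-9-]+")

def parse_hostname_field(text):
    """Split the field on spaces, commas or newlines and check each entry.

    Returns (accepted, rejected); rejected maps each bad entry to a reason.
    """
    accepted, rejected, seen = [], {}, set()
    for entry in re.split(r"[\s,]+", text.strip()):
        if not entry:
            continue
        key = entry.lower()  # assumption: duplicates are compared case-insensitively
        if "://" in entry:
            reason = "remove the scheme (https://)"
        elif "." in entry:
            reason = "contains dots; subdomains are not allowed in the label"
        elif not LABEL_RE.fullmatch(entry):
            reason = "only alphanumeric characters and hyphens are allowed"
        elif key in seen:
            reason = "duplicate name"
        else:
            seen.add(key)
            accepted.append(entry)
            continue
        rejected[entry] = reason
    return accepted, rejected

# Constructed sample input mixing the three separators the field accepts.
SAMPLE = ("myvideos-sports-baseball, promo2024\n"
          "https://www.myvideos.sports.baseball.com myvideos.sports "
          "bad_name MyVideos-Sports-Baseball")

if __name__ == "__main__":
    ok, bad = parse_hostname_field(SAMPLE)
    print("accepted:", ok)
    for entry, reason in bad.items():
        print(f"rejected: {entry}: {reason}")
```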

Verify status and finish your property

The status of your new Edge IP Binding configuration is shown in the Property Hostnames panel:

  • The Status icon is gray. Activation of your Edge IP Binding addresses is pending.

  • The Status icon is green. Your addresses have been provisioned and are ready. You can use them after your property has been activated on Akamai's staging (testing) or production (live) networks.

📘

It can take 30 to 40 minutes to generate your Edge IP Binding addresses.

Perform these steps to finish your property:

  1. You can optionally add variables.

  2. You need to define property configuration settings that include rules to match requests and the behaviors that should be applied. Available rules and behaviors vary, based on the product you're using:

  3. There are two connections in a request. The process here addressed the first connection between the end user and Akamai edge servers. You need to configure the second connection between an edge server and the origin server to get content. Set up this connection using the Origin Server behavior in a rule in your property.

  4. Activate the property on the staging network where you can test it, and then activate it on production.

  5. Set up a CNAME record in your DNS that directs from your actual request URL to the edge hostname you noted.

  6. Optionally, you can create the following alerts:

    • DNS does not contain an authorized certificate authority.
    • Domain validation failed.
    • Certificate's domain is blocked.
    • Expired default certificate.
    • Expired default certificate removal.
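
Once the CNAME records from this procedure are in your DNS (the ACME validation records and the record that directs your request URL to the edge hostname), you can audit them against what you expect. This is an added example, not Akamai tooling: ZONE stands in for resolver answers, and every hostname and target in it is constructed sample data.

```python
# Added example: audit CNAME records; ZONE and EXPECTED are constructed sample data.

def norm(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.strip().rstrip(".").lower()

def follow_cname(zone, name):
    """Return the CNAME chain that starts at name; raise ValueError on a loop."""
    chain, seen, current = [], {name}, name
    while current in zone:
        current = zone[current]
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        chain.append(current)
        seen.add(current)
    return chain

def audit(zone, expected):
    """Compare each expected (name, target) pair with the zone; return {name: status}."""
    zone = {norm(k): norm(v) for k, v in zone.items()}
    report = {}
    for name, target in expected:
        name, target = norm(name), norm(target)
        try:
            chain = follow_cname(zone, name)
        except ValueError as exc:
            report[name] = f"error: {exc}"
            continue
        if not chain:
            report[name] = "missing"
        elif chain[0] == target:
            report[name] = "ok"
        else:
            report[name] = f"mismatch: points to {chain[0]}"
    return report

ZONE = {
    "www.example.com.": "example-label.edgesuite.net.",
    "_acme-challenge.www.example.com.": "validation-target.example.net.",
    "media.example.com.": "old-cdn.example.org.",
    "a.example.com.": "b.example.com.", "b.example.com.": "a.example.com.",
}
EXPECTED = [
    ("www.example.com", "example-label.edgesuite.net"),
    ("_acme-challenge.www.example.com", "validation-target.example.net"),
    ("media.example.com", "media-label.edgesuite.net"),
    ("static.example.com", "static-label.edgesuite.net"),
    ("a.example.com", "a-label.edgesuite.net"),
]
```

A "missing" or "mismatch" result on the request hostname means end-user traffic is not reaching the edge hostname you noted, so the edge certificate configured here is not the one clients see.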