3. Get your edge certificate

When delivering through Akamai, a request for your site's domain is routed to the edge server geographically closest to the requesting client, which speeds up delivery. That client-to-edge connection is secured over HTTPS with an edge certificate, or "edge cert".

How long will this take? Approximately 2 hours

  • Set up: 15 minutes. Create a certificate in Control Center and set it up for validation.
  • Provisioning: 1-2 hours. Akamai generates the certificate, and a certificate authority validates it. You also need to make some updates to your website. This time can vary depending on what you need to do to make these updates.

The edge cert process

Below is how an edge cert is used to secure a request from a client to the Akamai edge network:

  1. A client, like a browser, requests your site, and the request is routed to an edge server.

  2. The edge server sends the certificate to the client. The certificate includes:

    • The public key.
    • A list of sites where the cert is valid. These are referred to as subject alternative names (SANs).
    • An expiration date for the certificate.
    • A signature from a certificate authority (CA) vouching that the public key belongs to the names listed in the certificate.
  3. The client then checks for these factors:

    • Does the signature match the certificate?
    • Does the certificate come from a certificate authority it trusts?
    • Is the certificate actually for the site it requested?
    • Has the certificate expired?
  4. If the checks succeed, the client and the edge server agree on a shared session key. With the (EC)DHE key exchange used by TLS 1.3, each side contributes a fresh key share; with the older RSA key exchange, the client instead encrypted a secret to the certificate's public key and sent it to the server.

  5. The edge server holds the private key that matches the certificate's public key. It uses that key to sign the handshake (or, with RSA key exchange, to decrypt the client's secret). Only the holder of the private key can do this, which is how the edge server proves its identity to the client.

  6. The handshake completes, and the rest of the session is encrypted with the shared key.
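As an added illustration of steps 2 and 3 (this is not code from Akamai or from this tutorial), the Go program below plays both roles offline: it acts as the certificate authority, issues an edge certificate carrying SANs and an expiration date, and then runs the client-side checks with the standard library's crypto/x509 package. The CA name, the hostnames and the validity window are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCA builds a self-signed root that stands in for the certificate
// authority the client trusts. The name is constructed for this example.
func issueCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the CA sign an edge certificate for the given SANs and
// validity window (the items listed in step 2). The returned private key is
// what the edge server holds; it never leaves the server.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, sans []string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	if len(sans) == 0 {
		return nil, nil, errors.New("a certificate needs at least one SAN")
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: sans[0]}, // CN mirrors the first SAN
		DNSNames:     sans,                            // the list of sites the cert is valid for
		NotBefore:    notBefore,
		NotAfter:     notAfter, // the expiration date
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// clientCheck performs the step 3 checks the way a browser does: Verify
// validates the CA signature, requires the chain to end at a root in the
// trust store, matches host against the SANs, and checks validity at now.
func clientCheck(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:     host,
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := issueCA()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	// Constructed hostnames; a 90-day window matches what Let's Encrypt issues.
	leaf, _, err := issueLeaf(ca, caKey, []string{"www.example.com", "example.com"}, now.Add(-time.Hour), now.Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	otherCA, _, _ := issueCA() // a CA the client has never heard of
	untrusted := x509.NewCertPool()
	untrusted.AddCert(otherCA)

	cases := []struct {
		name  string
		roots *x509.CertPool
		host  string
		at    time.Time
	}{
		{"valid", trusted, "www.example.com", now},
		{"wrong site", trusted, "shop.example.com", now},
		{"expired", trusted, "www.example.com", now.Add(91 * 24 * time.Hour)},
		{"untrusted CA", untrusted, "www.example.com", now},
	}
	for _, c := range cases {
		fmt.Printf("%-12s -> %v\n", c.name, clientCheck(leaf, c.roots, c.host, c.at))
	}
}
```

Each failing case surfaces as a distinct error type from crypto/x509 (HostnameError, CertificateInvalidError with reason Expired, UnknownAuthorityError), which is the same information a browser turns into its certificate warning page.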


1. Create an enrollment

In this step, a custom certificate enrollment is generated that uses:

  • Let's Encrypt as the certificate authority.
  • Domain validation (DV)
  • Akamai's secure Enhanced Transport Layer Security (TLS) network.

This combination supports the exchange of personally identifiable information (PII) that's typically required for an e-commerce or protected site. Akamai's Certificate Provisioning System (CPS) interface is used for this process.

Before you begin

You need the following before you can create this certificate:

Requirement / Detail

Domain owner information

You need to provide the domain owner's details in your enrollment. This is the company that registered and owns the domain, or a company that has legal access to use it:
  • Company name. This has to be the company that registered the domain and owns it, or a company that has legal access to use it.
  • Address
  • Country. Where the company's registered headquarters are.
  • City
  • State, region, or territory (as necessary)
  • Zip code (as necessary)
  • A main business phone number. You'll name someone to serve as your administrator contact for the certificate. You need a valid contact phone number for this individual.

📘

This needs to be the same domain used when setting up your Linode.

Akamai technical contact

You need a technical contact outside of your organization. This should be the person from your Akamai account team that you work with the most. Both your administrator contact and this technical contact receive communications while the certificate is being validated. Talk to your Akamai account team to get:
  • A first and last name
  • A valid Akamai domain email address
  • A phone number

Create the cert

  1. Access Akamai Control Center.

  2. Log in with an Admin-level user such as your primary Admin user.

  3. Open the Control Center menu and select CDN > Certificates.

  4. Click Create New Certificate. CPS launches.

  5. Under Akamai Managed Certificate, select Domain Validation (DV), and click Next.

  6. In Select Certificate Settings select these options, and click Next:

    • Certificate Type: Subject Alternative Names (SAN)
    • Certificate Authority (CA): Let's Encrypt
  7. Under Enter Certificate Information, fill in these options, and click Next:

    • Common Name (CN). This is the primary domain that a client uses to access your site. If you only have a single domain, this is the only field you need. Your organization needs to legally own this domain and have access to the domain management system used to edit your domain settings. Once you submit your cert in CPS, the Common Name can't be changed.

    • SANs (optional). This is where you can add any alternate domains used by clients to access your site or app. You can enter up to 99 SANs.

    • Company Information. Fill each field with your company's contact information. This should match the domain owner information you gathered. Make sure the main business phone number is a valid number for your administrator contact.

  8. Review all of the Enter Certificate Information details you entered. Click Edit to fix any problems or Next to proceed.

  9. In Enter Company Information, make sure that Same as certificate information is enabled, and click Next.

  10. In the Enter Contact Information panel, enter contact details for both your administrator and Akamai technical contact, and click Next:

    • Administrator Contact Information. Enter contact details for your local cert administrator. This can be you if you want to be contacted once the certificate is complete.
    • Akamai Technical Contact Information. Fill these fields with the information you gathered for your Akamai technical contact.
  11. In the Select Network Settings panel, set Deployment Network to Enhanced TLS. Leave all other options at their default, and click Next.

  12. Click Review. Verify your settings are correct, and make sure that each is marked with a green check icon.

  13. Click Submit.

Once submitted, you should expect an email notification stating a new order for the certificate has begun. Log into Control Center and navigate to your certificate (CDN > Certificates) under the In Progress tab to check the status.


2. Push your cert to staging

A newly provisioned certificate is automatically pushed to the production network. It's live and ready to start protecting the client-to-edge network connection. Later in this workflow, you'll test to make sure everything with your site is ready. Prepare for this by pushing your new certificate to the staging network now, so it's ready to go when you need to test.

  1. If necessary, access Control Center, log in with your primary admin user, open the menu, and go to CDN > Certificates.

  2. Locate the cert you just created in the table, and check the entry under Always test on Staging before deployment:

    • It’s set to No. Click No, and continue to the next step.
    • It’s set to Yes. No action is needed.
  3. If it was set to No, set Test Certificate to Yes, and click Submit.

    A screenshot displaying options for testing a certificate on the staging network.


3. Validate your domains

Before Let's Encrypt can sign your certificate, they need to validate that you control all of the domains you set as the CN and any SANs in your cert. This step uses the DNS Token method for validation since it supports automatic renewal of your certificate. The DNS Token method involves creating and editing a TXT record in your DNS configuration, which requires access to your domain’s DNS settings.

  1. If you haven't already, access Control Center, log in with your primary admin user, open the menu, and go to CDN > Certificates.

  2. Locate your cert, click To-Do under Submitting to CA, and then click Validate Control Over Domain(s).

    A screenshot from CPS showing the validate control over domains to-do task.

  3. This should bring you to the CPS Dashboard. Select a domain from the list.

  4. Select DNS Token as the method for validating control over your domain.

  5. Make note of these values:

    • Name. When you create a new record in your DNS configuration, use this value as the name. It should be: _acme-challenge.YOUR_DOMAIN

    • TTL. Time to live (TTL). Set this to 60 seconds for your new domain record.

    • Type. Text record. When setting up your new domain record, set the record type to TXT.

    • Value (Record Data). This is text data you need to include in the record. It's a unique token that Let's Encrypt will verify.

📘

The Value (Record Data) token is valid for seven days

Make sure you complete this process before it expires, or you'll have to restart.

  6. Update your DNS configuration to include a TXT record using the values provided in the CPS dashboard. DNS configuration tools vary across DNS providers, but the record should resemble the example below:

    An example of a txt record.

    It may take some time for your TXT record to fully propagate. To check propagation, run the dig command below from a local terminal, replacing docassociates.com with your domain:

    dig -t txt _acme-challenge.docassociates.com +short

    This should return the value you added, quoted:

    "aB1c-D2C34dEFGhijk5Lmno678pQR9R0stUvWYxz"

    If nothing comes back, or only an older token, the record hasn't propagated yet or was created with the wrong name or value.
    📘

    Keep this entry in your DNS

    This lets Let's Encrypt revalidate the domain so your certificate renews automatically.

  7. Once your TXT record has propagated, return to your domain in the CPS dashboard, and click Check status now to push the validation request. Let's Encrypt will begin the validation.

  8. Repeat the process for each remaining domain.

  9. Return to the CPS dashboard. Deploying to Staging is listed as Pending. Wait a few minutes for it to update. Your certificate is ready and you can proceed when you see:

    • In Progress. Contains a green check.

    • Receiving certificate. Contains a green check.

    • Deploying to Staging. Contains a green check.

    • Deploying to Production. Shows the To Do link.

      A screenshot displaying a verified certificate in CPS ready on staging.
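An added example, not part of this tutorial or of any Akamai tool: a Go check that builds the _acme-challenge name for a domain, looks up its TXT records, tolerates a stale second token sitting next to the current one, polls until the record is visible, and applies the seven-day token lifetime from the note above. The zone it queries is constructed from the page's example domain and token value; for a live check, pass net.DefaultResolver.LookupTXT instead of the stub.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// txtLookup is the resolver the checks call. Pass net.DefaultResolver.LookupTXT
// for a live check, or stubZone (below) to run against a constructed zone offline.
type txtLookup func(ctx context.Context, name string) ([]string, error)

// challengeName is the record name CPS shows for a domain: _acme-challenge.<domain>
func challengeName(domain string) string {
	return "_acme-challenge." + strings.TrimSuffix(strings.ToLower(domain), ".")
}

// tokenStatus reports whether the expected token is published at the challenge
// name. More than one TXT record may exist there (for example a stale token
// left from a previous validation), so any matching value counts and the other
// values are returned so the caller can warn about them. NXDOMAIN means "not
// yet", not a lookup failure.
func tokenStatus(ctx context.Context, lookup txtLookup, domain, expected string) (found bool, others []string, err error) {
	vals, err := lookup(ctx, challengeName(domain))
	if err != nil {
		var dnsErr *net.DNSError
		if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
			return false, nil, nil
		}
		return false, nil, err
	}
	for _, v := range vals {
		v = strings.Trim(v, `"`) // dig +short shows values quoted; LookupTXT returns them bare
		if v == expected {
			found = true
		} else {
			others = append(others, v)
		}
	}
	return found, others, nil
}

// waitForToken polls until the record is visible or ctx expires. This is the
// "wait for propagation" step before you click Check status now.
func waitForToken(ctx context.Context, lookup txtLookup, domain, expected string, every time.Duration) error {
	for {
		found, others, err := tokenStatus(ctx, lookup, domain, expected)
		if err != nil {
			return err
		}
		if found {
			return nil
		}
		if len(others) > 0 {
			fmt.Printf("%s: record exists but holds %q; check you copied the current token\n", challengeName(domain), others)
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("%s: token not visible before deadline: %w", challengeName(domain), ctx.Err())
		case <-time.After(every):
		}
	}
}

// tokenExpired applies the callout above: the Value (Record Data) token is
// valid for seven days from when CPS issued it.
func tokenExpired(issued, now time.Time) bool {
	return now.Sub(issued) > 7*24*time.Hour
}

// stubZone is an offline resolver over a constructed zone keyed by record name.
func stubZone(zone map[string][]string) txtLookup {
	return func(_ context.Context, name string) ([]string, error) {
		vals, ok := zone[strings.ToLower(name)]
		if !ok {
			return nil, &net.DNSError{Err: "no such host", Name: name, IsNotFound: true}
		}
		return vals, nil
	}
}

func main() {
	// Constructed zone using the page's example domain and token value.
	token := "aB1c-D2C34dEFGhijk5Lmno678pQR9R0stUvWYxz"
	lookup := stubZone(map[string][]string{
		"_acme-challenge.docassociates.com": {"stale-token-from-last-time", token},
	})
	// For a live check: lookup = net.DefaultResolver.LookupTXT
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	for _, d := range []string{"docassociates.com", "www.docassociates.com"} {
		fmt.Printf("%s: %v\n", d, waitForToken(ctx, lookup, d, token, 200*time.Millisecond))
	}
	fmt.Println("token issued 8 days ago expired:", tokenExpired(time.Now().Add(-8*24*time.Hour), time.Now()))
}
```

The second domain in main has no record in the constructed zone, so the loop runs until the two-second deadline and reports the timeout, which is what you would see for a SAN whose TXT record you forgot to create.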

Different validation methods

Along with DNS Token validation, CPS supports two additional methods of domain validation. You can use any of the three methods to validate each domain on the certificate.


Other certificate methods

While it works for this specific workflow, a domain-validated Enhanced TLS certificate may not fit your needs.

Method / Description

Custom Standard TLS DV certificate

Are you just looking for a secure HTTPS connection, but you don't need to exchange personally identifiable information (PII) or other sensitive info? Then Standard TLS is what you're looking for. We offer an example of this same process using a Standard TLS cert in the Deliver your first site tutorial.

Default DV certificate

This is an automated way to create either a Standard TLS or Enhanced TLS certificate while you create a property hostname for your delivery configuration.

Non-secure HTTP (no certificate)

Hypertext Transfer Protocol Secure (HTTPS) has become the standard for access on the internet. While non-secure HTTP is still supported, it's not recommended: traffic can be read and altered in transit, and browsers flag sites that don't support HTTPS as not secure.

👍

Looking for more security information?

See our detailed comparison of the various security options.

