When delivering through Akamai, a request for your site's domain is rerouted to an edge server that's geographically closest to the requesting client, to help speed up delivery. We'll secure this connection using HTTPS through an edge certificate ("edge cert").
Here, we'll generate a custom certificate enrollment that uses:
- Let's Encrypt as the certificate authority.
- Domain validation (DV).
- Akamai's secure Enhanced TLS (transport layer security) network.
This combination supports the exchange of personally identifiable information (PII), which an e-commerce or otherwise protected site typically requires. We'll use Akamai's Certificate Provisioning System (CPS) interface for this process.
You'll need some things before you can set up this level of secure certificate:
Domain owner information
You need to provide some information in your enrollment that Let's Encrypt uses to verify that you own the domain:
Akamai technical contact
You need a technical contact, outside of your organization. This should be the person from your Akamai account team that you work with the most. Both your administrator contact and this technical contact will receive communications while the certificate is being validated. Talk to your Akamai account team to get:
A certificate enrollment is one of the many "objects" that you create and manage via your Akamai contract. To create a new enrollment, you need the unique identifier that Akamai generates for your contract. You can get this value using the list contract operation in PAPI.
Now, you can use the CPS API to generate a new certificate "enrollment."
At this phase, you need the certificate authority (Let's Encrypt) to validate your enrollment request. There are a few ways you can do this, but they require interaction with your DNS. The method we cover here is self-service. You'll apply a token in a file and add it to your site or app.
Any operation that updates or creates something in the CPS API is referred to as a "change." Here, you review the change that was created for your enrollment and store some data from the response. You'll use this data to create a DNS entry for your domains.
The token is valid for seven days. Make sure you complete this process before it expires, or you'll have to restart it.
You need to include a TXT record, using the values you noted. DNS configuration tools vary, but the record should look something like this:
- Host name. Set this to the fullPath you stored from the get a change operation.
- Type. Set this to a TXT record.
- TTL. Set this to 60 seconds.
- Data. Set this to the value you noted for this domain from the get a change operation.
Repeat this for each domain, to cover your CN and all SANs you included in your edge cert.
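The record-building step above, as an added example (this is not Akamai's code). It assumes the "get a change" response lists each domain under a "dv" array with a "challenges" array whose DNS entries carry the fullPath and token values the text tells you to note; the sample response is constructed to that assumed shape, and which field supplies the TXT data is left as a parameter (default "token") so you can match your real response. It also checks that every CN and SAN got a record, enforces the seven-day token window, and compares what a resolver serves against what you expect before CPS comes back to validate.

```python
"""Build and check the DNS TXT records for a Let's Encrypt DV enrollment in CPS.

Added example, not Akamai's code. Response shape (dv -> challenges ->
fullPath/token) is an assumption; the sample below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(days=7)  # the text: a token is valid for seven days
TXT_TTL = 60                        # the text: set TTL to 60 seconds

# Constructed sample, shaped like the change response the text describes.
SAMPLE_CHANGE = json.dumps({
    "dv": [
        {"domain": "www.example.com",
         "challenges": [
             {"type": "dns-01",
              "fullPath": "_acme-challenge.www.example.com",
              "token": "constructed-token-www"},
             {"type": "http-01",  # not used by the DNS method; skipped below
              "fullPath": "http://www.example.com/.well-known/acme-challenge/x",
              "token": "constructed-token-http"}]},
        {"domain": "shop.example.com",
         "challenges": [
             {"type": "dns-01",
              "fullPath": "_acme-challenge.shop.example.com",
              "token": "constructed-token-shop"}]},
    ]
})


def build_txt_records(change_json, data_field="token"):
    """Return one TXT record per domain, taken from its dns-01 challenge only.

    data_field names the response field whose value goes into the record's
    data; "token" is an assumption, so pass the field your response uses.
    """
    change = json.loads(change_json)
    records = []
    for entry in change.get("dv", []):
        for challenge in entry.get("challenges", []):
            if challenge.get("type") != "dns-01":
                continue
            records.append({
                "domain": entry["domain"],
                "host": challenge["fullPath"],  # Host name = fullPath
                "type": "TXT",                   # Type = TXT
                "ttl": TXT_TTL,                  # TTL = 60 seconds
                "data": challenge[data_field],   # Data = the value you noted
            })
    return records


def uncovered_domains(records, cn, sans):
    """Names (CN plus every SAN) that still have no TXT record planned."""
    covered = {r["domain"] for r in records}
    return sorted(d for d in [cn, *sans] if d not in covered)


def token_deadline(fetched_at):
    """Latest time at which the token from a change fetched at fetched_at is usable."""
    return fetched_at + TOKEN_LIFETIME


def tokens_still_valid(fetched_at, now=None):
    """True while the seven-day window is open; otherwise restart the process."""
    now = now or datetime.now(timezone.utc)
    return now < token_deadline(fetched_at)


def verify_records(records, lookup_txt):
    """Hosts whose served TXT data does not yet contain the expected value.

    lookup_txt(host) must return the list of TXT strings currently served for
    that host; plug in a real resolver (dnspython, for example) for a live check.
    """
    return [r["host"] for r in records if r["data"] not in lookup_txt(r["host"])]


if __name__ == "__main__":
    recs = build_txt_records(SAMPLE_CHANGE)
    for r in recs:
        print(f'{r["host"]}  {r["ttl"]}  IN  {r["type"]}  "{r["data"]}"')
    print("no record yet for:",
          uncovered_domains(recs, "www.example.com", ["shop.example.com", "api.example.com"]))
```

Run it as-is to see the zone-file-style lines for the constructed sample; in practice, pass the JSON body of your own get a change response and a resolver-backed `lookup_txt` so you confirm the records are live before CPS polls your domains.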
The last phase is automated. CPS will periodically check your domains and ask Let's Encrypt to complete the validation. Once a token has been validated, the administrator you set up in your enrollment will receive an email confirmation.
While it works for this basic workflow, the domain-validated certificate created here may not fit your needs. Other options include:
Custom Standard TLS DV certificate
Are you just looking for a secure HTTPS connection, but you don't need to exchange PII? Then Standard TLS security is what you're looking for. We offer an example of this same process, using a Standard TLS cert in the Delivery your first site tutorial.
Default DV certificate
This is an automated way to create either a Standard TLS or Enhanced TLS certificate while you create a property hostname for your delivery configuration. Currently, it’s in limited availability.
Non-secure HTTP (no certificate)
Secure hypertext transfer protocol (HTTPS) has become the standard for access on the Internet. While non-secure HTTP is still supported, it's not recommended. Browsers will present warnings to your users if they connect to a site that doesn't support HTTPS.
Looking for more security information?
Here's a detailed comparison of the various security options.