Get your edge certificate

When delivering through Akamai, a request for your site's domain is rerouted to an edge server that's geographically closest to the requesting client, to help speed up delivery. We'll secure this connection using HTTPS through an edge certificate ("edge cert").


1. Create an enrollment

Here, we'll generate a custom certificate enrollment that uses:

  • Let's Encrypt as the certificate authority.
  • Domain validation (DV)
  • Akamai's secure enhanced transport layer security (TLS) network.

This combination supports the exchange of personally identifiable information (PII) that's typically required for an e-commerce or protected site. We'll use Akamai's Certificate Provisioning System (CPS) interface for this process.

Before you begin

You'll need some things before you can set up this level of secure certificate:

Requirement | Detail

Domain owner information

You need to provide some information in your enrollment that Let's Encrypt uses to verify that you own the domain:

  • Company name. This has to be the company that registered the domain and owns it, or a company that has legal access to use it.
  • Address
  • Country. Where the company's registered headquarters are.
  • City
  • State, region, or territory (as necessary)
  • Zip code (as necessary)
  • A main business phone number. You'll name someone to serve as your administrator contact for the certificate. You need a valid contact phone number for this individual.

This needs to be the same domain you used to set up your Linode.

Akamai technical contact

You need a technical contact, outside of your organization. This should be the person from your Akamai account team that you work with the most. Both your administrator contact and this technical contact will receive communications while the certificate is being validated. Talk to your Akamai account team to get:

  • A first and last name
  • A valid, Akamai domain email address
  • A phone number

Your contractId

A certificate enrollment is one of the many "objects" that you create and manage via your Akamai contract. To create a new enrollment, you need the unique identifier that Akamai generates for your contract. You can get this value using the list contract operation in PAPI.

Create the enrollment

Now, you can use the CPS API to generate a new certificate "enrollment."


2. Validate the certificate

At this phase, you need the certificate authority (Let's Encrypt) to validate your enrollment request. There are a few ways you can do this, but they require interaction with your DNS. The method we cover here is self-service. You'll apply a token in a file and add it to your site or app.

Get data for your DNS

Any operation that updates or creates something in the CPS API is referred to as a "change." Here, you review the change that was created for your enrollment and store some data from the response. You'll use this data to create a DNS entry for your domains.

The token is valid for seven days

Make sure you complete this process before it expires, or you'll have to restart it.

Update your DNS configuration

You need to include a TXT record, using the values you noted. DNS configuration tools can vary, but it should look something like this:

  • Host name. Set this to the fullPath you stored from the get a change operation.

  • Type. Set this to a TXT record.

  • TTL. Set this to 60 seconds.

  • Data. Set this to the token you stored.

Repeat this for each domain, to accommodate your CN and all SANs you included in your edge cert.
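As an added example (not Akamai's code or part of the original page), this sketch turns the stored values into zone-file style TXT records and reports any CN or SAN that has no record or whose token has passed the seven-day window. The sample data is constructed; the `domain` and `issued` fields, and counting the seven days from `issued`, are assumptions, and only `fullPath` and `token` are names from the page.

```python
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(days=7)   # from the page: the token is valid for seven days
TXT_TTL = 60                         # from the page: set TTL to 60 seconds

# Constructed sample data, not real CPS output. "fullPath" and "token" are the
# two values the page tells you to store; "domain" and "issued" are assumed fields.
STORED = [
    {"domain": "www.example.com", "fullPath": "_acme-challenge.www.example.com.",
     "token": "CONSTRUCTED-TOKEN-1", "issued": "2024-05-01T00:00:00+00:00"},
    {"domain": "shop.example.com", "fullPath": "_acme-challenge.shop.example.com.",
     "token": "CONSTRUCTED-TOKEN-2", "issued": "2024-04-20T00:00:00+00:00"},
]

def plan_txt_records(cert_names, stored, now):
    """Return (zone_lines, problems) for the CN and SANs in cert_names."""
    by_domain = {e["domain"].lower().rstrip("."): e for e in stored}
    lines, problems = [], []
    for name in cert_names:
        key = name.lower().rstrip(".")
        entry = by_domain.get(key)
        if entry is None:
            problems.append(f"{key}: no stored fullPath/token, TXT record missing")
            continue
        # Assumption: the seven-day window starts at the recorded issue time.
        expires = datetime.fromisoformat(entry["issued"]) + TOKEN_LIFETIME
        if now >= expires:
            problems.append(f"{key}: token expired {expires.isoformat()}, restart validation")
            continue
        host = entry["fullPath"].rstrip(".") + "."   # fully qualified owner name
        # TXT data is quoted so the token stays a single character string.
        lines.append(f'{host} {TXT_TTL} IN TXT "{entry["token"]}"')
    return lines, problems

if __name__ == "__main__":
    now = datetime(2024, 5, 3, tzinfo=timezone.utc)   # fixed clock for the demo
    names = ["www.example.com", "shop.example.com", "api.example.com"]
    records, issues = plan_txt_records(names, STORED, now)
    print("\n".join(records))
    print("\n".join(issues))
```

Run the same check against your real CN and SAN list before publishing records, so a missing or stale entry is caught before CPS starts polling.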

Wait for CPS

The last phase is automated. CPS will periodically check your domains and ask Let's Encrypt to complete the validation. Once a token has been validated, the administrator you set up in your enrollment will receive an email confirmation.


Other certificate methods

While it works for this basic workflow, a domain-validated Standard TLS certificate may not fit your needs.

Method | Description

Custom Standard TLS DV certificate

Are you just looking for a secure HTTPS connection, but you don't need to exchange PII? Then Standard TLS security is what you're looking for. We offer an example of this same process, using a Standard TLS cert in the Delivery your first site tutorial.

Default DV certificate

This is an automated way to create either a Standard TLS or Enhanced TLS certificate while you create a property hostname for your delivery configuration. Currently, it’s in limited availability.

Non-secure HTTP (no certificate)

Secure hypertext transfer protocol (HTTPS) has become the standard for access on the Internet. While non-secure HTTP is still supported, it's not recommended. Browsers will present warnings to your users if they connect to a site that doesn't support HTTPS.

Looking for more security information?

Here's a detailed comparison of the various security options.