Certificate Authority policy
All public-facing Akamai Identity Cloud endpoints are served over HTTPS using current TLS versions. Akamai closely monitors security industry standards and works to keep its systems as secure as possible while maintaining reasonable compatibility with the majority of clients.
Akamai notifies customers about major changes that might cause disruption, such as deprecating insecure TLS versions or changing the supported cipher suites. However, when it comes to publicly trusted certificate authorities, Akamai relies on the industry-standard approach and assumes that customers use the default trust store of their OS or software vendor and trust all root certificates distributed with it.
A trusted Certificate Authority (CA), or commercial CA, is a third-party entity that issues certificates to organizations that request them. It is not controlled by the person or organization requesting the certificate. A publicly trusted CA issues certificates that meet the baseline requirements of the CA/Browser Forum and the policies of the root programs (browser and OS vendors) that include it.
When choosing a CA, Akamai chooses one that is trusted by all major software vendors.
- Most Linux distributions derive their trust list from the Mozilla (NSS) root store; Google maintains its own root stores for Chrome and Android.
- The trust list for Apple devices and OS is maintained by Apple Inc.
- The trust list for Microsoft devices and OS is maintained by Microsoft.
- Oracle maintains its own list (the cacerts store) for Java Runtime Environment (JRE) users.
By default, certificates bought by Akamai are trusted by the vast majority of mobile and desktop devices, frameworks, and applications. Akamai may choose to use another CA at any time. Also, the CA may change its certificate chain (intermediates or root) at its own discretion.
Akamai discourages overriding the default trusted-authority list, for example by pinning a specific leaf, intermediate, or root certificate. Doing so may lead to unpredictable downtime upon certificate renewal, because the leaf certificate, and possibly the chain above it, will change. Customers who nonetheless require control over the issuing CA should provision a vanity CNAME and set up Akamai ION, which gives them full control over the certificate issuing process and all available parameters.
Certificate algorithms
Although RSA is still the most widely deployed public-key algorithm in certificates, the majority of devices and clients now also support ECDSA. An ECDSA key provides security comparable to an RSA key at a much shorter length (a 256-bit P-256 key is generally rated as equivalent to a 3072-bit RSA key), which means smaller certificates and faster TLS handshakes. Most public CAs can issue ECDSA certificates.
Akamai Identity Cloud sets ECDSA as the default algorithm for all new certificates (including certificate renewals) starting from 1 October 2023. Akamai will support a dual-stack setup (ECDSA + RSA) for a transitional period, in which the server presents whichever certificate matches the signature algorithms and cipher suites the client offers, but you should upgrade any client that doesn't support ECDSA certificates.
To test whether your system works correctly with ECDSA certificates, try this test URL: https://ecdsa.janrain.com.
If everything works correctly, you will receive an HTTP 200 response with "ECDSA certificate test page" in the response body. If your system doesn't support ECDSA, try the dual-stack URL https://ecdsa-rsa.janrain.com, which should return the same page and response. Note that a client without ECDSA support will simply negotiate the RSA certificate on the dual-stack host, so a passing dual-stack test does not prove ECDSA support; only the ECDSA-only URL does. If either URL fails, contact Akamai support as soon as possible to avoid service disruption.
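The following script is an added example, not code from the original page or from Akamai, that automates the check above: it connects to a host with the operating system's default trust store, reads the leaf certificate the server presented, and reports whether its public key and signature are ECDSA or RSA, along with the HTTP status line. Rather than relying on the negotiated cipher-suite name (which no longer reveals the authentication algorithm under TLS 1.3), it walks the certificate's DER structure to the SubjectPublicKeyInfo and signature AlgorithmIdentifier OIDs. The `build_sample_certificate` helper produces a constructed, deliberately invalid cert-shaped DER blob so the classifier can be exercised offline; the hostnames and the expected page title are the ones from the text, and everything else is an assumption of this example.

```python
"""Classify the key and signature algorithm of an X.509 certificate (DER) and
use that to check the ECDSA and dual-stack test endpoints."""
import socket
import ssl

# DER value bytes (no tag/length) of the algorithm OIDs we care about.
OID_NAMES = {
    bytes.fromhex("2a864886f70d010101"): "rsaEncryption",
    bytes.fromhex("2a8648ce3d0201"): "id-ecPublicKey",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010c"): "sha384WithRSAEncryption",
    bytes.fromhex("2a8648ce3d040302"): "ecdsa-with-SHA256",
    bytes.fromhex("2a8648ce3d040303"): "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the payload of a SEQUENCE into its element (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def classify_certificate(der):
    """Return (public_key_algorithm, signature_algorithm) for a DER-encoded certificate."""
    _, cert_body, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    tbs, sig_alg, _sig = _children(cert_body)
    fields = _children(tbs[1])                 # TBSCertificate fields
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial(0), signature(1), issuer(2), validity(3), subject(4), subjectPublicKeyInfo(5)
    key_alg_id = _children(fields[5][1])[0][1]  # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    key_oid = _children(key_alg_id)[0][1]
    sig_oid = _children(sig_alg[1])[0][1]
    return OID_NAMES.get(key_oid, key_oid.hex()), OID_NAMES.get(sig_oid, sig_oid.hex())


def _der(tag, payload):
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_certificate(key_oid_hex, sig_oid_hex):
    """Constructed, cert-shaped DER with empty names and dummy key/signature bytes.
    It is NOT a valid certificate; it only lets the classifier run offline."""
    def oid(h):
        return _der(0x06, bytes.fromhex(h))
    alg = _der(0x30, oid(sig_oid_hex))
    spki = _der(0x30, _der(0x30, oid(key_oid_hex)) + _der(0x03, b"\x00\x04" + b"\x00" * 64))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))   # version v3
               + _der(0x02, b"\x01")              # serialNumber
               + alg                              # signature
               + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"")  # issuer, validity, subject
               + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\x00" * 64))


def check_endpoint(host, port=443, timeout=10):
    """Network check (not run by the offline test): connect with the default trust
    store and return (http_status_line, key_alg, sig_alg, tls_version)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
            key_alg, sig_alg = classify_certificate(tls.getpeercert(binary_form=True))
            tls.sendall(f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            status = tls.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
    return status, key_alg, sig_alg, version


if __name__ == "__main__":
    for name in ("ecdsa.janrain.com", "ecdsa-rsa.janrain.com"):
        try:
            print(name, check_endpoint(name))
        except (ssl.SSLError, OSError) as exc:  # handshake or trust failure: ECDSA path is broken
            print(name, "FAILED:", exc)
```

A result of `id-ecPublicKey` for ecdsa.janrain.com together with an `HTTP/1.1 200` status line is the passing condition; an `SSLError` there (for example a handshake failure because the client offers no ECDSA signature algorithms, or a verification error because the ECDSA chain's root is missing from the trust store) is exactly the condition the text says to report to support. On the dual-stack host, a `rsaEncryption` result means the client fell back to RSA, which will stop working once that fallback is retired.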