Prepare your edge certificate
This certificate protects the first stage of the request flow—the request from an end user (client) that's received by Akamai edge servers. In some cases, you may need to create this certificate before you create your property.
Understand the levels of security
There are various levels of security you can apply:
| Security option | Description |
|---|---|
| Enhanced TLS | This security provides a rich set of TLS, HTTPS, and security functionality engineered to meet the needs of sites and content with high-assurance security requirements, such as FedRAMP and PCI compliance (HTTPS L3). It also supports custom or very old clients that don't send a TLS SNI header, which requires a VIP hosted certificate. This is the level of security you'll need if requests or delivered content include any personally identifiable information (PII). Behind the scenes, Enhanced TLS adds edgekey.net suffix to your hostname but it's not visible in the URL. |
| Standard TLS | This security enables the delivery of sites, content, and video streaming over HTTPS using customer-branded certificates as a standard feature of delivery and performance products. It is secure (HTTPS L1), but not as rigorous as Enhanced TLS certificate delivery. Standard TLS is not FedRAMP or PCI compliant, but it is Sarbanes Oxley (SOX) and International Standards Organization (ISO) compliant. So, if you're looking for secure delivery, but are not transferring personally identifiable information (PII), Standard TLS could work for you. Behind the scenes, Standard TLS adds edgesuite.net suffix to your hostname but it's not visible in the URL. |
| Akamai shared certificate | This method enables the delivery of objects, downloads, and video streaming over HTTPS, without the need to provision and manage a certificate. While it's quicker and easier to set up, you need to use a hostname within the Akamai-owned domains such as example.akamaized.net or example-a.akamaihd.net, and it's not recommended if you're exchanging or delivering PII. Use Enhanced TLS, instead. |
For a more detailed comparison, see Compare the security options.
Use the default certificate method
Also referred to as "secure by default," this method supports both Standard TLS and Enhanced TLS security. This is an automated approach to creating the certificate. When you set up the connection between your website or app and the Akamai edge network—this is called a "property hostname"—you select the level of security you want to use. Akamai automatically creates and provisions the certificate for you and applies it to your Ion property.
You don't need to create a certificate ahead of time or perform any additional prerequisites. Later, when you're creating your Ion property, you'll set a couple of options to apply this method.
Secure by default is LA
This is an additional service for Property Manager that needs to be added to your contract. However, it hasn't been released to general availability yet. So only a select number of customers can use it. Contact your account team to see if you're eligible. Otherwise, you need to use a custom certificate.
Use the custom certificate method
If you don't have access to the secure by default method, or you want your own custom certificate, you can create one manually. This method supports both Enhanced TLS and Standard TLS securities.
Custom certificates can take a while to provision, and you need one before you can set up your Ion property for secure delivery. So, we recommend that you create one first.
Custom certificates via the Certificate Provisioning System (CPS)
CPS is a separate Akamai utility you can use to generate a custom certificate. All certificates are signed by a Certificate Authority that is known to be trusted by every major browser or operating system. See the Certificate Provisioning System user documentation for instructions on this process. There are multiple phases of the process, and you need to apply specific settings:
-
When you enter certificate information, you'll set your hostname as either the Common Name (CN) or a Subject Alternate Name (SAN). Make note of it, because you need this value later in the process.
-
During the select network setting phase, set Deployment Network to the desired level of security, Standard TLS or Enhanced TLS.
-
Set all other options for all other phases of the certificate creation process as desired.
Certificates can take upwards of three hours to provision, based on the level of security you've chosen. The email address set for the Control Center account that created the certificate will receive an email when it's ready.
Custom certificates via a third-party vendor
Talk to your Akamai account team for information on supported third-party vendors. Work with a supported vendor to set up an Enhanced TLS or Standard TLS certificate. Then, you need to:
- Make note of the exact domain used to access it from the third-party vendor.
- Provide the certificate to your account team.
Your account team will contact you when the certificate has been fully provisioned for use.
Use the Akamai shared certificate
This lets you quickly incorporate HTTPS delivery by selecting this certificate type while applying the hostname for your site or app in a property hostname. Its level of security is comparable to Standard TLS.
You don't need to create a certificate ahead of time or perform any additional prerequisites.
Compare the security options
There are various security options available for your configuration, based on the level of HTTPS security you apply in your edge certificate. Review the table here to make sure you're choosing the right level of security.
Consider these points:
Specific details may vary in corner cases and for older products that aren't listed. Check with your account team for details. Security properties listed should be taken as rough suggestions and may not apply to all scenarios.
All that's listed is also supported with plain text HTTP requests to the same hostname. No security properties are obtained unless HTTP traffic is redirected to HTTPS. Once you commit to HTTPS-only, HSTS can be used to indicate to clients that HTTP is no longer supported. But, there is no going back.
Non-secure HTTP is also available, but it's not recommended. It's included in this table for comparison.
| Support/feature | Enhanced TLS Certificate | Standard TLS Certificate | Shared Certificate | HTTP only |
|---|---|---|---|---|
| Supports HTTPS to encrypt data in transit and validate the identity of the delivery server using TLS certificates. Prevents network-based attackers (such as malware on open Wi-Fi) from viewing and modifying HTTPS requests and responses. | ✅ | ✅ | ✅ | ❌ |
| Engineered to meet the high-security demands of banking, e-commerce, healthcare, and similar industries for protecting data in-transit, while also providing high-performance, scale, and a global footprint. | ✅ | ❌ | ❌ | ❌ |
| Engineered to provide high-performance, and massively scalable delivery of media assets as well as many types of websites. | ❌ | ✅ | ✅ | ✅ |
| Enables web browsers to indicate that a page is "secure" (such as by a lock icon in the browser address bar) when all page resources are delivered over HTTPS. | ✅ | ✅ | ✅ | ❌ |
| TLS server certificate private keys managed securely to protect against loss. | ✅ | ✅ | ✅ | N/A |
| Support for some very old or custom clients that do not send TLS SNI (Server Name Indication). | ✅ (with VIP cert) | ❌ | ✅ | N/A |
| HTTPS traffic supports Compliance Management for FedRAMP, HIPAA, ISO 27002, PCI and SOC2. Note that additional configuration constraints may apply. | ✅ | ❌ | ❌ | ❌ |
| Uses a common/default <> certificate that supports clients which do not send SNI. | ❌ | ❌ | ✅ | ❌ |
| Includes a DV SAN SNI certificate by default, with other SNI certificate types available as add-ons. | ❌ | ✅ | ❌ | ❌ |
| Included with products: Ion, DSA, DSD, AMD, Download Delivery, Object Delivery, and ACE. | ❌ | ✅ | ❌ | ✅ |
| Supports HTTP/2 | ✅ | ✅ | ✅ | ❌ |
| Supports IPv6+IPv4 dual-stack and uses it as the default for new configurations. | ✅ | ✅ | ✅ | ✅ |
| Supports protocol downgrade from HTTPS to HTTP (with restrictions and limitations). | Strongly discouraged and additional limitations apply. | ✅ | ✅ | N/A |
| Supports China CDN (Additional terms apply). | ✅ | ✅ | ❌ | ✅ |
| Supports delivery within Russia. | Only with "Russia CDN Secure" opt-in. | ✅ | ✅ | ✅ |
| Supports Edge IP Binding. | ✅ | ✅ | ✅ | ✅ |
| Supports Client Access Control. | ✅ | ❌ | ❌ | ❌ |
| Supports ESN Staging. | ✅ | ✅ | ✅ | ✅ |
| Supports "Instant Config" / MDC. | ❌ | ❌ | ❌ | ✅ |
Updated 3 months ago