Protect connections with mTLS

📘

Limited Availability

This feature is only available to select customers. Talk to your account team about eligibility.

The Transport Layer Security (TLS) protocol secures connections between a client and a server. In a common TLS-secured web connection, only the client validates the identity of the server before allowing communication. In a mutual TLS (mTLS) web connection, the client and the server each validate the identity of the other before communication between the two is allowed. Each side presents a TLS identity certificate to the other and verifies its authenticity during what is called the "TLS handshake". Once verified, the identity information is used to authorize subsequent requests between the two.

1. Create a client CA set

A certificate authority (CA) set is a collection of certificates that you use to verify the authenticity of clients requesting access to your content on the Akamai edge network. It's used specifically to establish mTLS-authenticated connections. You'll use Akamai's mTLS Edge Truststore application for this.

Before you begin

You need to create the certificates you want to use for the client-to-Akamai edge network connection in the mTLS transaction. You can use any trusted certificate authority (Let's Encrypt, DigiCert) to generate these certificates. When you add a certificate to a CA set, the mTLS Edge Truststore validates it against these requirements:

  • It needs to be a correctly formed, PEM-encoded X.509 certificate.

  • It has valid X.509 CA bits set.

  • It's within its validity period. (Make sure it's not near expiration.)

  • It's a self-signed root certificate or an intermediate certificate.

  • It uses the SHA-256 signature hash algorithm or better.
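As an added example (not Akamai tooling and not part of the original page), the POSIX shell script below runs a local pre-flight check of a PEM file against the requirements above using the openssl CLI, so a certificate that the Truststore would reject is caught before you upload it. The 30-day expiry margin and the keyCertSign check are this example's own assumptions; the page states no threshold.

```shell
#!/bin/sh
# Added example (not Akamai tooling): local pre-flight check of one PEM file
# against the CA-set requirements above, using the openssl CLI. Returns 0 if
# every check passes; otherwise prints the first failing requirement and
# returns 1. Assumptions of this example: a 30-day expiry margin counts as
# "near expiration", and keyCertSign is required when a keyUsage extension is
# present. Caveat: only the expiry side of the validity period is checked;
# a not-yet-valid certificate still passes this script.
check_ca_cert() {
    pem="$1"
    # 1. Correctly formed, PEM-encoded X.509: openssl must be able to parse it.
    text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || {
        echo "$pem: not a parseable PEM-encoded X.509 certificate"; return 1; }
    # 2. CA bits: basicConstraints CA:TRUE. End-entity (leaf) certificates fail
    #    here, which matches the root-or-intermediate requirement.
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || {
        echo "$pem: basicConstraints CA:TRUE not set"; return 1; }
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign' || {
            echo "$pem: keyUsage present but keyCertSign is missing"; return 1; }
    fi
    # 3. Validity period: reject if expired or expiring within 30 days (2592000 s).
    openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null || {
        echo "$pem: expired or expires within 30 days"; return 1; }
    # 4. Signature hash: SHA-256 or stronger; SHA-1 and MD5 signatures are rejected.
    sigalg=$(printf '%s\n' "$text" | grep 'Signature Algorithm' | head -n 1 | awk '{print $NF}')
    printf '%s\n' "$sigalg" | grep -qiE 'sha(256|384|512)|ed25519|ed448' || {
        echo "$pem: signature algorithm $sigalg is weaker than SHA-256"; return 1; }
    echo "$pem: OK ($sigalg)"
    return 0
}

# Check every PEM file destined for one CA set; fails if any single file fails.
check_ca_set() {
    rc=0
    for f in "$@"; do
        check_ca_cert "$f" || rc=1
    done
    return "$rc"
}
```

Run it as `check_ca_set root.pem intermediate.pem` over the files you intend to paste into the set; a non-zero exit means at least one file would not pass the Truststore's validation.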

Create a new CA set

With your certificates ready, create a CA set to add them for use with mTLS:

  1. Access Akamai Control Center.

  2. Select > CDN > mTLS Edge Truststore.

  3. Click New CA certificate set.

  4. Give your CA set a name and, optionally, enter a description.

📘

Make sure you're happy with the name you choose for your CA set. Once created, you can't change it. Also, make note of the name. You'll need it later.

  5. Click Submit. The CA set appears under CA Certificate sets.

  6. With your new set selected, click + Create Version 1 to create the first version of your CA set.

  7. Click Add certificates and select a method to add a certificate to your set:

    • Drag and drop. Pick a file from your local machine and drag it to the Paste certificate PEM(s) here field. You can select multiple certificate files to drag and drop.

    • Click browse. Navigate to and select the certificate file on your local machine. You can multi-select more than one certificate file to add.

    • Copy/Paste. Open the PEM-encoded certificate in a text editor and copy its entire contents. Paste it into the Paste certificate PEM(s) here field.

  8. Click Validate and add to version. If you see an error message, check that your certificates meet the validation requirements and re-add them.

  9. If necessary, repeat steps 7-8 to add more certificates.

  10. Leave all other options at their default settings and click Create version.

Activate your CA set

Get your new CA set activated on the Akamai networks. It needs to be active on the same network where the server's mTLS-enabled edge certificate is active. The staging network is used for testing and the production network is used to go live.

  1. In the mTLS Edge Truststore, select the CA set you just created.

  2. Select the CA set version to use.

  3. Click ... under Actions and select Activate.

  4. Review your CA set's details to make sure everything is OK.

  5. Click the Activate version... button for the applicable network, or click both.

📘

Activation time

This varies based on the Akamai network:

  • Staging. Up to 2 hours.

  • Production. Up to 30 minutes.

2. Set up a server certificate

This is the edge certificate your property shares with the client for mTLS support. You need to enable mTLS support in this certificate and then bind it to your CA set with Akamai's Certificate Provisioning System (CPS).

  1. Access Akamai Control Center.

  2. Select > CDN > Certificates.

  3. Find your certificate based on its Common name, click ... under Actions, and select View and edit deployment settings.

📘

If necessary, create a new certificate using your domain. Make sure it's the same type (domain validated, organization validated, or extended validation) and format (standard TLS or enhanced TLS) you used for the client certificates in your CA set.

  4. In 4 - Mutual Authentication, click Edit and set these options:

    • Certificate Set. Select the CA set you created and activated.

    • OCSP. Enable this if the certificates you've included in your CA set support the Online Certificate Status Protocol (OCSP). OCSP can determine the X.509 certificate revocation status during the TLS handshake.

    • Send CA list to client. With this enabled, the edge servers also send the names of the CA sets you've included in your edge certificate back to the requesting client.

  5. Click Submit to update your edge certificate.

3. Enforce mTLS

Update your property configuration in Property Manager to apply support for mTLS. See the Enforce mTLS settings behavior.