Create a CA set to enable mTLS

A CA set is a collection of CA certificates that can be used to verify the authenticity of client certificates at the ​Akamai​ edge for the purpose of establishing TLS mutual authenticated connections.

Before you begin

Determine and collect the public CA certificates that issue the client certificates you want to authenticate and establish trust with. Avoid collecting more CA certificates than necessary.

You can add multiple CA certificates at once and CA certificates are validated automatically.

Make sure your CA certificate meets the Mutual TLS Edge Truststore validation requirements.


If you cancel at anytime during this procedure, your changes will be lost.

How to

Create a new CA set

  1. On the Mutual TLS Edge Truststore landing page, click New CA certificate set.

  2. Give your CA set a name. Optionally, enter a description.

  3. Click Submit. The CA set's name appear under CA Certificate sets.


    After the CA set is created, the name can't be changed.

  4. Create a new version and add certificates.

Create a new version and add certificates

When you create a CA set, it has no versions. You can activate the CA set on staging and production networks only after you create a version.

  1. To create a CA set version, click either:
    • Create Version 1 — to create the first version
    • New version — to create subsequent versions


Allow SHA-1 (insecure) setting

​Akamai​ recommends SHA-256 or higher algorithms for certificates. Allow SHA-1 option is disabled by default. If you wish to use SHA-1 signed CA certificates for this version, enable this option.

  1. Click Add certificates.
  2. Select a method to add certificates to the set:
    • Drop or browse files to upload. Lets you browse, then upload certificates from your local machine into the entry field. For example, you can upload a PEM file that contains one or more certificates from your local machine.
    • Paste certificate PEM(s) here. Lets you copy and paste PEM encoded certificates into the entry field.
  3. When the upload is complete, click Validate and add to version. If validation fails, an error message pops up and the certificates are not added. See Validating added CA certificates to learn more about validation requirements.
  4. If the validation is successful, click Create version. The certificates are uploaded to your CA set.


    Managing exiting CA set versions

    You can edit a CA set version (that is, add and remove certificates) as long as it’s not active on any network and wasn't activated previously.

  5. Activate the CA set version on network.

Activate the CA set version on network

A new CA set version must be activated on staging and production networks before it can be associated with any edge certificate. For existing CA sets, you can activate independent CA set versions to staging and production networks.

To activate a CA set:

  1. Under CA certificate sets, select the CA set.
  2. Select the CA set version you want to activate.
  3. In the Actions menu select Activate . The Activate version x window pops up. Check the CA set details before activation.
  4. Click either Activate version x on staging or Activate version x on production (or both).


Activation time

Activation in staging can take up to two hours, and 30 minutes in production. You can't remove the CA set while it's being activated.

  1. Click Close to return to the previous page.
  2. Set up mutual authentication.

Set up mutual authentication

After you activate your CA set on production, set up mutual authentication in Certificate Provisioning System (CPS) to bind your CA certificates to the CA set.

  1. In Certificate Provisioning System, locate the CA certificate that you want to update for mutual authentication.
  2. In the certificate's Actions menu, select View and Edit Deployment Settings.
  3. In the Mutual Authentication section, click Edit.
  4. In the Certificate set menu, select a CA set. The CA certificates in your CA set are used to validate the client certificates during mutual authentication (TLS handshake) on the ​Akamai​ edge.
  5. Click Submit to activate your CA certificate on the ​Akamai​ network with these settings.

Next steps

Enforce mTLS settings. This ensures requests processed by your property come from TLS connections.