Create a CA set to enable mTLS

A CA set is a collection of CA certificates that can be used to verify the authenticity of client certificates at the Akamai edge for the purpose of establishing mutually authenticated TLS (mTLS) connections.

Before you begin

Determine and collect the public CA certificates that issue the client certificates you want to authenticate and establish trust with. Avoid collecting more CA certificates than necessary.

Make sure your CA certificates meet the Mutual TLS Edge Truststore validation specifications in Best practices.

You can add multiple CA certificates at once; they are validated automatically.
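A pre-upload check, added here as an example (it is not Akamai's code and not the truststore's own validator), that inspects a PEM bundle before you paste or upload it: it flags certificates that are not CAs, that are signed with SHA-1 (which would need the Allow SHA-1 (insecure) setting described under the version procedure), or that are outside their validity period. It parses the X.509 structure directly with no third-party dependency. The certificates it checks at the end are constructed, unsigned samples with dummy names, keys and signature bytes; `make_sample_cert`, `SHA256_RSA`, `SHA1_RSA` and `REPORT` are assumptions of this example. Signature and chain verification are deliberately left to the edge truststore's own validation.

```python
# Pre-upload check of a PEM bundle of CA certificates (added example, not Akamai's code).
# Parses X.509 DER directly to report each certificate's signature digest (flagging SHA-1),
# whether basicConstraints marks it as a CA, and whether it is currently valid. No chain building.
import base64
import re
from datetime import datetime, timezone

# Signature algorithm OID -> (name, digest); see RFC 3279, RFC 5758, RFC 8017.
SIG_ALGS = {"1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
            "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
            "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
            "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
            "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
            "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256")}
OID_BASIC_CONSTRAINTS = "2.5.29.19"

def der_tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(content):
    """Split a constructed element's content into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_tlv(content, pos)
        out.append((tag, val))
    return out
def decode_oid(content):
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs, n = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))
def decode_time(tag, content):
    s = content.decode("ascii")
    if tag == 0x17:  # UTCTime has a two-digit year; RFC 5280 maps YY < 50 to 20YY
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_cert(der, now=None):
    """Run the checks relevant to a CA-set upload on one DER-encoded certificate."""
    now = now or datetime.now(timezone.utc)
    (_, tbs), (_, sig_alg), _ = der_children(der_tlv(der)[1])
    oid = decode_oid(der_children(sig_alg)[0][1])
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # explicit [0] version is optional (absent means v1)
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, spki, ..., [3] extensions
    not_before, not_after = [decode_time(t, v) for t, v in der_children(fields[3][1])]
    is_ca = False
    for tag, val in fields[6:]:
        if tag != 0xA3:
            continue
        for _, ext in der_children(der_children(val)[0][1]):
            parts = der_children(ext)  # extnID, optional critical flag, extnValue
            if decode_oid(parts[0][1]) == OID_BASIC_CONSTRAINTS:
                _, bc, _ = der_tlv(parts[-1][1])  # OCTET STRING wraps the SEQUENCE
                is_ca = any(t == 0x01 and v == b"\xff" for t, v in der_children(bc))
    name, digest = SIG_ALGS.get(oid, (oid, "unknown"))
    problems = []
    if not is_ca:
        problems.append("basicConstraints does not mark it as a CA certificate")
    if digest == "SHA-1":
        problems.append("signed with SHA-1: needs the 'Allow SHA-1 (insecure)' setting")
    elif digest == "unknown":
        problems.append(f"unrecognised signature algorithm {oid}")
    if not not_before <= now <= not_after:
        problems.append("outside its validity period")
    return {"signature_algorithm": name, "is_ca": is_ca,
            "not_after": not_after.isoformat(), "problems": problems}
def check_bundle(pem_text, now=None):
    """Inspect every CERTIFICATE block in a PEM file (one file may hold several)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [inspect_cert(base64.b64decode("".join(b.split())), now) for b in blocks]

# --- Constructed sample input: hypothetical, UNSIGNED certificates for demonstration ---
def _der(tag, content):  # tiny DER encoder, enough for the samples (content < 256 bytes)
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + content
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # OID sha256WithRSAEncryption
SHA1_RSA = bytes.fromhex("06092a864886f70d010105")    # OID sha1WithRSAEncryption
def make_sample_cert(sig_oid, ca=True, not_after=b"351231235959Z"):
    """Build a constructed X.509 v3 cert with dummy name, key and signature bytes."""
    alg = _der(0x30, sig_oid + b"\x05\x00")
    name = _der(0x30, b"")  # empty dummy Name
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after))
    bc = _der(0x04, _der(0x30, _der(0x01, b"\xff") if ca else b""))
    exts = _der(0xA3, _der(0x30, _der(0x30, b"\x06\x03\x55\x1d\x13" + bc)))
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + alg + name
               + validity + name + _der(0x30, b"\x00") + exts)
    cert = _der(0x30, tbs + alg + _der(0x03, bytes(9)))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"

# Example report over a constructed bundle: a SHA-256 CA, a SHA-1 CA and a non-CA certificate.
REPORT = check_bundle(make_sample_cert(SHA256_RSA) + make_sample_cert(SHA1_RSA)
                      + make_sample_cert(SHA256_RSA, ca=False))
```

Run it on your real bundle with `check_bundle(open("ca-bundle.pem").read())`: anything listed under `problems` is worth resolving before the Validate and add to version step, and a SHA-1 entry tells you in advance that the version will need Allow SHA-1 enabled.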

🚧

If you cancel at any time during this procedure, your changes will be lost.

How to

Create a CA set

Before creating a CA set, review Best practices.

  1. On the Mutual TLS Edge Truststore landing page, click New CA certificate set.

  2. Give your CA set a name.

  3. Optionally, enter a description.

  4. Click Submit. The CA set's name appears under CA Certificate sets.

    🚧

    After the CA set is created, the name can't be changed.

  5. Create a new version and add certificates.

Create a new version and add certificates

A newly created CA set doesn't have any associated versions for managing certificates. You can activate the CA set on staging and production networks only after you create a version.

Before creating a CA set version, review Best practices.

  1. To create a CA set version, click either:
    • Create Version 1 — to create the first version
    • New version — to create subsequent versions

    🚧

    Allow SHA-1 (insecure) setting

    For best results, use SHA-256 or stronger signature algorithms for certificates. The Allow SHA-1 option is disabled by default; enable it only if this version must include SHA-1 signed CA certificates.

  2. Click Add certificates.
  3. Select a method to add certificates to the set:
    • Drop or browse files to upload. Lets you browse for certificates on your local machine and upload them into the entry field. For example, you can upload a PEM file that contains one or more certificates.
    • Paste certificate PEM(s) here. Lets you copy and paste PEM encoded certificates into the entry field.
  4. When the upload is complete, click Validate and add to version. If validation fails, an error message pops up and the certificates are not added. See Validating added CA certificates to learn more about validation requirements.
  5. If the validation is successful, click Create version. The certificates are uploaded to your CA set version.

    📘

    Managing existing CA set versions

    You can edit a CA set version (that is, add and remove certificates) as long as it’s not active on any network and wasn't activated previously.

  6. Activate the CA set version on network.

Activate the CA set version on network

A new CA set version needs to be activated on staging and production networks before it can be associated with any edge certificate. For existing CA sets, you can activate independent CA set versions to staging and production networks.

Before activating a CA set version, make sure your certificates meet the specifications in Best practices.

To activate a CA set version:

  1. Under CA certificate sets, select the CA set.
  2. Select the CA set version you want to activate.
  3. In the Actions menu, select Activate. The Activate version x window pops up. Check the CA set details before activation.
  4. Click either Activate version x on staging or Activate version x on production (or both).

    📘

    Activation time

    Activation in staging can take up to two hours, and 30 minutes in production. You can't remove the CA set while it's being activated.

  5. Click Close to return to the previous page.
  6. Set up mutual authentication.

Set up mutual authentication

After you activate your CA set on production, set up mutual authentication in Certificate Provisioning System (CPS) to bind your edge certificate to the CA set.

Note that the concept of activation applies to CA set versions within Mutual Edge Truststore. This means specific configurations of certificates are enabled for use. Conversely, the Certificate Provisioning System establishes a link between a slot and the entire CA set, allowing the application to use any active version within that CA set.

  1. In Certificate Provisioning System, locate the CA certificate that you want to update for mutual authentication.
  2. In the certificate's Actions menu, select View and Edit Deployment Settings.
  3. In the Mutual Authentication section, click Edit.
  4. In the Certificate set menu, select a CA set. The CA certificates in your CA set are used to validate the client certificates during mutual authentication (TLS handshake) on the Akamai edge.
  5. Click Submit to activate your CA certificate on the Akamai network with these settings.

Next steps

Enforce mTLS settings. This ensures that requests processed by your property come from mutually authenticated TLS connections.