Protect connections with mTLS

A certificate authority (CA) set is a collection of CA certificates that you use to verify the authenticity of client certificates requesting access to your content on the Akamai edge network. It's specifically used to establish mTLS-authenticated connections.

Before you begin

Create the CA certificates and the corresponding signed client certificates you want to use for the client-to-Akamai edge network connection in the mTLS transaction. You can use any trusted certificate authority (Let's Encrypt, DigiCert) or a self-signed CA to generate CA certificates and sign client certificates. Avoid collecting more CA certificates than necessary.

Make sure your CA certificates meet the Mutual TLS Edge Truststore validation specifications in Best practices.

You can add multiple CA certificates at once, and CA certificates are validated automatically.

🚧 If you cancel at any time during this procedure, your changes will be lost.

How to

Create a CA set

Before creating a CA set, review Best practices.

  1. On the Mutual TLS Edge Truststore landing page, click New CA certificate set.

  2. Give your CA set a name and optionally enter a description.

🚧 Make sure you're happy with the name you choose for your CA set. Once created, you can't change it.

  3. Click Submit. The CA set's name appears under CA Certificate sets.

  4. Create a new version and add certificates.

Create a new version and add certificates

A newly created CA set doesn't have any associated versions for managing certificates. You can activate the CA set on staging and production networks only after you create a version.

Before creating a CA set version, review Best practices.

  1. To create a CA set version, click either:
    • Create Version 1 — to create the first version.
    • New version — to create subsequent versions.

🚧 Allow SHA-1 (insecure) setting

For best results, use SHA-256 or stronger signature algorithms for certificates. The Allow SHA-1 option is disabled by default. Enable it only if this version must include SHA-1 signed CA certificates.

  2. Click Add certificates.
  3. Select a method to add certificates to the set:
    • Drop or browse files to upload. Lets you browse for and upload certificate files from your local machine, for example a PEM file that contains one or more certificates.
    • Paste certificate PEM(s) here. Lets you copy and paste PEM-encoded certificates into the entry field.
  4. When the upload is complete, click Validate and add to version. If validation fails, an error message pops up and the certificates are not added. See Validating added CA certificates to learn more about validation requirements.
  5. If necessary, repeat steps 2-4 to add more certificates.
  6. If the validation is successful, click Create version. The certificates are uploaded to your CA set version.

    📘 Managing existing CA set versions

    You can edit a CA set version (that is, add and remove certificates) as long as it isn't active on any network and wasn't activated previously.

  7. Activate the CA set version on network.
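The CA and client certificates described under Before you begin, plus a local check of the PEM bundle before you paste or upload it in the steps above, as an added example that is not part of Akamai's documentation or tooling. It assumes a POSIX shell with OpenSSL 1.1.1 or later in PATH; the work directory, the certificate and file names, and the checks in validate_bundle (parseable, basicConstraints CA:TRUE, not SHA-1 or MD5 signed, not expired) are constructed for this demo and are not the Truststore's own validation rules, which live on the Best practices page.

```shell
#!/bin/sh
# Added example, not Akamai's code. Assumes POSIX sh and OpenSSL 1.1.1+ in PATH;
# every file name, subject name and the WORKDIR below is constructed for this demo.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Self-signed CA. A private config keeps the extensions explicit instead of
# relying on the system openssl.cnf. $1 = name, $2 = digest (default sha256).
make_ca() {
  name="$1"; digest="${2:-sha256}"
  cat > "$WORKDIR/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 "-$digest" \
    -config "$WORKDIR/$name.cnf" -keyout "$WORKDIR/$name.key" \
    -out "$WORKDIR/$name.pem" >/dev/null 2>&1
}

# Client certificate signed by the CA; -extfile pins CA:FALSE and clientAuth.
# $1 = CA name, $2 = client name, $3 = digest (default sha256).
make_client_cert() {
  ca="$1"; name="$2"; digest="${3:-sha256}"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/$ca.cnf" \
    -subj "/CN=$name" -keyout "$WORKDIR/$name.key" \
    -out "$WORKDIR/$name.csr" >/dev/null 2>&1
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature\nextendedKeyUsage = clientAuth\n' \
    > "$WORKDIR/client.ext"
  openssl x509 -req -days 365 "-$digest" -in "$WORKDIR/$name.csr" \
    -CA "$WORKDIR/$ca.pem" -CAkey "$WORKDIR/$ca.key" -CAcreateserial \
    -extfile "$WORKDIR/client.ext" -out "$WORKDIR/$name.pem" >/dev/null 2>&1
}

# Signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# True when the signature digest is one the Truststore disables by default.
is_weak_sig() {
  case "$(sig_alg "$1")" in sha1*|md5*) return 0 ;; *) return 1 ;; esac
}

# Chain check against a CA in WORKDIR: $1 = CA name, $2 = certificate name.
verify_chain() {
  openssl verify -CAfile "$WORKDIR/$1.pem" "$WORKDIR/$2.pem" >/dev/null 2>&1
}

# Split a PEM bundle into $WORKDIR/part.N.pem files and print the certificate count.
split_bundle() {
  rm -f "$WORKDIR"/part.*.pem
  awk -v dir="$WORKDIR" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/part." n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }' "$1"
}

# Pre-upload check of a CA-set bundle: each block must parse, be a CA certificate,
# not be SHA-1/MD5 signed, and not be expired. Local sanity checks only.
validate_bundle() {
  count=$(split_bundle "$1"); i=1; status=0
  [ "$count" -gt 0 ] || { echo "$1: no PEM certificates found"; return 1; }
  while [ "$i" -le "$count" ]; do
    f="$WORKDIR/part.$i.pem"
    if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
      echo "cert $i: not a parseable X.509 certificate"; status=1
    elif ! openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
      echo "cert $i: not a CA certificate (basicConstraints CA:TRUE missing)"; status=1
    elif is_weak_sig "$f"; then
      echo "cert $i: signed with $(sig_alg "$f"); SHA-1 is disabled by default"; status=1
    elif ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
      echo "cert $i: expired"; status=1
    fi
    i=$((i + 1))
  done
  return "$status"
}

demo() {
  make_ca root-a; make_ca root-b
  make_client_cert root-a client1
  echo "client1 signed with $(sig_alg "$WORKDIR/client1.pem")"
  verify_chain root-a client1 && echo "client1 chains to root-a"
  cat "$WORKDIR/root-a.pem" "$WORKDIR/root-b.pem" > "$WORKDIR/ca-set.pem"
  validate_bundle "$WORKDIR/ca-set.pem" && echo "ca-set.pem: ready to upload"
  # A bundle that also carries the client (leaf) certificate must be rejected.
  cat "$WORKDIR/ca-set.pem" "$WORKDIR/client1.pem" > "$WORKDIR/bad-set.pem"
  validate_bundle "$WORKDIR/bad-set.pem" || echo "bad-set.pem: rejected as expected"
}
if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as `sh ca-set-demo.sh run` (file name assumed). The bundle validate_bundle accepts is the one you paste or upload into the version; the second bundle is rejected because it also carries the leaf client certificate, which belongs on the client, not in the CA set. The SHA-1 check mirrors the Allow SHA-1 default: a CA signed with `make_ca legacy sha1` fails validation unless you deliberately enable that option.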

Activate the CA set version on network

Get your new CA set version activated on the Akamai networks. It needs to be active on the same network where the server's mTLS-enabled edge certificate is active. For existing CA sets, you can activate independent CA set versions to staging and production networks.

Before activating a CA set version, make sure your certificates meet the specifications in Best practices.

To activate a CA set version:

  1. Under CA certificate sets, select the CA set.
  2. Select the CA set version you want to activate.
  3. In the Actions menu, select Activate. The Activate version x window pops up. Check the CA set details before activation.
  4. Click either Activate version x on staging or Activate version x on production (or both). Even though you can activate a CA set version directly on production, consider activating it on staging first for testing.

📘 Activation time

Activation in staging and in production can take up to 30 minutes. You can't remove the CA set while it's being activated.

  5. Click Close to return to the previous page.
  6. Set up mutual authentication.

Set up mutual authentication

After you activate your CA set on staging and production, set up mutual authentication in Certificate Provisioning System (CPS) to bind your CA set to the CPS/edge certificate.

Note that the concept of activation applies to CA set versions within Mutual TLS Edge Truststore: activating a version enables that specific set of CA certificates for use. The Certificate Provisioning System, by contrast, links a slot to the entire CA set, so the application uses whichever version is active within that CA set.

  1. In Certificate Provisioning System, locate the CA certificate that you want to update for mutual authentication.
  2. In the certificate's Actions menu, select View and Edit Deployment Settings. Read more.

📘 If necessary, create a new certificate using your domain. Make sure it's the same type (domain validated, organization validated, or extended validation) and format (standard TLS or enhanced TLS) you used for the client certificates in your CA set.

  3. In the Mutual Authentication section, click Edit and set these options:
    • Certificate Set. Select the CA set you created and activated.
    • OCSP. Enable this if the certificates you've included in your CA set use the Online Certificate Status Protocol (OCSP). OCSP can determine the X.509 certificate revocation status during the TLS handshake.
    • Send CA list to client. With this enabled, the edge servers also send the requesting client the names of the CAs in the CA set bound to your edge certificate, so the client can choose a matching client certificate.
  4. Click Submit to activate your CA certificate on the Akamai network with these settings.

Next steps

Enforce mTLS settings. This ensures that requests processed by your property come from mTLS-authenticated connections.