Create a client certificate
When creating a client certificate, you can have either the account CA or a third-party authority sign the certificate. Note that once a client certificate is created, only its name can be changed.
Before you begin
For both certificate types, it’s strongly suggested that you configure your origins to trust certificates signed by your CA. This includes the Account CA managed by Akamai or the third-party CA that signed the certificate. Configurations where the trust is established directly with the identity of the client certificate, such as certificate pinning, are strongly discouraged as they result in delivery configurations that are difficult to maintain and are likely to cause service disruptions when these client certificates are updated.
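As an added illustration of the recommendation above (not from the original page or from Akamai), this sketch assumes the origin is an nginx server; the hostname, file paths, backend address and common name are placeholders. It establishes trust in the signing CA and shows the discouraged fingerprint pin commented out for contrast.

```nginx
# Added example; belongs in the http {} context of the origin's nginx config.
# All names, paths and the CN below are placeholders (assumptions).

# Optional narrowing on the subject common name. The subject stays the same
# when the client certificate is reissued under the same common name, so this
# check does not have to change when a new certificate version is deployed.
map $ssl_client_s_dn $edge_client_ok {
    default                                 0;
    "~(^|,)CN=client\.example\.com(,|$)"    1;
}

server {
    listen 443 ssl;
    server_name origin.example.com;

    # The origin's own server certificate and key.
    ssl_certificate     /etc/nginx/tls/origin.crt;
    ssl_certificate_key /etc/nginx/tls/origin.key;

    # Recommended: trust the CA that signs the client certificate (the
    # account CA or your third-party CA). Any certificate that chains to
    # this bundle is accepted, including renewed versions.
    ssl_client_certificate /etc/nginx/tls/mtls-client-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;   # adjust to the length of your CA chain

    # Discouraged: pinning the identity of one client certificate.
    # This starts rejecting the edge as soon as the certificate is updated.
    # if ($ssl_client_fingerprint != "<fingerprint-of-current-certificate>") {
    #     return 403;
    # }

    location / {
        # Reject certificates from the trusted CA that carry another CN.
        if ($edge_client_ok = 0) { return 403; }
        proxy_pass http://127.0.0.1:8080;
    }
}
```

When the signing CA itself is replaced, add the new CA certificate to the bundle file before removing the old one so both chains verify during the changeover.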
To create a client certificate:
- Log in to Control Center, and select ☰ > CDN > mTLS Origin Keystore.
- On the Mutual TLS Origin Keystore landing page, click Create certificate.
- Enter the certificate information:
  - Name: Label for the certificate, which you can change at a later time.
  - Contract: Contract under your account.
  - Group: Group under your account and contract.
  - Common name: Typically, the fully qualified domain name you plan to use for your certificate.
- Select the certificate’s signer:
  - Akamai: When selected, the mTLS Origin Keystore application automatically manages the account CA certificate (see Account CA certificates) used to sign your client certificate. This means you can’t manage the lifecycle of the client certificate. If you need full control of the certificate, consider choosing a third-party CA to manage these certificates on your own.
  - Third-Party: When selected, you need to upload a CA-signed third-party certificate before you can use it for mTLS authentication between the edge server and the origin. Do this after you create your client certificate and the certificate’s version appears under Versions on the landing page.
- Select these options:
  - Secure Network: Select either Standard TLS or Enhanced TLS based on your requirements.
  - Geography: Select a geography. Note that you can only modify this field to include China or Russia if your Akamai contract specifies you can do so and you have approval from these governments.
- Enter the Notification recipients: These are the email addresses of the users you want to notify when a certificate is approaching expiration.
- Click Create. A client certificate version appears on the landing page under Versions.
- View the client certificate version.