Key concepts and terms

Get familiar with Mutual TLS Origin Keystore terminology:

  • Client certificate. Also referred to as certificate in this document, it consists of an X.509 certificate securely managed on behalf of our customers. It’s used to identify the Akamai edge server during an mTLS session with the origin. After it’s created, the certificate is immutable.

    The mTLS Origin Keystore application includes these types of client certificates:
    • Akamai. The Akamai-signed client certificate provides a fully automated certificate lifecycle management solution. For this type of certificate, a CA is created under the account and is used to sign all certificates of the same type in that account. The client certificates are automatically rotated before their expiration. Manual action is only needed when the CA itself approaches expiry, which occurs on a 5-year cadence; Portal notifications will be generated when action is needed.
    • Third-party. Alternatively, a third-party signed client certificate can be managed by the application as well. In this mode, the application generates a CSR to be signed by any CA, out of band. When the signed certificate is uploaded to the application, it becomes available for use in delivery configurations. Because the certificate is signed externally, users of this certificate type take on the responsibility of rotating the certificate before it expires. This option gives you fine-grained control over the client certificate and its signing authority, but it also means that lifecycle management has to be performed externally.
  • Certificate authority (CA). A trusted entity, also referred to as CA in this document, signs certificates and can vouch for the identity of a website. If a certificate is like a license or a passport, then a CA is like the Department of Motor Vehicles or the government, in that it is the trusted agency that issues the identification and verifies your identity before issuing identification.
  • Certificate signing request (CSR). A request presented to the CA that contains all the information the CA needs to sign and issue your client certificate.
  • Account CA. The Akamai account-specific CA provides an automated certificate management workflow. When creating a client certificate, you can have the underlying digital certificate signed by the account CA, or a third-party authority. When you create your first Akamai-signed client certificate, the mTLS Origin Keystore application generates an account CA certificate. This CA certificate identifies the account CA, and includes a public key and the digital signature based on the account CA’s private key. Note that an account CA is not created when only third-party certificates are managed in the account.
  • Mutual TLS authentication (mTLS). A process where both the client and the server present certificate identities to one another, and each verifies the authenticity of the other's claimed identity using locally configured trusted CA certificates. This is in contrast to common TLS server authentication on the Web, where only the server presents its certificate identity claim and the client verifies the authenticity of that claim using its local truststore.
  • Origin server. Also referred to as origin, it’s the server where you maintain your content for delivery, such as your website assets, streaming media files, downloadables, etc. Akamai edge servers regularly ping your origin server to get the most up-to-date content to hold it in cache for quicker delivery.
  • Edge server. The Akamai network server.
  • Version. The lifecycle of a client certificate includes versions that correspond to its renewal. Each time a client certificate is rotated, a new version of that certificate is created. The rotation preserves the certificate’s properties while extending its validity period. This concept is similar to Let’s Encrypt’s certificate lineage. Multiple versions of a client certificate can be deployed at the same time. This gives you flexibility when rotating your client certificates, without disrupting your service.
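The third-party workflow and the version concept above, as an added OpenSSL walkthrough that is not Akamai's code: a constructed stand-in CA signs a CSR out of band, the signed certificate is checked against that CA and against the private key before it would be uploaded, and signing the same CSR again models a second version. Reusing one key pair across versions and all names shown are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not Akamai code: third-party client certificate workflow with OpenSSL.
# A constructed CA signs a CSR out of band; the result is verified before upload; a second
# signing of the same CSR models a new certificate "version" (same key is an assumption).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the signing CA (an account CA or any third-party CA). Self-signed, 5 years.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Example Client CA" >/dev/null 2>&1
}

# Step 1: the keystore side generates a key pair and a CSR; the private key stays local.
make_csr() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" -subj "/CN=edge-client.example" >/dev/null 2>&1
}

# Step 2: the CA signs the CSR out of band; each signing yields a new certificate version
# with a fresh serial number and validity period.
sign_version() {  # $1 = version label, e.g. v1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/client-$1.crt" >/dev/null 2>&1
}

# Step 3: checks before uploading a signed certificate: it must chain to the expected CA,
# and its public key must match the key the CSR was generated for.
verify_version() {  # $1 = version label; returns 0 only if both checks pass
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client-$1.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$WORK/client-$1.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/client.key" -pubout)" ]
}

# Negative check: the same certificate must NOT verify against an unrelated CA.
verify_against_wrong_ca() {  # returns non-zero when the chain check correctly fails
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" -subj "/CN=Unrelated CA" >/dev/null 2>&1
  openssl verify -CAfile "$WORK/other.crt" "$WORK/client-v1.crt" >/dev/null 2>&1
}

make_ca
make_csr
sign_version v1
sign_version v2   # rotation: same subject and key, new serial and validity period
```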