Client certificates
This section describes the actions used to manage your client certificates.
View a client certificate
The mTLS Origin Keystore UI lists client certificates on the Client certificates tab based on the last certificate modified. Client certificate Details and Versions appear on the right side of the landing page.
To find a client certificate, you can filter on any of these details except Secure network, Geography, and Created date:
- Id: Deployment identifier of the certificate.
- Name: Label given to the certificate.
- Common name: Typically, the fully qualified domain name given.
- Signer: Chosen CA that signs the certificate.
- Secure network: Chosen traffic class for the certificate.
- Geography: Chosen deployed network combination for the certificate.
- Notification recipients: Users’ emails to notify when a certificate is approaching expiration.
- Created by: User who created the certificate.
- Created date: When the certificate was created.
The Versions section lists the client certificate’s versions in the order they're created (see View a client certificate version).
View a client certificate version
Your client certificate versions are listed in the landing page’s Versions section in the order they're created. The section shows each version’s status, when it was issued, and the expiration date. To view additional information about a version, click the expand icon.
You can rotate a client certificate and manage versions using the tasks listed on the Actions menu.
Create a client certificate version
See Rotate a client certificate.
Rotate a client certificate
When you rotate a client certificate, a new version of the certificate is created, preserving its properties for an extended period of time. Use these procedures to rotate your client certificate.
Akamai-signed client certificates are automatically rotated on a specific date. When third-party signed client certificates approach expiration, users are responsible for rotating them.
To rotate an Akamai-signed client certificate:
- From the mTLS Origin Keystore landing page, select the Akamai client certificate you want to renew.
- Under Versions, click Rotate certificate, then click Rotate certificate again. The oldest version is deleted and a new version appears first on the list with the Deployment pending status. Notification recipients receive an email.
To rotate a third-party signed certificate:
- From the mTLS Origin Keystore landing page, select the third-party client certificate you want to renew.
- Under Versions, click Rotate certificate, then click Rotate certificate again. The oldest version is deleted and a new version appears first on the list with the Awaiting signed certificate status.
- On the Actions menu, click View CSR, download the certificate request, and use it to obtain a signed certificate from your CA of choice.
- Once you have the signed certificate from your CA, on the Actions menu, click Upload certificate.
- Select either Text to copy/paste the certificate and trust chain, or select File to choose your certificate and trust chain files.
- Click Upload.
Delete a client certificate version
The mTLS Origin Keystore application tracks your active property delivery configurations for references to your client certificate version. If you try to delete a certificate version that’s referenced in any of your active properties, you’ll get an error message. Note that this doesn’t apply to client certificates referenced outside of Property Manager, for example in Advanced Metadata.
Before you begin
Check your properties for a reference to the client certificate you want to delete. If the client certificate is referenced, select a different certificate.
To delete a client certificate version:
- From the mTLS Origin Keystore landing page, select the client certificate.
- Under Versions, on the Actions menu, select Delete.
- Click Delete. Users on the Notification recipients list get an email notification that the version is deleted.
Deleting a version may result in gaps in sequences of version numbers. For example, if you delete the latest or highest version number, any subsequent creation of a version skips that number.
Upload a third-party signed certificate
To upload a signed third-party client certificate:
- From the mTLS Origin Keystore landing page, select the third-party client certificate.
- On the Actions menu, click View CSR, download the certificate request, and use it to obtain a signed certificate from your CA of choice.
- Once you have the signed certificate from your CA, on the Actions menu, click Upload certificate.
- Select either Text to copy/paste the certificate and trust chain, or select File to choose your certificate and trust chain files.
- Click Upload.