Welcome to Mutual TLS Origin Keystore

The Mutual TLS Origin Keystore, also referred to as, mTLS Origin Keystore, lets you create, control, and manage client certificates. Client certificates are used to establish mTLS authentication between the Akamai edge server and the origin. This ensures the requests to your origin server come directly from the Akamai network.

Client certificates are similar to the class of certificates used for server authentication. But in comparison, their characteristics are considerably different. For example, server certificates created and managed in Certificate Provisioning System (CPS), Mutual TLS Edge Truststore, or the Default DV certificates in Property Manager are often subject to browser validation rules, which in most cases don’t apply to client certificates.

Another difference is client certificates let you control the behavior of both parties when establishing an mTLS session between the edge server and the origin. You can be strict or lenient with the validation of the client certificate, which is typically problematic in a server certificate configuration.

Benefits

When using a client certificate to authenticate a connecting edge server, your origin server can verify the:

  • Connecting client is a deployed edge server
  • Edge server belongs to a specific traffic class (standard or enhanced TLS) and network partition (Core, Core+Russia, or Core+China)
  • Edge server follows the ARL file’s rules configured to present a specific client certificate when proxying incoming requests
  • Client certificate and the ARL file belong to the same account

With mTLS Origin Keystore, you have the freedom to combine client certificates with your supported delivery products within the same account, as defined in the access control model. The mTLS Edge Server to Origin behavior in Property Manager uses your client certificate as a reference in your delivery configurations (properties) to authenticate Akamai edge servers with the origin it forwards requests to.

📘

Limited access

Mutual TLS Origin Keystore is only available for selected customers at this time.

mTLS authentication workflow

Use this workflow to set up mTLS authentication between the edger server and your origin server.

  1. Create a client certificate in the Mutual TLS Origin Keystore application.
  2. In your property manager configuration:
    1. Enable the mTLS Edge Server to Origin behavior.
    2. Select your client certificate.
    3. If your origin isn’t configured for mTLS sessions, turn off the Require client authentication option, configure your origin for mTLS, then turn on the Require client authentication option.

Get started

Log in to ​Control Center​, go to ☰ > CDN > mTLS Origin Keystore, and Create a client certificate.

What's new

Release notes