To understand this API’s various URL resources and the data it exchanges, you need to familiarize yourself with these concepts:
Client certificate
Also referred to as certificate in this document, it consists of an X.509 certificate securely managed on behalf of our customers. It’s used to identify the Akamai edge server during an mTLS session with the origin. After it’s created, the certificate is immutable.
The mTLS Origin Keystore application includes these types of client certificates:
Akamai
This certificate is automatically signed and managed by the application.
Third-party
This certificate is signed by a CA of the user’s choice and managed by the user.
Certificate authority (CA)
A trusted entity, also referred to as CA in this document, signs certificates and can vouch for the identity of a website. If a certificate is like a license or a passport, then a CA is like the Department of Motor Vehicles or the government, in that it is the trusted agency that issues the identification and verifies your identity before issuing identification.
Certificate signing request (CSR)
A request presented to the CA that contains all the information the CA needs to sign and issue your client certificate.
Account CA
The Akamai account-specific CA provides an automated certificate management workflow. When creating a client certificate, you can have the underlying digital certificate signed by the account CA, or a third-party authority. When you create your first Akamai-signed client certificate, the mTLS Origin Keystore application generates an account CA certificate. This CA certificate identifies the account CA, and includes a public key and the digital signature based on the account CA’s private key.
An account CA is not created when only third-party certificates are managed in the account.
Mutual TLS authentication (mTLS)
A process where both the client and the server present certificate identities to one another, and each verifies the authenticity of the other's claimed identity using locally configured trusted CA certificates. This is in contrast to common TLS server authentication on the Web, where only the server presents its certificate identity claim and the client verifies the authenticity of that claim using its local truststore.
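The CSR, account CA and mTLS entries above describe one flow: a CA signs a certificate from a CSR, and both ends of the connection then prove their identity against a trusted CA. The program below is an added example written for this page, not code from the mTLS Origin Keystore API or from Akamai; it uses only Go's standard library. It creates a self-signed CA in the account CA role, issues an origin (server) certificate and an edge (client) certificate from CSRs, and runs the handshake over an in-memory connection once with the client certificate and once without it. The names Example Account CA, origin.example and edge-client.example are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must keeps the demo short: any key-generation or issuance failure aborts the program.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA creates a self-signed CA certificate and key (the "account CA" role in this example).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueFromCSR plays both sides of the CSR flow: the requester generates a key and a CSR,
// the CA checks the CSR's self-signature (proof of key possession) and issues the certificate.
func issueFromCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, eku x509.ExtKeyUsage, serial int64) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key))
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject, // identity comes from the CSR; validity and usage are the CA's decision
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	if eku == x509.ExtKeyUsageServerAuth {
		tmpl.DNSNames = []string{cn} // the edge verifies this name against the ServerName it connects to
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// mtlsHandshake runs one handshake over an in-memory pipe: the origin side requires a client
// certificate chained to ca, the edge side verifies the origin against the same CA.
// A nil edge certificate simulates a client that cannot prove its identity.
func mtlsHandshake(ca *x509.Certificate, origin tls.Certificate, edge *tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{origin},
		ClientAuth:             tls.RequireAndVerifyClientCert, // origin insists on a certificate chained to ClientCAs
		ClientCAs:              pool,
		SessionTicketsDisabled: true, // no post-handshake writes, which the synchronous pipe would block on
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "origin.example", MinVersion: tls.VersionTLS12}
	if edge != nil {
		cliCfg.Certificates = []tls.Certificate{*edge}
	}
	c1, c2 := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // a stuck handshake fails instead of hanging
	c1.SetDeadline(deadline)
	c2.SetDeadline(deadline)
	srvDone := make(chan error, 1)
	go func() {
		err := tls.Server(c2, srvCfg).Handshake()
		c2.Close()
		srvDone <- err
	}()
	cliErr := tls.Client(c1, cliCfg).Handshake()
	c1.Close()
	if srvErr := <-srvDone; srvErr != nil {
		return fmt.Errorf("origin rejected the connection: %w", srvErr)
	}
	return cliErr
}

// demo issues an origin and an edge certificate from the example CA and tries the
// handshake with and without the client certificate.
func demo() (withCert, withoutCert error) {
	ca, caKey := newCA("Example Account CA") // constructed name, not a real account CA
	origin := issueFromCSR(ca, caKey, "origin.example", x509.ExtKeyUsageServerAuth, 2)
	edge := issueFromCSR(ca, caKey, "edge-client.example", x509.ExtKeyUsageClientAuth, 3)
	return mtlsHandshake(ca, origin, &edge), mtlsHandshake(ca, origin, nil)
}

func main() {
	withCert, withoutCert := demo()
	fmt.Println("with client certificate:   ", withCert)
	fmt.Println("without client certificate:", withoutCert)
}
```

With TLS 1.3 the client side considers the handshake finished once it has sent its own Finished message, so a missing or untrusted client certificate surfaces as an error on the origin side (and on the client's first read). That is why mtlsHandshake reports the server's verdict first: for origin access control, the server's view is the one that matters.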
Origin server
Also referred to as origin, it’s the server where you maintain your content for delivery, such as your website assets, streaming media files, downloadables, etc. Akamai edge servers regularly contact your origin server to retrieve the most up-to-date content and hold it in cache for quicker delivery.
Edge server
The Akamai network server.
Version
The lifecycle of a client certificate includes versions that correspond to its renewal. Each time a client certificate is rotated, a new version of that certificate is created. The rotation preserves the certificate’s properties while extending its validity period. This concept is similar to Let’s Encrypt’s certificate lineage. Multiple versions of a client certificate can be deployed at the same time. This gives you flexibility when rotating your client certificates, without disrupting your service.
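The version concept above is easiest to reason about as a lineage of validity windows. The following is an added example, not code from this documentation or from the mTLS Origin Keystore API, and its Lineage and Version types are a constructed model rather than the API's schema. It rotates a certificate with 90-day versions, keeps two versions deployed during the overlap, and then rotates one version late, so that a gap-check function can show the window in which no deployed version is valid and origin connections would fail.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Version is one entry in a client certificate's lineage. Rotation keeps the certificate's
// identity properties and changes only the version number and the validity window.
type Version struct {
	Number    int
	NotBefore time.Time
	NotAfter  time.Time
	Deployed  bool // pushed to edge servers and usable for mTLS
}

// Lineage models one client certificate across its rotations (constructed model for this example).
type Lineage struct {
	Subject  string
	Validity time.Duration // every version is issued with this validity period
	Versions []Version
}

// Gap is a window in which no deployed version is valid.
type Gap struct{ From, To time.Time }

// Rotate issues the next version, valid from now, and deploys it alongside the existing ones.
func (l *Lineage) Rotate(now time.Time) Version {
	v := Version{Number: len(l.Versions) + 1, NotBefore: now, NotAfter: now.Add(l.Validity), Deployed: true}
	l.Versions = append(l.Versions, v)
	return v
}

// Undeploy removes a version from the edge without deleting it from the lineage.
func (l *Lineage) Undeploy(number int) {
	for i := range l.Versions {
		if l.Versions[i].Number == number {
			l.Versions[i].Deployed = false
		}
	}
}

// Active lists the versions that are deployed and within their validity at t.
func (l *Lineage) Active(t time.Time) []int {
	var active []int
	for _, v := range l.Versions {
		if v.Deployed && !t.Before(v.NotBefore) && t.Before(v.NotAfter) {
			active = append(active, v.Number)
		}
	}
	return active
}

// Gaps walks the deployed versions in NotBefore order, tracking how far the union of
// their validity windows reaches, and reports every window that nothing covers.
func (l *Lineage) Gaps() []Gap {
	var deployed []Version
	for _, v := range l.Versions {
		if v.Deployed {
			deployed = append(deployed, v)
		}
	}
	sort.Slice(deployed, func(i, j int) bool { return deployed[i].NotBefore.Before(deployed[j].NotBefore) })
	var gaps []Gap
	if len(deployed) == 0 {
		return gaps
	}
	coveredUntil := deployed[0].NotAfter
	for _, v := range deployed[1:] {
		if v.NotBefore.After(coveredUntil) {
			gaps = append(gaps, Gap{From: coveredUntil, To: v.NotBefore})
		}
		if v.NotAfter.After(coveredUntil) {
			coveredUntil = v.NotAfter
		}
	}
	return gaps
}

// scenario replays a constructed rotation schedule: 90-day versions, v2 rotated with
// 30 days of overlap, then v3 rotated ten days after v2 expired.
func scenario() (*Lineage, time.Time) {
	t0 := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	l := &Lineage{Subject: "CN=edge-client.example", Validity: 90 * day} // constructed subject
	l.Rotate(t0)               // v1: day 0 to day 90
	l.Rotate(t0.Add(60 * day)) // v2: day 60 to day 150, overlapping v1 for 30 days
	l.Rotate(t0.Add(160 * day)) // v3: day 160 to day 250, leaving days 150 to 160 uncovered
	return l, t0
}

func main() {
	l, t0 := scenario()
	day := 24 * time.Hour
	fmt.Println("active on day 70:", l.Active(t0.Add(70*day)))   // both v1 and v2
	fmt.Println("active on day 155:", l.Active(t0.Add(155*day))) // nothing
	for _, g := range l.Gaps() {
		fmt.Printf("gap: %s to %s\n", g.From.Format("2006-01-02"), g.To.Format("2006-01-02"))
	}
}
```

Running Gaps over the planned schedule before the old version is undeployed or expires is the check that rotation will not disrupt service: as long as the next version is deployed before the current one's NotAfter, the result stays empty.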