When delivering through Akamai, a request for your site or app's domain is rerouted to an Akamai edge server that's geographically closest to the requesting client, to help speed up delivery. You should secure this connection using HTTPS. We'll start by creating a transport layer security certificate ("TLS cert") that uses a pair of encryption keys, one public and one private.
Do you need to exchange PII?
Personally identifiable information, or PII for short, describes sensitive data like credit card information or personal identification numbers. If your site exchanges this kind of information, you'll need the heightened security that an Enhanced TLS connection offers. See Other certificate methods for more information.
Here's how this cert fits in to secure the request:
A client—like a browser—makes a request for your site and it's rerouted to an edge server.
The edge server sends the certificate to the client. The certificate includes:
- The public key.
- A list of sites where the cert is valid. These are referred to as subject alternate names (SANs).
- An expiration date for the certificate.
- A signature from a Certificate Authority that proves that the key is legitimate for a SAN listed in the certificate.
The client then checks the following:
- Does the signature match the certificate?
- Does the certificate come from a Certificate Authority it trusts?
- Is the certificate actually for the site it requested?
- Has the certificate expired?
If the checks succeed, the client encrypts the items from step 2 using the public key and sends the encrypted data to the edge server. This sets a shared key for the session.
Since the edge server holds the corresponding private key, it can decrypt the information, read the shared key, and ultimately prove its identity to the requesting client.
Here, we'll walk you through how to create a domain-validated certificate enrollment that uses Let's Encrypt as the certificate authority and Akamai's secure Standard TLS network. This is relatively easy to set up, it's available to all Akamai delivery customers, and it applies to most delivery scenarios.
You need a technical contact, outside of your organization. This should be the person from your Akamai account team that you work with the most. Someone you designate as your local administrator contact and this technical contact will receive communications while the certificate is being validated. Talk to your Akamai account team to get:
- A first and last name
- A valid, Akamai domain email address
- A phone number
A certificate enrollment is one of the many "objects" that you create and manage via your Akamai contract. To create a new enrollment, you need the unique identifier that Akamai generates for your contract. You can get this value using the list contract operation in PAPI.
Now, you can use the CPS API to generate a new certificate "enrollment."
At this phase, you need the certificate authority (Let's Encrypt) to validate your enrollment request. There are a few ways you can do this, but they require interaction with your DNS. The method we cover here is self-service. You'll apply a token in a file and add it to your site or app.
Any operation that updates or creates something in the CPS API is referred to as a "change." Here, you review the change that was created for your enrollment and store some data from the response. You'll use this data to create the tokens used for validation.
Use the values you stored from the get a change operation to create an HTML file and store it on your site:
responseBody. Use a text editor to create a file and include this as the content of the file.
token. This is the name of the file. Save it using the
fullPath. Note the subdirectories after the domain. Create this same path on your site and save the html file you created in this path.
If you've included multiple domains (SANs) in your enrollment, repeat this same process for each one.
The last phase is automated. CPS will periodically check for the tokens on your site and ask Let's Encrypt to complete the validation. Once this happens, the administrator you set up in your enrollment will receive an email confirmation.
You're ready to go!
While it works for this basic workflow, a domain-validated Standard TLS certificate may not fit your needs.
Do requests for your content require the exchange of personally identifiable information (PII)? If they do, you’ll need the heightened protection offered with Enhanced TLS.
This is a separate method that automates the creation of a secure certificate–either Standard TLS or Enhanced TLS. Currently, it’s in limited availability.
Secure hypertext transfer protocol (HTTPS) has become the standard for access on the Internet. While non-secure HTTP is still supported, it's not recommended.
Updated 4 months ago