Set up a secure certificate

When delivering through ‚ÄčAkamai‚Äč, a request for your site or app's domain is rerouted to an ‚ÄčAkamai‚Äč edge server that's geographically closest to the requesting client, to help speed up delivery. You should secure this connection using HTTPS. We'll start by creating a transport layer security certificate ("TLS cert") that uses a pair of encryption keys, one public and one private.


Do you need to exchange PII?

Personally identifiable information, or PII for short, describes sensitive data like credit card information or personal identification numbers. If your site exchanges this kind of information, you'll need the heightened security that an Enhanced TLS connection offers. See Other certificate methods for more information.

Where the cert applies

Here's how this cert fits in to secure the request:

  1. A client‚ÄĒlike a browser‚ÄĒmakes a request for your site and it's rerouted to an edge server.

  2. The edge server sends the certificate to the client. The certificate includes:

    • The public key.
    • A list of sites where the cert is valid. These are referred to as subject alternate names (SANs).
    • An expiration date for the certificate.
    • A signature from a Certificate Authority that proves that the key is legitimate for a SAN listed in the certificate.
  3. The client then checks the following:

    • Does the signature match the certificate?
    • Does the certificate come from a Certificate Authority it trusts?
    • Is the certificate actually for the site it requested?
    • Has the certificate expired?
  4. If the checks succeed, the client encrypts the items from step 2 using the public key and sends the encrypted data to the edge server. This sets a shared key for the session.

  5. Since the edge server holds the corresponding private key, it can decrypt the information, read the shared key, and ultimately prove its identity to the requesting client.

1. Create a certificate enrollment

Here, we'll walk you through how to create a domain-validated certificate enrollment that uses Let's Encrypt as the certificate authority and ‚ÄčAkamai‚Äč's secure Standard TLS network. This is relatively easy to set up, it's available to all ‚ÄčAkamai‚Äč delivery customers, and it applies to most delivery scenarios.

Get your ‚ÄčAkamai‚Äč contact

You need a technical contact, outside of your organization. This should be the person from your ‚Äč‚ÄčAkamai‚Äč‚Äč account team that you work with the most. Someone you designate as your local administrator contact and this technical contact will receive communications while the certificate is being validated. Talk to your ‚ÄčAkamai‚Äč account team to get:

  • A first and last name
  • A valid, ‚ÄčAkamai‚Äč domain email address
  • A phone number

Get your contractId

A certificate enrollment is one of the many "objects" that you create and manage via your ‚ÄčAkamai‚Äč contract. To create a new enrollment, you need the unique identifier that ‚ÄčAkamai‚Äč generates for your contract. You can get this value using the list contract operation in PAPI.

Create the enrollment

Now, you can use the CPS API to generate a new certificate "enrollment."

2. Validate the certificate

At this phase, you need the certificate authority (Let's Encrypt) to validate your enrollment request. There are a few ways you can do this, but they require interaction with your DNS. The method we cover here is self-service. You'll apply a token in a file and add it to your site or app.

Get tokens for your site

Any operation that updates or creates something in the CPS API is referred to as a "change." Here, you review the change that was created for your enrollment and store some data from the response. You'll use this data to create the tokens used for validation.

Add tokens to your site

Use the values you stored from the get a change operation to create an HTML file and store it on your site:

  • responseBody. Use a text editor to create a file and include this as the content of the file.

  • token. This is the name of the file. Save it using the .html extension.

  • fullPath. Note the subdirectories after the domain. Create this same path on your site and save the html file you created in this path.

If you've included multiple domains (SANs) in your enrollment, repeat this same process for each one.

Wait for CPS

The last phase is automated. CPS will periodically check for the tokens on your site and ask Let's Encrypt to complete the validation. Once this happens, the administrator you set up in your enrollment will receive an email confirmation.

You're ready to go!

Other certificate methods

While it works for this tutorial, a domain-validated Standard TLS certificate may not fit your needs.


Enhanced TLS

Do requests for your content require the exchange of personally identifiable information (PII)? If they do, you’ll need the heightened protection offered with Enhanced TLS.

The Default Certificate (‚ÄúSecure by Default‚ÄĚ)

This is a separate method that automates the creation of a secure certificate‚Äďeither Standard TLS or Enhanced TLS.


This is currently in limited availability

You'll need to check with your ‚ÄčAkamai‚Äč account team to see if you can access this certificate method.

Non-secure HTTP

Secure hypertext transfer protocol (HTTPS) has become the standard for access on the Internet. While non-secure HTTP is still supported, it's not recommended.

What’s Next