Set up a secure certificate
When delivering through Akamai, a request for your site or app's domain is rerouted to an Akamai edge server that's geographically closest to the requesting client, to help speed up delivery. You should secure this connection using HTTPS. We'll start by creating a transport layer security certificate ("TLS cert") that uses a pair of encryption keys, one public and one private.
Do you need to exchange PII?
Personally identifiable information, or PII for short, describes sensitive data like credit card information or personal identification numbers. If your site exchanges this kind of information, you'll need the heightened security that an Enhanced TLS connection offers. See Other certificate methods for more information.
Where the cert applies
Here's how this cert fits in to secure the request:
1. A client, like a browser, makes a request for your site and it's rerouted to an edge server.
2. The edge server sends the certificate to the client. The certificate includes:
   - The public key.
   - A list of sites where the cert is valid. These are referred to as subject alternative names (SANs).
   - An expiration date for the certificate.
   - A signature from a Certificate Authority that proves that the key is legitimate for a SAN listed in the certificate.
3. The client then checks the following:
   - Does the signature match the certificate?
   - Does the certificate come from a Certificate Authority it trusts?
   - Is the certificate actually for the site it requested?
   - Has the certificate expired?
4. If the checks succeed, the client encrypts the items from step 2 using the public key and sends the encrypted data to the edge server. This sets a shared key for the session.
5. Since the edge server holds the corresponding private key, it can decrypt the information, read the shared key, and ultimately prove its identity to the requesting client.
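The four client-side checks in step 3 can be exercised with Go's standard crypto/x509 package. The example below is added here and is not Akamai's or Let's Encrypt's code: it builds a throwaway CA and a leaf certificate (constructed fixtures with constructed host names), then runs the same checks a browser performs against the requested host name and the current time, reporting which check fails for a wrong host, an expired certificate, and a certificate from an untrusted issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// buildChain creates a throwaway CA and a leaf certificate signed by it.
// Both are constructed fixtures standing in for the Certificate Authority and
// the edge certificate; nothing here is an Akamai or Let's Encrypt artifact.
func buildChain(sans []string, notBefore, notAfter time.Time) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             time.Now().Add(-365 * 24 * time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans,     // the SAN list the client matches the requested host against
		NotBefore:    notBefore,
		NotAfter:     notAfter, // the expiration date the client checks
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The CA key signs the leaf: this signature is what the client verifies.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// checkCertificate runs the client-side checks from step 3: chain signature,
// trusted issuer, requested host present in the SANs, and validity at `now`.
func checkCertificate(leaf, trustedCA *x509.Certificate, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // the only CA this client trusts
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// classify maps a verification error onto the check that failed.
func classify(err error) string {
	var hostErr x509.HostnameError
	var invalidErr x509.CertificateInvalidError
	var authErr x509.UnknownAuthorityError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostErr):
		return "hostname-mismatch"
	case errors.As(err, &invalidErr) && invalidErr.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &authErr):
		return "untrusted"
	default:
		return "other: " + err.Error()
	}
}

func main() {
	now := time.Now()
	ca, leaf, err := buildChain([]string{"www.example.com", "example.com"}, now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("matching host:", classify(checkCertificate(leaf, ca, "www.example.com", now)))
	fmt.Println("wrong host:   ", classify(checkCertificate(leaf, ca, "api.example.com", now)))
	fmt.Println("after expiry: ", classify(checkCertificate(leaf, ca, "www.example.com", now.Add(48*time.Hour))))
	otherCA, _, _ := buildChain([]string{"www.example.com"}, now.Add(-time.Hour), now.Add(24*time.Hour))
	fmt.Println("unknown CA:   ", classify(checkCertificate(leaf, otherCA, "www.example.com", now)))
}
```

Note that the trust decision is made entirely by the client's root store (`Roots` here): a certificate with a valid signature, the right SANs, and a future expiry is still rejected if its issuer is not one the client trusts, which is why the enrollment in the next section uses a publicly trusted CA.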
1. Create a certificate enrollment
Here, we'll walk you through how to create a domain-validated certificate enrollment that uses Let's Encrypt as the certificate authority and Akamai's secure Standard TLS network. This is relatively easy to set up, it's available to all Akamai delivery customers, and it applies to most delivery scenarios.
Get your Akamai contact
You need a technical contact from outside your organization. This should be the person from your Akamai account team that you work with the most. Both this technical contact and the person you designate as your local administrator contact will receive communications while the certificate is being validated. Talk to your Akamai account team to get:
- A first and last name
- A valid, Akamai domain email address
- A phone number
Get your contractId
A certificate enrollment is one of the many "objects" that you create and manage via your Akamai contract. To create a new enrollment, you need the unique identifier that Akamai generates for your contract. You can get this value using the list contract operation in PAPI.
Create the enrollment
Now, you can use the CPS API to generate a new certificate "enrollment."
2. Validate the certificate
At this phase, you need the certificate authority (Let's Encrypt) to validate your enrollment request. There are a few ways you can do this, but they require interaction with your DNS. The method we cover here is self-service. You'll apply a token in a file and add it to your site or app.
Get tokens for your site
Any operation that updates or creates something in the CPS API is referred to as a "change." Here, you review the change that was created for your enrollment and store some data from the response. You'll use this data to create the tokens used for validation.
Add tokens to your site
Use the values you stored from the get a change operation to create an HTML file and store it on your site:
- responseBody. Use a text editor to create a file and include this as the content of the file.
- token. This is the name of the file. Save it using the .html extension.
- fullPath. Note the subdirectories after the domain. Create this same path on your site and save the HTML file you created in this path.
If you've included multiple domains (SANs) in your enrollment, repeat this same process for each one.
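The token placement above, and the periodic check CPS performs afterwards, can be rehearsed locally before you wait on CPS. The example below is added here and is not Akamai's code: it takes the three values from the change response (the `ChangeData` struct and its sample values are constructed; the assumption that `fullPath` is a URL whose path ends in `<token>.html` under your site is mine), writes the file under a web root without letting a malformed path escape that root, serves the root with a local test server, and confirms the file comes back over HTTP with exactly the stored body. Run the same check against your real site URL once the file is deployed.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// ChangeData holds the three values copied from the CPS "get a change" response.
// Field names mirror the page; the sample values used below are constructed.
type ChangeData struct {
	ResponseBody string
	Token        string
	FullPath     string
}

// tokenFilePath derives the on-disk location of the token file from fullPath.
// Assumption: fullPath is a URL whose path ends in "<token>.html". The path is
// cleaned and confined to webRoot so a malformed value cannot write outside it.
func tokenFilePath(webRoot string, c ChangeData) (string, error) {
	u, err := url.Parse(c.FullPath)
	if err != nil {
		return "", err
	}
	clean := path.Clean("/" + u.Path)
	if path.Base(clean) != c.Token+".html" {
		return "", errors.New("fullPath does not end in <token>.html")
	}
	abs := filepath.Join(webRoot, filepath.FromSlash(clean))
	if !strings.HasPrefix(abs, filepath.Clean(webRoot)+string(filepath.Separator)) {
		return "", errors.New("token path escapes the web root")
	}
	return abs, nil
}

// writeToken creates the subdirectories from fullPath and stores responseBody
// in the <token>.html file, returning the path written.
func writeToken(webRoot string, c ChangeData) (string, error) {
	p, err := tokenFilePath(webRoot, c)
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
		return "", err
	}
	return p, os.WriteFile(p, []byte(c.ResponseBody), 0o644)
}

// checkToken fetches the token path from baseURL and reports whether the body
// matches responseBody exactly: a stand-in for the check CPS runs against your site.
func checkToken(baseURL string, c ChangeData) (bool, error) {
	u, err := url.Parse(c.FullPath)
	if err != nil {
		return false, err
	}
	resp, err := http.Get(baseURL + u.Path)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, nil
	}
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return false, err
	}
	return string(body) == c.ResponseBody, nil
}

// serveWebRoot starts a local static file server over webRoot so the check
// can be rehearsed offline before the file is deployed to the real site.
func serveWebRoot(webRoot string) *httptest.Server {
	return httptest.NewServer(http.FileServer(http.Dir(webRoot)))
}

func main() {
	root, err := os.MkdirTemp("", "webroot")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	c := ChangeData{ // constructed sample values
		ResponseBody: "constructed-response-body",
		Token:        "abc123",
		FullPath:     "http://www.example.com/.well-known/acme-challenge/abc123.html",
	}
	p, err := writeToken(root, c)
	if err != nil {
		panic(err)
	}
	srv := serveWebRoot(root)
	defer srv.Close()
	ok, err := checkToken(srv.URL, c)
	fmt.Printf("wrote %s; reachable with matching body: %v (err=%v)\n", p, ok, err)
}
```

If you enrolled several SANs, run the write-and-check pair once per domain with that domain's own change values; a body that comes back with extra whitespace or an error page (a 404 counts as a miss here) is the usual reason CPS keeps waiting.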
Wait for CPS
The last phase is automated. CPS will periodically check for the tokens on your site and ask Let's Encrypt to complete the validation. Once this happens, the administrator you set up in your enrollment will receive an email confirmation.
You're ready to go!
Other certificate methods
While it works for this tutorial, a domain-validated Standard TLS certificate may not fit your needs.
Method | Description
---|---
 | Do requests for your content require the exchange of personally identifiable information (PII)? If they do, you'll need the heightened protection offered with Enhanced TLS.
 | This is a separate method that automates the creation of a secure certificate, either Standard TLS or Enhanced TLS.
 | Secure hypertext transfer protocol (HTTPS) has become the standard for access on the Internet. While non-secure HTTP is still supported, it's not recommended.
Updated over 1 year ago