Certificates

Increase your customers' trust, encrypt sensitive information, and improve SEO rankings using TLS domain validation or third-party certificates that securely deliver content to and from your site.

Akamai managed certificates

Akamai managed enrollments provide certificates that verify ownership of the domains you provide.

When you create a domain validation enrollment, we automatically verify your domains and set a certificate expiry of 90 days.

Create new

Use your contract ID to send an enrollment object with all required parameters as a variable or JSON string in the new enrollment command.

ParameterDescription
Required
raThe registration or certificate authority you want to use for your certificate. Choose one of symantec, lets-encrypt, or third-party.
validationTypeThe type of validation performed for your certificate. Values are:
  • dv. Domain validation.
  • ev. Extended validation.
  • ov. Organization validation.
  • third-party. Third-party validation.
certificateTypeThe type of certificate. Values are
  • san. Subject alternative names.
  • single. Single domain.
  • wildcard.Primary domain and its subdomains.
  • wildcard-san. Multiple domains and their subdomains.
  • third-party. Varies depending on user needs and the certificate authority used.
networkConfigurationAn object that contains your network settings. Required parameters:
  • geography. Where to deploy your certificate. Values are core, china+core, and russia+core. China and Russia deployments require respective government permissions.
  • secureNetwork. The type of secure network for deployment. Values are standard-tls for non-PCI compliant or enhanced-tls for PCI compliant.
  • sniOnly. Whether you want to enable SNI-only extension for the enrollment.
  • quicEnabled. Whether to use the QUIC transport layer network protocol.
  • dnsNameSettings. An object with your DNS name options. Contains a required cloneDnsNames property that enables traffic direction to all the SANs listed in the SANs parameter.
changeManagementManages the deployment of your certificate.
  • false automatically deploys your certificate to both the staging and production networks.
  • true allows you to acknowledge you're ready to deploy the certificate beforehand.
You can test the certificate outside of CPS on the Edge Staging Network (ESN) to make sure it works in your environment and then deploy the certificate using the Set-CPSDeploymentSchedule cmdlet.
csrAn object containing your certificate signing request specifics.
  • cn. The common name for your certificate.
  • c. The country code for your company's location.
  • st. The state or province in which your company is located.
  • l. The city in which your company is located.
  • o. Your company's name.
  • sans. An array of your SANs.
orgAn object containing your company's address information.
  • name. Your company's name.
  • addressLineOne. Your company's street address.
  • city. The city in which your company is located.
  • region. The state or province your in which your company is located.
  • postalCode. Your company's zip or postal code.
  • country. The country cod for your company's location.
  • phone. Your company's main phone number in ITU-T E.164 format, +{country-code}{area-code}{subscriber-number}.
adminContactAn object containing the contact information for your admin representative.
  • firstName. Your contact's given name.
  • lastName. Your contacts surname.
  • phone. Your contact's phone number in ITU-T E.164 format, +{country-code}{area-code}{subscriber-number}.
  • email
  • . Your contact's email address.
techContactAn object containing the contact information for your technical representative.
  • firstName. Your contact's given name.
  • lastName. Your contacts surname.
  • phone. Your contact's phone number in ITU-T E.164 format, +{country-code}{area-code}{subscriber-number}.
  • email
  • . Your contact's email address.
enableMultiStackedCertificatesWhether to enable Dual-Stacked certificate deployment for your enrollment.
signatureAlgorithmYour digital signature hash designation. Values are SHA-1 or SHA-256.
Optional
networkConfiguration.disallowedTlsVersionsAn array of TLS protocol versions to disallow.
networkConfiguration.dnsNameSettings.dnsNamesAn array of DNS names served by SNI-only enabled enrollments.
networkConfiguration.mustHaveCiphersMust use ciphers to use while your certificate deploys to the network. Default is ak-akamai-default.
networkConfiguration.oscpStaplingEnables OSCP stapling for your enrollment. Values are on, off, not-set.
networkConfiguration.preferredCiphersCiphers you prefer to use while your certificate deploys to the network. Default is ak-akamai-default.
orgIdThe Digicert identifier for your company. If you use this, leave null the org, techContact, and adminContact parameters.
$body = @{
  ra = "lets-encrypt"
  validationType = "dv"
  certificateType = "san"
  networkConfiguration = @{
    geography = "core"
    secureNetwork = "standard-tls"
    sniOnly = $true
    quicEnabled = $false
    dnsNameSettings = @{
      cloneDnsNames = $true
    }
  }
  changeManagement = $true
  csr = @{
    cn = "example.enrollment.net"
    c = "US"
    st = "Cambridge"
    l = "Cambridge"
    o = "Akamai"
    sans = @(
      "example.enrollment.net"
    )
  }
  org = @{
    name = "Akamai"
    addressLineOne = "1234 Main Street"
    city = "Boston"
    region = "MA"
    postalCode = "02142"
    country = "US"
    phone = "(617) 555-1234"
  }
  adminContact = @{
    firstName = "John"
    lastName = "Smith"
    phone = "(617) 555-1234"
    email = "jsmith@example.com"
  }
  techContact = @{
    firstName = "John"
    lastName = "Smith"
    phone = "(617) 555-1234"
    email = "jsmith@example.com"
  }
  enableMultiStackedCertificates = $false
  signatureAlgorithm = "SHA-256"
}

New-CPSEnrollment -ContractID "ctr_C-0N7RAC7" -Body $body
New-CPSEnrollment -ContractID "ctr_C-0N7RAC7" -Body '{@{"ra": "lets-encrypt", "validationType": "dv", "certificateType": "san", "networkConfiguration": {"geography": "core", "secureNetwork": "standard-tls", "sniOnly": true"quicEnabled": false, "dnsNameSettings": {"cloneDnsNames": true}}, "changeManagement": true, "csr": {"cn": "example.enrollment.net", "c": "US", "st": "Cambridge", "l": "Cambridge", "o": "Akamai", "sans": ["example.enrollment.net"]}, "org": {"name": "Akamai", "addressLineOne": "1234 Main Street", "city": "Boston", "region": "MA", "postalCode": "02142", "country": "US", "phone": "(617) 555-1234"}, "adminContact": {"firstName": "John", "lastName": "Smith", "phone": "(617) 555-1234", "email": "jsmith@example.com"}, "techContact": {"firstName": "John", "lastName": "Smith", "phone": "(617) 555-1234", "email": "jsmith@example.com"}, "enableMultiStackedCertificates": false, "signatureAlgorithm": "SHA-256"}}'

Akamai automatically verifies your domain and deploys it to both the staging and production networks when you set changeManagement to false.

If you would rather test on staging before deploying to production, set the value to true, run your tests, and then use the Set-CPSDeploymentSchedule cmdlet to deploy your certificate to the production network.

New from existing

To create a new domain validation certificate from an existing enrollment, get the enrollment, make changes, and send your enrollment object as a variable or JSON string in the new enrollment command.

  1. Get your enrollments to find the ID of the one you want to use as your starting point.

    Get-CPSEnrollment
    
    id                             : 123456
    productionSlots                : {112233}
    stagingSlots                   : {112233}
    assignedSlots                  : {112233}
    location                       : /cps/v2/enrollments/123456
    ra                             : lets-encrypt
    validationType                 : dv
    certificateType                : san
    certificateChainType           : default
    networkConfiguration           : @{geography=core; secureNetwork=enhanced-tls; 
                                    mustHaveCiphers=ak-akamai-default; 
                                    preferredCiphers=ak-akamai-default; 
                                    disallowedTlsVersions=System.Object[]; sniOnly=True; 
                                    quicEnabled=True; dnsNameSettings=; ocspStapling=on; 
                                    clientMutualAuthentication=}
    signatureAlgorithm             : SHA-256
    changeManagement               : False
    csr                            : @{cn=example.enrollment.net; c=US; st=Cambridge; l=Cambridge; 
                                    o=Akamai; ou=; sans=System.Object[]; 
                                    preferredTrustChain=dst-root-ca-x3}
    org                            : @{name=Akamai; addressLineOne=1234 Main Street; 
                                    addressLineTwo=; city=Cambridge; region=MA; 
                                    postalCode=02142; country=US; phone=+1-6175551234}
    orgId                          : 
    adminContact                   : @{firstName=John; lastName=Smith; phone=+1-6175551234; 
                                    email=jsmith@example.com; addressLineOne=; 
                                    addressLineTwo=; city=; country=; organizationName=; 
                                    postalCode=; region=; title=}
    techContact                    : @{firstName=John; lastName=Smith; phone=+1-6175551234; 
                                    email=jsmith@example.com; addressLineOne=; 
                                    addressLineTwo=; city=; country=; organizationName=; 
                                    postalCode=; region=; title=}
    thirdParty                     : 
    enableMultiStackedCertificates : False
    autoRenewalStartTime           : 12/31/2023 11:42:25 PM
    pendingChanges                 : {}
    maxAllowedSanNames             : 100
    maxAllowedWildcardSanNames     : 25
    
    id                             : 234567
    productionSlots                : {}
    stagingSlots                   : {}
    assignedSlots                  : {}
    location                       : /cps/v2/enrollments/234567
    ra                             : lets-encrypt
    validationType                 : dv
    certificateType                : san
    certificateChainType           : default
    networkConfiguration           : @{geography=core; secureNetwork=standard-tls; 
                                    mustHaveCiphers=ak-akamai-default; 
                                    preferredCiphers=ak-akamai-default; 
                                    disallowedTlsVersions=System.Object[]; sniOnly=True; 
                                    quicEnabled=False; dnsNameSettings=; ocspStapling=on; 
                                    clientMutualAuthentication=}
    signatureAlgorithm             : SHA-256
    changeManagement               : False
    csr                            : @{cn=example.enrollment2.net; c=US; st=Cambridge; l=Cambridge; 
                                    o=Akamai; ou=; sans=System.Object[]; 
                                    preferredTrustChain=dst-root-ca-x3}
    org                            : @{name=Akamai; addressLineOne=1234 Main Street; 
                                    addressLineTwo=; city=Cambridge; region=MA; 
                                    postalCode=02142; country=US; phone=+1-6175551234}
    orgId                          : 
    adminContact                   : @{firstName=John; lastName=Smith; phone=+1-6175551234; 
                                    email=jsmith@example.com; addressLineOne=; 
                                    addressLineTwo=; city=; country=; organizationName=; 
                                    postalCode=; region=; title=}
    techContact                    : @{firstName=John; lastName=Smith; phone=+1-6175551234; 
                                    email=jsmith@example.com; addressLineOne=; 
                                    addressLineTwo=; city=; country=; organizationName=; 
                                    postalCode=; region=; title=}
    thirdParty                     : 
    enableMultiStackedCertificates : False
    autoRenewalStartTime           : 
    pendingChanges                 : {@{location=/cps/v2/enrollments/234567/changes/901234; 
                                    changeType=new-certificate}}
    maxAllowedSanNames             : 100
    maxAllowedWildcardSanNames     : 25
    
  2. Use an enrollment ID and set it to a variable or send its contents to a file to edit the output. Remove the enrollment specific identifiers added by Akamai.

    • id
    • productionSlots
    • stagingSlots
    • assignedSlots
    • location
    • autoRenewalStartTime
  3. Send your enrollment object as the value for -Body in the new enrollment cmdlet.

    New-CPSEnrollment -ContractID "ctr_C-0N7RAC7" -Body $MyEnrollment
    

Akamai automatically verifies your domain and deploys it to both the staging and production networks when you set changeManagement to false.

If you would rather test on staging before deploying to production, set the value to true, run your tests, and then use the Set-CPSDeploymentSchedule cmdlet to deploy your certificate to the production network.

Certificate renewal

Thirty days before your certificate expires, we'll contact you to begin the renewal process. This communication is followed by a notice 16 days before the expiry to let you know the renewal period is open.

Enhanced TLS certificate renewal and deployment is an automatic process.

Standard TLS certificate renewal and deployment can be manual or automatic. During the open period for a renewal, your enrollment enters a change-in-progress state that you complete by adding your renewed certificate. If you don't want to manage the renewal process manually, add the autoDomainValidation behavior to your property's default rule.

  1. Copy, paste, and save the autoDomainValidation behavior JSON to a file.

    Note: The autodv parameter is sent empty.

    {
      "name": "autoDomainValidation",
      "options": {
          "autodv": ""
      }
    }
    
  2. Set the behavior.json content to a variable.

    $Behavior = Get-Content -Raw behavior.json | ConvertFrom-JSON
    
  3. Get and set your property's rule tree to a variable.

    $Rules = Get-PropertyRuleTree -PropertyName "MyProperty" -PropertyVersion "latest"
    
  4. Add the new behavior.

    $Rules.rules.behaviors += $Behavior
    
  5. Update your property.

    $Rules | Set-PropertyRuleTree -PropertyName "MyProperty" -PropertyVersion "latest"
    
  6. Activate your property to apply the changes on a network.

    New-PropertyActivation -PropertyName "MyProperty" -PropertyVersion "latest" -Network "Staging" -NotifyEmails "jsmith@email.com"
    

Third-party certificates

To use a certificate from an external certificate authority, create third-party enrollment and upload your certificate.

  1. Get your certificate signing request.

    Get-CPSCSR -EnrollmentID 12345 -ChangeID 9876543
    
    csrs
    ----
    
    {@{keyAlgorithm=RSA; csr=BEGIN CERTIFICATE REQUEST-----\n\n-----END CERTIFICATE REQUEST}
    
  2. Use your contract ID to send an enrollment object with all required parameters as a variable or JSON string in the new enrollment command. Returned to you are the enrollments and change management resource paths. Your enrollment and change IDs are in the paths. You'll need them for the next step.

    $body = @{
      ra = "third-party"
      validationType = "third-party"
      thirdParty = @{
      excludeSans = @false
      }
      certificateType = "third-party"
      networkConfiguration = @{
        geography = "core"
        secureNetwork = "standard-tls"
        sniOnly = $true
        quicEnabled = $false
        dnsNameSettings = @{
          cloneDnsNames = $true
        }
      }
      changeManagement = $true
      csr = @{
        cn = "example.enrollment.net"
        c = "US"
        st = "Cambridge"
        l = "Cambridge"
        o = "Akamai"
        sans = @(
          "example.enrollment.net"
        )
      }
      org = @{
        name = "Akamai"
        addressLineOne = "1234 Main Street"
        city = "Boston"
        region = "MA"
        postalCode = "02142"
        country = "US"
        phone = "(617) 555-1234"
      }
      adminContact = @{
        firstName = "John"
        lastName = "Smith"
        phone = "(617) 555-1234"
        email = "jsmith@example.com"
      }
      techContact = @{
        firstName = "John"
        lastName = "Smith"
        phone = "(617) 555-1234"
        email = "jsmith@example.com"
      }
      enableMultiStackedCertificates = $false
      signatureAlgorithm = "SHA-256"
    }
    
    $ New-CPSEnrollment -ContractID "ctr_C-0N7RAC7" -Body $body
    
    $ New-CPSEnrollment -ContractID "ctr_C-0N7RAC7" -Body '{@{"ra": "third-party", "validationType": "third-party", "thirdParty": {"excludeSans": true}, "certificateType": "third-party", "networkConfiguration": {"geography": "core", "secureNetwork": "standard-tls", "sniOnly": true"quicEnabled": false, "dnsNameSettings": {"cloneDnsNames": true}}, "changeManagement": true, "csr": {"cn": "example.enrollment.net", "c": "US", "st": "Cambridge", "l": "Cambridge", "o": "Akamai", "sans": ["example.enrollment.net"]}, "org": {"name": "Akamai", "addressLineOne": "1234 Main Street", "city": "Boston", "region": "MA", "postalCode": "02142", "country": "US", "phone": "(617) 555-1234"}, "adminContact": {"firstName": "John", "lastName": "Smith", "phone": "(617) 555-1234", "email": "jsmith@example.com"}, "techContact": {"firstName": "John", "lastName": "Smith", "phone": "(617) 555-1234", "email": "jsmith@example.com"}, "enableMultiStackedCertificates": false, "signatureAlgorithm": "SHA-256"}}'
    
  3. Use your enrollment and change IDs to add your certificate to your property. Possible values for KeyAlorithm are RSA or ECDSA.

    Add-CPSThirdPartyCert -EnrollmentID 123456 -ChangeID 123456 -Certificate "--- BEGIN CERTIFICATE ------ END CERTIFICATE ---" -KeyAlgorithm RSA
    

Certificate renewal

Thirty days before your certificate expires, we'll contact you to begin the renewal process. This communication is followed by a notice 16 days before the expiry to let you know the renewal period is open. During the open period, your enrollment enters a change-in-progress state that you complete by adding your renewed certificate.

  1. Get your enrollment's change ID from the returned pendingChanges field.

    Get-CPSEnrollment -EnrollmentId 123456
    
    id                             : 234567
    productionSlots                : {}
    stagingSlots                   : {}
    assignedSlots                  : {}
    location                       : /cps/v2/enrollments/234567
    ra                             : third-party
    validationType                 : third-party
    certificateType                : third-party
    certificateChainType           : default
    networkConfiguration           : @{geography=core; secureNetwork=standard-tls; 
                                    mustHaveCiphers=ak-akamai-default; 
                                    preferredCiphers=ak-akamai-default; 
                                    disallowedTlsVersions=System.Object[]; sniOnly=True; 
                                    quicEnabled=False; dnsNameSettings=; ocspStapling=on; 
                                    clientMutualAuthentication=}
    signatureAlgorithm             : SHA-256
    changeManagement               : False
    csr                            : @{cn=example.enrollment2.net; c=US; st=Cambridge; l=Cambridge; 
                                    o=Akamai; ou=; sans=System.Object[]; 
                                    preferredTrustChain=dst-root-ca-x3}
    org                            : @{name=Akamai; addressLineOne=1234 Main Street; 
                                    addressLineTwo=; city=Cambridge; region=MA; 
                                    postalCode=02142; country=US; phone=+1-6175551234}
    orgId                          : 
    adminContact                   : @{firstName=John; lastName=Smith; phone=+1-6175551234; 
                                    email=jsmith@example.com; addressLineOne=; 
                                    addressLineTwo=; city=; country=; organizationName=; 
                                    postalCode=; region=; title=}
    techContact                    : @{firstName=John; lastName=Smith; phone=+1-6175551234; 
                                    email=jsmith@example.com; addressLineOne=; 
                                    addressLineTwo=; city=; country=; organizationName=; 
                                    postalCode=; region=; title=}
    thirdParty                     : 
    enableMultiStackedCertificates : False
    autoRenewalStartTime           : 
    pendingChanges                 : {@{location=/cps/v2/enrollments/234567/changes/901234; 
                                    changeType=new-certificate}}
    maxAllowedSanNames             : 100
    maxAllowedWildcardSanNames     : 25
    
  2. Use your enrollment and change IDs to add your certificate to your property. Possible values for KeyAlorithm are RSA or ECDSA.

    Add-CPSThirdPartyCert -EnrollmentID 234567 -ChangeID 901234 -Certificate "--- BEGIN CERTIFICATE ------ END CERTIFICATE ---" -KeyAlgorithm RSA
    

Update an enrollment

To update an existing enrollment, set an enrollment's output to a variable and make your changes.

  1. If you don't know your enrollment's ID, use the get enrollment command to return a list of your enrollments.

    Get-CPSEnrollment
    
    id                             : 123456
    productionSlots                : {112233}
    stagingSlots                   : {112233}
    assignedSlots                  : {112233}
    location                       : /cps/v2/enrollments/123456
    ra                             : lets-encrypt
    validationType                 : dv
    certificateType                : san
    certificateChainType           : default
    networkConfiguration           : @{geography=core; secureNetwork=enhanced-tls; 
                                    mustHaveCiphers=ak-akamai-default; 
                                    preferredCiphers=ak-akamai-default; 
                                    disallowedTlsVersions=System.Object[]; sniOnly=True; 
                                    quicEnabled=True; dnsNameSettings=; ocspStapling=on; 
                                    clientMutualAuthentication=}
    signatureAlgorithm             : SHA-256
    changeManagement               : False
    csr                            : @{cn=example.enrollment.net; c=US; st=Cambridge; l=Cambridge; 
                                    o=Akamai; ou=; sans=System.Object[]; 
                                    preferredTrustChain=dst-root-ca-x3}
    org                            : @{name=Akamai; addressLineOne=1234 Main Street; 
                                    addressLineTwo=; city=Cambridge; region=MA; 
                                    postalCode=02142; country=US; phone=+1-6175551234}
    orgId                          : 
    adminContact                   : @{firstName=John; lastName=Smith; phone=+1-6175551234; 
                                    email=jsmith@example.com; addressLineOne=; 
                                    addressLineTwo=; city=; country=; organizationName=; 
                                    postalCode=; region=; title=}
    techContact                    : @{firstName=John; lastName=Smith; phone=+1-6175551234; 
                                    email=jsmith@example.com; addressLineOne=; 
                                    addressLineTwo=; city=; country=; organizationName=; 
                                    postalCode=; region=; title=}
    thirdParty                     : 
    enableMultiStackedCertificates : False
    autoRenewalStartTime           : 12/31/2023 11:42:25 PM
    pendingChanges                 : {}
    maxAllowedSanNames             : 100
    maxAllowedWildcardSanNames     : 25
    
    id                             : 234567
    productionSlots                : {}
    stagingSlots                   : {}
    assignedSlots                  : {}
    location                       : /cps/v2/enrollments/234567
    ra                             : lets-encrypt
    validationType                 : dv
    certificateType                : san
    certificateChainType           : default
    networkConfiguration           : @{geography=core; secureNetwork=standard-tls; 
                                    mustHaveCiphers=ak-akamai-default; 
                                    preferredCiphers=ak-akamai-default; 
                                    disallowedTlsVersions=System.Object[]; sniOnly=True; 
                                    quicEnabled=False; dnsNameSettings=; ocspStapling=on; 
                                    clientMutualAuthentication=}
    signatureAlgorithm             : SHA-256
    changeManagement               : False
    csr                            : @{cn=example.enrollment2.net; c=US; st=Cambridge; l=Cambridge; 
                                    o=Akamai; ou=; sans=System.Object[]; 
                                    preferredTrustChain=dst-root-ca-x3}
    org                            : @{name=Akamai; addressLineOne=1234 Main Street; 
                                    addressLineTwo=; city=Cambridge; region=MA; 
                                    postalCode=02142; country=US; phone=+1-6175551234}
    orgId                          : 
    adminContact                   : @{firstName=John; lastName=Smith; phone=+1-6175551234; 
                                    email=jsmith@example.com; addressLineOne=; 
                                    addressLineTwo=; city=; country=; organizationName=; 
                                    postalCode=; region=; title=}
    techContact                    : @{firstName=John; lastName=Smith; phone=+1-6175551234; 
                                    email=jsmith@example.com; addressLineOne=; 
                                    addressLineTwo=; city=; country=; organizationName=; 
                                    postalCode=; region=; title=}
    thirdParty                     : 
    enableMultiStackedCertificates : False
    autoRenewalStartTime           : 
    pendingChanges                 : {@{location=/cps/v2/enrollments/234567/changes/901234; 
                                    changeType=new-certificate}}
    maxAllowedSanNames             : 100
    maxAllowedWildcardSanNames     : 25
    
  2. Assign the enrollment you want to a variable and make your changes.

    $MyEnrollment = Get-Enrollment -EnrollmentID 123456
    $MyEnrollment.csr.networkConfiguration.geography = "china+core"
    
  3. Use your contract ID to send your enrollment object as a variable or JSON string in the set enrollment command.

    Set-CPSEnrollment -Body $MyEnrollment
    

Akamai automatically verifies your domain and deploys it to both the staging and production networks when you set changeManagement to false.

If you would rather test on staging before deploying to production, set the value to true, run your tests, and then use the Set-CPSDeploymentSchedule cmdlet to deploy your certificate to the production network.

Delete enrollment

To delete an enrollment, send its ID in the remove enrollment command.

Remove-CPSEnrollment -EnrollmentID 123456