Manage certificate authority sets
Currently, mTLS Edge Truststore is available only to selected customers.
Create and activate certificate authority (CA) sets, also known as virtual certificate truststores, which store CA certificates used to validate client TLS certificates. By binding a CA set with your edge certificates, you enable a secure, mutual authentication (mTLS) session between a client and Akamai edge servers.
You can configure up to 200 CA sets per account, 100 versions per CA set, and 300 certificates per CA set version.
What you'll do
Set up an mTLS session by creating a CA set and then binding it to your edge certificate and property.
What you need
To create and use CA sets for an mTLS session, you need:
- Properties from the Property Manager (PAPI) API.
- Edge certificates from the Certificate Provisioning System (CPS) API.
1. Create a CA set
Use the New-METSCASet operation to create a new CA set by providing a name for it and an optional description.
With this operation, you can:
-
Specify the CA set's details using individual parameters.
New-METSCASet -CASetName 'my-ca-set' -Description 'Testing a CA set'accountId : A-CCT1234 caSetId : 12345 caSetLink : /mtls-edge-truststore/v1/ca-sets/12345 caSetName : my-ca-set createdBy : jsmith createdDate : 2025-09-16T13:18:51.594288387Z deletedBy : deletedDate : description : Testing a CA set isDeleted : False latestVersionLink : productionVersionLink : stagingVersionLink : versionsLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/ -
Specify the CA set's details in a variable as a hashtable,
PSCustomObject, or JSON string, and then pass the variable in the-Bodyparameter.$myCASet = @{ caSetName = "my-ca-set" description = "Testing a CA set" } New-METSCASet -Body $myCASet$myCASet = '{ "caSetName": "my-ca-set", "description": "Testing a CA set" }' New-METSCASet -Body $myCASet
2. Create a CA set version
Once you have a CA set, you can add valid, PEM-formatted certificates to it using the New-METSCASetVersion operation. Provide the CA set's name or ID to which you want to add one or more certificates. Then, specify certificates in one of these ways:
-
Provide a path to a file containing one or more certificates.
# For a CA set name New-METSCASetVersion -CASetName 'my-ca-set' -CertificatesFile './my-cert.pem' -Comments 'Creating CA set version 1' # For a CA set ID New-METSCASetVersion -CASetID 12345 -CertificatesFile './my-cert.pem' -Comments 'Creating CA set version 1'allowInsecureSha1 : False certificates : {@{certificateId=98765; certificatePem=-----BEGIN CERTIFICATE----- MIID <sample - removed for readability> .... Mweq -----END CERTIFICATE-----; createdBy=jsmith; createdDate=2025-09-16T13:58:48.579104936Z; description=; endDate=9/16/2026 1:37:57 PM; fingerprint=abc12345def6ghi78jklm9no012pqr456stu6vwx7yz89ab012cd34efghijklm56n; issuer=EMAILADDRESS=jsmith@example.com, CN=example.com, OU=IT, O=Akamai, L=Cambridge, ST=MA, C=US; serialNumber=ab12c345def6gh7i8jklm9no012pqr3; signatureAlgorithm=SHA256WITHRSA; startDate=9/16/2025 1:37:57 PM; subject=EMAILADDRESS=jsmith@example.com, CN=example.com, OU=IT, O=Akamai, L=Cambridge, ST=MA, C=US}} clonedFromVersionNumber : comments : Creating CA set version 1 createdBy : jsmith createdDate : 2025-09-16T13:58:48.629687489Z modifiedBy : modifiedDate : productionStatus : INACTIVE stagingStatus : INACTIVE validationResults : versionId : 23456 versionLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/23456 versionNumber : 1 -
Provide a path to a directory containing one or more certificate files.
# For a CA set name New-METSCASetVersion -CASetName 'my-ca-set' -CertificatesDirectory './my-certs-directory' -Comments 'Creating CA set version 1' # For a CA set ID New-METSCASetVersion -CASetID 12345 -CertificatesDirectory './my-certs-directory' -Comments 'Creating CA set version 1' -
Provide the certificates in a variable as a hashtable,
PSCustomObject, or JSON string, and then pass the variable in the-Bodyparameter.$myCerts = @{ certificates = @( { certificatePem = "-----BEGIN CERTIFICATE REQUEST-----\nMIID <sample - removed for readability> .... Mweq\n-----END CERTIFICATE REQUEST-----" } ) allowInsecureSha1 = $false comments = "Creating CA set version 1" } # For a CA set name New-METSCASetVersion -CASetName 'my-ca-set' -Body $myCerts # For a CA set ID New-METSCASetVersion -CASetID 12345 -Body $myCerts$myCerts = '{ "certificates": [ { "certificatePem": "-----BEGIN CERTIFICATE REQUEST-----\nMIID <sample - removed for readability> .... Mweq\n-----END CERTIFICATE REQUEST-----" } ], "allowInsecureSha1": false, "comments": "Testing a CA set version" }' # For a CA set name New-METSCASetVersion -CASetName 'my-ca-set' -Body $myCerts # For a CA set ID New-METSCASetVersion -CASetID 12345 -Body $myCerts
By default, the CA set version's certificates need a signature algorithm of SHA-256 or better. If you want to use certificates with SHA-1 (insecure) signatures, you can enable them with the -AllowInsecureSha1 switch parameter.
Optionally, you can provide any additional comments when creating or updating a CA set version.
You can have up to 100 versions on a single CA set. If you reach the limit, you need to create a new CA set.
Tip
A signed certificate that you add to the CA set version must be issued by a certificate authority (CA). This includes recognized global CAs, like DigiCert, GlobalSign, or Entrust. Alternatively, you can use certificates issued by your organization's internal CA.
3. Activate a CA set version
A new CA set version needs to be activated on staging and production networks before it can be linked to any edge certificate.
You can activate the version with the New-METSCASetActivation operation or its alias Deploy-METSCASet by specifying the CA set's name or ID, version ID, and network of activation (STAGING or PRODUCTION).
Here are several things to take into account when activating a CA set version:
- The
New-METSCASetActivationoperation can only activate a CA set version on one network, staging or production. To activate on both, you need to instantiate two separate operations. - Processing the CA set activation takes about 12–15 minutes on each network.
- A new activation automatically replaces an old activation.
# For a CA set name
Deploy-METSCASet -CASetName 'my-ca-set' -VersionID 23456 -Network 'STAGING'
# For a CA set ID
Deploy-METSCASet -CASetID 12345 -VersionID 23456 -Network 'STAGING'
activationId : 654321
activationLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/23456/activations/654321
caSetId : 12345
caSetLink : /mtls-edge-truststore/v1/ca-sets/12345
createdBy : jsmith
createdDate : 9/16/2025 2:16:25 PM
modifiedBy :
modifiedDate :
network : STAGING
status : IN_PROGRESS
type : ACTIVATE
validationResults :
versionId : 23456
versionLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/23456
versionNumber : 1
To check the status of a given activation, run the Get-METSCASetActivation command by specifying the CA set's name or ID as well as version and activation IDs.
# For a CA set name
Get-METSCASetActivation -CASetName 'my-ca-set' -VersionID 23456 -ActivationID 654321
# For a CA set ID
Get-METSCASetActivation -CASetID 12345 -VersionID 23456 -ActivationID 654321
activationId : 654321
activationLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/23456/activations/654321
caSetId : 12345
caSetLink : /mtls-edge-truststore/v1/ca-sets/12345
createdBy : jsmith
createdDate : 9/16/2025 2:16:25 PM
modifiedBy : jsmith
modifiedDate : 9/16/2025 2:22:01 PM
network : STAGING
status : COMPLETE
type : ACTIVATE
validationResults :
versionId : 23456
versionLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/23456
versionNumber : 1
4. Set up mutual authentication
After you activate your CA set, set up mutual authentication in Certificate Provisioning System (CPS) to bind your CA certificates to the CPS enrollment. CPS establishes a link between a slot and the entire CA set, allowing the application to use any active version within that CA set. You can do this by adding the CA set ID to the networkConfiguration.clientMutualAuthentication.setId argument of your enrollment.
Currently, you can perform this binding only if the CA set has active versions on both the staging and production networks. This includes scenarios where the same version is active on both networks or different versions are active on each network.
Notes:
- You can't set up your mTLS configuration on the staging network only, including activating the property and CA set solely on staging. This is because, for a CPS enrollment to work properly, the CA set must be activated on the production network.
- If you want to remove your mTLS Truststore configuration at some point, first delete the enrollment. Only then can you remove both CA set activations. This order is necessary because the enrollment uses data from both staging and production CA set activations.
To update your enrollment with the CA set ID:
-
If you don't know your enrollment's ID, use the
Get-CPSEnrollmentcommand to return a list of your enrollments. -
Assign the enrollment you want to a variable and make your changes.
$MyEnrollment = Get-CPSEnrollment -EnrollmentID 54321 $MyEnrollment.networkConfiguration.clientMutualAuthentication.setId = "12345" -
Use your enrollment ID to pipe your updated enrollment object variable to the
Set-CPSEnrollmentcommand.$MyEnrollment | Set-CPSEnrollment -EnrollmentID 123456enrollment changes enrollmentId changeIds ---------- ------- ------------ --------- /cps/v2/enrollments/123456 {/cps/v2/enrollments/123456/changes/9876543} 543210 {9876543}
5. Add property behaviors
Configure your property to point to the CA set ID you want to use to establish an mTLS session.
First, get your property's rule tree as JSON snippets. The output is a directory at your current location containing your rule's configurations.
Get-PropertyRules -PropertyName 'my-property-1' -PropertyVersion 'latest' -OutputSnippets -OutputDirectory './my-property-rules'
Basic settings
You can apply a simple rule to deny requests to a specific hostname if they don't properly apply mTLS. In this case, to your property rules' main.json file:
-
Add the hostname criterion and define the hostname you've added to your property. The hostname needs to use the edge certificate where you've enabled mTLS for the server.
{ "criterion": [ { "name": "hostname", "options": { "matchOperator": "IS_ONE_OF", "values": [ "example.com" ] } } ] } -
Add the enforceMtlsSettings behavior. For this behavior:
- Set the
enableAuthSetargument totrueto enforce CA sets. - In the
certificateAuthoritySetargument, provide the CA set IDs that are bound to the edge certificate in CPS. - Enable the optional online certificate support protocol (OCSP) status if the certificates you're using in your CA set (for client requests) and your edge certificates in CPS (for the server response) use OCSP.
- Enable the optional deny request setting to deny any request for the specified secure hostname that doesn't match the settings applied in this behavior. A request doesn't match and isn't allowed if both of the following apply:
- The CA sets you've provided in this behavior aren't bound to the edge certificate you've included in your secure hostname.
- The OCSP setting in your edge certificate doesn't match what you've set in this behavior. For example, if it's disabled in this behavior but enabled in your edge certificate, then the request is denied.
{ "behaviors": [ { "name": "enforceMtlsSettings", "options": { "certificateAuthoritySet": [ "12345" ], "enableAuthSet": true, "enableDenyRequest": true, "enableOcspStatus": true } } ] } - Set the
Custom settings
You can apply some custom rules to your mTLS settings. That includes:
- A parent rule to enforce mTLS settings.
- Two nested child rules to handle mismatched requests.
With this setup, successful requests pass through client certificate information via headers for transitive trust between the client and your origin server. Also, non-matching requests are allowed but logged for analysis in the Log Delivery Service report.
To set this up:
-
Add the
hostnamecriterion. -
Add the
enforceMtlsSettingsbehavior. In this case:- Set the
enableAuthSetargument totrueto enforce CA sets. - In the
certificateAuthoritySetargument, provide the CA set IDs that are bound to the edge certificate in CPS. - Enable the optional online certificate support protocol (OCSP) status if the certificates you're using in your CA set (for client requests) and your edge certificates in CPS (for the server response) use OCSP.
- Disable the optional deny request setting to allow any request for the specified secure hostname that matches or doesn't match the settings applied in this behavior. For requests that don't match the settings, you'll incorporate custom settings through other rules. A request doesn't match and isn't allowed if either of the following applies:
- The CA sets you've provided in this behavior aren't bound to the edge certificate you've included in your secure hostname.
- The OCSP setting in your edge certificate doesn't match what you've set in this behavior. For example, if it's disabled in this behavior but enabled in your edge certificate, then the request is denied.
{ "behaviors": [ { "name": "enforceMtlsSettings", "options": { "certificateAuthoritySet": [ "12345" ], "enableAuthSet": true, "enableDenyRequest": false, "enableOcspStatus": true } } ] } - Set the
-
Add the
clientCertificatecriterion. For this criterion:- Set the
isCertificatePresentargument totrueto execute rule behaviors only if a client certificate authenticates requests. - Set the
isCertificateValidargument toVALIDto match when the certificate is valid. - Set the
enforceMtlsargument totrueto specify custom handling of requests if any of the checks in theenforceMtlsSettingsbehavior fail.
{ "criterion": [ { "name": "clientCertificate", "options": { "isCertificatePresent": true, "isCertificateValid": "VALID", "enforceMtls": true } } ] } - Set the
-
Add the
clientCertificateAuthbehavior as a child rule to forward client certificate details to your origin server as headers. For this behavior:- Set the
enableargument totrueso that the property can build theClient-To-Edgeauthentication header using information from the client to edge mTLS handshake and forward it to your origin. - If you disable the
enableCompleteClientCertificateattribute, specifyclientCertificateAttributesto include in theClient-To-Edgeauthentication header that's sent to your origin server. - Set the
enableClientCertificateValidationStatusargument totrueto include the current validation status of the client certificate in theClient-To-Edgeauthentication header.
{ "behaviors": [ { "name": "clientCertificateAuth", "options": { "clientCertificateAttributes": [ "SHA256_FINGERPRINT" ], "enable": true, "enableClientCertificateValidationStatus": true, "enableCompleteClientCertificate": false } } ] } - Set the
-
Add the
logCustombehavior as another child rule to generate log data for mismatched mTLS certificate requests. For this behavior:- Set the
logCustomLogFieldargument totrueto include what's set in the custom log field. - In the
customLogFieldargument, specify the additional data field you want to append to each log line.
{ "behaviors": [ { "name": "logCustom", "options": { "logCustomLogField": true, "customLogField": "invalid_mTLS" } } ] } - Set the
Full mTLS setting
{
"name": "default",
"children": [
"#include:basic-mtls-settings.json"
],
"behaviors": [
{
"name": "origin",
"options": {
"cacheKeyHostname": "ORIGIN_HOSTNAME",
"compress": true,
"enableTrueClientIp": true,
"forwardHostHeader": "REQUEST_HOST_HEADER",
"hostname": "example.com",
"httpPort": 80,
"httpsPort": 443,
"ipVersion": "IPV4",
"minTlsVersion": "DYNAMIC",
"originCertificate": "",
"originSni": true,
"originType": "CUSTOMER",
"ports": "",
"tlsVersionTitle": "",
"trueClientIpClientSetting": false,
"trueClientIpHeader": "True-Client-IP",
"verificationMode": "PLATFORM_SETTINGS"
}
},
{
"name": "http3",
"options": {
"enable": false
}
},
{
"name": "originCharacteristics",
"options": {
"authenticationMethod": "AUTOMATIC",
"authenticationMethodTitle": "",
"country": "UNKNOWN",
"originLocationTitle": ""
}
},
{
"name": "cpCode",
"options": {
"value": {
"id": 12345
}
}
},
{
"name": "caching",
"options": {
"behavior": "MAX_AGE",
"mustRevalidate": false,
"ttl": "50000s"
}
}
],
"options": {},
"variables": "#include:pmVariables.json"
}
{
"name": "Basic mTLS enforcement settings",
"children": [
"#include:custom-mtls-settings.json"
],
"behaviors": [
{
"name": "enforceMtlsSettings",
"options": {
"certificateAuthoritySet": [
"12345"
],
"enableAuthSet": true,
"enableDenyRequest": false,
"enableOcspStatus": true
}
}
],
"criteria": [
{
"name": "hostname",
"options": {
"matchOperator": "IS_ONE_OF",
"values": [
"example.com"
]
}
}
],
"criteriaMustSatisfy": "any"
}
{
"name": "Custom mTLS enforcement settings",
"children": [],
"behaviors": [
{
"name": "clientCertificateAuth",
"options": {
"clientCertificateAttributes": [
"SHA256_FINGERPRINT"
],
"enable": true,
"enableClientCertificateValidationStatus": true,
"enableCompleteClientCertificate": false
}
},
{
"name": "logCustom",
"options": {
"customLogField": "invalid_mTLS",
"logCustomLogField": true
}
}
],
"criteria": [
{
"name": "clientCertificate",
"options": {
"enforceMtls": true,
"isCertificatePresent": true,
"isCertificateValid": "VALID"
}
}
],
"criteriaMustSatisfy": "all"
}
Add rules to a property
Add your updated rules to your property, pointing to the appropriate directory.
Send your entire rule tree back. Rules not returned are removed from your property.
Set-PropertyRules -PropertyName 'my-property-1' -PropertyVersion 'latest' -InputDirectory './my-property-rules' -VersionNotes 'Adding an mTLS Truststore setting'
The output returns your rule tree along with any errors or warnings upon upload.
6. Activate your property
To activate the property containing your newly added mTLS Truststore settings, provide a value for the network ( STAGING or PRODUCTION) and activate your property using the New-PropertyActivation command or its alias Deploy-Property.
Deploy-Property -PropertyName 'my-property' -PropertyVersion 'latest' -Network 'STAGING' -NotifyEmails 'jsmith@email.com'
activationLink activationId
-------------- ------------
/papi/v1/properties/prp_12345/activations/atv_67890?contractId=ctr_C-0N7RAC7&groupId=grp_12345 atv_67890
Other actions
Update a CA set and version
In the created CA set, you can't update its name or description. You can only update its non-activated version.
Note that you can't modify a CA set version when:
- It's already active on the staging or production network.
- It was activated and then deactivated.
- There are deployment requests in progress for the version on a network. If the deployment fails, you can make changes to the version.
If you don't know your CA set's version ID, run the Get-METSCASetVersion command to return all available versions for a given CA set. To get a specific CA set version, pass its ID in the command.
# Get all versions for a CA set name
Get-METSCASetVersion -CASetName 'my-ca-set'
# Get all versions for a CA set ID
Get-METSCASetVersion -CASetID 12345
# Get one version for a CA set name
Get-METSCASetVersion -CASetName 'my-ca-set' -VersionID 23456
# Get one version for a CA set ID
Get-METSCASetVersion -CASetID 12345 -VersionID 23456
allowInsecureSha1 : False
certificates : {}
clonedFromVersionNumber :
comments :
createdBy : jsmith
createdDate : 8/11/2025 1:16:07 PM
modifiedBy : jsmith
modifiedDate : 9/16/2025 3:51:51 PM
productionStatus : INACTIVE
stagingStatus : INACTIVE
validationResults :
versionId : 34567
versionLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/34567
versionNumber : 1
allowInsecureSha1 : False
certificates : {}
clonedFromVersionNumber : 1
comments : test cert
createdBy : jsmith
createdDate : 8/12/2025 9:39:00 AM
modifiedBy : jsmith
modifiedDate : 9/16/2025 3:51:51 PM
productionStatus : ACTIVE
stagingStatus : ACTIVE
validationResults :
versionId : 23456
versionLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/23456
versionNumber : 2
allowInsecureSha1 : False
certificates : {@{certificateId=98765; certificatePem=-----BEGIN CERTIFICATE-----
MIID <sample - removed for readability> .... Mweq
-----END CERTIFICATE-----; createdBy=jsmith; createdDate=8/11/2025 1:16:06 PM; description=Test
certificate; endDate=8/11/2026 12:54:16 PM;
fingerprint=abc12345def6ghi78jklm9no012pqr456stu6vwx7yz89ab012cd34efghijklm56n;
issuer=EMAILADDRESS=jsmith@example.com, CN=example.com, OU=IT, O=Akamai, L=Cambridge,
ST=MA, C=US; serialNumber=ab12c345def6gh7i8jklm9no012pqr3;
signatureAlgorithm=SHA256WITHRSA; startDate=8/11/2025 12:54:16 PM;
subject=EMAILADDRESS=jsmith@example.com, CN=example.com, OU=IT, O=Akamai, L=Cambridge,
ST=MA, C=US}}
clonedFromVersionNumber : 1
comments : test cert
createdBy : jsmith
createdDate : 8/12/2025 9:39:00 AM
modifiedBy : jsmith
modifiedDate : 9/16/2025 3:51:51 PM
productionStatus : ACTIVE
stagingStatus : ACTIVE
validationResults :
versionId : 23456
versionLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/23456
versionNumber : 2
Before updating a CA set version, use the Get-METSCASetVersionCertificate operation to check whether the CA set has any expired or about-to-expire certificates. In the command, provide the CA set's name or ID, and the version ID for which you want to list certificates.
# For a CA set name
Get-METSCASetVersionCertificate -CASetName 'my-ca-set' -VersionID 23456
# For a CA set ID
Get-METSCASetVersionCertificate -CASetID 12345 -VersionID 23456
certificateId : 98765
certificatePem : -----BEGIN CERTIFICATE-----
MIID <sample - removed for readability> .... Mweq
-----END CERTIFICATE-----
createdBy : jsmith
createdDate : 9/16/2025 1:58:48 PM
description :
endDate : 9/16/2026 1:37:57 PM
fingerprint : abc12345def6ghi78jklm9no012pqr456stu6vwx7yz89ab012cd34efghijklm56n
issuer : EMAILADDRESS=jsmith@example.com, CN=example.com, OU=IT, O=Akamai, L=Cambridge, ST=MA,
C=US
serialNumber : ab12c345def6gh7i8jklm9no012pqr3
signatureAlgorithm : SHA256WITHRSA
startDate : 9/16/2025 1:37:57 PM
subject : EMAILADDRESS=jsmith@example.com, CN=example.com, OU=IT, O=Akamai, L=Cambridge, ST=MA,
C=US
To update a non-activated version, run the Set-METSCASetVersion command by specifying the CA set's name or ID, version ID, and PEM-formatted certificates. You can run this operation in one of these ways:
-
Provide a path to a file containing one or more certificates.
# For a CA set name Set-METSCASetVersion -CASetName 'my-ca-set' -VersionID 23456 -CertificatesFile './my-cert.pem' -Comments 'Updating a CA set version' # For a CA set ID Set-METSCASetVersion -CASetID 12345 -VersionID 23456 -CertificatesFile './my-cert.pem' -Comments 'Updating a CA set version'allowInsecureSha1 : False certificates : {@{certificateId=98765; certificatePem=-----BEGIN CERTIFICATE----- MIID <sample - removed for readability> .... Mweq -----END CERTIFICATE-----; createdBy=jsmith; createdDate=2025-09-17T11:17:32.223428333Z; description=; endDate=9/17/2026 9:56:00 AM; fingerprint=a1234bc5def67ghi8jklm901no24pqr56stu6vwx7yz89ab01cd234efghi5jklm6n; issuer=EMAILADDRESS=jsmith@example.com, CN=example-2.com, OU=IT, O=Akamai, L=Cambridge, ST=MA, C=US; serialNumber=a1bc2d345ef6gh7ijklm89no012pq3r; signatureAlgorithm=SHA256WITHRSA; startDate=9/17/2025 9:56:00 AM; subject=EMAILADDRESS=jsmith@example.com, CN=example-2.com, OU=IT, O=Akamai, L=Cambridge, ST=MA, C=US}} clonedFromVersionNumber : 1 comments : createdBy : jsmith createdDate : 9/17/2025 11:08:48 AM modifiedBy : jsmith modifiedDate : 2025-09-17T11:17:32.573419592Z productionStatus : INACTIVE stagingStatus : INACTIVE validationResults : versionId : 34567 versionLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/34567 versionNumber : 2 -
Provide a path to a directory containing one or more certificate files.
# For a CA set name Set-METSCASetVersion -CASetName 'my-ca-set' -VersionID 23456 -CertificatesDirectory './my-certs-directory' -Comments 'Updating a CA set version' # For a CA set ID Set-METSCASetVersion -CASetID 12345 -VersionID 23456 -CertificatesDirectory './my-certs-directory' -Comments 'Updating a CA set version' -
Provide the certificates in a variable as a hashtable,
PSCustomObject, or JSON string, and then pass the variable in the-Bodyparameter.$myCerts = @{ certificates = @( { certificatePem = "-----BEGIN CERTIFICATE REQUEST-----\nMIID <sample - removed for readability> .... Mweq\n-----END CERTIFICATE REQUEST-----" } ) allowInsecureSha1 = $false comments = "Updating a CA set version" } # For a CA set name Set-METSCASetVersion -CASetName 'my-ca-set' -VersionID 23456 -Body $myCerts # For a CA set ID Set-METSCASetVersion -CASetID 12345 -VersionID 23456 -Body $myCerts$myCerts = '{ "certificates": [ { "certificatePem": "-----BEGIN CERTIFICATE REQUEST-----\nMIID <sample - removed for readability> .... Mweq\n-----END CERTIFICATE REQUEST-----" } ], "allowInsecureSha1": false, "comments": "Testing a CA set version" }' # For a CA set name et-METSCASetVersion -CASetName 'my-ca-set' -VersionID 23456 -Body $myCerts # For a CA set ID Set-METSCASetVersion -CASetID 12345 -VersionID 23456 -Body $myCerts
If you need to make updates on an activated CA set version, clone it with the Copy-METSCASetVersion command or create a new version with the New-METSCASetVersion command.
Deactivate a CA set version
Before deactivating a CA set version from all networks, make sure the CA set that this version belongs to is unbound from a slot in Certificate Provisioning System (CPS). To verify if the CA set is bound to any certificate in CPS, run the List CA set associations operation. If the enrollments attribute returns any records, the CA set is in use.
Use the New-METSCASetDeactivation operation or its alias Disable-METSCASet to deactivate a CA set version by specifying the CA set's name or ID, version ID, and network of deactivation (STAGING or PRODUCTION).
# For a CA set name
Disable-METSCASet -CASetName 'my-ca-set' -VersionID 23456 -Network 'STAGING'
# For a CA set ID
Disable-METSCASet -CASetID 12345 -VersionID 23456 -Network 'STAGING'
activationId : 543210
activationLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/23456/activations/543210
caSetId : 12345
caSetLink : /mtls-edge-truststore/v1/ca-sets/12345
createdBy : jsmith
createdDate : 9/17/2025 9:07:18 AM
modifiedBy :
modifiedDate :
network : STAGING
status : IN_PROGRESS
type : DEACTIVATE
validationResults :
versionId : 23456
versionLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/23456
versionNumber : 1
Run the Get-METSCASetActivation command to check the status of a given deactivation. In the command, specify the CA set's name or ID as well as version and activation IDs.
# For a CA set name
Get-METSCASetActivation -CASetName 'my-ca-set' -VersionID 23456 -ActivationID 543210
# For a CA set ID
Get-METSCASetActivation -CASetID 12345 -VersionID 23456 -ActivationID 543210
activationId : 543210
activationLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/23456/activations/543210
caSetId : 12345
caSetLink : /mtls-edge-truststore/v1/ca-sets/12345
createdBy : jsmith
createdDate : 9/17/2025 9:07:18 AM
modifiedBy : jsmith
modifiedDate : 9/17/2025 9:10:51 AM
network : STAGING
status : COMPLETE
type : DEACTIVATE
validationResults :
versionId : 23456
versionLink : /mtls-edge-truststore/v1/ca-sets/12345/versions/23456
versionNumber : 1
Delete a CA set
Before removing the CA set, first remove it from your property in the enforceMtlsSettings behavior. Next, unbind the CA set from the certificate in Certificate Provisioning System (CPS). If you don’t, your service will become disabled for requests to your property.
To verify if the CA set is currently bound to any certificate in CPS, run the List CA set associations operation. If the enrollments attribute returns any records, the CA set is in use. This operation also returns properties. However, this attribute only applies when a CA set is linked to property hostnames via a CCM (Cloud Certificate Manager) certificate.
Warning: Impact to Property Behavior
If you delete a certificate enrollment that's linked to a CA set and used in a property hostname, requests to your property may stop working correctly. CPS doesn't currently provide warnings before or after deleting an enrollment.
To avoid unintentionally removing a certificate from a property, delete items in this order:
- Delete the property hostname.
- Remove the
enforceMtlsSettingsbehavior from the property's rule tree.- Delete the CPS enrollment.
- Deactivate the CA set and remove it.
You can delete a CA set only after deactivating its versions. If there are active versions, first deactivate them from staging and production networks, then delete the CA set with the Remove-METSCASet command, specifying its name or ID.
# By a CA set name
Remove-METSCASet -CASetName "my-ca-set"
# By a CA set ID
Remove-METSCASet -CASetID 12345
deletions
---------
{@{caSetId=12345; caSetLink=/mtls-edge-truststore/v1/ca-sets/12345; createdBy=jsmith; createdDate=9/16/2025 01:58:48 PM;
The CA set removal is initiated separately for each network. If it's processed correctly on one network but fails on another network, you need to retry the delete.
When you delete the CA set, it's removed from both staging and production networks and marked as DELETED. The deleted CA set is rendered as read-only and can’t be reactivated.
Updated about 4 hours ago