Guide

Add a hostname with a Default DV certificate (Limited Availability)

Suggest Edits

Easily secure client requests by creating and provisioning a Default Domain Validated (DV) certificate when you add a hostname to a property.

📘

Default DV certificates are currently in Limited Availability. To have this feature added to your contract, contact your Akamai representative.

Before you begin

In Property Manager, create a brand new property or edit an existing one.

How to

  1. In the Property Manager Editor, in the Property Hostnames panel, click +Hostnames>Add Hostname(s).

  2. In the Add Hostname(s) field, enter the hostnames you want to use and click Next. The names don't need to contain https://, just the domain.

👍

You can add multiple hostnames by pasting them into the field. If you do, each value needs to be separated by a space or comma, or contained on separate lines. Duplicate names are skipped.

  1. To request a new certificate, make sure Automatically request certificates is On.

  2. Select the Deployment network. You can choose Standard TLS or Enhanced TLS. Your network selection needs to match your Security Options settings in the Property Version Information section. For more information, see Compare the security levels.

  3. In the Validation section, you can continue with the recommended Auto DNS domain validation method that automatically renews the certificate, or decide to use alternative methods. See Domain Validation Methods for more information and detailed instructions for each validation type.

  4. Click Next.

  5. If applicable, specify the desired Mapping Solution. If none of the following apply to you, skip to the next step.

📘

You can only select one Mapping Solution—you can enable Edge IP Binding, or select a Use Case, but not both.

  1. Click Next. Select the checkboxes next to property hostnames you want to configure edge hostnames for. You can apply your edge hostname settings to multiple property hostnames at the same time. You can either configure separate edge hostnames for each property hostname, or have property hostnames with Default DV certificates share one common edge hostname.
  • Create. With this option selected, you can define a fully custom edge hostname and select a different domain.
  • Select existing. Select this option if you want to associate your property hostname with an existing edge hostname.
  • Custom. Select this option to manually input a CNAME target to be used in the association. Contact your account representative for further details on the proper use of this field, and whether it applies to your environment configuration.
  1. Select the appropriate IP version, based on what your application or site can support. Make sure the version you select is compatible with the domain validation method you want to use. As best practice, you should select the Dual-stack (IPv4+IPv6) option.
  2. Once you complete selecting your hostname options, click Submit.
  3. Review the information in the Success window and apply its instructions as required. Click Close.

You can view all details for a hostname in the Property Hostnames panel by expanding a particular row.

🚧

You can provision up to 50 Default DV certificates per hour. If you exceed that limit, Property Manager automatically queues and processes the remaining certificates in the next in a phased manner over the next few hours respecting rate limits.

Domain Validation Methods

Your preferable validation method may vary depending on the complexity of your configuration. ​Akamai​ offers four ways to prove you control the domains listed in the certificate request. For every property hostname that you add, the certificate system pre-checks if any of the recommended automatic methods apply.

Below you'll find an overview of each method. You can also determine the most suitable validation type in the Validate certificate domains window using the Validation Guidance panel.

Auto DNS

The most popular and recommended validation method. ​Akamai​ generates a CNAME record that you copy to your DNS to automatically handle domain validation challenges and certificate renewal. For example, _acme-challenge.www.example.com CNAME ac.blah.www.example.com.validate-akdv.net.

Advantages:

  • Create the _acme-challenge CNAME DNS record before activating the property.
  • Certificates renew automatically as long as the \_acme-challenge record in your DNS points to the provided target validation hostname.
  • Supports wildcard hostnames.

Constraints:

  • You need direct control over your DNS records.

How to

With Auto DNS domain validation method, create the _acme-challenge CNAME DNS record while setting up your property hostnames.

  1. In the Add Hostname(s) window, in the Certificate step, navigate to the Validation section and make sure the Recommended view is enabled. The table displays the _acme-challenge CNAME records you need to add to your DNS.
  2. Download all records. You can also copy records individually by clicking the icon in each row.
  3. Add the CNAME records to your DNS and make sure each record points to the target validation hostname.
  4. Click Next and continue setting up the rest of your property. The domain validation process completes once you activate a property version. Check the Status column in the Property Hostnames panel for more details.

See also Onboard a property with a Default DV certificate.

Auto HTTP

Once you activate your property, ​Akamai​ certificate system automatically checks whether this method is available for any of your property hostnames. To validate your domain, you only need to replace your existing CNAME record with a new one, setting its value to the edge hostname. For example www.example.com CNAME www.example.com.edgesuite.net.

Advantages:

  • Certificates renew automatically as long as the record in your DNS points to the ​Akamai​ edge hostname.
  • You don't need to set up any validation challenges.

Constraints:

  • You need to activate version 1 of your property to check if the method is available for your property hostnames. If you want to use this method for the initial certificate validation, not to renew the validation, you need to go live on ​Akamai Technologies, Inc.​ without a certificate. That means that HTTPS service will be down until the certificate is deployed. If you need to maintain continuous HTTPS service, use the Manual HTTP method instead.
  • Doesn't support wildcard hostnames.
  • Requires access to port 80/regular HTTP.
  • Akamai follows the HTTP redirects when verifying the HTTP tokens.
  • The .well-known/acme-challenge needs to be excluded from auto redirect/404 redirections.

How to

You don’t need to complete any additional steps to validate the domain using this method. As with every property, you only need to replace your existing DNS record with a new CNAME, setting its value to the edge hostname, for example www.example.com CNAME www.example.com.edgesuite.net.

If you want to use this method for the initial certificate validation, not to renew the validation, you'll need to go live on ​Akamai​ without a certificate.

🚧

  • To maintain continuous HTTPS service, use the Manual HTTP method.
  • For Standard TLS, the Auto Domain Validation module is required.

Manual DNS

In this method, ​Akamai​ provides a token that you use to set up a TXT record in your main DNS zone at acme-challenge.<property_hostname>.

Advantages:

  • Useful if you send your traffic to more than one Content Delivery Network (CDN) and want to manage domain validation through multiple TXT records in your DNS. This ensures that the validation requests from the CA succeed regardless of which CDN the hostname resolves to.
  • Supports wildcard hostnames.

Constraints:

  • You need to manually obtain the new challenge tokens from ​Akamai​ and add them to your DNS zone before the certificate expires. Otherwise, you risk the hostname’s certificate expiring, and a denial of service.
  • Challenge tokens are valid only for a certain number of days. Once the token expires, we will fetch a new token from the CA. If the current token expires before you are able to use it, then you can request a new token by clicking the button next to token expiration date.
  • You need to activate version 1 of your property to check if the method is available for your property hostnames.
  • Difficult to automate if your DNS provider doesn't offer an API.

How to

  1. Once you activate your property version, in the Property Manager Editor, in the Property Hostnames panel, click Actions>Validate certificate domains.

  2. In the Validate certificate domains window, click Advanced View. The table displays details for each domain validation method that's available for your hostnames.

  3. Download Manual DNS records. You can also copy challenges individually in each row.

  4. Use the copied challenges to set up TXT records in your main DNS zone at the _acme-challenge.<property_hostname> destination.

  5. Wait for ​Akamai​ to verify the updated record and display the Validated message in the Status column.

  6. If the status shows Paused, click the play icon to resume the domain validation process. If there are issues that you need to fix, you get a warning message with reasons why the process has been paused.

See also Onboard a property with Default DV certificate and advanced domain validation in Multi-CDN scenario.

Manual HTTP

You create a file containing a token and save it on your origin server at the provided URL.

Example of the plain text file with a token:

manual-http-file-token-v1

Advantages:

  • Useful for SaaS/PaaS/IaaS providers without direct access to DNS zones.
  • Useful if you send your traffic to more than one Content Delivery Network (CDN). In this Multi-CDN scenario, you need to manage domain validation through files on the origin server. This ensures that the validation requests from the CA succeed regardless of which CDN the hostname resolves to.
  • Easy to automate.

Constraints:

  • You need to manually obtain the new challenge tokens from ​Akamai​ and add them to a file on your origin server before the certificate expires. Otherwise, you risk the hostname’s certificate expiring, and a denial of service.
  • Challenge tokens are valid only for a certain number of days. Once the token expires, we will fetch a new token from the CA. If the current token expires before you are able to use it, then you can request a new token by clicking the button next to token expiration date.
  • You need to activate version 1 of your property to check if the method is available for your property hostnames.
  • Doesn't support wildcard hostnames.
  • Only works on port 80.
  • If you use multiple web servers, each one needs to host the file with the challenge.

How to

  1. Once you activate your property version, in the Property Manager Editor, in the Property Hostnames panel, click Actions>Validate certificate domains.

  2. In the Validate certificate domains window, click Advanced View. The table displays details for each domain validation method that's available for your hostnames.

  3. Download all challenges in the CSV format.

  4. From the CSV file, copy the Manual HTTP data to create a file containing a token and save it on your origin server at the provided URL.

  5. Wait for ​Akamai​ to verify the updated record and display the Validated message in the Status column.

  6. If the status shows Paused, click the play icon to resume the domain validation process. If there are issues that you need to fix, you get a warning message with reasons why the process has been paused.

See also:

Certificate renewal

The renewal process starts automatically 20 days before the certificate's 90 day lifecycle ends.

Certificates that uses the Auto DNS domain validation method will renew automatically as long as the _acme-challenge record in your DNS points to the provided target validation hostname.

Certificates on Standard TLS need the Auto Domain Validation in your property's rule.

If you’re using Manual DNS or Manual HTTP domain validation methods, you need to manually obtain the new challenges from Akamai and add them to your DNS zone or a file on your origin server before the certificate expires. Otherwise, you risk the hostname’s certificate expiring, and a denial of service.

You should configure the Expired default certificate alert to get notified each time a certificate expires.

Configure alerts for your certificates

After you activate the property, you need to set up certificate-related notifications.

🚧

While these alerts are automatically generated for CPS-managed certificates, you need to create them manually for Default DV certificates. Otherwise, you won't receive any notifications about certificate expiration or issues with domain validation.

In ​Control Center​, go to the Alerts application. In the Select alert type field, type these names:

  • Expired Default certificate – this alert notifies you that a Default DV certificate is expired. To make sure it renews automatically, verify your DNS includes the _acme-challenge CNAME record you copied in steps 5 through 7.
  • Expired Default certificate removal – this alert notifies you that an expired Default DV certificate will be removed from the network.
  • DNS does not contain an authorized certificate authority – this alert notifies you when the Default DV certificate cannot be issued because Let’s Encrypt is not an authorized certificate authority in your DNS.
  • Domain validation failed – this alert notifies you when a Default DV certificate cannot be issued because DNS validation failed.
  • Certificate’s domain is blocked – this alert notifies you when a Default DV certificate cannot be issued because the domain is blocked by the certificate authority Let’s Encrypt.

For complete steps, see Create an alert.

Default DV cipher and TLS information

Default DV certs are provisioned with TLS 1.2 and TLS 1.3, using the ak-akamai-2020q1 cipher profile.
Currently, the TLS configuration for Default DV certificates cannot be modified. If TLS configuration is required, you need to use a Custom certificate in CPS.

Updated about 21 hours ago