Auto Domain Validation

This behavior automatically renews Standard TLS Domain Validated (DV) certificates.

Why you need it

If you're using Standard TLS DV certificates for the hostnames in your property, include this behavior to enable automatic renewal of the certificates. Apply the behavior after using Certificate Provisioning System to request a certificate for a hostname. If you leave this behavior out, the certificate may expire and result in HTTPS traffic being served with certificate errors.

You don't need this behavior for Enhanced TLS certificates.

How it works

With Domain Validation, the applicable certificate authority (CA) validates that you have control of the domain. DV is the lowest level of validation. Certificate Provisioning System supports DV certificates issued by Let's Encrypt, an automated and open CA that is run for public benefit.

Akamai-managed DV certificates expire after 90 days. Renewals for Akamai-managed DV certificates start 16 days prior to expiration.

A third-party, customer-supplied DV certificate can expire whenever the applicable certificate authority determines it expires. Don't include this behavior if you're using customer-supplied DV certificates.
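The schedule above can be turned into a monitoring check that flags hostnames whose certificate is inside the 16-day renewal window or already expired. This is an added example, not Akamai's code; the hostnames, dates, status names and the lifetime heuristic for spotting customer-supplied certificates are assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

LIFETIME = timedelta(days=90)        # page: Akamai-managed DV certificates last 90 days
RENEWAL_WINDOW = timedelta(days=16)  # page: renewal starts 16 days before expiry

def parse_cert_time(value):
    """Parse a getpeercert() timestamp such as 'Jan  5 09:34:43 2018 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def renewal_status(not_before, not_after, now):
    """Classify one certificate against the 90-day / 16-day schedule."""
    if now >= not_after:
        return "expired"
    # Assumption: a lifetime well over 90 days means a customer-supplied
    # certificate, which follows its own CA's schedule, not this one.
    if not_after - not_before > LIFETIME + timedelta(days=1):
        return "other-schedule"
    if now >= not_after - RENEWAL_WINDOW:
        return "renewal-due"  # renewal should be under way; alert if it stays here
    return "ok"

def audit(inventory, now):
    """Map hostname -> status; inventory rows are (host, notBefore, notAfter)."""
    return {host: renewal_status(parse_cert_time(nb), parse_cert_time(na), now)
            for host, nb, na in inventory}

def live_row(host, port=443, timeout=5.0):
    """Fetch (host, notBefore, notAfter) from a live server for use with audit()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # Raises ssl.SSLCertVerificationError if the certificate has already expired.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return host, cert["notBefore"], cert["notAfter"]

# Constructed sample inventory (hypothetical hostnames and dates).
SAMPLE = [
    ("www.example.com",  "Jan  1 00:00:00 2025 GMT", "Apr  1 00:00:00 2025 GMT"),
    ("api.example.com",  "Feb  1 00:00:00 2025 GMT", "May  2 00:00:00 2025 GMT"),
    ("old.example.com",  "Dec 10 00:00:00 2024 GMT", "Mar 10 00:00:00 2025 GMT"),
    ("shop.example.com", "Jan  1 00:00:00 2025 GMT", "Jan  1 00:00:00 2026 GMT"),
]
SAMPLE_NOW = datetime(2025, 3, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, status in audit(SAMPLE, SAMPLE_NOW).items():
        print(f"{host:20} {status}")
```

A hostname that stays in "renewal-due" across several runs is the signal that automatic renewal is not happening for it.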

Implementation

This behavior doesn't include any options. Specifying the behavior itself enables it.

You can include this behavior in your property in multiple ways:

  • You can include it in the Default Rule. In this case, it's applied to all requests for all resources associated with this property.
  • You can include it in a supplemental rule. This allows you to set up a custom rule that only applies to specific requests for resources associated with this property. This rule needs to use the Hostname match.
  • It can be applied in multiple rules. Rule priority applies, with rules lower in the order taking precedence. Remember that the Default Rule applies to all requests. If you've set this behavior there, but not in any other rules, what you set in the Default Rule will be used.
  • There might be an issue if an incoming request matches another redirect behavior. Assume that the incoming request matches another behavior you have in your property that results in a redirect operation similar to what applies with this behavior. If so, the operation that takes precedence depends on where the behavior is in the property.
    • If you are using a similar behavior, ensure that behavior exists in a rule that is higher in ordering.
    • You should test your configuration on staging by making a request to www.yourdomain.com/well-known/acme-challenge/some_random_token.

Related topics

See the Serve content over HTTPS, Hostname, and Certificate Provisioning System topics.
