Guide
TrainingSupportCommunity

Create an origin certificate

Suggest Edits

Before you start configuring properties for secure delivery, you need to install a certificate on your origin server. There are three ways you can set up certificates for use with ​Akamai​.

Use a publicly trusted CA

​Akamai​ uses Let's Encrypt as the default Certificate Authority. You can obtain and configure a certificate for your origin from Let's Encrypt, or from other trusted authorities.

How to

Follow the Let's Encrypt guidelines for obtaining and configuring certificates for your server. You can also install a certificate obtained from another trusted CA. See Digicert documentation for other popular trusted authorities, for example:

Considerations

AdvantagesDisadvantages
The list of trusted certificate authorities is kept up to date for you.

  • If any of the trusted certificate authorities in the set is compromised, your site may be vulnerable until that certificate authority is removed from your custom trusted list for you. You don't need to change your configuration, just make sure that your new cert is signed by a certificate authority in the set.

  • You need to rotate a certificate that is close to expiring. If you don't, and it expires, an edge server will no longer trust it and won't be able to connect to your origin. After renewal, ensure that the new certificate is also signed by one of the trusted certificate authorities, and that it's valid for the same hostnames. See Periodic origin certificate rotation.

Use a custom CA

You can specify which Certificate Authorities you want ​Akamai​ to trust for your site. This can even be a CA that you set up yourself.

How to

  1. Provision an origin certificate using a custom CA, and install it on your origin server. If you want to set up your own CA and sign the origin certificate yourself, you can do that using multiple tools, for example:

  2. Install the certificate on your origin server, very similar to how you'd install a certificate from any other CA, for example Apache or Nginx.

Considerations

AdvantagesDisadvantages
If your origin certificate is going to expire soon, you can rotate it (create a new certificate) on your origin without needing to change any additional settings.

  • If any of the trusted certificate authorities are compromised, your site may be vulnerable until you remove that certificate authority from your custom trusted list.

  • If the certificate authority itself is going to expire soon, you'll need to rotate it. This also includes changing various ​Akamai​-related settings. If you don't, and it expires, an edge server will no longer trust it and won't be able to connect to your origin.

  • You need to rotate a certificate that is close to expiring. If you don't, and it expires, an edge server will no longer trust it and won't be able to connect to your origin. See Periodic origin certificate rotation

Pin an exact certificate

You can create and — later on, in your property configuration — specify the exact certificate(s) that ​Akamai​ should trust for your origin, including self-signed. This is also known as "pinning" a certificate.

How to

In this case, edge servers just check that the origin sent the right certificate and skip other usual checks, such as the signature, the SAN list of sites the cert is valid for, and the expiration date.

  1. If you want to create a self-signed certificate, you can do that using multiple tools, for example:

  2. Install that certificate on your origin server, very similar to how you'd install a certificate from any other CA, for example Apache or Nginx.

Considerations

AdvantagesDisadvantages

  • This establishes a direct trust relationship between your origin server and edge servers, without depending on any intermediaries.

  • Since the expiration date is not checked, you can continue to use this certificate indefinitely. However, it is recommended that you rotate your certificate regularly, to ensure the best security. See Periodic origin certificate rotation.

  • If the certificate is compromised, your site may be vulnerable until you rotate it.

  • Every time you rotate your certificate, you need to make a change to your settings.

  • There may be security implications associated with pinning that make it undesirable in your environment. You can review them on the OWASP website.

Origin server behavior settings

Later on, when you configure your property, in the obligatory Origin Server behavior you need to specify your origin certificate details and select validation options that correspond to the decisions you made at this prerequisite stage. Edge servers use this information to establish a secure connection through an SSL handshake.

Updated over 1 year ago