This certificate protects the first stage of the request flow—the request from an end user (client) that's received by Akamai edge servers. In some cases, you may need to create this certificate before you create your property.
There are various levels of security you can apply:
This is intended for sites and content with high-assurance security requirements, such as FedRAMP and PCI compliance (HTTPS L3). It also supports custom or very old clients that don't send a TLS SNI header, which requires a VIP hosted certificate.
This is what you need if the initial client request or content delivered back to the client include any personally identifiable information (PII). Behind the scenes, Enhanced TLS adds the
This security enables the delivery of sites, content, and video streaming over HTTPS using customer-branded certificates. It's secure (HTTPS L1), but not as rigorous as Enhanced TLS. Standard TLS is not FedRAMP or PCI compliant, but it is Sarbanes Oxley (SOX) and International Standards Organization (ISO) compliant.
If you're looking for secure delivery, but aren't transferring PII, Standard TLS could work for you. Behind the scenes, Standard TLS adds the
Akamai shared certificate
This method supports secure access and delivery over HTTPS, without the need to provision and manage a certificate.
While it's quicker and easier to set up, you need to use a hostname within the Akamai-owned domains such as
For a more detailed comparison, see Compare the security options.
This method supports both Enhanced TLS and Standard TLS secure delivery and it's available to all Akamai customers.
Custom certificates can take a while to provision, and you need one before you can fully set up your Property Manager property for secure delivery. So, you should create one first.
The Certificate Provisioning System (CPS) is a separate Akamai utility you can use to generate a custom certificate. All certificates are signed by a Certificate Authority that is known to be trusted by every major browser or operating system.
Akamai offers a separate user interface in Control Center that you use to create custom certificates. See the Certificate Provisioning System user documentation for instructions on this process. There are multiple phases of the process, and you need to apply specific settings:
When you enter certificate information, you'll set your domain name as either the Common Name (CN) or a Subject Alternate Name (SAN). Make note of it, because you need this value later in the process.
During the select network setting phase, set Deployment Network to the desired level of security, Standard TLS or Enhanced TLS.
Set all other options for all other phases of the certificate creation process as desired.
A newly-provisioned certificate is automatically pushed to the production network. It's live and ready to start protecting the client-to-edge network connection. This is in place to ensure a certificate is available as fast as possible for renewals. However, if you want to test your certificate to make sure everything with your delivery is ready, you'll need to push it to the staging network.
If necessary, access Akamai Control Center, login with an admin-level user and go to ☰ > CDN > Certificates.
Locate the cert you just created in the table, click No under Always test on Staging before deployment.
Set Test Certificate to Yes and click Submit.
You can't move a certificate to staging once it's been provisioned to the production network. If you apply these steps after this, the certificate won't be moved to staging until it's up for renewal.
After you perform all of your testing, you'll come back to CPS to push it to production to go live.
Akamai also offers an application programming interface (API) that you can use to create your certificate, too. Have a look at the developer documentation for CPS for details.
Regardless of the tool you used, a certificate can take from 3 - 6 hours to provision, based on the level of security you've chosen. The email address set for the Control Center account that you used to create the certificate will receive an email when it's ready.
Talk to your Akamai account team for information on supported third-party vendors. Work with a supported vendor to set up an Enhanced TLS or Standard TLS certificate. Then, you need to:
- Make note of the exact domain used to access it from the third-party vendor.
- Provide the certificate to your Akamai account team.
Your account team will contact you when the certificate has been fully provisioned for use.
Also referred to as "secure by default, it supports both Standard TLS and Enhanced TLS security. This is an automated approach to creating the certificate. When you set up the connection between your website or app and the Akamai edge network—this is called a "property hostname"—you select the level of security you want to use. Akamai automatically creates and provisions the certificate for you and applies it to your Property Manager property.
You don't need to create a certificate or perform any additional prerequisites.
Secure by default is LA
This is an additional service for Property Manager that needs to be added to your contract. However, it hasn't been released to general availability yet. So only a select number of customers can use it. Contact your account team to see if you're eligible. Otherwise, you need to use a custom certificate.
This lets you quickly incorporate HTTPS delivery by selecting this certificate type while applying the hostname for your site or app in a property hostname. Its level of security is comparable to Standard TLS
You don't need to create a certificate or perform any additional prerequisites.
There are various security options available for your configuration, based on the level of HTTPS security you apply in your edge certificate. Review the table here to make sure you're choosing the right level of security.
Consider these points:
Specific details may vary in corner cases and for older products that aren't listed. Check with your account team for details. Security properties listed should be taken as rough suggestions and may not apply to all scenarios.
All that's listed is also supported with plain text HTTP requests to the same hostname. No security properties are obtained unless HTTP traffic is redirected to HTTPS. Once you commit to HTTPS-only, HSTS can be used to indicate to clients that HTTP is no longer supported. But, there is no going back.
Non-secure HTTP is also available, but it's not recommended. It's included in this table for comparison.
|Support/feature||Enhanced TLS Certificate||Standard TLS Certificate||Shared Certificate||HTTP only|
Supports HTTPS to encrypt data in transit and validate the identity of the delivery server using TLS certificates. Prevents network-based attackers (such as malware on open Wi-Fi) from viewing and modifying HTTPS requests and responses.
Engineered to meet the high-security demands of banking, e-commerce, healthcare, and similar industries for protecting data-in-transit, while also providing high-performance, scale, and a global footprint.
Engineered to provide high-performance, and massively scalable delivery of media assets as well as many types of websites.
Enables web browsers to indicate that a page is "secure" (such as by a lock icon in the browser address bar) when all page resources are delivered over HTTPS.
TLS server certificate private keys are managed securely to protect against loss.
Support for some very old or custom clients that do not send TLS SNI (Server Name Indication).
|✅ (with VIP cert)||❌||✅||❌|
HTTPS traffic supports Compliance Management for FedRAMP, HIPAA, ISO 27002, PCI and SOC2. Note that additional configuration constraints may apply.
Uses a common/default Akamai certificate that supports clients which do not send SNI.
Includes a DV SAN SNI certificate by default, with other SNI certificate types available as add-ons.
Supports IPv4 and IPv6+IPv4 dual-stack.
Supports protocol downgrade from HTTPS to HTTP between the Akamai edge and an origin.
Strongly discouraged and additional limitations apply.
Supports China CDN. (Additional terms apply.)
Supports delivery within Russia.
Only with "Russia CDN Secure" opt-in.
Supports Edge IP Binding.
Supports Client Access Control.
Supports ESN Staging.
Supports Instant Config hostnames (
Updated 6 days ago