Prepare your edge certificates

This certificate protects the first stage of the request flow: the request from an end user (client) that's received by Akamai edge servers. In some cases, you may need to create this certificate before you create your property.

Understand the levels of security

There are various levels of security you can apply:

| Security option | Description |
| --- | --- |
| Enhanced TLS | This is intended for sites and content with high-assurance security requirements, such as FedRAMP and PCI compliance (HTTPS L3). It also supports custom or very old clients that don't send a TLS SNI header, which requires a VIP hosted certificate. This is what you need if requests or delivered content include any personally identifiable information (PII). Behind the scenes, Enhanced TLS adds the edgekey.net suffix to your hostname, but it's not visible to the end user. |
| Standard TLS | This security enables the delivery of sites, content, and video streaming over HTTPS using customer-branded certificates. It's secure (HTTPS L1), but not as rigorous as Enhanced TLS. Standard TLS is not FedRAMP or PCI compliant, but it is Sarbanes Oxley (SOX) and International Standards Organization (ISO) compliant. If you're looking for secure delivery, but aren't transferring PII, Standard TLS could work for you. Behind the scenes, Standard TLS adds the edgesuite.net suffix to your hostname, but it's not visible to the end user. |
| Akamai shared certificate | This method supports secure access and delivery over HTTPS, without the need to provision and manage a certificate. While it's quicker and easier to set up, you need to use a hostname within the Akamai-owned domains such as example.akamaized.net or example-a.akamaihd.net. It's also not recommended if you're exchanging or delivering PII. Use Enhanced TLS, instead. |

For a more detailed comparison, see Compare the security options.

Use the default certificate method

Also referred to as "secure by default," this method supports both Standard TLS and Enhanced TLS security. This is an automated approach to creating the certificate. When you set up the connection between your website or app and the Akamai edge network (this is called a "property hostname"), you select the level of security you want to use. Akamai automatically creates and provisions the certificate for you and applies it to your Property Manager property.

You don't need to create a certificate or perform any additional prerequisites. Later, when you're creating your Property Manager property, you'll apply a couple of options to use this method.

📘

Secure by default is in limited availability (LA)

This is an additional service for Property Manager that needs to be added to your contract. However, it hasn't been released to general availability yet. So only a select number of customers can use it. Contact your account team to see if you're eligible. Otherwise, you need to use a custom certificate.

Use the custom certificate method

If you don't have access to the secure by default method, or you want your own custom certificate, you can create one manually. This method supports both Enhanced TLS and Standard TLS security levels.

🚧

Custom certificates can take a while to provision, and you need one before you can set up your Property Manager property for secure delivery. So, we recommend that you create one first.

Custom certificates via the Certificate Provisioning System (CPS)

CPS is a separate Akamai utility you can use to generate a custom certificate. All certificates are signed by a Certificate Authority that is known to be trusted by every major browser or operating system.

Use Akamai Control Center to create the certificate

Akamai offers a separate user interface in Control Center that you use to create custom certificates. See the Certificate Provisioning System user documentation for instructions on this process. There are multiple phases of the process, and you need to apply specific settings:

  1. When you enter certificate information, you'll set your domain name as either the Common Name (CN) or a Subject Alternative Name (SAN). Make note of it, because you need this value later in the process.

  2. During the select network setting phase, set Deployment Network to the desired level of security, Standard TLS or Enhanced TLS.

  3. Set all other options for all other phases of the certificate creation process as desired.

Use an API to create the certificate

Akamai also offers an application programming interface (API) that you can use to create your certificate. Have a look at the developer documentation for CPS for details.

Wait for the certificate to provision

Regardless of the tool you used, a certificate can take from 3 to 6 hours to provision, based on the level of security you've chosen. The email address set for the Control Center account that you used to create the certificate will receive an email when it's ready.

Custom certificates via a third-party vendor

Talk to your Akamai account team for information on supported third-party vendors. Work with a supported vendor to set up an Enhanced TLS or Standard TLS certificate. Then, you need to:

  • Make note of the exact domain used to access it from the third-party vendor.
  • Provide the certificate to your account team.

Your account team will contact you when the certificate has been fully provisioned for use.

Use the Akamai shared certificate

This lets you quickly incorporate HTTPS delivery by selecting this certificate type while applying the hostname for your site or app in a property hostname. Its level of security is comparable to Standard TLS.

You don't need to create a certificate or perform any additional prerequisites.

Compare the security options

There are various security options available for your configuration, based on the level of HTTPS security you apply in your edge certificate. Review the table here to make sure you're choosing the right level of security.

📘

Consider these points:

  • Specific details may vary in corner cases and for older products that aren't listed. Check with your account team for details. Security properties listed should be taken as rough suggestions and may not apply to all scenarios.

  • All that's listed is also supported with plain text HTTP requests to the same hostname. No security properties are obtained unless HTTP traffic is redirected to HTTPS. Once you commit to HTTPS-only, HSTS can be used to indicate to clients that HTTP is no longer supported. But, there is no going back.

  • Non-secure HTTP is also available, but it's not recommended. It's included in this table for comparison.
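The second point above is the operational crux: the edge certificate buys nothing for a request that still arrives over plain HTTP, and HSTS is the one-way commitment that stops clients from trying HTTP again. The Python script below is an added example, not Akamai code or tooling. It parses a Strict-Transport-Security header the way RFC 6797 says a browser must (unknown directives ignored, a repeated directive or missing max-age discards the whole header), then checks a pair of constructed responses for the placeholder hostname www.example.com (one over plain HTTP, one over HTTPS) for a permanent redirect plus a policy that will actually be honoured. The one-year threshold is hstspreload.org's minimum max-age for preload eligibility.

```python
"""Check that a hostname has committed to HTTPS: redirect plus a valid HSTS policy.

Added example (not Akamai code); the responses at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # hstspreload.org's minimum max-age for preload eligibility


@dataclass
class Response:
    url: str
    status: int
    headers: Dict[str, str]

    def header(self, name: str) -> Optional[str]:
        """Case-insensitive header lookup."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse Strict-Transport-Security per RFC 6797 section 6.1.

    Returns None for a header a browser would discard: a directive repeated,
    max-age missing, or max-age not a non-negative integer.
    """
    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for token in value.split(";"):
        directive = token.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # delta-seconds, optionally quoted
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def assess(http_resp: Response, https_resp: Response) -> List[str]:
    """Return the findings for one hostname; an empty list means fully committed."""
    findings: List[str] = []
    host = urlsplit(http_resp.url).hostname
    target = urlsplit(http_resp.header("Location") or "")
    if http_resp.status not in (301, 308) or target.scheme != "https" or target.hostname != host:
        findings.append("plain HTTP is not permanently redirected to HTTPS on the same host")
    if http_resp.header("Strict-Transport-Security") is not None:
        findings.append("HSTS sent over plain HTTP is ignored by browsers (RFC 6797 section 8.1)")
    raw = https_resp.header("Strict-Transport-Security")
    policy = parse_hsts(raw) if raw is not None else None
    if policy is None:
        findings.append("no valid HSTS policy on the HTTPS response; clients may still try HTTP")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 withdraws the policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below one year; preload lists require {ONE_YEAR}")
    if policy.preload and not policy.include_subdomains:
        findings.append("preload requires includeSubDomains")
    return findings


# Constructed sample responses for the placeholder hostname www.example.com.
COMMITTED = (
    Response("http://www.example.com/", 301, {"Location": "https://www.example.com/"}),
    Response("https://www.example.com/", 200,
             {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"}),
)
HALFWAY = (
    Response("http://www.example.com/", 200, {"Content-Type": "text/html"}),
    Response("https://www.example.com/", 200, {"Strict-Transport-Security": "max-age=300"}),
)

if __name__ == "__main__":
    for label, pair in (("committed", COMMITTED), ("halfway", HALFWAY)):
        print(label, assess(*pair) or ["OK"])
```

To use it against a real hostname, fill the two Response objects from a plain-HTTP request with redirects disabled and an HTTPS request to the same path; the checks themselves do not change. An empty findings list is the state the note above calls "no going back", so run the check before enabling HSTS, not after.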

| Support/feature | Enhanced TLS Certificate | Standard TLS Certificate | Shared Certificate | HTTP only |
| --- | --- | --- | --- | --- |
| Supports HTTPS to encrypt data in transit and validate the identity of the delivery server using TLS certificates. Prevents network-based attackers (such as malware on open Wi-Fi) from viewing and modifying HTTPS requests and responses. | ✅ | ✅ | ✅ | ❌ |
| Engineered to meet the high-security demands of banking, e-commerce, healthcare, and similar industries for protecting data in-transit, while also providing high-performance, scale, and a global footprint. | ✅ | ❌ | ❌ | ❌ |
| Engineered to provide high-performance, and massively scalable delivery of media assets as well as many types of websites. | ❌ | ✅ | ✅ | ✅ |
| Enables web browsers to indicate that a page is "secure" (such as by a lock icon in the browser address bar) when all page resources are delivered over HTTPS. | ✅ | ✅ | ✅ | ❌ |
| TLS server certificate private keys managed securely to protect against loss. | ✅ | ✅ | ✅ | N/A |
| Support for some very old or custom clients that do not send TLS SNI (Server Name Indication). | ✅ (with VIP cert) | ❌ | ✅ | N/A |
| HTTPS traffic supports Compliance Management for FedRAMP, HIPAA, ISO 27002, PCI and SOC2. Note that additional configuration constraints may apply. | ✅ | ❌ | ❌ | ❌ |
| Uses a common/default <> certificate that supports clients which do not send SNI. | ❌ | ❌ | ✅ | ❌ |
| Includes a DV SAN SNI certificate by default, with other SNI certificate types available as add-ons. | ❌ | ✅ | ❌ | ❌ |
| Included with products: Ion, DSA, DSD, AMD, Download Delivery, Object Delivery, and ACE. | ❌ | ✅ | ❌ | ✅ |
| Supports HTTP/2 | ✅ | ✅ | ✅ | ❌ |
| Supports IPv6+IPv4 dual-stack and uses it as the default for new configurations. | ✅ | ✅ | ✅ | ✅ |
| Supports protocol downgrade from HTTPS to HTTP (with restrictions and limitations). | Strongly discouraged and additional limitations apply. | ✅ | ✅ | N/A |
| Supports China CDN (Additional terms apply). | ✅ | ✅ | ❌ | ✅ |
| Supports delivery within Russia. | Only with "Russia CDN Secure" opt-in. | ✅ | ✅ | ✅ |
| Supports Edge IP Binding. | ✅ | ✅ | ✅ | ✅ |
| Supports Client Access Control. | ✅ | ❌ | ❌ | ❌ |
| Supports ESN Staging. | ✅ | ✅ | ✅ | ✅ |
| Supports "Instant Config" / MDC. | ❌ | ❌ | ❌ | ✅ |
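Two rows in the table, and the VIP-hosted certificate note under Enhanced TLS, hinge on one fact about a client: whether its ClientHello carries a server name. Before paying for a VIP-hosted certificate or settling for the shared default certificate, it is worth confirming which of your legacy or custom clients actually omit SNI. The Python script below is an added example, not Akamai code or tooling. It builds a real ClientHello offline by driving the standard library's OpenSSL binding through memory BIOs (with and without a hostname), and parses the server_name extension (RFC 6066) out of the raw record. The same parser can be fed ClientHello bytes captured from your own clients; the hostname www.example.com is a placeholder.

```python
"""Does a TLS ClientHello carry Server Name Indication (SNI)?

Added example (not Akamai code). It uses only the Python standard library.
"""
import ssl
from typing import Optional


def build_client_hello(server_hostname: Optional[str]) -> bytes:
    """Produce a real ClientHello offline by driving OpenSSL through memory BIOs.

    server_hostname=None yields a hello with no SNI extension, the shape a
    very old or custom client would send.
    """
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # wrap_bio refuses a missing hostname while check_hostname is enabled
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()  # writes the ClientHello, then needs server data
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if absent.

    Raises ValueError for anything that is not a ClientHello handshake record.
    """
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 2 + 32                                            # legacy_version + random
    pos += 1 + hello[pos]                                   # legacy_session_id
    pos += 2 + int.from_bytes(hello[pos:pos + 2], "big")    # cipher_suites
    pos += 1 + hello[pos]                                   # legacy_compression_methods
    if pos + 2 > len(hello):
        return None                                         # no extensions block at all
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(hello[pos:pos + 2], "big")
        ext_len = int.from_bytes(hello[pos + 2:pos + 4], "big")
        data = hello[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:                                   # 0 = server_name (RFC 6066)
            continue
        # ServerNameList: u16 length, then entries of u8 type + u16 length + name
        list_end = 2 + int.from_bytes(data[0:2], "big")
        q = 2
        while q + 3 <= list_end:
            name_type = data[q]
            name_len = int.from_bytes(data[q + 1:q + 3], "big")
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                              # host_name
                return name.decode("ascii")
    return None


def needs_default_certificate(record: bytes) -> bool:
    """True when the client sent no SNI, so the edge can only answer with a
    VIP-hosted (Enhanced TLS) or default (shared) certificate."""
    return extract_sni(record) is None


if __name__ == "__main__":
    for host in ("www.example.com", None):   # www.example.com is a placeholder
        hello = build_client_hello(host)
        print(f"hostname={host!r:20} sni={extract_sni(hello)!r} "
              f"needs_default_cert={needs_default_certificate(hello)}")
```

A client that lands in the needs_default_cert=True case will be served whatever certificate the edge presents without a name, so on Standard TLS it fails the handshake (the ❌ in the table), while Enhanced TLS with a VIP-hosted certificate or the shared default certificate can still complete it.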
