Onboard a property with a CPS-managed certificate

Here, we'll set up a property using a CPS-managed certificate that we'll create to secure the connection between a requesting client and the ​Akamai​ network.

Before you begin

Make sure you get these things done before you start with this workflow.

  • Determine the level of security. What level of security do you need to deliver your content to requesting clients? Have a look at Understand the levels of security to figure out if you need Enhanced or Standard TLS security.

  • Set up authentication. To make calls through the various ​Akamai​ APIs available for this workflow, you need to authenticate using tokens you generate and apply in requests from your API client tool.

    • Property Manager API (PAPI). This is what you'll use to set up your property to deliver your traffic. You'll need to ensure that your authentication is set up for READ/WRITE access to PAPI.

    • Certificate Provisioning System (CPS) API. As a step in this workflow, you'll need to set up a certificate to secure the connection between clients requesting your content and the ​Akamai​ edge network. You can use an API for this process. You'll need to ensure that the access authentication for it is also set up for READ/WRITE access.

  • Make sure you have write access to your primary DNS servers. You'll need to modify DNS records during the process.

  • Review limits imposed on PAPI operations. Make sure you don't exceed the rate and resource limits and familiarize yourself with the concurrency control rules this API applies.

1 - Add the origin layer to your DNS

Get the IP address of your existing origin and create an A record in your DNS.

2 - Use CPS to prepare your edge certificate

CPS is a separate ​​Akamai​​ utility you can use to generate a certificate using either Standard or Enhanced TLS security. All certificates are signed by a Certificate Authority that is known to be trusted by every major browser or operating system. When creating one, you need to set the domain name that clients use to access your site or asset as the common name (CN), or include it as a subject alternate name (SAN) in the certificate.

Use the CPS API

Have a look at the developer documentation for CPS for details.

Use ​​Akamai Control Center​

You can also use a separate user interface in ​​Control Center​​ to create CPS-managed certificates. See the Certificate Provisioning System user documentation for instructions on this process. There are multiple phases of the process, and you need to apply specific settings:

  1. When you enter certificate information, you'll set your domain name as either the Common Name (CN) or a Subject Alternate Name (SAN). Make note of it, because you need this value later in the process.

  2. During the select network setting phase, set Deployment Network to the desired level of security, Standard TLS or Enhanced TLS.

  3. Set all other options for all other phases of the certificate creation process as desired.

Wait for the certificate to provision

Regardless of the tool you used, a certificate can take from 3 - 6 hours to provision, based on the level of security you've chosen. The email address set for the ​Control Center​ account that you used to create the certificate will receive an email when it's ready.

3 - Get contracts, groups, and products

These identifiers specify what modules and features you'll be able to use in your property.

4 - Create an edge hostname

An edge hostname is used to process the request between a client and the ​​Akamai​ edge network. Create your edge hostname using the domain name you set as the CN or SAN in your certificate:

5 - Create a CP code

CP codes track any web traffic handled by edge servers. Each property’s default rule needs a valid CP code to bill and report for the service.

6 - Create a property

Think of a property as a container for your product configuration. Set one up to control how your content is delivered.

7 - Set variables for your property (optional)

Do you have specific values you'll repeatedly use in the property's rule tree? Use built-in system variablesor create your own and apply them as you need them.

8 - Update your property with your edge hostname

Here, you map your property hostname to the edge hostname that you created, so that the edge servers can take over the client traffic from your origin.

9 - Check the status of your hostname

Run this operation and locate your hostname, based on its "cnameFrom": "<your domain>". It needs to be active. Check for the status object in the response:

  • You see the status object. Any status value indicates that it's still being processed. Wait a while and try the operation again.
  • There's no status object. The hostname is active. Review the response to confirm that the cnameFrom value is the correct domain for your site or resource, and store the cnameTo value for use later in the process.

10 - Add the edge hostname to your DNS

In your DNS configuration, create a CNAME record and map your domain (cnameFrom) to the cnameTo value that you stored.

11 - Get the rule tree

Get the baseline of your property's rule tree. It includes all of the default rules and behaviors that ​Akamai​ adds. What you'll get in the response varies depending on your ​Akamai​ product.

12 - Edit the rule tree

Provide necessary details for the top-level default rule. At a minimum, configure these mandatory behaviors in a rule:

You can optionally include any number of your own rules to customize content delivery. Rule trees are maintained in a special form of JSON that you can best edit and validate in the dedicated VS code or Eclipse IDE plugins.

13 - Validate the rule tree changes

Make sure your JSON file is correct and complete before deploying it on edge servers. You need to resolve returned errors, as they block an activation, but you can activate a property version that yields less severe warnings. For more information, see Rule tree errors and warnings. Both VS code and Eclipse plugins support full rule tree validation.

14 - Update the property's rule tree

Push your updated JSON file back to the property.

15 - Activate the property on staging and production

With brand new setups, you only need to test your configuration on production. But, you can activate your property on both networks at the same time.

16 - Confirm activation

Make sure the activation was successful. The response should contain "status": ACTIVE.

17 - Test the activated settings

Temporarily set up your local browser to target an edge server to access your property.

  1. You need your edge hostname's actual IP address. Get it by running a command for your stored edge hostname. For example, assume the domain you set in your edge hostname was "example.com" and you're using a Standard TLS certificate that adds the edgesuite.net suffix to your hostname behind the scenes:


    nslookup www.example.com.edgesuite.net

    Mac OS, Linux, or Unix:

    dig www.example.com.edgesuite.net
    dig AAAA www.example.com.edgesuite.net
  2. Navigate to your local hosts file in a text editor.

    • Windows. You should be able to find your hosts file in: C:\Windows\System32\drivers\etc\hosts
    • Mac OS, Linux, or Unix. You should be able to find your hosts file in: /etc/hosts
  3. At the end of the hosts file, add an entry for the actual domain to your website that includes the edge hostname's IP address. example.com
  4. Save and close your hosts file. Restart your browser to clear your DNS cache and verify that your site is working the way you expect.

For more details on testing and activation, see Activate a property.

18 - Go live

Start serving live traffic through the ​Akamai​ Edge Platform. Replace your existing CNAME record and with a new one, setting its value to the ​Akamai​ edge hostname.

Remember to remove any entries from your local hosts file that you may have set up for testing. Now, you can restart your browser and do a smoke test of your website or application.