Use an existing certificate or create a new one
The process of adding a hostname to a certificate is determined by a number of factors, including the types and number of certificates in your contract with Akamai, whether or not there are existing certificates available, and what types of certificates are available.
You may encounter any of the following situations when adding a hostname to a certificate.
Use an existing certificate
The getting started process will use an existing certificate (Enhanced or Standard TLS) when a certificate matches the hostname you are adding, under the following conditions:
- There is an associated certificate for each hostname. The associated certificate must be on the same contract and match all of the hostnames that you are onboarding.
- Each hostname you added is associated with only one certificate.
If multiple certificates exist for the hostname, you can choose a different certificate type, or you will need to use the Certificate Provisioning System to modify the existing certificates so that the hostname is associated with only one certificate. You can then return to the getting started page, select Refresh, and you will be able to select the modified certificate.
Create a new certificate
The getting started process will create a new certificate (Enhanced or Standard TLS) when it can't find an existing certificate with a matching hostname, under the following conditions:
- Your contract includes the type of certificate that you select.
- There are still certificates available in your contracted certificate quota.
The certificate types available to you depend on your contract with Akamai. If you have both Standard TLS and Enhanced TLS in your contract, the getting started process selects Enhanced TLS by default, but you can change the selection if you want.
Accepting a certificate created during the getting started process requires proof that you own the domain of the hostname, known as domain validation. To provide this proof of ownership, you will need to add the displayed DNS record name and Record value to your DNS configuration, and then select Validate. You will not be able to validate the certificate until you add the DNS record name and value to your DNS.
If you don't want to use the new certificate, you have the option to use the Certificate Provisioning System to add the hostname to any available SAN (OV, EV or 3rd-party) certificate. You can then return to the getting started page, select Refresh, and the getting started process will find the new certificate and give you the option to select it. To learn more, see Select Certificate Settings.
If your contracted certificate quota has been met, you will need to contact your account team to increase the quota. Alternatively, you can select HTTP-Only, which uses the Akamai shared certificate. Using HTTP-only results in your users receiving a warning when they attempt to access content on your site.
Update an existing certificate
The getting started process will allow you to add the hostname to an existing SAN certificate under the following conditions:
- There's no existing certificate matching the hostname.
- The SAN certificate has space to add the hostname.
- There are no more certificates available in your contracted certificate quota.
The Certificate Provisioning System (CPS) will validate the hostname you are adding, and all of the existing hostnames associated with the SAN certificate. If CPS cannot validate any of the existing hostnames, you will see a warning message at the activation stage of the getting started process. You will need to use CPS to validate the certificate, or else remove those hostnames from the certificate. View validation instructions.
Use HTTP-only
In this case, there is no certificate for the hostname, no available SAN certificate and your certificate quota has been met. If you want to use a certificate for the hostname, contact your account representative to increase your quota.
When you select HTTP-only, if your end users attempt an HTTPS request, the Akamai shared certificate will be served. Since the shared certificate will not be valid for your hostname, your users will see a certificate hostname mismatch warning in their browser.
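The four outcomes described on this page can be sketched as a pre-flight check to run against your own certificate inventory before onboarding a hostname. This is an added example, not Akamai code: the inventory shape, the `free_san_slots` field, the returned labels and the RFC 6125-style wildcard rule are assumptions, and it evaluates one hostname at a time.

```python
# Added example. Inventory layout, field names and labels are hypothetical.

def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard is only honoured as the whole
    leftmost label and covers exactly one label."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    first_label, _, rest = hostname.partition(".")
    return bool(first_label) and rest == san[2:]


def onboarding_path(hostname, certs, quota_left):
    """Return (path, certificate names) for one hostname.

    certs: {name: {"sans": [...], "free_san_slots": int}}  (assumed shape)
    quota_left: certificates still available in the contracted quota.
    """
    hits = sorted(name for name, cert in certs.items()
                  if any(san_matches(s, hostname) for s in cert["sans"]))
    if len(hits) == 1:
        return "use-existing", hits
    if len(hits) > 1:
        # The hostname must end up on only one certificate.
        return "resolve-duplicates-in-cps", hits
    if quota_left > 0:
        return "create-new", []
    roomy = sorted(n for n, c in certs.items() if c["free_san_slots"] > 0)
    if roomy:
        return "update-existing-san", roomy
    # Shared certificate: HTTPS clients will see a hostname mismatch warning.
    return "http-only-or-raise-quota", []


# Constructed sample inventory.
SAMPLE_CERTS = {
    "cert-a": {"sans": ["www.example.com", "*.shop.example.com"],
               "free_san_slots": 0},
    "cert-b": {"sans": ["*.example.com"], "free_san_slots": 2},
}

if __name__ == "__main__":
    for host, quota in [("www.example.com", 1), ("api.example.com", 1),
                        ("example.com", 1), ("example.com", 0)]:
        print(host, quota, onboarding_path(host, SAMPLE_CERTS, quota))
```

The wildcard rule matters for the duplicate case: `www.example.com` is covered by both an exact entry and `*.example.com`, while the bare `example.com` is covered by neither.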
Updated over 2 years ago