Manage cloud certificates

📘

Beta

Hello. Just a note to let you know the underlying API on which this subprovider is built is general release and has been vetted, but because this is a new feature for our Terraform provider, we've given it beta label.

This status just means we've paused for a bit to get your feedback to make sure this data source works like you need and expect.

Store and manage third-party certificates without the complexity of network deployment settings. Unlike Client Certificate Provisioning (CPS), Cloud Certificate Manager (CCM) simplifies certificate management by reducing the number of required data fields and deployment steps.

What you'll do

Create a CCM certificate and bind it to your property hostname.

📘

Cloud Certificate Manager is currently a limited-availability service. To use a CCM certificate with a property hostname, you need to have this feature enabled on your account. To request access to this service, talk to your account representative.

Notes:

• Cloud Certificate Manager currently manages certificates only within ​Akamai​'s delivery platform.
• When you add a hostname with cert_provisioning_type = "CCM" and provide a certificate's ID with either the RSA or ECDSA key type, or both, in the property, the system automatically creates a corresponding edge hostname after activating a property. As a result, you don't need to create a separate edge hostname resource.

What you need

To create and use third-party certificates in your site traffic, you need properties.

1. Export the properties to get a rule format and rule tree.

   Optionally, add the --rules-as-hcl command flag to export the property rules as an akamai_property_rules_builder data source.

   Shell

   akamai terraform --edgerc {location-of-your-edgerc-file} --section {section-of-edgerc-to-use} export-property --rules-as-hcl {"your-property-name"}
   

2. Run the import script (import.sh) included in the export to populate your Terraform state and prevent Terraform from attempting to recreate your assets.

1. Create or import a certificate

Create new

Use the akamai_cloudcertificates_certificate resource to create a new third-party certificate.

1. In the resource, specify the required parameters, including:

   • Your group and contract IDs.
   • Your certificate's key type and size.
   • The type of security on a deployment network. Currently, ENHANCED_TLS is only supported.
   • A list of the subject alternative names (SANs) secured by a certificate.

   You can optionally provide a base name for your certificate. If you don't specify it, CCM auto-generates the name for you.

   hcl

   resource "akamai_cloudcertificates_certificate" "my-cert" {
      base_name      = "my-cert"
      contract_id    = "C-0N7RAC7"
      group_id       = "12345"
      key_size       = "P-256"
      key_type       = "ECDSA"
      secure_network = "ENHANCED_TLS"
      sans           = ["example.com"]
   }
   

2. Run terraform plan to check syntax and terraform apply to create your certificate. This creates a new certificate with the CSR_READY status.

Import existing

When working with an existing CCM certificate, you can import it with its related resources.

1. Get a list of certificates with the akamai_cloudcertificates_certificates data source to find the certificate name you want.

   QueryStandard output

   data "akamai_cloudcertificates_certificates" "my-certs" {}
   
   output "my-certs" {
      value = data.akamai_cloudcertificates_certificates.my-certs
   }
   

    my-certs = {
    certificate_name              = null
    certificate_status            = null
    certificates                  = [
        {
            account_id                               = "A-CCT1234"
            certificate_id                           = "12345"
            certificate_name                         = "my-cert"
            certificate_status                       = "CSR_READY"
            certificate_type                         = "THIRD_PARTY"
            contract_id                              = "C-0N7RAC7"
            created_by                               = "jsmith"
            created_date                             = "2025-10-24T17:10:47.940678Z"
            csr_expiration_date                      = "2026-12-26T17:10:48Z"
            csr_pem                                  = null
            key_size                                 = "P-256"
            key_type                                 = "ECDSA"
            modified_by                              = "jsmith"
            modified_date                            = "2025-10-24T17:14:47.941736Z"
            sans                                     = [
                "example.com",
            ]
            secure_network                           = "ENHANCED_TLS"
            signed_certificate_issuer                = "CN=example.com CA,O=Main Street Corporation,C=US"
            signed_certificate_not_valid_after_date  = null
            signed_certificate_not_valid_before_date = null
            signed_certificate_pem                   = null
            signed_certificate_serial_number         = null
            signed_certificate_sha256_fingerprint    = null
            subject                                  = {
                common_name  = "example.com"
                country      = "US"
                locality     = "Cambridge"
                organization = "Main Street Corporation"
                state        = "MA"
            }
            trust_chain_pem                          = null
        },
    ]
    contract_id                   = null
    domain                        = null
    expiring_in_days              = null
    group_id                      = null
    include_certificate_materials = null
    issuer                        = null
    key_type                      = null
    sort                          = null
    }
   

2. Export an existing certificate by passing the certificate name in the export-cloudcertificate command.

   Shell

   akamai terraform --edgerc {location-of-your-edgerc-file} --section {section-of-edgerc-to-use} export-cloudcertificate {"your-cloud-certificate-name"}
   

   If the certificate is in the READY_FOR_USE or ACTIVE status, the akamai_cloudcertificates_upload_signed_certificate resource will also be included in your configuration. If the certificate is in the CSR_READY status, the akamai_cloudcertificates_upload_signed_certificate resource will be generated but commented out.

3. Run the included import script (import.sh) to populate your Terraform state and prevent Terraform from attempting to recreate your assets.

2. Get a CSR and keys

When you create or renew a third-party certificate, it triggers a PEM-formatted certificate signing request (CSR) containing information about the subject, public key, and attributes (like SANs). CCM signs the request data with a private key using either the RSA or ECDSA algorithm. You need to send that CSR to your chosen certificate authority (CA) to issue your certificate.

1. Send your certificate ID in the akamai_cloudcertificates_certificate data source and run terraform plan to get the CSR for your certificate. In the output block, the csr_pem attribute contains your CSR.

   QueryStandard output

    data "akamai_cloudcertificates_certificate" "my-cert" {
        certificate_id = "12345"
    }
   
    output "my-cert" {
        value = data.akamai_cloudcertificates_certificate.my-cert
    }
   

    my-cert = {
        account_id                               = "A-CCT1234"
        bindings                                 = null
        certificate_id                           = "12345"
        certificate_name                         = "my-cert"
        certificate_status                       = "CSR_READY"
        certificate_type                         = "THIRD_PARTY"
        contract_id                              = "C-0N7RAC7"
        created_by                               = "jsmith"
        created_date                             = "2025-10-24T17:10:47.940678Z"
        csr_expiration_date                      = "2026-12-26T17:10:48Z"
        csr_pem                                  = <<-EOT
            -----BEGIN CERTIFICATE REQUEST-----
            MIID <sample - removed for readability> .... Mweq
            -----END CERTIFICATE REQUEST-----
        EOT
        include_hostname_bindings                = null
        key_size                                 = "P-256"
        key_type                                 = "ECDSA"
        modified_by                              = "jsmith"
        modified_date                            = "2025-10-24T17:14:47.941736Z"
        sans                                     = [
            "example.com",
        ]
        secure_network                           = "ENHANCED_TLS"
        signed_certificate_issuer                = null
        signed_certificate_not_valid_after_date  = null
        signed_certificate_not_valid_before_date = null
        signed_certificate_pem                   = null
        signed_certificate_serial_number         = null
        signed_certificate_sha256_fingerprint    = null
        subject                                  = {
            common_name  = "example.com"
            country      = "US"
            locality     = "Cambridge"
            organization = "Main Street Corporation"
            state        = "MA"
        }
        trust_chain_pem                          = null
    }
   

2. Send the retrieved CSR to your chosen certificate authority (CA) for signing.

   👍

   Tip

   You can use the acme_certificate resource from the acme provider or the null_resource resource with the local-exec provisioner to sign your certificate.

   For testing purposes, you can use Hashicorp’s tls_self_signed_cert resource. See the terraform-provider-akamai repository for an example configuration.

3. Upload your signed certificate

1. Upload your signed certificate for deployment with the akamai_cloudcertificates_upload_signed_certificate resource. The certificate must be in PEM format. If it was returned to you in a different format, convert it to PEM format using an SSL converter or OpenSSL commands.

   hcl

   resource "akamai_cloudcertificates_upload_signed_certificate" "example-upload" {
      certificate_id         = akamai_cloudcertificates_certificate.my-cert.certificate_id
      signed_certificate_pem = file("example_third_party-cert.pem")
      acknowledge_warnings   = true
   }
   

2. Run terraform plan to check syntax and terraform apply to upload your certificate.

Once the signed certificate is uploaded, its status changes to READY_FOR_USE. At this point, the certificate is immutable, and you can only rename or recreate it.

4. Bind the certificate to a property hostname

1. After uploading your signed certificate, bind it with a property hostname to secure your site traffic. This includes:

   • Specifying the certificate provisioning type as CCM.
   • Pointing to the CCM certificate's ID with either the RSA or ECDSA key type, or both from the akamai_cloudcertificates_upload_signed_certificate resource.
   • Ensuring that the cname_from argument matches one of the sans (subject alternative names) values defined in the CCM certificate resource.

   Note that you can have multiple hostnames in a property, each using different CCM certificates. You can also mix regular hostnames, such as CPS or domain-bound (DV) hostnames, along with CCM-bound hostnames within the same property. Additionally, if you already have a CCM-bound hostname, you can update its certificate ID to re-bind it to a different certificate without affecting other hostnames.

   hcl

   resource "akamai_property" "example-property" {
      name          = "MyProperty"
      product_id    = "prd_Object_Delivery"
      contract_id   = "C-0N7RAC7"
      group_id      = "12345"
      rule_format   = "v2025-07-07"
      version_notes = "Sample notes"
      rules         = file("${path.root}/property-snippets/main.json")
      hostnames {
         cname_from             = "example.com"
         cname_to               = "example.com.edgekey.net"
         cert_provisioning_type = "CCM"
         ccm_certificates {
            ecdsa_cert_id = akamai_cloudcertificates_upload_signed_certificate.example-upload.certificate_id
         }
      }
   }
   

2. Run terraform plan to check syntax and terraform apply to confirm the binding.

5. Activate a property

To activate the property containing the certificate bound to a property hostname, provide a value for the network, STAGING or PRODUCTION, and activate your property.

resource "akamai_property_activation" "my_staging_activation" {
  property_id                    = "prp_12345"
  contact                        = ["jsmith@example.com"]
  version                        = akamai_property.my_property.latest_version
  network                        = "STAGING"
  note                           = "Activating my property on staging"
  auto_acknowledge_rule_warnings = false
}

Other actions

Renew a certificate

If the current key on your CCM certificate is compromised, you can replace it with a new certificate for the same domain. To do that:

1. Create a new CCM certificate with the same input data. It must be added alongside the existing certificate.
2. Sign your new certificate and upload it.
3. Point to the new certificate in the property hostname by referencing the certificate's ID from the akamai_cloudcertificates_upload_signed_certificate resource.
4. Activate your property containing the new certificate.

You can safely remove your previous certificate only after the new certificate is fully active and bound to a property hostname.

Delete a certificate

You can delete the certificate only when it's not in use by any property activated on the staging or production network. Run the akamai_cloudcertificates_hostname_bindings resource to check if it's in use.

Before removing the certificate, first unbind it from the property hostname in the akamai_property resource. Then delete the CCM certificate resource by running terraform destroy.