Provision certificates

Increase your customers' trust, encrypt sensitive information, and improve SEO rankings using SSL/TLS Domain Validation certificates that securely deliver content to and from your site.

Use the Secure by Default workflow to automatically provision and request default DV certificates for up to 1000 hostnames from within your property.
  1. Create an Edge hostname.
  2. Set the hostnames.cert_provisioning_type argument of your property resource to DEFAULT.
To learn more about or get access to Secure by Default, contact your account team.

What you'll do

Create or modify an Akamai-managed domain validation or third-party certificate and upload the certification requirements to your account.

Get a contract ID

To identify what contract you'll work against, add the contracts data source to your Akamai configuration to get a list of available contracts associated with your account.

data "akamai_contracts" "my-contracts" {

output "property_match" {
  value =

Akamai-managed enrollments

1. Create a Domain Validated enrollment


You can import an existing enrollment(s) and make adjustments using the import command on the akamai_cps_dv_enrollment resource. Add a name, your enrollment_id and contract_id as a comma-delimited string of the to the end of the command.
$ terraform import 12345,A-12345

Create an enrollment, the core configuration for CPS, and define your certificate's life cycle.

  1. Add your contract ID to the akamai_cps_dv_enrollment resource and provide information about your certificate.
  2. Run terraform plan to check your syntax and review the total set of changes you're making and then run terraform apply to create your enrollment.

The response will return the certificate signing request (CSR) challenges you need to validate control over your domains.

2. Validate control over your domains

When you create or modify a DV enrollment, it triggers a certificate signing request (CSR). CPS automatically sends it to Let's Encrypt for signing, and Let's Encrypt sends back a challenge for each domain listed on your certificate.

To answer the challenge, prove that you have control over the domains listed in the CSR by redirecting your traffic to Akamai, and then we complete the challenge process for you by detecting the redirect.

  • For http_challenges, create a file with a token and put it in the designated folder on your site. Once Akamai detects the file is in place, it asks Let's Encrypt to validate the domain.
  • For dns_challenges, add a TXT record to the DNS configuration of your domain. If you're using the Edge DNS subprovider, you can create DNS records for the provided SANs from the same config file.


If the challenge token expires, run terraform-apply again to pull the latest token. Even though Terraform doesn't automatically notify you of any updates to tokens, you can set outputs for dns_challenges and http_challenges. If applicable, terraform-apply returns new values for those arrays.

3. Send the validation acknowledgement

Once you complete the Let's Encrypt challenges, let CPS know your tokens are ready for validation.

  1. Use the akamai_cps_dv_validation resource to send the acknowledgement to CPS.

      resource "akamai_cps_dv_validation" "example" {
      enrollment_id =
      sans = akamai_cps_dv_enrollment.example.sans
  2. Run terraform plan to check your syntax and review the total set of changes you're making and then run terraform apply to apply your changes to your infrastructure.

Third-party enrollments

1. Create a third-party enrollment

To create a third-party enrollment, use your contract ID to define your certificate's life cycle and create your enrollment with the akamai_cps_third_party_enrollment resource.

Once you've set up the resource, run terraform plan to check your syntax and review the total set of changes you're making.

Run terraform apply to apply your changes to your infrastructure and begin domain validation.

2. Get CSR and keys

When you create or modify a third-party DV enrollment, it triggers a PEM-formatted certificate signing request (CSR) with all the information the certificate authority (CA) needs to issue your certificate. CPS encodes the CSR with a private key using either the RSA or the ECDSA algorithm.

  1. Send your enrollment ID in the akamai_cps_csr data source and run terraform plan to get the CSR(s) for your enrollment.

    data "akamai_cps_csr" "example" {
      enrollment_id = 12345

    If you're using dual-stacked certificates, you'll see data for both ECDSA and RSA keys.


    Dual-stacked certificates are enabled by default for third-party enrollments.

  2. Send the CSR(s) to a CA for signing.



    Use the acme provider along with tls_private_key, acme_registration1, acme_certificate. acme also supports maintenance of challenges through dns_challenge.

3. Upload your signed certificate

Once you have your signed certificate, upload it and your trust chain to CPS.

  1. Use the akamai_cps_upload_certificate to upload your certificate for deployment. These certificates must be in PEM format. If they were returned to you in a different format, convert them to PEM format using an SSL converter.

    resource "akamai_cps_upload_certificate" "upload_cert" {
      enrollment_id                          = 12345
      certificate_ecdsa_pem                  = example_cert_ecdsa.pem
      trust_chain_ecdsa_pem                  = example_trust_chain_ecdsa.pem
      acknowledge_post_verification_warnings = true
      acknowledge_change_management          = true
      wait_for_deployment                    = true
  2. Run terraform plan to check your syntax and review the total set of changes you're making and then terraform apply to apply your changes to your infrastructure and upload your certificates in staging using the ChangeManagement object first, activating it for the production environment after you've tested.

Manage enrollments

Modify Subject Alternate Names

In existing enrollments, you can add, modify, and remove existing Subject Alternate Names for your domain. These operations require another domain validation check.

Modify deployed enrollments

You can edit your network deployment settings for a certificate that is in progress or active on the network.

  1. Get the needed certificate by sending the enrollment ID in the akamai_cps_deployments.

    data "akamai_cps_deployments" "example" {
      enrollment_id = 12345
  2. Make edits.

  3. Use the akamai_cps_upload_certificate to redeploy your certificate to the network.