Manage certificate authority sets
Currently, mTLS Edge Truststore is available only to selected customers.
Create and activate certificate authority (CA) sets, also known as virtual certificate truststores, which store CA certificates used to validate client TLS certificates. By binding a CA set with your edge certificates, you enable a secure, mutual authentication (mTLS) session between a client and Akamai edge servers.
You can configure up to 200 CA sets per account, 100 versions per CA set, and 300 certificates per CA set version.
1. Prep
To create and use CA sets for an mTLS session, you need properties and edge certificates.
Note: mTLS doesn't support edge hostnames secured with Akamai's shared certificates.
-
Export the properties to get a rule format and rule tree you want to link a CA set to.
Optionally, add the
--rules-as-hclcommand flag to export the property rules as anakamai_property_rules_builderdata source.akamai terraform --edgerc {location-of-your-edgerc-file} --section {section-of-edgerc-to-use} export-property --rules-as-hcl {"your-property-name"} -
Export edge certificates.
akamai terraform --edgerc {location-of-your-edgerc-file} --section {section-of-edgerc-to-use} export-cps {"your-enrollment-id"} {"your-contract-id"} -
After each export, run the included import script (
import.sh) to populate your Terraform state and prevent Terraform from attempting to recreate your assets.
2. Create or import a CA set and version
Create new
To create a new CA set, provide a name for it and include at least one valid, PEM-formatted certificate in the certificates argument. You can also add an optional description. The CA set version is created implicitly.
By default, the version's certificates need a signature algorithm of SHA-256 or better. If you want to use certificates with SHA-1 (insecure) signatures, you can enable them with the allow_insecure_sha1 argument.
Tip
A signed certificate that you add to the CA set version doesn't need to come from Certificate Provisioning System (CPS). Certificates from other trusted global CAs, like DigiCert, GlobalSign, or Entrust, are also accepted. Alternatively, you can use certificates issued by your organization's internal CA.
For testing purposes, you can use Hashicorp’s tls_self_signed_cert resource. See the
terraform-provider-akamairepository for an example configuration.
resource "akamai_mtlstruststore_ca_set" "my-ca-set" {
name = "my-ca-set"
certificates = [
{
certificate_pem = <<-EOT
-----BEGIN CERTIFICATE-----
MIID <sample - removed for readability> .... Mweq
-----END CERTIFICATE-----
EOT
description = "Test certificate"
}
]
}
You can have up to 100 versions on a single CA set. If you reach the limit, you need to create a new CA set.
Import a CA set
When working with an existing CA set, you can import it with its related version details and activations (if present).
-
Get a list of CA sets with the
akamai_mtlstruststore_ca_setsdata source to find the CA set's name you want.data "akamai_mtlstruststore_ca_sets" "my-ca-sets" {} output "my-ca-sets" { value = data.akamai_mtlstruststore_ca_sets.my-ca-sets }my-ca-sets = { activated_on = null ca_sets = [ { account_id = "A-CCT1234" created_by = "jsmith" created_date = "2025-01-04T11:43:15.578752Z" deleted_by = null deleted_date = null description = "Testing a new CA set" id = "12345" latest_version = 3 name = "test_ca-set-1" production_version = 1 staging_version = 2 status = "NOT_DELETED" }, { account_id = "A-CCT1234" created_by = "jasmith" created_date = "2025-03-30T17:48:47.899306Z" deleted_by = null deleted_date = null description = "Testing another CA set" id = "98765" latest_version = 1 name = "test_ca-set-2" production_version = null staging_version = 1 status = "NOT_DELETED" }, ] name_prefix = null } -
Export an existing CA set with all its versions and the CA set activation resource by passing the CA set's name in the
export-mtls-truststorecommand.Optionally, add the
--versioncommand flag to export a specific CA set version.akamai terraform --edgerc {location-of-your-edgerc-file} --section {section-of-edgerc-to-use} export-mtls-truststore [--version {your-ca-set-version-number}] {"your-ca-set-name"} -
Run the included import script (
import.sh) to populate your Terraform state and prevent Terraform from attempting to recreate your assets.
3. Activate a CA set version
A new CA set version needs to be activated on staging and production networks before it can be linked to any edge certificate.
You can activate the version with the akamai_mtlstruststore_ca_set_activation resource by specifying the CA set's ID, version, and network of activation, STAGING or PRODUCTION.
Here are several things to take into account when activating a CA set version:
- The CA set activation resource can only activate a CA set version on one network, staging or production. To activate on both, you need to instantiate two separate resources.
- Processing the CA set activation takes about 12–15 minutes on each network.
- A new activation automatically replaces an old activation.
resource "akamai_mtlstruststore_ca_set_activation" "my-ca-set-activation-staging" {
ca_set_id = "12345"
network = "STAGING"
version = 1
}
4. Set up mutual authentication
After you activate your CA set, set up mutual authentication in Certificate Provisioning System (CPS) to bind your CA certificates to the CPS enrollment. You can do this by adding the CA set ID to the network_configuration.client_mutual_authentication.set_id argument of the akamai_cps_dv_enrollment or akamai_cps_third_party_enrollment resource. The CA set ID that you reference in the network_configuration.client_mutual_authentication.set_id argument must come from the akamai_mtlstruststore_ca_set_activation resource.
Currently, you can perform this binding only if the CA set has active versions on both the staging and production networks. This includes scenarios where the same version is active on both networks or different versions are active on each network.
Note: You can't set up your mTLS configuration on the staging network only, including activating the property and CA set solely on staging. This is because, for a CPS enrollment to work properly, the CA set must be activated on the production network.
If you want to remove your mTLS Truststore configuration at some point, first delete the enrollment resource. Only then you can remove both CA set activation resources. This order is necessary because the enrollment uses data from both staging and production CA set activations.
In the example, the enrollment directly depends on the staging activation. As a result, the staging activation will be removed only after the enrollment is gone. To prevent the production activation from being destroyed too soon, add an explicit depends_on block on the production activation. This way, both activations are deleted only after the enrollment is removed. You can also adjust this setup the other way around. The enrollment can directly refer to the production activation, with depends_on on the staging activation.
resource "akamai_cps_dv_enrollment" "my-enrollment" {
depends_on = [
akamai_mtlstruststore_ca_set_activation.my-ca-set-activation-production
]
contract_id = "C-0N7RAC7"
acknowledge_pre_verification_warnings = true
common_name = "my-site.com"
sans = ["san1.my-site.com", "san2.my-site.com"]
secure_network = "enhanced-tls"
sni_only = true
timeouts {
default = "1h"
}
admin_contact {
first_name = "John"
last_name = "Smith"
phone = "1-617-555-6789"
email = "jsmith@example.com"
address_line_one = "1234 Main St."
address_line_two = "Suite 123"
city = "Cambridge"
country_code = "US"
organization = "Main Street Corporation"
postal_code = "02142"
region = "MA"
title = "Director of Operations"
}
tech_contact {
first_name = "Janet"
last_name = "Smithson"
phone = "1-617-555-6789"
email = "jsmithson@example.com"
address_line_one = "1234 Main St."
address_line_two = "Suite 123"
city = "Cambridge"
country_code = "US"
organization = "Main Street Corporation"
postal_code = "02142"
region = "MA"
title = "Director of Platform Services"
}
certificate_chain_type = "default"
csr {
country_code = "US"
city = "Cambridge"
organization = "Main Street Corporation"
organizational_unit = "IT"
state = "MA"
}
network_configuration {
client_mutual_authentication {
set_id = akamai_mtlstruststore_ca_set_activation.my-ca-set-activation-staging.ca_set_id
send_ca_list_to_client = true
ocsp_enabled = true
}
disallowed_tls_versions = ["TLSv1", "TLSv1_1"]
clone_dns_names = true
geography = "core"
ocsp_stapling = "on"
preferred_ciphers = "ak-akamai-2020q1"
must_have_ciphers = "ak-akamai-2020q1"
quic_enabled = false
}
signature_algorithm = "SHA-256"
organization {
name = "Main Street Corporation"
phone = "1-617-555-6789"
address_line_one = "1234 Main St."
address_line_two = "Suite 123"
city = "Cambridge"
country_code = "US"
postal_code = "02142"
region = "MA"
}
}
Additionally, add a depends_on block to point to the CPS enrollment resource in the edge hostname resource. This ensures the safe deletion of the enrollment linked to a CA set and to a property. Otherwise, your traffic won't be secure anymore. See Delete a CA set and version for details.
resource "akamai_edge_hostname" "aka_edgehost" {
depends_on = [
akamai_cps_third_party_enrollment.my-cps-enrollment
]
contract_id = "C-0N7RAC7"
group_id = "12345"
product_id = "prd_Object_Delivery"
edge_hostname = "example.com.edgekey.net"
ip_behavior = "IPV4"
}
5. Add property behaviors
Configure your property to point to the CA set ID you want to use to establish an mTLS session.
Basic settings
You can apply a simple rule to deny requests to a specific hostname if they don't properly apply mTLS. In this case, to your property rules' main.json file:
-
Add the
request_headercriterion.data "akamai_property_rules_builder" "request_header" { rules_v2025_02_18 { name = "Request Header" comments = "Matches the hostname name or value passed with the request." criterion { request_header { match_wildcard_name = false match_operator = "IS_ONE_OF" header_name = "test" values = ["ON",] match_wildcard_value = false match_case_sensitive_value = true } } } }{ "criterion": [ { "name": "requestHeader", "options": { "matchWildcardName": false, "matchOperator": "IS_ONE_OF", "headerName": "test", "values": ["ON"], "matchWildcardValue": false, "matchCaseSensitiveValue": true } } ] } -
Add the
enforce_mtls_settingsbehavior. For this behavior:- Set the
enable_auth_setargument totrueto enforce CA sets. - In the
certificate_authority_setargument, provide the CA set IDs that are bound to the edge certificate in CPS. - Enable the optional online certificate support protocol (OCSP) status if the certificates you're using in your CA set (for client requests) and your edge certificates in CPS (for the server response) use OCSP.
- Enable the optional deny request setting to deny any request for the specified secure hostname that doesn't match the settings applied in this behavior. A request doesn't match and isn't allowed if both of the following apply:
- The CA sets you've provided in this behavior aren't bound to the edge certificate you've included in your secure hostname.
- The OCSP setting in your edge certificate doesn't match what you've set in this behavior. For example, if it's disabled in this behavior, but enabled in your edge certificate, then the request is denied.
data "akamai_property_rules_builder" "enforce_mtls_settings" { rules_v2025_02_18 { name = "Enforce mTLS settings" comments = "Repeats mTLS validation checks between a requesting client and the edge network." behavior { enforce_mtls_settings { certificate_authority_set = ["12345", ] enable_auth_set = true enable_deny_request = true enable_ocsp_status = true } } } }{ "behaviors": [ { "name": "enforceMtlsSettings", "options": { "certificateAuthoritySet": [ "12345" ], "enableAuthSet": true, "enableDenyRequest": true, "enableOcspStatus": true } } ] } - Set the
Custom settings
You can apply some custom rules to your mTLS settings. That includes:
- A parent rule to enforce mTLS settings.
- Two nested child rules to handle mismatched requests.
With this setup, successful requests pass through client certificate information via headers for transitive trust between the client and your origin server. Also, non-matching requests are allowed but logged for analysis in the Log Delivery Service report.
To set this up:
-
Add the
request_headercriterion. -
Add the
enforce_mtls_settingsbehavior. In this case:-
Set the
enable_auth_setargument totrueto enforce CA sets. -
In the
certificate_authority_setargument, provide the CA set IDs that are bound to the edge certificate in CPS. -
Enable the optional online certificate support protocol (OCSP) status if the certificates you're using in your CA set (for client requests) and your edge certificates in CPS (for the server response) use OCSP.
-
Disable the optional deny request setting to allow any request for the specified secure hostname that matches or doesn't match the settings applied in this behavior. For requests that don't match the settings, you'll incorporate custom settings through other rules. A request doesn't match and isn't allowed if either of the following applies:
- The CA sets you've provided in this behavior aren't bound to the edge certificate you've included in your secure hostname.
- The OCSP setting in your edge certificate doesn't match what you've set in this behavior. For example, if it's disabled in this behavior, but enabled in your edge certificate, then the request is denied.
data "akamai_property_rules_builder" "enforce_mtls_settings" { rules_v2025_02_18 { name = "Enforce mTLS settings" comments = "Repeats mTLS validation checks between a requesting client and the edge network." behavior { enforce_mtls_settings { certificate_authority_set = ["12345", ] enable_auth_set = true enable_deny_request = false enable_ocsp_status = true } } } }{ "behaviors": [ { "name": "enforceMtlsSettings", "options": { "certificateAuthoritySet": [ "12345" ], "enableAuthSet": true, "enableDenyRequest": false, "enableOcspStatus": true } } ] } -
-
Add the
client_certificatecriterion. For this criterion:- Set the
is_certificate_presentargument totrueto execute rule behaviors only if a client certificate authenticates requests. - Set the
is_certificate_validargument toVALIDto match when the certificate is valid. - Set the
enforce_mtlsargument totrueto specify custom handling of requests if any of the checks in theenforce_mtls_settingsbehavior fail.
data "akamai_property_rules_builder" "client_certificate" { rules_v2025_02_18 { name = "Client certificate" comments = "Matches whether you have configured a client certificate to authenticate requests to edge servers." criterion { client_certificate { is_certificate_present = true is_certificate_valid = "VALID" enforce_mtls = true } } } }{ "criterion": [ { "name": "clientCertificate", "options": { "isCertificatePresent": true, "isCertificateValid": "VALID", "enforceMtls": true } } ] } - Set the
-
Add the
client_certificate_authbehavior as a child rule to forward client certificate details to your origin server as headers. For this behavior:- Set the
enableargument totrueso that the property can build theClient-To-Edgeauthentication header using information from the client to edge mTLS handshake and forward it to your origin. - If you disable the
enable_complete_client_certificateattribute, specifyclient_certificate_attributesto include in theClient-To-Edgeauthentication header that's sent to your origin server. - Set the
enable_client_certificate_validation_statusargument totrueto include the current validation status of the client certificate in theClient-To-Edgeauthentication header.
data "akamai_property_rules_builder" "client_certificate_auth" { rules_v2025_02_18 { name = "Client Certificate Authentication" comments = "Establishes transitive trust between the client and your origin server." behavior { client_certificate_auth { client_certificate_attributes = ["SHA256_FINGERPRINT", ] enable = true enable_client_certificate_validation_status = true enable_complete_client_certificate = false } } } }{ "behaviors": [ { "name": "clientCertificateAuth", "options": { "clientCertificateAttributes": [ "SHA256_FINGERPRINT" ], "enable": true, "enableClientCertificateValidationStatus": true, "enableCompleteClientCertificate": false } } ] } - Set the
-
Add the
log_custombehavior as another child rule to generate log data for mismatched mTLS certificate requests. For this behavior:- Set the
log_custom_log_fieldargument totrueto include what's set in the custom log field. - In the
custom_log_fieldargument, specify the additional data field you want to append to each log line.
data "akamai_property_rules_builder" "log_custom" { rules_v2025_02_18 { name = "Log Custom Details" comments = "Logs custom details from the origin response in the Log Delivery Service report." behavior { log_custom { log_custom_log_field = true custom_log_field = "invalid_mTLS" } } } }{ "behaviors": [ { "name": "logCustom", "options": { "logCustomLogField": true, "customLogField": "invalid_mTLS" } } ] } - Set the
Add rules to a property
If you store your rules in the akamai_property_rules_builder data source, point to that data source in your property.
resource "akamai_property" "my_property" {
name = "MyProperty"
product_id = "prd_Object_Delivery"
contract_id = "C-0N7RAC7"
group_id = "12345"
rule_format = "v2025_02_18"
rules = data.akamai_property_rules_builder.my-rules.json
hostnames {
cname_from = "example.com"
cname_to = "example.com.edgekey.net"
cert_provisioning_type = "DEFAULT"
}
}
data "akamai_property_rules_builder" "my-rules" {
rules_v2025_02_18 {
name = "default"
is_secure = false
behavior {
origin_characteristics {
authentication_method = "AUTOMATIC"
authentication_method_title = ""
country = "UNKNOWN"
origin_location_title = ""
}
}
behavior {
origin {
cache_key_hostname = "ORIGIN_HOSTNAME"
compress = true
enable_true_client_ip = true
forward_host_header = "REQUEST_HOST_HEADER"
hostname = "example.com"
http_port = 80
https_port = 443
ip_version = "IPV4"
min_tls_version = "DYNAMIC"
origin_certificate = ""
origin_sni = true
origin_type = "CUSTOMER"
ports = ""
tls_version_title = ""
true_client_ip_client_setting = false
true_client_ip_header = "True-Client-IP"
verification_mode = "PLATFORM_SETTINGS"
}
}
behavior {
cp_code {
value {
id = 12345
}
}
}
behavior {
http3 {
enable = false
}
}
behavior {
caching {
behavior = "MAX_AGE"
must_revalidate = false
ttl = "50000s"
}
}
children = [
data.akamai_property_rules_builder.basic-mtls-settings.json,
]
}
}
data "akamai_property_rules_builder" "basic-mtls-settings" {
rules_v2025_02_18 {
name = "Basic mTLS enforcement settings"
criteria_must_satisfy = "any"
criterion {
request_header {
match_wildcard_name = false
match_operator = "IS_ONE_OF"
header_name = "test"
values = ["ON", ]
match_wildcard_value = false
match_case_sensitive_value = true
}
}
behavior {
enforce_mtls_settings {
certificate_authority_set = [akamai_mtlstruststore_ca_set_activation.my-ca-set-activation-production.ca_set_id, ]
enable_auth_set = true
enable_deny_request = false
enable_ocsp_status = true
}
}
children = [
data.akamai_property_rules_builder.custom-mtls-settings.json,
]
}
}
data "akamai_property_rules_builder" "custom-mtls-settings" {
rules_v2025_02_18 {
name = "Custom mTLS enforcement settings"
criteria_must_satisfy = "all"
criterion {
client_certificate {
is_certificate_present = true
is_certificate_valid = "VALID"
enforce_mtls = true
}
}
behavior {
client_certificate_auth {
client_certificate_attributes = ["SHA256_FINGERPRINT", ]
enable = true
enable_client_certificate_validation_status = true
enable_complete_client_certificate = false
}
}
behavior {
log_custom {
log_custom_log_field = true
custom_log_field = "invalid_mTLS"
}
}
}
}
If you store your rules in JSON format, point to the rules in the akamai_property_rules_template data source and reference it in your property.
data "akamai_property_rules_template" "rules" {
template_file = abspath("${path.module}/property-snippets/main.json")
}
resource "akamai_property" "my_property" {
name = "MyProperty"
product_id = "prd_Object_Delivery"
contract_id = "C-0N7RAC7"
group_id = "12345"
rule_format = "v2025_02_18"
rules = data.akamai_property_rules_template.my-rules.json
hostnames {
cname_from = "example.com"
cname_to = "example.com.edgekey.net"
cert_provisioning_type = "DEFAULT"
}
}
{
"accountId": "act_A-CCT1234",
"contractId": "ctr_C-0N7RAC7",
"groupId": "grp_12345",
"ruleFormat": "v2024_05_31",
"propertyId": "prp_12345",
"propertyName": "MyProperty",
"propertyVersion": 16,
"rules": {
"name": "default",
"children": [
{
"name": "Basic mTLS enforcement settings",
"children": [
{
"name": "Custom mTLS enforcement settings",
"children": [],
"behaviors": [
{
"name": "clientCertificateAuth",
"options": {
"clientCertificateAttributes": [
"SHA256_FINGERPRINT"
],
"enable": true,
"enableClientCertificateValidationStatus": true,
"enableCompleteClientCertificate": false
}
},
{
"name": "logCustom",
"options": {
"customLogField": "invalid_mTLS",
"logCustomLogField": true
}
}
],
"criteria": [
{
"name": "clientCertificate",
"options": {
"enforceMtls": true,
"isCertificatePresent": true,
"isCertificateValid": "VALID"
}
}
],
"criteriaMustSatisfy": "all"
}
],
"behaviors": [
{
"name": "enforceMtlsSettings",
"options": {
"certificateAuthoritySet": [
"12345"
],
"enableAuthSet": true,
"enableDenyRequest": false,
"enableOcspStatus": true
}
}
],
"criteria": [
{
"name": "requestHeader",
"options": {
"headerName": "test",
"matchCaseSensitiveValue": true,
"matchOperator": "IS_ONE_OF",
"matchWildcardName": false,
"matchWildcardValue": false,
"values": [
"ON"
]
}
}
],
"criteriaMustSatisfy": "any"
}
],
"behaviors": [
{
"name": "origin",
"options": {
"cacheKeyHostname": "ORIGIN_HOSTNAME",
"compress": true,
"enableTrueClientIp": true,
"forwardHostHeader": "REQUEST_HOST_HEADER",
"hostname": "example.com",
"httpPort": 80,
"httpsPort": 443,
"ipVersion": "IPV4",
"minTlsVersion": "DYNAMIC",
"originCertificate": "",
"originSni": true,
"originType": "CUSTOMER",
"ports": "",
"tlsVersionTitle": "",
"trueClientIpClientSetting": false,
"trueClientIpHeader": "True-Client-IP",
"verificationMode": "PLATFORM_SETTINGS"
}
},
{
"name": "http3",
"options": {
"enable": false
}
},
{
"name": "originCharacteristics",
"options": {
"authenticationMethod": "AUTOMATIC",
"authenticationMethodTitle": "",
"country": "UNKNOWN",
"originLocationTitle": ""
}
},
{
"name": "cpCode",
"options": {
"value": {
"id": 12345
}
}
},
{
"name": "caching",
"options": {
"behavior": "MAX_AGE",
"mustRevalidate": false,
"ttl": "50000s"
}
}
],
"options": {
"is_secure": false
},
"variables": []
}
}
6. Activate a property
To activate the property containing your newly added CA set version, provide a value for the network, STAGING or PRODUCTION, and activate your property.
resource "akamai_property_activation" "my_staging_activation" {
property_id = "prp_12345"
contact = ["jsmith@example.com"]
version = akamai_property.my_property.latest_version
network = "STAGING"
note = "Activating my property on staging"
auto_acknowledge_rule_warnings = false
}
Other actions
Update a CA set and version
You can't update a CA set's name or description in the created akamai_mtlstruststore_ca_set resource.
Before updating a CA set version, you can use the akamai_mtlstruststore_ca_set_certificates data source to verify whether the CA set has any expired or about-to-expire certificates.
Updating a CA set version's details can happen in two ways:
- If the version hasn't been activated, the update applies directly to that version.
- If the version is already activated, updating its details creates a new version by cloning an existing one.
If a CA set version was activated and then deactivated, it can’t be modified. Any change would implicitly trigger the creation of a new version.
If you want to perform a bulk rotation of certificates within a CA set version without hitting the maximum limit of 300 certificates per CA set, we recommend adding no more than 150 certificates at a time, including both old and new ones. This way, you can efficiently add a new version of up to 150 certificates without exceeding the total limit.
Deactivate a CA set version
Before deactivating a CA set version from all networks, make sure the CA set that this version belongs to is unbound from a slot in Certificate Provisioning System (CPS). To verify if the CA set is bound to any certificate in CPS, run the akamai_mtlstruststore_ca_set_associations data source.
Use the akamai_mtlstruststore_ca_set_activation resource to deactivate a CA set version from the staging or production network by running terraform destroy.
Delete a CA set and version
Before removing the CA set, first remove it from your property in the enforce_mtls_settings behavior. Next, unbind the CA set from the certificate in Certificate Provisioning System (CPS). If you don’t, your service will become disabled for requests to your property.
To verify if the CA set is currently bound to any certificate in CPS, run the akamai_mtlstruststore_ca_set_associations data source. If the enrollments attribute returns any records, the CA set is in use. This data source also returns properties. However, this attribute only applies when a CA set is linked to property hostnames via a CCM (Cloud Certificate Manager) certificate.
Warning: Impact to Property Behavior
If you delete a certificate enrollment that's linked to a CA set and used in a property hostname, requests to your property may stop working correctly. CPS doesn't currently provide warnings before or after deleting an enrollment.
To avoid unintentionally removing a certificate from a property, delete items in this order:
- Delete the property hostname.
- Remove the
enforce_mtls_settingsbehavior from the property's rule tree.- Delete the CPS enrollment.
- Deactivate the CA set and remove it.
You can't remove certificates from a CA set version if it's active on any network, or the CA set version has in-progress deployment requests on any network. You also can’t remove all the certificates from the CA set version because mTLS Edge Truststore doesn't accept a version without a certificate.
You can delete a CA set only after deactivating its versions. If there are active versions, deactivate them first, then delete the CA set. The whole CA set resource's delete operation is initiated separately for each network. If it's processed correctly on one network but fails on another network, you need to retry the delete.
As to the CA set versions, you can't delete them. You can only deactivate them. Any existing versions will be removed implicitly during the CA set removal.
When you delete the CA set, it's removed from both staging and production networks and marked as DELETED. The deleted CA set is rendered as read-only and can’t be reactivated.
Updated 8 days ago