Provision certificates
Increase your customers' trust, encrypt sensitive information, and improve SEO rankings using SSL/TLS Domain Validation certificates that securely deliver content to and from your site.
Before you begin
- Understand the basics of Terraform.
- Complete the steps in Get started.
- Set up a secure property.
What you'll do
Create or modify an Akamai-managed domain validation (DV) or third-party certificate enrollment, answer the domain validation challenges, and upload the signed certificate and its trust chain to your account.
Get a contract ID
To identify what contract you'll work against, add the contracts data source to your Akamai configuration to get a list of available contracts associated with your account.
```hcl
data "akamai_contracts" "my-contracts" {
}

output "property_match" {
  value = data.akamai_contracts.my-contracts
}
```
Akamai-managed enrollments
1. Create a Domain Validated enrollment
You can import an existing enrollment and make adjustments to it with the `terraform import` command on the `akamai_cps_dv_enrollment` resource. Give the resource address, then your `enrollment_id` and `contract_id` as a comma-delimited string at the end of the command:

```shell
$ terraform import akamai_cps_dv_enrollment.name 12345,A-12345
```
Create an enrollment, the core configuration for CPS, and define your certificate's life cycle.
- Add your contract ID to the `akamai_cps_dv_enrollment` resource and provide information about your certificate.
- Run `terraform plan` to check your syntax and review the total set of changes you're making, then run `terraform apply` to create your enrollment.
After the apply, the enrollment's computed `http_challenges` and `dns_challenges` attributes hold the domain validation challenges you need to answer to prove control over your domains.
2. Validate control over your domains
When you create or modify a DV enrollment, it triggers a certificate signing request (CSR). CPS sends the CSR to Let's Encrypt for signing, and Let's Encrypt returns a challenge for each domain listed on your certificate.
To answer the challenges, prove that you control every domain in the CSR. The domain's traffic must be routed to Akamai; once Akamai detects your answer, it completes the challenge with Let's Encrypt for you.
- For `http_challenges`, create a file containing the token and put it at the designated path on your site. Once Akamai detects the file is in place, it asks Let's Encrypt to validate the domain.
- For `dns_challenges`, add a `TXT` record to your domain's DNS zone. If you're using the Edge DNS subprovider, you can create the DNS records for the provided SANs from the same configuration file.
If a challenge token expires, run `terraform apply` again to pull the latest token. Terraform doesn't notify you when tokens change, but you can set outputs for `dns_challenges` and `http_challenges`; when new tokens are issued, `terraform apply` returns new values for those arrays.
3. Send the validation acknowledgement
Once you complete the Let's Encrypt challenges, let CPS know your tokens are ready for validation.
- Use the `akamai_cps_dv_validation` resource to send the acknowledgement to CPS.

```hcl
resource "akamai_cps_dv_validation" "example" {
  enrollment_id = akamai_cps_dv_enrollment.example.id
  sans          = akamai_cps_dv_enrollment.example.sans
}
```

- Run `terraform plan` to check your syntax and review the total set of changes you're making, then run `terraform apply` to apply your changes to your infrastructure.
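The three steps above as one configuration, added here as an example (it is not code from the Akamai documentation or the provider): a DV enrollment, one Edge DNS `TXT` record per returned DNS challenge, and the validation acknowledgement that waits for those records. The contract ID, zone, domain names and contact details are placeholders; attribute names follow the `akamai` provider schema for `akamai_cps_dv_enrollment`, `akamai_dns_record` and `akamai_cps_dv_validation` as documented, so check them against the provider version you run.

```hcl
# Added example, not from the Akamai docs. Contract, zone, domains and
# contacts below are placeholders.
terraform {
  required_providers {
    akamai = { source = "akamai/akamai" }
  }
}

resource "akamai_cps_dv_enrollment" "example" {
  contract_id         = "C-0N7RAC7"
  common_name         = "www.example.net"
  sans                = ["api.example.net"]
  secure_network      = "enhanced-tls"
  sni_only            = true
  signature_algorithm = "SHA-256"
  # Keep false so a pre-verification warning stops the run instead of being
  # accepted unread; set to true only after you have looked at the warning.
  acknowledge_pre_verification_warnings = false

  admin_contact {
    first_name       = "Ada"
    last_name        = "Admin"
    email            = "certs-admin@example.net"
    phone            = "+1-555-0100"
    organization     = "Example Corp"
    address_line_one = "1 Example Way"
    city             = "Cambridge"
    region           = "MA"
    postal_code      = "02142"
    country_code     = "US"
  }

  tech_contact {
    first_name       = "Tom"
    last_name        = "Tech"
    email            = "certs-tech@example.net"
    phone            = "+1-555-0101"
    organization     = "Example Corp"
    address_line_one = "1 Example Way"
    city             = "Cambridge"
    region           = "MA"
    postal_code      = "02142"
    country_code     = "US"
  }

  organization {
    name             = "Example Corp"
    phone            = "+1-555-0100"
    address_line_one = "1 Example Way"
    city             = "Cambridge"
    region           = "MA"
    postal_code      = "02142"
    country_code     = "US"
  }

  csr {
    country_code        = "US"
    state               = "MA"
    city                = "Cambridge"
    organization        = "Example Corp"
    organizational_unit = "Security"
  }

  network_configuration {
    geography               = "core"
    disallowed_tls_versions = ["TLSv1", "TLSv1_1"] # refuse legacy TLS at the edge
    must_have_ciphers       = "ak-akamai-2020q1"
    preferred_ciphers       = "ak-akamai-2020q1"
    ocsp_stapling           = "on"
    quic_enabled            = false
    clone_dns_names         = false
  }
}

# One TXT record per challenge CPS returned (common name and each SAN). The
# record name and token are taken from the challenge itself, so a re-apply
# that pulls a fresh token updates the record in place.
resource "akamai_dns_record" "acme_challenge" {
  for_each = {
    for c in akamai_cps_dv_enrollment.example.dns_challenges : c.domain => c
  }
  zone       = "example.net"
  name       = each.value.full_path
  recordtype = "TXT"
  ttl        = 60
  target     = [each.value.response_body]
}

# Send the acknowledgement only after the records exist, so Let's Encrypt
# finds them on its first lookup.
resource "akamai_cps_dv_validation" "example" {
  enrollment_id = akamai_cps_dv_enrollment.example.id
  sans          = akamai_cps_dv_enrollment.example.sans
  depends_on    = [akamai_dns_record.acme_challenge]
}
```

Because the `for_each` keys come from the enrollment's computed `dns_challenges`, Terraform cannot evaluate them until the enrollment exists: on the first run, apply with `-target=akamai_cps_dv_enrollment.example`, then run a plain `terraform apply` to create the records and send the acknowledgement. Later applies pick up new tokens as described above, and once the challenges are no longer returned the records are removed.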
Third-party enrollments
1. Create a third-party enrollment
To create a third-party enrollment, use your contract ID to define your certificate's life cycle and create your enrollment with the akamai_cps_third_party_enrollment resource.
Once you've set up the resource, run `terraform plan` to check your syntax and review the total set of changes you're making.
Run `terraform apply` to apply your changes to your infrastructure and begin domain validation.
2. Get CSR and keys
When you create or modify a third-party enrollment, CPS generates a PEM-formatted certificate signing request (CSR) with all the information the certificate authority (CA) needs to issue your certificate. CPS generates the key pair (RSA or ECDSA) and signs the CSR with the private key; the private key stays in CPS, which is why you later upload only the signed certificate and its chain.
- Send your enrollment ID in the `akamai_cps_csr` data source and run `terraform plan` to get the CSR(s) for your enrollment.

```hcl
data "akamai_cps_csr" "example" {
  enrollment_id = 12345
}
```

If you're using dual-stacked certificates, you'll see data for both ECDSA and RSA keys.
Dual-stacked certificates are enabled by default for third-party enrollments.
- Send the CSR(s) to a CA for signing.
Tip
Use the `acme` provider together with `tls_private_key`, `acme_registration`, and `acme_certificate`. `acme` also takes care of the challenges for you through its `dns_challenge` block.
3. Upload your signed certificate
Once you have your signed certificate, upload it and your trust chain to CPS.
- Use the `akamai_cps_upload_certificate` resource to upload your certificate for deployment. The certificate and trust chain must be PEM-encoded; if the CA returned them in a different format, convert them to PEM with an SSL converter first. Read them from files with `file()`.

```hcl
resource "akamai_cps_upload_certificate" "upload_cert" {
  enrollment_id                          = 12345
  certificate_ecdsa_pem                  = file("example_cert_ecdsa.pem")
  trust_chain_ecdsa_pem                  = file("example_trust_chain_ecdsa.pem")
  acknowledge_post_verification_warnings = true
  acknowledge_change_management          = true
  wait_for_deployment                    = true
}
```
- Run `terraform plan` to check your syntax and review the total set of changes you're making, then `terraform apply` to apply your changes to your infrastructure and upload your certificates. With change management enabled on the enrollment, CPS deploys the certificate to the staging network first; set `acknowledge_change_management` to `true` only after you've tested it there, which moves the certificate to production.
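Steps 2 and 3 of the third-party flow joined together, as an added example that is not code from the Akamai documentation or the provider: the CSRs CPS generated are read from `akamai_cps_csr`, signed by Let's Encrypt through the `acme` provider the tip above mentions, and the results uploaded with `akamai_cps_upload_certificate`. It assumes enrollment 12345 already exists (as in the examples above), that `edgedns` is the Edge DNS challenge solver of the `acme` provider's underlying ACME library and reads its credentials from the environment, and that `ops@example.net` is a placeholder; it also uses Let's Encrypt's staging directory, so switch the `server_url` once the pipeline works.

```hcl
# Added example, not from the Akamai docs. Enrollment 12345 is the page's own
# placeholder; the e-mail address and DNS solver are assumptions.
terraform {
  required_providers {
    akamai = { source = "akamai/akamai" }
    acme   = { source = "vancluever/acme" }
    tls    = { source = "hashicorp/tls" }
  }
}

provider "acme" {
  # Staging CA while testing: production Let's Encrypt rate-limits failed runs.
  server_url = "https://acme-staging-v02.api.letsencrypt.org/directory"
}

# CSRs generated and signed by CPS; the certificate private keys never leave CPS.
data "akamai_cps_csr" "example" {
  enrollment_id = 12345
}

locals {
  # Dual-stacked enrollments produce one CSR per key type; sign both.
  csrs = {
    rsa   = data.akamai_cps_csr.example.csr_rsa
    ecdsa = data.akamai_cps_csr.example.csr_ecdsa
  }
}

# This key only identifies the ACME account; it is not a certificate key.
resource "tls_private_key" "acme_account" {
  algorithm = "RSA"
  rsa_bits  = 4096
}

resource "acme_registration" "account" {
  account_key_pem = tls_private_key.acme_account.private_key_pem
  email_address   = "ops@example.net"
}

# Let's Encrypt reads the names to validate from the CSR's SANs, so no
# common_name or subject_alternative_names are given here.
resource "acme_certificate" "signed" {
  for_each                = local.csrs
  account_key_pem         = acme_registration.account.account_key_pem
  certificate_request_pem = each.value

  dns_challenge {
    provider = "edgedns" # assumed solver name; credentials come from the environment
  }
}

resource "akamai_cps_upload_certificate" "upload" {
  enrollment_id         = 12345
  certificate_rsa_pem   = acme_certificate.signed["rsa"].certificate_pem
  trust_chain_rsa_pem   = acme_certificate.signed["rsa"].issuer_pem
  certificate_ecdsa_pem = acme_certificate.signed["ecdsa"].certificate_pem
  trust_chain_ecdsa_pem = acme_certificate.signed["ecdsa"].issuer_pem

  # Stay on staging until the certificate is tested there; true moves it to
  # production. Leave warnings unacknowledged so they surface in the apply.
  acknowledge_change_management          = false
  acknowledge_post_verification_warnings = false
  wait_for_deployment                    = true
}
```

Keeping the CSR in CPS means the only secret this configuration creates is the ACME account key in `tls_private_key`, which lands in the Terraform state; store that state somewhere encrypted and access-controlled.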
Manage enrollments
Modify Subject Alternative Names
In existing enrollments, you can add, modify, and remove Subject Alternative Names (SANs) for your domain. Each of these operations triggers another domain validation check.
Modify deployed enrollments
You can edit your network deployment settings for a certificate that is in progress or active on the network.
- Get the certificate you need by sending the enrollment ID to the `akamai_cps_deployments` data source.

```hcl
data "akamai_cps_deployments" "example" {
  enrollment_id = 12345
}
```

- Make your edits.
- Use the `akamai_cps_upload_certificate` resource to redeploy your certificate to the network.