mtls_origin_keystore

Version: v2025-01-13
Includes use: Yes

Behavior name: mTLS Edge Server to Origin

Establish a mutual TLS (mTLS) connection between the edge server and the origin so that the origin can authenticate the requests it receives. When the origin enforces client-certificate authentication, this ensures that the requests reaching your origin come directly from the Akamai network. In the mTLS handshake, the origin asks the edge server to present its client certificate. For this negotiation to work, either the origin must be configured to request client certificates, or the edge server must be allowed to proceed without presenting one, in which case it falls back to a standard (one-way) TLS connection to the origin and the origin has no TLS-level proof that the request came from Akamai.

Default behavior

These samples reflect the behavior's default settings. You can use these as is in your configurations or make adjustments based on the behavior's available options.

data "akamai_property_rules_builder" "mtls_origin_keystore" {
  rules_v2025_02_18 {
    name     = "mTLS Edge Server to Origin"
    comments = "Ensures that the requests to your origin server come directly from the Akamai network."
    behavior {
      mtls_origin_keystore {
        enable                          = true
        client_certificate_version_guid = ""
        auth_client_cert                = false
      }
    }
  }
}

"behaviors": [
  {
    "name": "mtlsOriginKeystore",
    "options": {
      "enable": true,
      "clientCertificateVersionGuid": "",
      "authClientCert": false
    }
  }
]

Options

Option Description
enable
Enables the behavior: the edge server presents a specific mutual TLS (mTLS) client certificate when it connects to the origin.
client_certificate_version_guid
Specifies, by version GUID, the client certificate that the edge server presents to authenticate itself to your origin. You create client certificates with the Mutual TLS Origin Keystore API or application. The default sample leaves this value empty; set it to the GUID of a certificate version from your keystore.
auth_client_cert
When enabled, the edge server requires the origin to request the client certificate during the TLS handshake. If the origin sends that request, the edge server presents the certificate and proceeds with the mTLS session. If the origin does not request a certificate, the edge server aborts the connection to the origin and reports a client error, so the connection fails closed. When disabled (the default), the edge server still presents the certificate if the origin asks for it, but otherwise proceeds with a standard TLS connection to the origin.
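The following is an added example and not part of the Akamai page or provider documentation. It places the permissive default (auth_client_cert = false, which falls back to one-way TLS when the origin never asks for a certificate) beside a fail-closed variant (auth_client_cert = true), and replaces the empty client_certificate_version_guid from the sample with a validated input variable so an unset certificate cannot reach a plan. The variable name, the data source names, and the rule names are assumptions chosen for the example.

```hcl
# Added example (not from the Akamai page). Variable and data source names are
# assumptions; the behavior schema mirrors the page's rules_v2025_02_18 sample.

variable "origin_client_cert_version_guid" {
  description = "Version GUID of the client certificate created in the Mutual TLS Origin Keystore (assumed variable)"
  type        = string

  # The page's sample uses an empty string. Refuse that at plan time so a
  # property can never be activated without a real certificate reference.
  validation {
    condition     = length(trimspace(var.origin_client_cert_version_guid)) > 0
    error_message = "origin_client_cert_version_guid must be the GUID of a keystore client certificate version, not an empty string."
  }
}

# Permissive (the page's default). If the origin does not send a
# CertificateRequest, the edge server completes a plain TLS session, so the
# origin gets no TLS-level proof that the request came from Akamai.
data "akamai_property_rules_builder" "mtls_origin_permissive" {
  rules_v2025_02_18 {
    name     = "mTLS Edge Server to Origin (permissive)"
    comments = "Presents the client certificate only if the origin requests it; otherwise falls back to one-way TLS."
    behavior {
      mtls_origin_keystore {
        enable                          = true
        client_certificate_version_guid = var.origin_client_cert_version_guid
        auth_client_cert                = false
      }
    }
  }
}

# Fail closed. The edge server requires the origin to request the client
# certificate and aborts the origin connection with an error if it does not,
# so a misconfigured origin surfaces as failed requests instead of silently
# downgrading to one-way TLS.
data "akamai_property_rules_builder" "mtls_origin_strict" {
  rules_v2025_02_18 {
    name     = "mTLS Edge Server to Origin (strict)"
    comments = "Aborts the origin connection unless the origin requires the client certificate."
    behavior {
      mtls_origin_keystore {
        enable                          = true
        client_certificate_version_guid = var.origin_client_cert_version_guid
        auth_client_cert                = true
      }
    }
  }
}
```

Because the strict variant fails closed, confirm that every origin host behind the property is already configured to request client certificates before switching auth_client_cert to true; otherwise the change turns a silent downgrade into an outage.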