Create a certificate set

A CA certificate set is a collection of trusted intermediate and root certificates that can be used to verify the authenticity of client certificates at the ​Akamai​ edge for the purpose of establishing TLS mutual authenticated connections.

Before you begin

Determine and collect the public CA certificate(s) that issue the client certificates you want to authenticate and establish trust with. Avoid collecting more issuing CAs than necessary. Along with the issuing CAs, determine and collect the remaining parts of each certificate chain, including any intermediate and self-signed root certificate(s). Determine if your mTLS policy requires establishing trust at only specific points in the certificate chain or whether trust follows the full certificate chain - including any untrusted certificates sent by an end-user that can chain to the trusted root certificate.

Ensure your certificate meets the Trust Chain Manager validation requirements. See Validating uploaded CA certificates to learn more.


If you cancel at anytime during this procedure, your changes will be lost.

How to

  1. From the Trust Chain Manager landing page, click Manage Certificate Sets.

  2. Click Create new set.

  3. Give your certificate set a name.

  4. Click Next. The set's name and version number appear under Certificate sets. Use the Edit icon to change the name. Note that after the set is deployed, the name cannot be changed.

  5. Click Upload certificates.

  6. Choose a path validation scheme: Require Root Certificate is enabled by default to ensure your uploaded CAs chain to a self-signed trust anchor. See more information about [Require Root Certificate](doc:key- concepts-terms).

  7. Select a method to add certificates to the set:

    • Copy/paste. Lets you copy and paste PEM encoded certificates into the entry field.

    • Upload. Lets you browse, then upload certificates from your local machine into the entry field. For example, you can upload a PEM file that contains one or more certificates from your local machine.


    Duplicate certificates with the same Common Name (CN) are currently not supported.

  8. Click Upload and validate chains. Click here for more information on upload validation.

    Your CA certificates appear in the certificate set structure on the left side, under your newly created CA set. See How Trust Chain Manager works for information on certificate set structure. To add more certificates, click Upload Certificates in the upper right corner.

  9. Select a deployment location:

    • For a new CA set, select both Staging and Production deployment locations - note, a new CA set must be deployed to both Staging and Production before it can be associated with an Edge certificate. For existing CA sets, you may deploy independent CA set versions to Staging and Production.

    • Staging. Trust Chain Manager deploys the certificate set to the ​Akamai​ staging network for testing.

    Testing is performed outside of Trust Chain Manager, on the Edge Staging Network (ESN). The ESN provides an environment to test your ​Akamai​ configurations without impact to production configurations. After testing functionality on the ESN, deploy the certificate set to production.

    • Production. Trust Chain Manager deploys the certificate set to the ​Akamai​ production network.
  10. Click Deploy. Trust Chain Manager deploys the certificate to the selected location.