Configure for secure delivery (HTTPS)
This applies to base configurations for subcustomer websites or applications that process all requests securely via HTTPS.
Before you begin: Understand the connections
There are two connections involved in a request using the Akamai platform:
- Client to Edge server. This is the initial request between the client (an end user making a request for content) and the Edge server, where this property is read to determine how content should be delivered. The property hostname to Edge hostname association deals with the first connection. To secure this connection, you must use a certificate that is verified between the client and Edge server. This is known as the "Edge certificate."
- Edge server to Origin. This is the connection between the Edge server and your designated origin, used to retrieve your website or app content for delivery. This is configured using the Origin behavior in your property, and is discussed later in this section.
Tip: We've created the document, HTTPS Delivery with Property Manager. It describes both of these connections in greater detail and covers the requirements for both—including specifics on how to set up your origin for HTTPS.
What levels of security can be applied in the Edge certificate?
|Security level|Description|
|---|---|
|Enhanced TLS (formerly “HTTPS Option”, “HTTPS Custom Cert” or “SSL Network”)|This provides a rich set of TLS, HTTPS and security functionality engineered to meet the needs of sites and content with high-assurance security requirements, such as FedRAMP and PCI compliance. It also supports custom or very old clients that do not send a TLS SNI header, which requires a VIP hosted certificate.|
|Standard TLS|This enables the delivery of sites, content, and video streaming over HTTPS using customer-branded certificates as a standard feature of delivery and performance products. It is secure (HTTPS L1), but not as rigorous as Enhanced TLS certificate delivery. (Standard TLS is not FedRAMP or PCI compliant, but it is Sarbanes Oxley (SOX) and International Standards Organization (ISO) compliant.) So, if you're looking for secure delivery, but are not transferring personally identifiable information (PII), Standard TLS could work for you.|
|AkamaiShared certificate|This enables the delivery of objects, downloads, and video streaming over HTTPS, without the need to provision and manage a certificate. However, it does require that you use a hostname under an Akamai-owned domain such as “example.akamaized.net” or “example-a.akamaihd.net”.|