About certificates

Think of certificates as licenses or passports that web browsers use to identify your website and your organization. They include a public key that allows for encrypted communication between browsers and your website. You get them from certification authorities (CAs), organizations that verify identities and issue certificates.

On the Akamai network you actually use not one but two certificates, one for your origin server and one for the Akamai edge servers.

Pretty straightforward, right? Like locks and keys, these certificates are just a handy way to protect you, your visitors, and your customers.

Origin server certificate requirements

The origin server certificate secures your content as it travels between your origin server and the Akamai network. It also ensures that we’re communicating with the right origin website. You should be able to use your existing certificate for your origin server, assuming it meets the requirements here. Keep in mind, this certificate is a separate certificate from your Akamai network server certificate.

This certificate has to:

  • include the primary domain or the origin domain
  • have a name that matches either the primary domain that you're onboarding or the origin domain that you're telling Akamai to fetch content from
  • be signed by an approved CA from the Akamai Certificate Store
  • have an expiration date in the future

You can get a new certificate either from a CA in the Akamai store or by using Property Manager. If you already have an origin certificate but it’s not signed by a CA from the Akamai Certificate Store, you can still use Akamai. However, you'll need to set up your configuration using Property Manager instead of OCA.

It’s your responsibility to renew your SSL origin certificate in a timely fashion and to make sure it continues to meet requirements. If the origin certificate does not meet requirements, it might prevent you from serving secure traffic to your users.
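One way to check an origin certificate against the four requirements above before onboarding or renewal, as an added example that is not Akamai's code. It works on the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificates, hostnames, and approved-issuer set are constructed placeholders, and the authoritative CA list is the Akamai Certificate Store.

```python
import ssl
import time

# Constructed sample data in the shape ssl.SSLSocket.getpeercert() returns for a
# validated peer. Hostnames and issuer names are placeholders, not real values.
APPROVED_ISSUERS = {"Example Approved CA"}  # assumption: stand-in for the Akamai Certificate Store
GOOD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Approved CA"),),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.origin.example.com")),
}
BAD_CERT = {
    "subject": ((("commonName", "old.example.net"),),),
    "issuer": ((("organizationName", "Internal Lab CA"),),),
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}

def cert_names(cert):
    """DNS names from subjectAltName, else the subject commonName."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label such as *.example.com."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_origin_cert(cert, primary_domain, origin_domain, approved_issuers, now=None):
    """Return the list of unmet requirements; an empty list means the cert passes."""
    now = time.time() if now is None else now
    problems = []
    names = cert_names(cert)
    if not any(name_matches(n, h) for n in names for h in (primary_domain, origin_domain)):
        problems.append("name matches neither the primary nor the origin domain")
    orgs = {v for rdn in cert.get("issuer", ()) for k, v in rdn if k == "organizationName"}
    if not orgs & set(approved_issuers):
        problems.append("issuer is not in the approved CA list")
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now:
        problems.append("certificate has expired")
    return problems

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(label, check_origin_cert(cert, "www.example.com", "web1.origin.example.com", APPROVED_ISSUERS))
```

Comparing the issuer name is only a stand-in for chain validation: `getpeercert()` returns a populated dictionary only for a certificate the TLS handshake has already verified against the configured trust store.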

About Akamai network server certificates

An Akamai network server certificate keeps your content secure as it travels from our network to your customers. Keep in mind, this certificate is a separate certificate from your origin certificate. You’ll request a new Akamai network server certificate as part of the OCA onboarding process.

OCA lets you create two certificate types directly, within the application:

  • Domain Validated (DV) uses domain validation to make sure a company has control of the domain.
  • Organization Validated (OV) determines whether or not a company is valid, if it's registered, and if the business contact legitimately works at the company. The CA uses your organization information to verify that you legally own or have the legal right to use the domains listed in your certificate.

You can use Extended Validation (EV) or third-party certificates with OCA, but first you'll need to request them through the separate Certificate Provisioning System (CPS) application in Control Center.

Getting a DV certificate

To get a DV certificate for your domain(s), you need to prove that you control those domains by adding a redirect to an Akamai-provided URL for each of your domains on the certificate. Akamai works with DV certificate authority Let’s Encrypt to check your redirects and issue your edge certificates. Because OCA displays the URL for Redirect From and Redirect To for each domain, you’ll know exactly which redirect to set up.

Getting an OV certificate

Getting an OV certificate involves several steps. After you complete a certificate signing request (CSR) form requesting a new certificate, Akamai sends it to the CA. The CA compares the information on the certificate to the information on the registered domain (using WHOIS), and calls the administrator contact listed on your CSR to verify that the certificate request is legitimate. If your organization holds its domain registration information private or anonymized, you need to make it temporarily available. It may take a few days to receive the certificate back from the CA.

SNI-only

Server Name Indication (SNI) is an extension of the Transport Layer Security (TLS) protocol. It allows multiple hostnames to be served securely over HTTPS from the same IP address, without requiring those sites to use the same certificate.

Without SNI, an IP address can securely host only one hostname. A unique IP address would need to be reserved by your company for each domain.

For more information about SNI, see Reaching toward universal TLS SNI.

To learn more about certificates, see the Certificate Provisioning System User Guide on Control Center.

Next, let’s talk about customizing your site's property configuration for a perfect fit.