Method 3: Pin a specific certificate
You can specify the exact certificate(s) that Akamai should trust for your origin (including self-signed). This is also known as "pinning" a certificate.
In this case, the Edge server just checks that the server sent the right certificate. It then skips the other usual checks. (This includes the signature, the SAN list of sites it's valid for, and the expiration date.) If you want to create a self-signed certificate, you can do that using multiple tools:
Next, you need to install that certificate on your origin server, very similar to how you’d install a certificate from any other certificate authority. (For example, you can use the DigiCert instructions for Apache or Nginx.)
- This establishes a direct trust relationship between your origin server and Akamai Edge servers, without depending on any intermediaries.
- Since the expiration date is not checked, you can continue to use this certificate indefinitely. (However, we recommend that you rotate your certificate regularly, to ensure the best security.)
- If any of the trusted certificate authorities are compromised, your site may be vulnerable until you remove that certificate authority from your custom trusted list.
- Every time you rotate your certificate, you need to make a change to your Akamai settings.
- There may be security implications associated with pinning that make it undesirable in your environment. You can review them on the OWASP website.
Do you need to rotate your certificate?
With this method you don't have to rotate your certificate, because there is no expiration check. You can, however rotate the certificate, if desired.