SSL management

Akamai allows you to establish a secure connection with a valid SSL certificate, providing end users with a safe browsing experience. This documentation guides you through the essential aspects of SSL management in Akamai’s content delivery network (CDN).

SSL certificates in Akamai

To ensure a secure connection, Akamai requires you to install SSL certificates at both the Edge layer (Akamai) and the Cloud Platform origin server.

  • Edge layer certificate: The SSL certificate installed at the Edge layer is presented to end users’ web traffic to establish a secure connection between the user’s browser and Akamai’s network.

  • Cloud Platform certificate: The SSL certificate installed on the Cloud Platform server is used to create a secure connection between the Edge layer and the Cloud Platform server, ensuring data security during transmission.

Secure by Default (SBD) certificates

Akamai offers SBD certificates, which are SSL/TLS certificates pre-configured with secure settings by default.

SBD certificates have the following key features:

  • Strong encryption: SBD certificates use robust encryption algorithms to protect the confidentiality and integrity of data transmitted over the Internet, ensuring that sensitive information such as passwords, credit card details, and personal data remains secure in transit.

  • Modern cipher suites: SBD certificates use modern cipher suites that prioritize strong encryption algorithms and key exchange protocols.

  • Perfect Forward Secrecy (PFS): With PFS, SBD certificates ensure that past encrypted sessions remain secure even if the private key is compromised later. This protects traffic that was intercepted and recorded from being decrypted in the future.

  • Secure configuration: SBD certificates are securely configured by default, adhering to best practices for certificate management. They enable secure protocols and features, and are regularly updated to address emerging security vulnerabilities.

  • Certificate management: Akamai provides comprehensive certificate management capabilities, including certificate lifecycle management, automated renewals, and integration with certificate authorities (CAs). This simplifies obtaining and managing SSL/TLS certificates for websites and applications.

  • Compatibility and interoperability: SBD certificates are compatible with multiple web browsers, devices, and platforms. They meet industry standards and recommendations, ensuring seamless interoperability with client systems.
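The PFS and cipher-suite features above are properties of the TLS configuration rather than of the certificate file itself. The following added example (not Akamai’s or Acquia’s code) shows how a client connecting to an edge or origin can enforce the same two properties with Python’s standard ssl module: TLS 1.2 as the minimum version, and only ECDHE (ephemeral) key exchange, which is what provides forward secrecy. For contrast it builds a deliberately permissive context that still allows static RSA key exchange, and a check that lists which enabled suites lack forward secrecy. The cipher strings are illustrative assumptions, not Akamai’s actual policy.

```python
import ssl

# Added example, not Akamai's or Acquia's code. The cipher strings are assumptions
# chosen to illustrate the point, not Akamai's actual configuration.

# Only suites with ephemeral ECDH key exchange: a recorded session cannot be decrypted
# later even if the server's long-term private key leaks (Perfect Forward Secrecy).
PFS_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"

# Deliberately weak comparison list: the first two suites use static RSA key exchange,
# so a leaked private key would unlock every past session that used them.
LEGACY_CIPHERS = "AES256-GCM-SHA384:AES128-GCM-SHA256:ECDHE+AESGCM"


def hardened_context() -> ssl.SSLContext:
    """Client context with the SBD properties: TLS >= 1.2, PFS-only suites, peer verification on."""
    ctx = ssl.create_default_context()            # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and TLS 1.1 are refused
    ctx.set_ciphers(PFS_CIPHERS)                  # governs TLS 1.2; TLS 1.3 suites are always ephemeral
    return ctx


def legacy_context() -> ssl.SSLContext:
    """Comparison context that still permits static-RSA key exchange (no forward secrecy)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(LEGACY_CIPHERS)
    return ctx


def non_pfs_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled cipher suites whose key exchange is static RSA (no forward secrecy)."""
    return [c["name"] for c in ctx.get_ciphers() if c["kea"] == "kx-rsa"]


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Human-readable minimum protocol version, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_context()), ("legacy", legacy_context())):
        print(f"{label}: min={minimum_version_name(ctx)} non-PFS suites={non_pfs_suites(ctx)}")
```

Run the script to see that the hardened context reports no static-RSA suites while the legacy one lists the two it was given; `ctx.get_ciphers()` reflects what the local OpenSSL build actually enabled, so the same check works as an audit of any context an application hands you.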

Standard vs enhanced network with SSL

Akamai offers two levels of TLS support:

  • Akamai Standard TLS

  • Akamai Enhanced TLS

These options provide different levels of security and features for securing data transmission between end users and Akamai’s CDN.

Akamai Standard TLS

This is the basic level of TLS support provided by Akamai. It offers the essential security features for securing data in transit.

Akamai Standard TLS has the following key features:

  • Encryption: Encrypts data transmitted between end users and the Akamai CDN using industry-standard encryption algorithms.

  • Certificate management: Allows Akamai to manage the SSL/TLS certificates required for establishing secure connections. This includes certificate provisioning, renewal, and installation on the Akamai CDN edge servers.

  • Compatibility: Ensures compatibility with a wide range of web browsers and devices, allowing secure connections with a broad user base.

  • Essential security features: Includes secure protocols, such as TLS 1.2 or higher, to establish encrypted connections. It also supports Server Name Indication (SNI), allowing multiple domains to share the same IP address while using different SSL/TLS certificates.

Akamai Enhanced TLS

Akamai Enhanced TLS is designed for organizations with higher security requirements.

Akamai Enhanced TLS has the following advanced security features:

  • Stronger encryption: Supports robust encryption algorithms and key exchange protocols, providing enhanced security against potential vulnerabilities and attacks.

  • Extended Validation (EV): Supports EV certificates, offering a higher level of authentication and trust for websites. EV certificates display a green address bar in web browsers, indicating the highest level of security assurance.

  • Advanced security controls: Includes additional security controls, such as HTTP Strict Transport Security (HSTS) and Public Key Pinning (PKP), which help to prevent various types of attacks and enforce secure communication protocols.

  • Customization options: Allows organizations to configure specific SSL/TLS settings based on their unique security and compliance requirements.

  • Third-party certificate support: Enables the use of third-party certificates issued by trusted certificate authorities (CAs) for secure connections.

Both Akamai Standard TLS and Akamai Enhanced TLS provide secure data transmission. However, Enhanced TLS offers advanced security features, stronger encryption, extended validation certificates, and more customization options to meet higher security requirements. Organizations with greater security needs may opt for Enhanced TLS to benefit from these additional features and controls.

CNAME validation

CNAME validation is a process used by Akamai to verify the ownership and control of a domain when setting up Akamai CDN services for that domain. The CNAME validation is performed to ensure that the domain owner has authorized Akamai to handle the content delivery for their domain.

The Akamai CNAME validation process consists of the following steps:

  1. Configuration: The domain owner configures their DNS (Domain Name System) settings to add a CNAME record that points to the Akamai CDN edge servers. This CNAME record typically includes a unique identifier provided by Akamai.

  2. Validation process: When the CNAME record is set up, Akamai initiates the validation process by checking the DNS settings for the domain. Akamai’s validation system queries the DNS infrastructure to verify the existence and correctness of the CNAME record.

  3. Validation criteria: Akamai checks whether the CNAME record matches the expected configuration. This ensures that the domain owner has correctly configured their DNS to point to Akamai’s CDN edge servers.

  4. Validation results: Akamai’s validation system provides feedback on the CNAME validation status. If the CNAME record is configured correctly, Akamai acknowledges the successful validation. If the CNAME record is missing, misconfigured, or points to an incorrect location, the validation fails.

  5. Activation: After the CNAME validation is complete, Akamai activates the CDN services for the domain. The domain’s traffic is then routed through Akamai’s network, and content delivery is accelerated and optimized.

CNAME validation ensures that the domain owner has control over the DNS settings and has authorized Akamai to serve content on their behalf. This validation process adds an additional layer of security and prevents unauthorized entities from hijacking or impersonating the domain’s CDN configuration.

Note

CNAME validation records need to remain in place to ensure the SSL certificate continues to renew automatically. If this CNAME validation record is removed, the SSL certificate cannot perform validation, which results in an SSL error.
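The following added example (not Akamai’s validation code) models steps 2 to 4 of the process above against a small in-memory DNS zone so that it runs offline; a real check would query a resolver (for example with dig) instead of a dictionary. The zone and the expected targets are constructed, and the `*.edgekey.net` targets are assumed edge hostnames standing in for the unique identifier Akamai provides. The `audit` and `renewal_at_risk` helpers show the point made in the note above: any hostname whose validation record has been removed or changed would fail validation and would no longer be able to renew its certificate automatically.

```python
from typing import Dict, Optional, Tuple

# Added example, not Akamai's validation code. The zone, the expected targets and the
# *.edgekey.net edge hostnames below are constructed for illustration.

# Constructed zone: owner name -> (record type, record data). Names are FQDNs with a trailing dot.
ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.com.":  ("CNAME", "www.example.com.edgekey.net."),      # correct
    "shop.example.com.": ("CNAME", "shop.example.com.other-cdn.test."),  # points elsewhere
    "api.example.com.":  ("A", "203.0.113.10"),                          # no CNAME at all
}

# What the domain owner was told to configure for each hostname (also constructed).
EXPECTED: Dict[str, str] = {
    "www.example.com":  "www.example.com.edgekey.net",
    "shop.example.com": "shop.example.com.edgekey.net",
    "api.example.com":  "api.example.com.edgekey.net",
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive; compare them lower-cased and fully qualified."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def lookup_cname(zone: Dict[str, Tuple[str, str]], name: str) -> Optional[str]:
    """Step 2: query the zone for a CNAME at `name`; None when no CNAME record exists."""
    record = zone.get(normalize(name))
    if record is None or record[0] != "CNAME":
        return None
    return record[1]


def validate_cname(zone: Dict[str, Tuple[str, str]], hostname: str, expected_target: str) -> str:
    """Steps 3-4: 'ok', 'missing' (no CNAME) or 'wrong_target' (CNAME points elsewhere)."""
    target = lookup_cname(zone, hostname)
    if target is None:
        return "missing"
    if target != normalize(expected_target):
        return "wrong_target"
    return "ok"


def audit(zone: Dict[str, Tuple[str, str]], expected: Dict[str, str]) -> Dict[str, str]:
    """Validate every hostname the owner was asked to configure."""
    return {host: validate_cname(zone, host, target) for host, target in expected.items()}


def renewal_at_risk(zone: Dict[str, Tuple[str, str]], expected: Dict[str, str]) -> list:
    """Hostnames whose validation record is absent or wrong: these cannot renew automatically."""
    return sorted(host for host, status in audit(zone, expected).items() if status != "ok")


if __name__ == "__main__":
    for host, status in audit(ZONE, EXPECTED).items():
        print(f"{host}: {status}")
    print("renewal at risk:", renewal_at_risk(ZONE, EXPECTED))
```

Running this as a periodic check against the live zone is a cheap way to catch the failure mode the note describes before a renewal is due, rather than discovering it as an SSL error at the edge.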

Origin certificate expiring notification

Akamai’s origin certificate expiring notification is a vital feature provided as part of Acquia’s CDN services. This feature is designed to proactively alert website and application owners when their origin server’s SSL/TLS certificate approaches its expiration date.

The notification process for expiring origin certificates works as follows:

  • SSL/TLS certificate monitoring: Akamai regularly monitors the SSL/TLS certificate associated with your origin server, which serves as the source of content for the CDN. This certificate is typically installed on your origin server and plays an important role in establishing secure connections between your server and the Akamai CDN.

  • Expiration date tracking: Akamai keeps track of the expiration date of the SSL/TLS certificate. It calculates the remaining validity period from the certificate’s expiration date and the current date.

  • Notification trigger: Akamai triggers an expiration notification when your SSL/TLS certificate approaches its expiration date. This notification serves as a reminder, prompting you to renew or update your origin server’s certificate promptly.

  • Notification delivery: Akamai sends the expiration notification to the designated contacts associated with your account. During the initial setup or configuration of your CDN services, you can provide the relevant contact information to ensure the right people receive these alerts.

  • Alert frequency: Akamai sends notifications in advance of the certificate’s expiration date to allow sufficient time for renewal or update. The frequency of expiration notifications can vary depending on the specific configuration and preferences set by the website or application owner.

  • Action required: After Akamai sends the expiration notification, the website or application owner must take appropriate action to renew or update their origin server’s SSL/TLS certificate. This typically involves contacting the certificate authority (CA) or the organization responsible for managing the certificate to initiate the renewal process.

The origin certificate expiring notification feature helps ensure that website or application owners stay informed about their SSL/TLS certificate’s expiration and can take timely action to prevent disruptions to their CDN services. It is crucial to renew or update the certificate before its expiration to maintain secure and uninterrupted content delivery from the origin server through the Akamai CDN.
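The monitoring described above is easy to mirror on the origin side, so that your own team sees an approaching expiry independently of Akamai’s notification. The following added example (not Akamai’s or Acquia’s monitoring code) uses only Python’s standard library: it fetches the origin’s leaf certificate the way the edge would (with SNI and full chain verification), computes the remaining validity from the certificate’s notAfter field, and classifies it against warning and critical thresholds. The 30- and 7-day thresholds and the sample certificate are assumptions; the page does not state how far in advance Akamai sends its notifications.

```python
import math
import socket
import ssl
import time
from typing import Dict, Optional, Tuple

# Added example, not Akamai's or Acquia's monitoring code. The thresholds are assumptions;
# the page does not say how far in advance Akamai's notifications are sent.
WARNING_DAYS = 30    # first reminder
CRITICAL_DAYS = 7    # escalate

# Constructed sample in the dict layout that ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "origin.example.com"),),),
    "notBefore": "Mar  3 12:00:00 2030 GMT",
    "notAfter":  "Jun  1 12:00:00 2030 GMT",
}


def parse_cert_time(value: str) -> float:
    """Certificate timestamp ('Jun  1 12:00:00 2030 GMT') -> seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(value)


def fetch_origin_cert(host: str, port: int = 443) -> Dict:
    """Connect to the origin as the edge would (SNI plus full verification) and return its leaf cert.
    Needs network access, so it is not used by the offline checks below."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert: Dict, now: Optional[float] = None) -> float:
    """Remaining validity in (fractional) days; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (parse_cert_time(cert["notAfter"]) - now) / 86400


def expiry_status(cert: Dict, now: Optional[float] = None) -> Tuple[str, int]:
    """('expired' | 'critical' | 'warning' | 'ok', whole days left).
    Whole days round down, so a certificate with 6.9 days left is already 'critical'."""
    remaining = days_until_expiry(cert, now)
    days = math.floor(remaining)
    if remaining <= 0:
        return "expired", days
    if days <= CRITICAL_DAYS:
        return "critical", days
    if days <= WARNING_DAYS:
        return "warning", days
    return "ok", days


if __name__ == "__main__":
    demo_now = parse_cert_time("May 20 12:00:00 2030 GMT")   # pretend today is 20 May 2030
    print(expiry_status(SAMPLE_CERT, demo_now))               # ('warning', 12)
    # For a live origin: print(expiry_status(fetch_origin_cert("origin.example.com")))
```

Because `fetch_origin_cert` verifies the chain and hostname, it also fails loudly when the origin presents a certificate the edge would reject for reasons other than expiry, which is the other common cause of an outage between the Edge layer and the origin.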