IMPORTANT: This feature is part of a Limited Availability release. Portions of this API may be subject to changes and improvements over time. Fields marked deprecated may be removed in the future and their use is discouraged. For more information, see our product and feature lifecycle descriptions.
The Platform TLS Certificate Deployment Service is available to subscribers who have purchased the service.
A private key is used to sign a certificate. A key can be used to sign multiple certificates.
Time-stamp (GMT) when the private key was created. Read Only.
A customizable name for your private key. Optional.
The contents of the private key. Must be a PEM-formatted key. Not returned in response body. Required.
The key length used to generate the private key. Read Only.
The algorithm used to generate the private key. Must be RSA. Read Only.
A recommendation from Fastly to replace this private key and all associated certificates. Read Only.
Available to Platform TLS customers, these endpoints streamline the upload, deployment and management of large numbers of TLS certificates. A certificate is used to terminate TLS traffic for one or more of your fully qualified domain names (domains). Uploading a new certificate automatically enables TLS for all domains listed as Subject Alternative Names (SAN entries) on the certificate.
The PEM-formatted certificate blob. Required. Write Only.
Time-stamp (GMT) when the certificate was created. Read Only.
The PEM-formatted chain of intermediate blobs. Required. Write Only.
Time-stamp (GMT) when the certificate will expire. Must be in the future to be used to terminate TLS traffic. Read Only.
Time-stamp (GMT) when the certificate will become valid. Must be in the past to be used to terminate TLS traffic. Read Only.
A recommendation from Fastly indicating the key associated with this certificate is in need of rotation. Read Only.
Time-stamp (GMT) when the certificate was last updated. Read Only.
The identifier for the dedicated IP address pool that will be used to route traffic from the domain. Required.
All the domains (including wildcard domains) that are listed in any certificate's Subject Alternative Names (SAN) list. Read Only.
Upload a new certificate. TLS domains are automatically enabled upon certificate creation. If a domain is already enabled on a previously uploaded certificate, that domain will be updated to use the new certificate for all future TLS handshake requests.
Replace a certificate with a newly reissued certificate. By using this endpoint, the original certificate will cease to be used for future TLS handshakes. Thus, only SAN entries that appear in the replacement certificate will become TLS enabled. Any SAN entries that are missing in the replacement certificate will become disabled.
The Platform TLS Certificate Deployment Service has the following general limitations:
This service is not available for private CDN deployments.
To take advantage of this service, you must procure your own certificates from the certification authority (CA) of your choice. Fastly will not procure certificates on your behalf.
In addition, certificates are deployed using the Platform TLS Certificate Service with the following conditions:
Certificates hosted using SNI will only be served to browsers that support SNI. Browsers that do not support SNI will not receive the correct certificate for the domain requested.
The certificate deployment process takes an average of approximately 20 minutes to complete once a certificate is submitted, but may take as long as an hour.
Fastly will automatically choose the certificate delivered for a given request based on the host requested.
The certificate with the most specific hostname will be prioritized over certificates with less specific hostnames. For example, on a request for api.example.com, Fastly will prioritize a certificate with a SAN entry for api.example.com over a different certificate with a SAN entry for *.example.com.
If an identical hostname appears on more than one certificate, then the most recently uploaded certificate will be used. We recommend that you manage certificates so that each hostname appears on only one certificate.
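The selection rules above can be modeled locally to audit a certificate inventory before uploading. This is an added example, not Fastly code: the certificate labels, upload dates and SAN lists are constructed, and it assumes a wildcard entry covers exactly one left-most label, which the page does not specify.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed inventory: (certificate label, upload time, SAN entries).
CERTS = [
    ("cert-wildcard", datetime(2023, 1, 10, tzinfo=timezone.utc), ["*.example.com", "example.com"]),
    ("cert-api-old", datetime(2023, 3, 1, tzinfo=timezone.utc), ["api.example.com"]),
    ("cert-api-new", datetime(2023, 6, 1, tzinfo=timezone.utc), ["api.example.com", "www.example.com"]),
]


def match_rank(san, host):
    """Return 2 for an exact match, 1 for a wildcard match, 0 for no match."""
    san, host = san.lower(), host.lower().rstrip(".")
    if san == host:
        return 2
    # Assumption: "*." covers exactly one left-most label, as in browser matching.
    if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
        return 1
    return 0


def select_certificate(certs, host):
    """Pick the cert for host: most specific SAN first, newest upload on ties."""
    best = None
    for label, uploaded, sans in certs:
        rank = max((match_rank(s, host) for s in sans), default=0)
        if rank and (best is None or (rank, uploaded) > best[:2]):
            best = (rank, uploaded, label)
    return best[2] if best else None


def duplicate_hostnames(certs):
    """Map each SAN entry found on more than one certificate to those certs."""
    seen = defaultdict(list)
    for label, _, sans in certs:
        for san in set(s.lower() for s in sans):
            seen[san].append(label)
    return {san: labels for san, labels in seen.items() if len(labels) > 1}
```

Any entry returned by `duplicate_hostnames` is a hostname whose served certificate depends on upload order rather than on an explicit choice.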