IMPORTANT: This feature is part of a Beta release. Portions of this API may be subject to changes and improvements over time. Fields marked deprecated may be removed in the future and their use is discouraged. For more information, see our product and feature lifecycle descriptions.
Fastly offers an API for uploading and managing your keys and certificates used to enable TLS for your domains on Fastly.
To start, you must generate a new key and certificate with your preferred Certificate Authority. You may then use our endpoints to upload a key and then upload the matching certificate. To terminate TLS for a specific domain, you'll need to enable that domain for a given certificate by creating a protocol policy. Finally, for Fastly to begin to terminate TLS you will need to update the DNS records for the domain with the provided DNS Names returned to you.
We also provide a way for you to replace your certificates when they are nearing expiration. When regenerating a new certificate, you must ensure the list of SAN entries match the existing certificate. You can then replace the existing certificate with the new certificate.
This API also allows you to delete keys and certificates, list TLS domains for an uploaded certificate, and disable a protocol policy (which will disable TLS termination for that domain).
A private key is used to sign a Certificate. A key can be used to sign multiple certificates.
Time-stamp (GMT) when the private key was created. Read Only.
A customizable name for your private key. Optional.
The contents of the private key. Must be a PEM-formatted key. Not returned in response body. Required.
The key length used to generate the private key. Read Only.
The algorithm used to generate the private key. Must be RSA. Read Only.
A recommendation from Fastly to replace this private key and all associated certificates. Read Only.
Replace a TLS certificate with a newly reissued TLS certificate, or update a TLS certificate's name. If replacing a TLS certificate, the new TLS certificate must contain all SAN entries as the current TLS certificate. It must either have an exact matching list or contain a superset.
TLS domains are all the domains (including wildcard domains) included in any TLS certificate's Subject Alternative Names (SAN) list. Included in the response is information about which certificates reference this domain as well as the TLS activation indicating which certificate is enabled to serve TLS traffic for the domain.
The domain name. Read Only.
The list of all the TLS certificates that include this domain in their SAN list.
The list of TLS activations that exist for the domain. If empty, then this domain is not enabled to serve TLS traffic.
DNS records are the available DNS addresses that can be used to enable TLS for a domain. DNS must be configured for a domain for TLS handshakes to succeed. If enabling TLS on an apex domain (e.g., example.com) you must create four A records (or four AAAA records for IPv6 support) using the displayed global A record's IP addresses with your DNS provider. For subdomains and wildcard domains (e.g., www.example.com or *.example.com) you will need to create a relevant CNAME record.
The IP address or hostname of the DNS record.
Specifies the regions that will be used to route traffic. Select DNS Records with a global region to route traffic to the most performant point of presence (POP) worldwide (global pricing will apply). Select DNS records with a us-eu region to exclusively land traffic on North American and European POPs.
The type of the DNS record. A specifies an IPv4 address to be used for an A record to be used for apex domains (e.g., example.com). AAAA specifies an IPv6 address for use in an A record for apex domains. CNAME specifies the hostname to be used for a CNAME record for subdomains or wildcard domains (e.g., www.example.com or *.example.com).