Serving HTTPS traffic using certificates you manage

This guide describes how to use the Fastly TLS product to upload and deploy your own TLS certificates and private keys using the Fastly web interface.

To serve secure traffic from Fastly using HTTPS, a website or application needs to provide clients with a valid TLS certificate signed by a trusted Certification Authority (CA). TLS (Transport Level Security) and its predecessor SSL (Secure Sockets Layer) are the protocols that allow clients to form secure server connections so traffic can be served over HTTPS.

TIP

Fastly offers an API for uploading and managing your keys and certificates used to enable TLS for your domains on Fastly.

Before you begin

To use Fastly TLS with certificates and keys that you upload and deploy via the web interface, be sure you have the following prerequisites in place:

• a paid Fastly user account (not a developer’s trial) assigned the role of superuser or assigned a user role with added TLS management permission
• a valid X.509 TLS certificate from a trusted CA and a matching 2048-bit RSA private key
• permission to modify the DNS records on the relevant domains that appear as Subject Alternative Name (SAN) entries on the TLS certificate
• the relevant domains added to a properly configured Fastly service

The Fastly TLS web interface is compatible with certificates that have been uploaded as part of the Customer-Provided TLS Certificate Hosting Service with the following limitations:

• If you replace previously uploaded certificates, you can continue to use the Customer-Provided TLS Certificate Hosting Service with no changes to your bill.
• Removing a previously uploaded certificate from the Customer-Provided TLS Certificate Hosting Service and uploading a new one using Fastly TLS will result in the new certificate being counted in your bill for Fastly TLS. The old certificate will continue to be billed per any contracted term for Customer-Provided TLS Certificate Hosting Service.

For information on migrating certificates from the Customer-Provided TLS Certificate Hosting Service to Fastly TLS, contact support@fastly.com.

In addition to these prerequisites, be sure you understand the following limitations:

• Fastly TLS comes with a 50 certificate limit. To discuss how to raise this product’s certificate limit, contact sales@fastly.com.
• Uploaded certificates require clients to support TLS v1.2 and Server Name Indication (SNI) by default. To discuss how you can use settings other than these defaults, contact sales@fastly.com. The ability to use custom settings may require you to use a dedicated Fastly IP address pool, which must be purchased separately.
• Fastly TLS does not support the Triple DES (3des) cipher suite.
• If you're a DigiCert customer, be aware that upon making certificate changes, DigiCert will revoke your original certificate 72 hours after re-issuance. Be sure you upload your new certificate and switch all hostnames as soon as possible.

Uploading a private key and certificate

To upload a TLS certificate and the relevant private key (used to initially generate the certificate) follow the steps below.

IMPORTANT

The key file upload tool currently only accepts 2048-bit RSA keys. If you require longer key lengths, contact sales@fastly.com.

1. Log in to the Fastly web interface and click the Configure link.
2. Click the HTTPS and network tab. The TLS domains page appears, displaying any domains for which you have TLS either enabled or for which TLS can be enabled. If you've not yet started setting up TLS on any of your domains, this page appears empty.
3. Click the Secure another domain button. The Enter domain window appears.
4. Click the I want to bring my own certificate and private key link. The TLS certificates tab appears displaying the secure upload controls.

5. Drag and drop your private key file into the drag and drop area to upload your private key file. Alternately, click the Browse for key file link to navigate to the file on your system using the file picker.

   The private key appears below the upload controls and displays the Unmatched key label prominently on the left.

   

   TIP

   Unmatched keys are private keys that have no matching TLS certificate. If you have multiple private keys, you can identify each by the unique SHA1 hash. Private keys can only be deleted if they are in the unmatched state.

6. Upload a TLS certificate using the same drag-and-drop area or file picker you used to upload your private key. A success message appears.

Enabling TLS on a domain

Once a valid certificate and private key have been uploaded, all domains that appear as SAN entries will be listed on the TLS domains page with a status of TLS ready. To serve HTTPS traffic using your certificate, follow the steps below to enable TLS for the domain and point the DNS records to the certificate's location.

1. Click the TLS domains tab. The list of all domains that appear as SAN entries appear. Domains in a disabled state will have the status of TLS ready.

   

2. Click the Enable TLS button to the right of the appropriate domain. Fastly deploys your TLS certificate to the entire Fastly edge network. It may take up to an hour for your certificate to become available throughout the world.

3. Click More details to view the TLS configuration associated with the domain. Details about your domain’s TLS configuration appear.

   

4. Use the DNS details displayed in this section to configure your DNS records so that a TLS connection can be established using your certificate.

   • For TLS on an apex domain (e.g., example.com), you'll need to create a series of A records with your DNS provider.
   • For subdomains and wildcard domains (e.g, www.example.com or *.example.com), you'll need to create a relevant CNAME record.

IMPORTANT

It can take up to 48 hours for new DNS records to propagate across the internet.

Applying a TLS configuration to a domain

TLS configurations are a collection of TLS settings that include the supported versions of TLS and HTTP, along with networking and handshaking options that clients will use. For accounts with more than one TLS configuration, the default configuration has a label in the right corner of the card.

TIP

TLS configuration names are editable by clicking the pencil icon next to the name.

To override the default TLS configuration applied to a domain or to migrate a domain to use a different configuration follow these steps.

1. Click the TLS domains tab.
2. Click the More details link on the appropriate domain card.

3. From the Add TLS configuration menu at the bottom of the card, select the new configuration from the available options.

   

   Once the configuration is selected, the TLS configurations listed are applied to the domain. Each TLS configuration is active and available at their respective IP addresses and DNS records.

   

4. Use the DNS details under the desired TLS configuration to update your DNS records.
5. Confirm the new DNS records have propagated across the internet (this can take up to 48 hours), then delete the old TLS configuration by clicking the trash can icon.

NOTE

For HTTP/1.1, be sure to enable TLS for each of your domains in the web application. If you upload a certificate with multiple SANs, each domain must be explicitly enabled if you want to secure these domains on Fastly.

Exceptions may apply in the case of HTTP/2 if your browser coalesces secure connections and has previously received a TLS certificate from an earlier handshake. In this case, some browsers may reuse an existing secure connection to Fastly if its certificate has a matching SAN entry.

Replacing a certificate

The TLS certificates page warns you when a certificate is nearing its expiration date:

or when a certificate is past its expiration date:

There may be situations where Fastly identifies certificates that should be replaced. These certificates will be clearly marked with a recommendation:

Fastly allows you replace a certificate with a new one at any time.

Replacing certificates when there are no removed domains

To replace a TLS certificate with one that contains all the domains as the original (either as a superset or a matching list) follow these steps.

1. Generate a new certificate with your preferred Certification Authority.
2. If a new key was generated with the new certificate, upload it.

3. Find the certificate you’re replacing on the TLS certificates tab in the web interface.

   

4. Click the word Update in the upper right corner of the certificate’s card.
5. Using the file picker that appears, find the new certificate you’re replacing the old one with. The certificate you select should be PEM-formatted and the SAN entries of this new certificate must contain all entries in the current certificate (i.e., it must either have an exact matching list or contain a superset).

6. Wait for the certificate update process to complete. A success message appears indicating the certificate has been successfully updated.

   

All domains actively serving TLS traffic on the old certificate will be automatically transitioned to the updated certificate within a matter of minutes. Any new domains will need to be manually enabled by following the steps for enabling TLS on a domain.

Replacing certificates when there have been changes to domains

If you want to update one of your certificates that requires removing domains, you will need to procure a new certificate with the updated list of SAN entries. Follow the steps to upload this certificate as a new certificate.

1. Upload the new certificate.
2. Click the TLS domains tab and find the previously existing domains that have already been enabled on the certificate you’re replacing.

3. Click More details on the domain card to see the active TLS configurations.

   

4. From the Certificate being used menu, select a new certificate. A confirmation message appears.
5. Click the Use this certificate button on the confirmation message.
6. Manually activate any new domains that have been added to the updated certificate by following the steps for enabling TLS on a domain. Certificates for newly activated domains can take between 20 minutes to an hour to fully deploy across Fastly’s global network. If the new certificate is not being used to serve TLS traffic within 1 hour, contact support@fastly.com for assistance.

TIP

Certificate display names are editable by clicking the pencil icon next to the name.

Disabling TLS and deleting certificates and private keys

Once a domain has TLS enabled, you have the option to disable TLS via the Disable TLS link listed on the TLS domains page. Once disabled, Fastly will no longer serve TLS traffic on the selected domain.

To delete a certificate from the TLS certificates page, be sure to disable TLS for all domains on that specific certificate. You will also need to delete all certificates before you can delete a matching private key.

Certificate expirations

Thirty days before any certificate is due to expire, the web interface will display warnings on certificates soon to expire. Fastly will also begin to periodically send automated expiration notification emails to all users on the account with the TLS management permission. If the certificate is not replaced or removed, Fastly will continue to email users on the account until the certificate expires. Once expired, Fastly will no longer send automatic notifications.

Was this guide helpful?

Yes No Comment only

Tell us what worked and what we could do better.

Do not use this form to send sensitive information. If you need assistance, contact support@fastly.com.