    Serving HTTPS traffic using certificates you manage

      Last updated September 18, 2019

    This guide describes how to use the Fastly TLS product to upload and deploy your own TLS certificates and private keys using the Fastly web interface.

    To serve secure traffic from Fastly using HTTPS, a website or application needs to provide clients with a valid TLS certificate signed by a trusted Certification Authority (CA). TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are the protocols that allow clients to form secure connections to servers so that traffic can be served over HTTPS.

    Before you begin

    To use Fastly TLS with certificates and keys that you upload and deploy via the web interface, be sure you have the following prerequisites in place:

    In addition to these prerequisites, be sure you understand the following limitations:

    Uploading a private key and certificate

    To upload a TLS certificate and the relevant private key (the key used to generate the certificate signing request for that certificate), follow the steps below.

    1. Log in to the Fastly web interface and click the Configure link.
    2. Click the HTTPS and network tab. The TLS domains page appears, displaying any domains that have TLS enabled or for which TLS can be enabled. If you've not yet started setting up TLS on any of your domains, this page appears empty.
    3. Click the Add HTTPS to your domains button. The Enter domain window appears.
    4. Click the I want to bring my own certificate and private key link. The TLS certificates tab appears displaying the secure upload controls.

      the secure upload controls on the tls certificates tab

    5. Drag and drop your private key file into the drag and drop area to upload your private key file. Alternately, click the Browse for key file link to navigate to the file on your system using the file picker.

      The private key appears below the upload controls and displays the Unmatched key label prominently on the left.

      an uploaded but unmatched private key that needs a matching certificate

    6. Upload a TLS certificate using the same drag-and-drop area or file picker you used to upload your private key. A success message appears.

    Enabling TLS on a domain

    Once a valid certificate and private key have been uploaded, all domains that appear as SAN entries will be listed on the TLS domains page with a status of TLS ready. To serve HTTPS traffic using your certificate, follow the steps below to enable TLS for the domain and point the DNS records to the certificate's location.

    1. Click the TLS domains tab. The list of all domains that appear as SAN entries appears. Domains in a disabled state will have the status of TLS ready.

      the list of domains that appear as san entries on the tls domains tab, with domains in a disabled state displaying the tls ready status

    2. Click the Enable TLS button to the right of the appropriate domain. Fastly deploys your TLS certificate to the entire Fastly edge network. It may take up to an hour for your certificate to become available throughout the world.
    3. Click More details to view the TLS configuration associated with the domain. Details about your domain’s TLS configuration appear.

      the domain details shown by clicking more details when tls traffic hasn't started flowing yet

    4. Use the DNS details displayed in this section to configure your DNS records so that a TLS connection can be established using your certificate.

    Applying a TLS configuration to a domain

    TLS configurations are a collection of TLS settings that include the supported versions of TLS and HTTP, along with networking and handshaking options that clients will use. For accounts with more than one TLS configuration, the default configuration has a label in the right corner of the card.

    the list of configurations on the TLS configurations tab with the default configuration marked as default in the upper right corner of the configuration card

    To override the default TLS configuration applied to a domain or to migrate a domain to use a different configuration follow these steps.

    1. Click the TLS domains tab.
    2. Click the More details link on the appropriate domain card.
    3. From the Add TLS configuration menu at the bottom of the card, select the new configuration from the available options.

      the domain details shown by clicking more details when tls traffic hasn't started flowing yet and the associated additional TLS configurations that can be selected from the add tls configuration menu

      Once the configuration is selected, the TLS configurations listed are applied to the domain. Each TLS configuration is active and available at its own IP addresses and DNS records.

      the list of active tls configurations and available at specific IP addresses and dns records

    4. Use the DNS details under the desired TLS configuration to update your DNS records.
    5. Confirm the new DNS records have propagated across the internet (this can take up to 48 hours), then delete the old TLS configuration by clicking the trash can icon.

    Replacing a certificate

    The TLS certificates page warns you when a certificate is nearing its expiration date.

    a certificate that is nearing expiration

    There may be situations where Fastly identifies certificates that should be replaced. These certificates will be clearly marked.

    a certificate needing replacement

    Fastly allows you to replace a certificate with a new one at any time.

    Replacing certificates when there are no removed domains

    To replace a TLS certificate with one that contains the same domains as the original (either an exact matching list or a superset), follow these steps.

    1. Generate a new certificate with your preferred Certification Authority.
    2. If a new key was generated with the new certificate, upload it.
    3. Find the certificate you’re replacing on the TLS certificates tab in the web interface.

      a certificate that is nearing expiration

    4. Click the certificate replacement icon in the upper right corner of the certificate’s card.
    5. Using the file picker that appears, find the new certificate you’re replacing the old one with. The certificate you select should be PEM-formatted and the SAN entries of this new certificate must contain all entries in the current certificate (i.e., it must either have an exact matching list or contain a superset).
    6. Wait for the certificate update process to complete. A success message appears indicating the certificate has been successfully updated.

      a certificate successfully replaced

    All domains actively serving TLS traffic on the old certificate will be automatically transitioned to the updated certificate within a matter of minutes. Any new domains will need to be manually enabled by following the steps for enabling TLS on a domain.

    Replacing certificates when there have been changes to domains

    If you need to update one of your certificates in a way that removes domains, you will need to procure a new certificate with the updated list of SAN entries. Follow the steps below to upload this certificate as a new certificate.

    1. Upload the new certificate.
    2. Click the TLS domains tab and find the previously existing domains that have already been enabled on the certificate you’re replacing.
    3. Click More details on the domain card to see the active TLS configurations.

      the more details menu that allows you to select which TLS certificate to use for terminating TLS requests

    4. From the Certificate being used menu, select a new certificate. A confirmation message appears.
    5. Click the Use this certificate button on the confirmation message.
    6. Manually activate any new domains that have been added to the updated certificate by following the steps for enabling TLS on a domain. Certificates for newly activated domains can take between 20 minutes and an hour to fully deploy across Fastly’s global network. If the new certificate is not being used to serve TLS traffic within 1 hour, contact support@fastly.com for assistance.

    Disabling TLS and deleting certificates and private keys

    Once a domain has TLS enabled, you have the option to disable TLS via the Disable TLS link listed on the TLS domains page. Once disabled, Fastly will no longer serve TLS traffic on the selected domain.

    To delete a certificate from the TLS certificates page, first disable TLS for all domains on that specific certificate. You will also need to delete all certificates matched to a private key before you can delete that key.

    Certificate expirations

    Thirty days before any certificate is due to expire, the web interface will display warnings on certificates soon to expire. Fastly will also begin to periodically send automated expiration notification emails to all users on the account with the TLS management permission. If the certificate is not replaced or removed, Fastly will continue to email users on the account until the certificate expires. Once expired, Fastly will no longer send automatic notifications.
