Setting up free TLS
Last updated April 20, 2017
Customers can use our free shared domain TLS wildcard certificate to test TLS websites or applications using a Fastly URL (e.g.,
Before you begin
Before you begin setting up free TLS, understand the following:
- Free TLS may not be suitable for a production environment if the domain name you use matters. For that, you'll need a paid TLS option.
- If you DNS alias your own domain (www.example.org) to the shared domain (example.global.ssl.fastly.net), a TLS name mismatch warning will appear in the browser. The only way to fix the mismatch is by ordering a paid TLS option.
- Free TLS supports both HTTP/2 and HTTP/1.1 by default, although you can temporarily limit free TLS to HTTP/1.1.
Setting up free TLS for the first time
Follow the steps below to set up free TLS:
- Log in to the Fastly web interface and click the Configure link.
- From the service menu, select the appropriate service.
- Click the Configuration button and then select Clone active. The service version page appears.
- Click the Domains tab. The Domains page appears.
- Click the Create domain button. The Create a domain page appears.
- Fill out the Create a new domain fields as follows:
  - In the Domain Name field, type <name>.global.ssl.fastly.net, where <name> is a single word that claims the domain you're creating. If the name has already been claimed, you will need to pick a different one.
  - In the Comment field, type a human-readable name for the domain. This name is displayed in the Fastly web interface.
  IMPORTANT: In the Domain Name field, <name> can only be a single word. You cannot use a dot-separated name such as www.example.org.global.ssl.fastly.net because TLS certificates do not support nesting.
- Click the Create button to save the domain. The new domain appears in the list of domains.
- Click the Activate button to deploy your configuration changes.
Once you've set up free TLS, you'll be able to access your host domain via the following URL:
You won't need to add CNAME records to use the shared domain certificate and your service configuration will automatically work with HTTP/2 (and HTTP/1.1) once you update your host domain to use the new DNS name.
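Both the single-word rule and the name mismatch warning described above follow from how a wildcard certificate is matched. The sketch below is an added example, not Fastly's code: it assumes the shared certificate carries the name pattern *.global.ssl.fastly.net, and san_matches and check are hypothetical helper names.

```python
# Added example: single-label wildcard matching as TLS clients apply it
# (RFC 6125, section 6.4.3). Not part of the original page.

# Assumption: the shared certificate lists this wildcard name.
ASSUMED_SAN = "*.global.ssl.fastly.net"


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if hostname is covered by a certificate name pattern.

    A leading "*" stands in for exactly one DNS label; it never spans a dot.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # Different label counts can never match, and empty labels are invalid.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # The wildcard consumes the leftmost label only; the rest must be equal.
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check(hostnames, pattern=ASSUMED_SAN):
    """Map each requested hostname to whether the certificate would be accepted.

    The client compares the name the user requested, not the CNAME target,
    which is why an aliased www.example.org still fails.
    """
    return {h: san_matches(pattern, h) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample names, taken from the cases this page describes.
    samples = [
        "example.global.ssl.fastly.net",          # single-word <name>
        "www.example.org.global.ssl.fastly.net",  # dot-separated <name>
        "www.example.org",                        # own domain aliased via DNS
    ]
    for host, ok in check(samples).items():
        print(f"{host:42} {'match' if ok else 'NAME MISMATCH'}")
```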
Updating existing free TLS service to support HTTP/2
If your existing shared domain name uses our <name>.global.ssl.fastly.net map, you can continue to use it for HTTP/1.1. If you want to use your HTTP/2-enabled map, then update your DNS to use <name>.freetls.fastly.net instead. The freetls.fastly.net domain is automatically created for you and you can continue to use the <name>.global.ssl.fastly.net syntax when claiming your domain in the web interface.
For example, if you originally claimed example.global.ssl.fastly.net during setup, you can continue to use it for HTTP/1.1. Fastly automatically makes example.freetls.fastly.net available to you (no one else can claim it) with support for both HTTP/2 and HTTP/1.1. If you want to use it for HTTP/2, update your DNS to use example.freetls.fastly.net instead. Your existing example.global.ssl.fastly.net domain will still be available for use (though it will only support HTTP/1.1) and you'll still be able to test your domain via the URL
Temporarily limiting free TLS service to HTTP/1.1
If you're not ready to use HTTP/2, you can temporarily limit support to just HTTP/1.1 by setting your domain name during setup to <name>.global.ssl.fastly.net until all free TLS shared domain traffic is switched exclusively to HTTP/2 (see our deprecation schedule for key dates).