TLS key and certificate replacement

  Last updated October 03, 2018

To serve secure traffic from Fastly using HTTPS, a website or application needs to provide clients with a valid TLS certificate signed by a trusted certificate authority. Fastly offers a number of ways to deploy TLS certificates across our edge network.

This guide describes how to replace the keys and certificates used to terminate TLS for domains that have already been configured within the Fastly system. If you generate your own keys and certificates and transfer them to Fastly to install, contact support@fastly.com to see if you qualify for this interface.


To upload new private keys and replace TLS certificates using the web interface, you will need:

Known Issues

Accessing the TLS management interface

To access the TLS management interface, log in to your Fastly account, click the stopwatch icon in the top left of the screen, and then click on the TLS management tab.

[Image: the TLS management tab on the All services page]

This brings you to the TLS certificates page, which lets you view your certificates and private keys, and allows you to upload new keys and replace your existing certificates.

Replacing a key and certificate

To upload the new key and replace the certificate used to terminate TLS for a domain, you must first generate a new key and certificate with your preferred Certificate Authority. When generating the new certificate, you must specify exactly the same list of SAN entries as the existing certificate. The TLS management interface shows all of your current certificates and the SAN entries of each one. If you need to modify the SAN entries for a particular certificate, or if you need to add a brand new certificate for a new set of domains, contact support@fastly.com for assistance.

In order to replace a TLS certificate you will first need to upload the matching private key that was used to generate the new certificate.

[Image: the key upload zone]

On the TLS certificates page there is a drag-and-drop area that you can use to drop your private key file. Alternatively you can browse your file system for the private key. This upload tool currently only accepts 2048-bit RSA keys. If you require longer key lengths, contact support@fastly.com. Valid private keys will automatically upload to Fastly upon being dropped on the page, or after being selected from the file picker.

Upon successfully uploading a private key, the TLS certificates page will display the key with the label "Orphan key". This refers to a private key that has no matching TLS certificate. If you have multiple private keys, you will be able to identify each by its unique upload date and time. Private keys can only be deleted if they are in the orphan state.

[Image: a key has been uploaded]

Once you have uploaded the new private key, you will be able to replace the TLS certificate. Find the certificate in the list of certificates. In the example below we show a certificate that is nearing expiration. You will see the Replace icon at the top-right corner. Clicking this icon brings up a file picker that can be used to select the new certificate. The certificate you select should be PEM-formatted, and its SAN entries must exactly match those of the current certificate. You can select either a file containing the full certificate chain or a file containing just the leaf certificate. The intermediate certificates will be automatically backfilled when just the leaf certificate is uploaded.

[Image: a certificate that is nearing expiration]

After selecting the new certificate, a success message will be displayed and the certificate information will be updated. When a certificate is replaced, it will be automatically deployed and all domains actively serving TLS traffic on the old certificate will be automatically transitioned to the updated certificate within a matter of minutes.

[Image: a certificate successfully replaced]
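
The requirements described in this section (a 2048-bit RSA key, a private key that matches the new certificate, and SAN entries identical to the current certificate) can be checked locally before uploading. The script below is an added example, not Fastly tooling: the function names and file names are hypothetical, it assumes OpenSSL 1.1.1 or later, and it compares SAN entries as a set, ignoring their order.

```shell
#!/bin/sh
# Added example: local pre-upload checks for a replacement key/certificate.
# Assumes OpenSSL 1.1.1 or later on PATH (required for `x509 -ext`).

# Print the RSA key size in bits; prints nothing for non-RSA or unreadable keys.
rsa_bits() {
    openssl rsa -passin pass: -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Print the public key (PEM) derived from a private key, or held in a certificate.
key_pub()  { openssl pkey -passin pass: -in "$1" -pubout 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Print the SAN entries of the first (leaf) certificate in a PEM file,
# one per line, sorted so that two lists can be compared regardless of order.
san_list() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        sed '1d' | tr ',' '\n' | sed 's/^[[:space:]]*//; /^$/d' | LC_ALL=C sort
}

# check_replacement NEW_KEY NEW_CERT CURRENT_CERT
# Returns 0 only when every requirement holds; reports each failure on stderr.
check_replacement() {
    rc=0
    [ "$(rsa_bits "$1")" = 2048 ] ||
        { echo "FAIL: $1 is not a 2048-bit RSA key" >&2; rc=1; }
    pub=$(key_pub "$1") || pub=
    [ -n "$pub" ] && [ "$pub" = "$(cert_pub "$2")" ] ||
        { echo "FAIL: $1 is not the private key for $2" >&2; rc=1; }
    cur=$(san_list "$3")
    [ -n "$cur" ] && [ "$cur" = "$(san_list "$2")" ] ||
        { echo "FAIL: SAN entries of $2 differ from $3" >&2; rc=1; }
    return "$rc"
}

# Run as: sh check.sh new.key new.crt current.crt   (file names are placeholders)
if [ "$#" -eq 3 ]; then
    check_replacement "$@" && echo "OK: ready to upload"
fi
```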

There may be situations where Fastly identifies certificates that should be replaced. These certificates will be clearly marked.

[Image: a certificate needing replacement]
