
TLS service options

  Last updated March 29, 2019

Fastly's various Transport Layer Security (TLS) services allow websites and applications to serve traffic over HTTPS, providing privacy and data security for your services. In addition to our free shared domain option, we offer several shared certificate options and certificate hosting services for pre-existing certificates. We can also procure certificates for you, which we then host and manage on your behalf.

Ordering a paid TLS option

If you have not already obtained a TLS certificate, you can purchase one of our shared certificate options using our web interface. To purchase any of our other paid TLS options, contact our sales team at sales@fastly.com.

How we bill for paid TLS options

Each time you add a domain (or wildcard) to a Shared TLS certificate, your bill will increase. We bill you for domain additions one month at a time for whole calendar months only. We don't charge you for any partial months of use.

For example, when you add a domain in the middle of January, it will appear on your February invoice (not your January invoice) because February is the first full calendar month and because Fastly bills in arrears, not in advance.

Shared certificate options

Fastly offers the following shared TLS certificate options.

Shared domain

This free option allows you to serve HTTPS traffic using an address like example.global.ssl.fastly.net. To use this option, add a new domain in the Fastly web interface and set up an origin server for that domain. You can learn more about how to do that in our guide on setting up free TLS. When using free TLS, all traffic is routed through Fastly's entire global network. If you need the ability to route traffic through specific POPs, order a paid TLS option.

Shared TLS Certificate Service

Our Shared TLS Certificate option uses the Fastly Subject Alternative Name (SAN) certificate. Specifically:

Our partner Certificate Authority explains the shared SAN certificate as "a way to conserve IP addresses by putting multiple hostnames or domains on one certificate. There are no security implications…. Addition of your name to the certificate still needs to be authorized by you."

Shared TLS Wildcard Certificate Service

Our Shared TLS Wildcard Certificate option uses the Fastly SAN certificate. Specifically:

Domain names that are within the scope of the wildcard domain name don't have to be added to the certificate. For example, if you provided Fastly with the *.example.com wildcard domain name and we added that to the certificate SAN field, you could use api.example.com and demo.example.com with this service without having to contact Fastly. The apex domain (example.com in this example) would need to be added as a separate SAN entry (see Shared TLS Certificate Services). While the wildcard domain remains active on the shared certificate, the manually added apex domain would be included at no extra charge (review our pricing page for the wildcard service cost).
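The scoping rule above can be checked before you request SAN entries. The following is an added example, not Fastly code: it applies the standard single-label wildcard rule from RFC 6125 to a constructed host list, and goes slightly beyond the text by showing that a deeper name such as v2.api.example.com is also outside the wildcard's scope. The function names and host list are assumptions made for illustration.

```python
# Added example: SAN coverage check for planning a shared wildcard certificate.
def san_matches(san: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers hostname.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one label (RFC 6125, section 6.4.3).
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # "*" never spans zero labels or several labels
    if san_labels[0] == "*":
        # Require at least two fixed labels so "*.com" is not accepted.
        return len(san_labels) >= 3 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def uncovered(sans, hostnames):
    """Hostnames that still need their own SAN entry on the certificate."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


# Constructed sample data using the page's example.com names.
SANS = ["*.example.com"]
HOSTS = ["api.example.com", "demo.example.com", "example.com", "v2.api.example.com"]

if __name__ == "__main__":
    for host in HOSTS:
        print(f"{host:22} covered={any(san_matches(s, host) for s in SANS)}")
    print("need separate SAN entries:", uncovered(SANS, HOSTS))
```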

Customer-Provided TLS Certificate Hosting Service

For customers who want to serve their own TLS certificates from Fastly's edge network using Server Name Indication (SNI), we offer a Customer-Provided TLS Certificate Hosting Service. This service supports Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV) certificates.

We install certificates at a shared set of IP addresses. Each certificate is selected using the SNI extension of TLS, which allows clients to present a hostname in the TLS handshake request. Contact sales@fastly.com if you're interested in purchasing this hosting option.

Using a dedicated IP address with certificate hosting

On a limited availability basis, Fastly will install customer-provided certificates at a dedicated IP address. With this add-on to our Customer-Provided TLS Certificate Hosting Service, Fastly offers a customer-specific DNS Global Domain Map that associates the certificate with the allocated IP addresses. To see if your company meets the qualification criteria for this option, contact sales@fastly.com.

Certificate Procurement, Management, and Hosting Service

Fastly offers a Certificate Procurement, Management, and Hosting Service where we purchase dedicated TLS certificates on your behalf, and then host them and manage them for you. When you purchase this service:

Contact sales@fastly.com if you are interested in purchasing this hosting option.

TLS 1.3 and 0-RTT

TLS 1.3, the newest version of the TLS protocol, is designed to improve the performance and security of traffic served over HTTPS. This version, ratified by the Internet Engineering Task Force (IETF) in 2018, offers a stronger set of ciphers than earlier versions and reduces the number of round trips required to establish a secure connection. New sessions need one fewer round trip and, with 0-RTT enabled, resumed connections reduce latency further by sending the encrypted application request in the same flight as the initial ClientHello, which results in zero round trip time (0-RTT).

Limitations and key behaviors

Before requesting this functionality, understand that:

Enabling TLS 1.3 and 0-RTT

To have TLS 1.3 turned on for your traffic, contact support@fastly.com. Optionally, you may also enable 0-RTT for session resumption for all or some of the hostnames that use a set of dedicated IPs. Requests issued with 0-RTT will include an Early-Data: 1 header, as per RFC 8470. You can query and log this header in VCL using req.http.early-data.
