TLS service options

      Last updated November 11, 2019

    Fastly provides a variety of Transport Layer Security (TLS) services that allow websites and applications to serve traffic over HTTPS, offering privacy and data security for services. To serve secure HTTPS traffic from Fastly, your website needs a valid TLS certificate with a matching private key. You can generate and upload these yourself or have Fastly do this automatically on your behalf.

    Important considerations

    Certificates provided by Let’s Encrypt and any other Certification Authority are third-party technologies. You are responsible for ensuring that you are the legitimate registrant and can demonstrate control of any domain that appears on a certificate procured on your behalf.

    Certificates provided by GlobalSign are subject to the terms of GlobalSign's Subscriber Agreement, which can be found at https://www.globalsign.com/repository.

    If you’ve purchased Fastly’s PCI-compliant caching or HIPAA-compliant caching products, Fastly enforces TLS 1.2 as the minimum protocol version for all connections, to meet the compliance requirements mandated by the PCI Security Standards Council.

    By default, Fastly uses the Server Name Indication (SNI) extension to select certificates. All modern browsers support SNI. Clients that do not support SNI (such as those on Windows XP and Android 2.x or earlier) will see a TLS handshake error.

    Fastly supports SHA-256 certificates signed by publicly trusted certification authorities that have a minimum key size of 2048 bits for RSA public key encryption. For performance reasons, we strongly recommend using a 2048-bit key size for RSA when larger key sizes are not required for your application.

    Fastly TLS

    Fastly TLS allows paid account customers to manage TLS certificates on a domain-by-domain basis using our web interface or API (you can’t use Fastly TLS with a developer trial). With Fastly TLS, you can either generate and upload your own TLS certificates and private keys or instruct Fastly to automatically generate and manage TLS certificates via a third-party Certification Authority on your behalf.

    How it works

    If you bring your own certificates, you can use the Fastly web interface or API to upload TLS material. Upload the private key first, then the matching certificate.

    When Fastly manages your certificates, you must prove that you control your domains by modifying DNS records to complete a certificate request. Fastly will generate one certificate per domain.

    By default, Fastly installs TLS certificates at a shared set of IP addresses. When client requests get sent to Fastly, we select the correct certificates using the SNI extension of TLS that allows clients to present a hostname in the TLS handshake request.
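    The following is an added example, not Fastly's code, of the certificate selection described above and of the SNI limitation noted under Important considerations: a shared-IP endpoint reads the server_name extension out of the ClientHello, resolves it against the installed certificates (exact names and single-label wildcards such as *.example.com), and has nothing to fall back on when a legacy client omits SNI. The ClientHello bytes, the certificate table and the certificate identifiers are constructed for the illustration; a real endpoint would send a TLS alert where this code raises HandshakeError.

```python
# Added example (not Fastly's code): selecting a certificate on a shared IP
# from the SNI extension of a ClientHello. All inputs below are constructed.
import struct


class HandshakeError(Exception):
    """Raised where a real server would send a TLS alert and abort."""


def build_client_hello(server_name=None):
    """Build a minimal ClientHello record (constructed test input). A legacy
    client that does not support SNI omits the extensions block entirely."""
    body = (
        b"\x03\x03"                           # client_version (TLS 1.2 wire value)
        + bytes(32)                           # random (zeros here; constructed)
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                         # compression_methods: null only
    )
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if absent."""
    try:
        if record[0] != 0x16:
            raise HandshakeError("not a handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise HandshakeError("not a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                            # skip version and random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos >= len(body):
            return None                                         # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:
                continue
            q = 2                                               # skip server_name_list length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:
                    return data[q:q + name_len].decode("ascii")
                q += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        raise HandshakeError("malformed ClientHello")


# Constructed table: hostname or wildcard -> identifier of the installed certificate.
CERT_TABLE = {
    "example.com": "cert-apex",
    "*.example.com": "cert-wildcard",
    "shop.example.net": "cert-shop",
}


def select_certificate(server_name, cert_table=CERT_TABLE):
    """Pick the certificate for an SNI name; a wildcard covers exactly one label."""
    if server_name is None:
        # Shared IP addresses carry many customers' certificates, so there is
        # no sensible default to present to a client that sends no SNI.
        raise HandshakeError("client sent no SNI; no certificate can be selected")
    host = server_name.lower().rstrip(".")
    if host in cert_table:
        return cert_table[host]
    labels = host.split(".")
    if len(labels) >= 3:  # *.example.com matches www.example.com, not a.b.example.com
        wildcard = "*." + ".".join(labels[1:])
        if wildcard in cert_table:
            return cert_table[wildcard]
    raise HandshakeError(f"no certificate installed for {host}")


def handshake_outcome(record, cert_table=CERT_TABLE):
    """What the edge does with this ClientHello: ('ok', cert) or ('alert', reason)."""
    try:
        return "ok", select_certificate(extract_sni(record), cert_table)
    except HandshakeError as exc:
        return "alert", str(exc)
```

    Running handshake_outcome on build_client_hello("www.example.com") yields the wildcard certificate, while build_client_hello() with no name yields an alert, which is the handshake error the page describes for Windows XP and Android 2.x clients. The wildcard rule is deliberately strict about matching one label only; public-suffix handling is out of scope here.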

    How we bill for it

    Fastly TLS is billed based on the number of fully qualified domain names (e.g., example.com or www.example.com) and wildcard domains (e.g., *.example.com) that are TLS enabled at the end of the month for your account.

    Concierge TLS

    Concierge TLS provides TLS-specific advanced configuration support sold as a packaged addition to Fastly’s Enterprise Support service option. Concierge TLS increases the Fastly TLS limit on domain additions from 50 to 100 and provides advanced TLS support and configuration options for Enterprises. For customers bringing their own certificates, this service supports Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV) certificates.

    To add Concierge TLS to your Enterprise Support option, contact sales@fastly.com.

    Other TLS options

    In addition to Fastly TLS, we make several other TLS options available including shared certificate options and a managed option that uses a procured certificate from a commercial certification authority.

    Shared TLS certificate options

    Fastly offers the following shared TLS certificate options.

    Free TLS via the shared Fastly domain

    Fastly offers a free TLS option that allows you to serve HTTPS traffic using an address like example.global.ssl.fastly.net via a shared Fastly domain.

    To use this option, follow the instructions in our guide to setting up free TLS and pay close attention to the noted limitations. If you have specific traffic routing, domain naming, or URL requirements, one of Fastly’s paid TLS options will provide you with more flexibility.

    Shared TLS Certificate Service

    Fastly’s Shared TLS Certificate Service allows you to serve HTTPS traffic using the Fastly Subject Alternative Name (SAN) certificate. You get to add up to five of your second-level domains and addresses to it, but Fastly does the certificate administration.

    To purchase and use this option, follow the instructions in our guide to managing domains on TLS certificates. You’ll be billed automatically as a result of the changes you make in the Fastly web interface. Each time you add a second-level domain to a shared TLS certificate, your bill will increase. We charge you for additions one month at a time, at the end of the month, for whole calendar months only. We don't charge you for any partial months of use.

    Shared TLS Wildcard Certificate Service

    Fastly’s Shared TLS Wildcard Certificate Service allows you to serve HTTPS traffic using the Fastly SAN certificate. You get to add up to five of your wildcard domains and addresses to it, but Fastly does the certificate administration.

    To purchase and use this option, follow the instructions in our guide to managing domains on TLS certificates. You’ll be billed automatically as a result of the changes you make in the Fastly web interface. Each time you add a wildcard domain to a shared TLS certificate, your bill will increase. We charge you for additions one month at a time, at the end of the month, for whole calendar months only. We don't charge you for any partial months of use.

    Customer-Provided TLS Certificate Hosting Service

    Fastly offers a Customer-Provided TLS Certificate Hosting Service where you provide TLS certificates and private keys, which we then install at a shared set of IP addresses. Each certificate is selected using the SNI extension of TLS, which allows clients to present a hostname in the TLS handshake request. Choose this option if you have requirements that prevent you from using the Fastly TLS interface to upload your TLS certificates and private keys yourself.

    To purchase this option, contact sales@fastly.com.

    Dedicated IP addresses

    On a limited availability basis, Fastly can install customer-provided certificates at a dedicated set of IP addresses specified via customer-specific DNS records. These DNS records can be set up to use three possible network routing options (sometimes referred to as network maps or domain maps) that allow you to choose which parts of the Fastly network to use.

    To see if your company meets the qualification criteria for this option, contact sales@fastly.com.

    Certificate Procurement, Management, and Hosting

    Fastly offers a Certificate Procurement, Management, and Hosting Service where we purchase dedicated TLS certificates on your behalf, and then host them and manage them for you. When you purchase this service:

    Contact sales@fastly.com if you are interested in purchasing this hosting option.

    TLS 1.3 and 0-RTT

    TLS 1.3, the newest version of the TLS protocol, is designed to improve the performance and security of traffic served over HTTPS. This version, ratified by the Internet Engineering Task Force (IETF) in 2018, offers a stronger set of ciphers compared to former versions, plus a reduction in the number of round trips required to establish a secure connection. New sessions benefit from one less round trip and, with 0-RTT enabled, resumed connections cut latency further by sending the encrypted application request along with the initial ClientHello, for zero round trip time (0-RTT).

    Limitations and key behaviors

    Before requesting this functionality, understand that:

    Enabling TLS 1.3 and 0-RTT

    To have TLS 1.3 turned on for your traffic, contact support@fastly.com. Optionally, you may also enable 0-RTT for session resumption for all or some of the hostnames that use a set of dedicated IPs. Requests issued with 0-RTT will include an Early-Data: 1 header, as per RFC 8470. This attribute can be queried and logged via VCL, using req.http.early-data.
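    The Early-Data: 1 header exists so that something behind the TLS terminator can decide whether a request that arrived in 0-RTT data is safe to act on, since early data is not protected against replay the way post-handshake data is. The following added example (not Fastly's code, and not VCL) shows the RFC 8470 pattern in Python: an edge rejects non-safe methods carrying Early-Data: 1 with 425 Too Early, and the client resends the request after the handshake completes. The HTTP request text, the edge and the order-counting origin are constructed for the illustration; in VCL the same decision would test req.http.early-data and the request method.

```python
# Added example (not Fastly's code): RFC 8470 handling of HTTP requests that
# arrive as TLS 1.3 0-RTT early data. Request text and origin are constructed.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # RFC 7231 safe methods


def parse_request(raw):
    """Split a minimal HTTP/1.1 request (constructed input) into its parts."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


class Origin:
    """Hypothetical origin that counts side effects, so duplicates are visible."""

    def __init__(self):
        self.orders_created = 0

    def handle(self, method, target, body):
        if method == "POST" and target == "/orders":
            self.orders_created += 1
            return 201
        return 200


def edge_handle(raw, origin, reject_unsafe_early_data=True):
    """Edge decision: 425 Too Early for non-safe requests received in 0-RTT data."""
    method, target, headers, body = parse_request(raw)
    early = headers.get("early-data") == "1"   # header added per RFC 8470
    if early and reject_unsafe_early_data and method not in SAFE_METHODS:
        # Early data offers no replay protection; keep it away from the origin
        # until the client resends it on the completed handshake.
        return 425
    return origin.handle(method, target, body)


def client_with_retry(raw_early, edge, origin):
    """RFC 8470 client behaviour: on 425, resend after the handshake completes,
    which here means the request no longer carries Early-Data: 1."""
    status = edge(raw_early, origin)
    if status == 425:
        retry = raw_early.replace("Early-Data: 1\r\n", "")
        status = edge(retry, origin)
    return status


# Constructed request as the edge would see it after adding the header.
EARLY_POST = (
    "POST /orders HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Early-Data: 1\r\n"
    "Content-Length: 12\r\n"
    "\r\n"
    '{"item": 42}'
)


def scenario(reject_unsafe_early_data):
    """Deliver the early-data POST, then deliver the same 0-RTT copy a second
    time (standing in for a duplicate the transport cannot filter out), and
    report the client's final status and how many orders the origin created."""
    origin = Origin()

    def edge(raw, o):
        return edge_handle(raw, o, reject_unsafe_early_data)

    status = client_with_retry(EARLY_POST, edge, origin)
    edge(EARLY_POST, origin)  # duplicate of the 0-RTT copy
    return status, origin.orders_created


if __name__ == "__main__":
    print("with 425 policy:   ", scenario(True))   # (201, 1): one order, once
    print("without policy:    ", scenario(False))  # (201, 2): the duplicate was applied
```

    With the policy in place the client still gets its 201, but only the post-handshake resend reaches the origin and the duplicate 0-RTT copy is refused; without it the origin records the order twice. Safe methods such as GET are let through in early data, which is where the latency benefit comes from.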
