TLS service options

Fastly provides a variety of Transport Layer Security (TLS) services that allow websites and applications to serve traffic over HTTPS, offering privacy and data security for services. To serve secure HTTPS traffic from Fastly, your website needs a valid TLS certificate with a matching private key. You can generate and upload these yourself or have Fastly do this automatically on your behalf.

Important considerations

You are responsible for ensuring that you are the legitimate registrant and can demonstrate control of any domain that appears on a certificate procured on your behalf. Fastly may revoke certificates if required by the CA/Browser Forum Baseline Requirements or the certification authority (CA) providing the certificate. We may also revoke certificates if you fail to comply with Fastly’s Acceptable Use Policy.

Certificates provided by Let’s Encrypt or GlobalSign are third-party technologies. Certificates provided by GlobalSign are subject to the terms of GlobalSign's Subscriber Agreement, which can be found at https://www.globalsign.com/repository.

An alternative to these third-party technologies is Certainly, Fastly’s publicly-trusted CA. Customers with a paid account can use Fastly TLS to manage Certainly certificates to secure up to five domains for free. Additional domains will be billed by usage.

For customers bringing their own certificates, both Fastly TLS and Concierge TLS service support Domain Validated (DV), Organization Validated (OV), Extended Validation (EV), RSA, and ECDSA certificates. If Fastly manages your certificates, use Certainly or Let’s Encrypt to issue DV certificates or GlobalSign to issue DV, OV, or EV certificates.

If you’ve purchased Fastly’s PCI-compliant caching or HIPAA-compliant caching products, Fastly will enforce a minimum version of TLS 1.2 or higher for all connections to meet the compliance requirements mandated by the PCI Security Standards Council.

By default Fastly uses the Server Name Indication (SNI) extension. All modern browsers support SNI. Clients that do not support SNI (such as those on Windows XP and Android 2.x or earlier) will see a TLS handshake error.

Fastly supports SHA-256 certificates signed by publicly trusted certification authorities that have a key size of 2048 bits for RSA public key encryption and key sizes of 256 bits and 384 bits for ECDSA public key encryption. For performance reasons and to help mitigate your security costs, we strongly recommend using an ECDSA certificate.

Fastly TLS

Fastly TLS allows you to manage TLS certificates on a domain-by-domain or multi-domain basis using our web interface or API. With Fastly TLS, you can either generate and upload your own TLS certificates and private keys or instruct Fastly to automatically generate and manage TLS certificates via a third-party, non-profit or commercial CA on your behalf.

How it works

If you have a paid account for Fastly's services, you can bring your own certificates and use the Fastly web interface or API to upload TLS certificates and keys. You must ensure you upload the relevant private key first before uploading the matching certificate.

Fastly-managed certificates are a free TLS option for both paid accounts and free trial accounts. When Fastly manages your certificates, you use the Fastly web interface or API to select the CA from which Fastly should procure your TLS certificates. Fastly then procures DV certificates from the authority you've chosen. To complete a certificate request, you must prove that you control your domains by modifying DNS records. Free trial accounts include up to two TLS domains for free with Certainly, while paid accounts can use Certainly, Let's Encrypt, or GlobalSign and secure additional domains.

By default, Fastly installs TLS certificates at a shared set of IP addresses. When client requests get sent to Fastly, we select the correct certificates using the SNI extension of TLS that allows clients to present a hostname in the TLS handshake request.

How we bill for it

Fastly TLS is billed based on the number of fully qualified domain names (e.g., example.com or www.example.com) and wildcard domains (e.g., *.example.com) that are TLS enabled at the end of the month for your account. All domains in an enabled state will be billed at the end of the month, regardless of certificate status (e.g., valid or expired).

Fastly TLS treats all entries on a certificate equally and each entry as its own item. On both certificates you manage and those that Fastly manages for you, an entry can be an apex domain, a subdomain, or a wildcard domain. Charges are based on the combined total of the domains on the certificates you manage as well as certificates that Fastly manages for you.

For Fastly-managed subscriptions, your charges may vary based on the CA you select. Specifically, there are pricing differences between Fastly TLS certificates provided by a commercial CA and those provided by a non-profit CA. Our pricing page provides specifics about these differences.

Free trial accounts include up to two TLS domains for free. Upgrade to a paid account to secure additional domains or to upload a self-managed certificate.

Mutual TLS authentication

Mutual TLS (mTLS) is an additional layer of network connection security that is added on top of our existing TLS product. By default, the TLS protocol only requires a server to present a trusted certificate to the client. mTLS requires the client to also present a trusted certificate to the server. Instead of having to rely on traditional authentication methods like passwords or API keys, the server to client connection is secured using TLS certificates.

Paid accounts with a contract for Fastly's services can protect two domains for free with mTLS. Additional domains can be purchased for a flat fee. Contact sales@fastly.com for more information.

Concierge TLS

Concierge TLS provides you with TLS-specific advanced configuration support. It is sold as a packaged addition to Fastly’s Enterprise Support service option.

To add Concierge TLS to your Enterprise Support option, contact sales@fastly.com.

Other TLS options

In addition to Fastly TLS, we make several other TLS options available including shared certificate options and a managed option that uses a procured certificate from a commercial certification authority.

Using a shared Fastly domain

Fastly offers a free TLS option that allows you to serve HTTPS traffic using an address like example.global.ssl.fastly.net via a shared Fastly domain.

To use this option, follow the instructions in our guide to setting up TLS on a shared Fastly domain and pay close attention to the noted limitations. If you have specific traffic routing, domain naming, or URL requirements, one of Fastly’s paid TLS options will provide you with more flexibility.

Dedicated IP addresses

Fastly can install customer-provided or Fastly-managed certificates at a dedicated set of IP addresses specified via customer-specific DNS records. These DNS records can be set up to use three possible network routing options (sometimes referred to as network maps or domain maps) that allow you to choose which parts of the Fastly network to use.

To see if your company meets the qualification criteria for this option, contact sales@fastly.com.