TLS service options
Last updated January 11, 2020
Fastly provides a variety of Transport Layer Security (TLS) services that allow websites and applications to serve traffic over HTTPS, offering privacy and data security for services. To serve secure HTTPS traffic from Fastly, your website needs a valid TLS certificate with a matching private key. You can generate and upload these yourself or have Fastly do this automatically on your behalf.
TIP: Fastly’s pricing page details the current rates for our TLS services.
Important considerations
Certificates provided by any certification authority (CA) are third-party technologies. You are responsible for ensuring that you are the legitimate registrant and can demonstrate control of any domain that appears on a certificate procured on your behalf. Certificates provided by GlobalSign are subject to the terms of GlobalSign's Subscriber Agreement, which can be found at https://www.globalsign.com/repository.
IMPORTANT: The ability to select GlobalSign as your certification authority when securing domains with Fastly TLS is part of a Limited Availability offering. Likewise, the ability to create multi-domain Fastly managed certificates when securing domains with Fastly TLS is part of a Limited Availability offering. For more information, see our product and feature lifecycle descriptions.
For customers bringing their own certificates, both the Fastly TLS and Concierge TLS services support Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV) certificates. If Fastly manages your certificates, however, only DV and OV certificates can be used.
If you’ve purchased Fastly’s PCI-compliant caching or HIPAA-compliant caching products, Fastly will enforce a minimum version of TLS 1.2 for all connections to meet the compliance requirements mandated by the PCI Security Standards Council.
By default, Fastly uses the Server Name Indication (SNI) extension. All modern browsers support SNI. Clients that do not support SNI (such as those on Windows XP and Android 2.x or earlier) will see a TLS handshake error.
Fastly supports SHA-256 certificates that are signed by publicly trusted certification authorities and have a minimum key size of 2048 bits for RSA public key encryption. For performance reasons, we strongly recommend using a 2048-bit key size for RSA when larger key sizes are not required for your application.
Fastly TLS
Fastly TLS allows paid account customers to manage TLS certificates on a domain-by-domain or multi-domain basis using our web interface or API (you can’t use Fastly TLS with a developer trial). With Fastly TLS, you can either generate and upload your own TLS certificates and private keys or instruct Fastly to automatically generate and manage TLS certificates via a third-party CA on your behalf.
How it works
If you bring your own certificates, you can use the Fastly web interface or API to upload TLS certificates and keys. You must upload the relevant private key before uploading the matching certificate.
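A pre-upload check for a customer-provided certificate, covering the requirements stated above (SHA-256 signature, RSA key of at least 2048 bits) and confirming that the private key matches the certificate. This is an added example built on the openssl command line, not Fastly tooling; the function names, return codes, and the constructed self-signed sample pair are assumptions.

```shell
#!/bin/sh
# Added example (not Fastly tooling): pre-upload check for a certificate/key pair.
MIN_RSA_BITS=2048   # minimum RSA key size stated on this page

# make_sample DIR NAME: writes a constructed self-signed pair for testing only.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=www.example.com" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# preflight CERT KEY
# Returns 0 = ok, 1 = signature is not SHA-256, 2 = not RSA or key too small,
# 3 = private key does not match the certificate, 4 = certificate unreadable.
preflight() {
  cert=$1
  key=$2
  text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 4

  # Signature hash: first "Signature Algorithm" line, e.g. sha256WithRSAEncryption.
  sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  case $sig in
    *[Ss][Hh][Aa]256*) ;;
    *) return 1 ;;
  esac

  # Key type and size, read from the certificate's public key.
  printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || return 2
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  [ -n "$bits" ] || return 2
  [ "$bits" -ge "$MIN_RSA_BITS" ] || return 2

  # Key match: the public key derived from the private key must equal the
  # certificate's public key. Only public material is compared.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
  [ "$cert_pub" = "$key_pub" ] || return 3
  return 0
}

# Stand-alone use: sh preflight.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
  preflight "$1" "$2"
  echo "preflight exit code: $?"
fi
```

The check does not establish that the issuing CA is publicly trusted; a self-signed pair like the constructed sample passes it.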
When Fastly manages your certificates, you use the Fastly web interface or API to select the CA from which Fastly should procure your TLS certificates. Fastly then procures DV certificates from the authority you've chosen. To complete a certificate request, you must prove that you control your domains by modifying DNS records.
TIP: To have Fastly procure organization validated certificates (OV) instead, contact sales@fastly.com.
By default, Fastly installs TLS certificates at a shared set of IP addresses. When client requests get sent to Fastly, we select the correct certificates using the SNI extension of TLS, which allows clients to present a hostname in the TLS handshake request.
IMPORTANT: Fastly TLS comes with a 50 certificate limit. To discuss how to raise this product’s certificate limit, contact sales@fastly.com.
How we bill for it
Fastly TLS is billed based on the number of fully qualified domain names (e.g., example.com or www.example.com) and wildcard domains (e.g., *.example.com) that are TLS enabled at the end of the month for your account.
Fastly TLS treats all entries on a certificate equally and each entry as its own item. On both certificates you manage and those that Fastly manages for you, an entry can be an apex domain, a subdomain, or a wildcard domain. Charges are based on the combined total of the domains on the certificates you manage as well as certificates that Fastly manages for you.
For Fastly-managed subscriptions, your charges may vary based on the CA you select. Specifically, there are pricing differences between Fastly TLS certificates provided by a commercial CA and those provided by a non-profit CA. Our pricing page provides specifics about these differences.
Concierge TLS
Concierge TLS provides TLS-specific advanced configuration support sold as a packaged addition to Fastly’s Enterprise Support service option. Concierge TLS increases the Fastly TLS limit on domain additions from 50 to 100 and provides advanced TLS support and configuration options for Enterprises.
To add Concierge TLS to your Enterprise Support option, contact sales@fastly.com.
Other TLS options
In addition to Fastly TLS, we make several other TLS options available including shared certificate options and a managed option that uses a procured certificate from a commercial certification authority.
IMPORTANT: As part of our previously announced planned retirement of shared certificates, Fastly has begun working with customers to migrate shared certificates to Fastly TLS, with its associated web interface and API, which offers similar functionality to the retired shared certificate products. We will continue to support shared certificates for existing customers during this migration. Our support team will contact you to schedule individual migrations and can be emailed at fastlytlsupdates@fastly.com for general questions.
Free TLS via the shared Fastly domain
Fastly offers a free TLS option that allows you to serve HTTPS traffic using an address like example.global.ssl.fastly.net via a shared Fastly domain.
To use this option, follow the instructions in our guide to setting up free TLS and pay close attention to the noted limitations. If you have specific traffic routing, domain naming, or URL requirements, one of Fastly’s paid TLS options will provide you with more flexibility.
Dedicated IP addresses
IMPORTANT: This information is part of a limited availability release. For more information, see our product and feature lifecycle descriptions.
On a limited availability basis, Fastly can install customer-provided certificates at a dedicated set of IP addresses specified via customer-specific DNS records. These DNS records can be set up to use three possible network routing options (sometimes referred to as network maps or domain maps) that allow you to choose which parts of the Fastly network to use.
To see if your company meets the qualification criteria for this option, contact sales@fastly.com.
Certificate Procurement, Management, and Hosting
Fastly offers a Certificate Procurement, Management, and Hosting Service where we purchase dedicated TLS certificates on your behalf, then host and manage them for you. Specifically:
- Each certificate purchased will support 2,500 bytes of SAN entries up to a maximum of 150 SAN entries.
- When the limits on any purchased certificate are reached, Fastly will purchase an additional one for you with the same limits, managing and hosting it on your behalf.
- All certificates will be served using SNI technology.
- All new SAN entries require you to verify your control of the domains requested.
- You manage additions and removals of SAN entries using our web interface.
Contact sales@fastly.com if you are interested in purchasing this hosting option.