TLS service options

      Last updated March 29, 2019

    Fastly's various Transport Layer Security (TLS) services allow websites and applications to serve traffic over HTTPS, providing privacy and data security for your services. In addition to our free shared domain option, we offer several shared certificate options and certificate hosting services for pre-existing certificates. We can also procure certificates for you, which we then host and manage on your behalf.

    Ordering a paid TLS option

    If you have not already obtained a TLS certificate, you can purchase one of our shared certificate options using our web interface. To purchase any of our other paid TLS options, contact our sales team at

    How we bill for paid TLS options

    Each time you add a domain (or wildcard) to a Shared TLS certificate, your bill will increase. We bill you for domain additions one month at a time for whole calendar months only. We don't charge you for any partial months of use.

    For example, when you add a domain in the middle of January, it will appear on your February invoice (not your January invoice) because February is the first full calendar month and because Fastly bills in arrears, not in advance.

    Shared certificate options

    Fastly offers the following shared TLS certificate options.

    Shared domain

    This free option allows you to serve HTTPS traffic using an address like To use this option, add a new domain in the Fastly web interface and set up an origin server for that domain. You can learn more about how to do that in our guide on setting up free TLS. When using free TLS, all traffic is routed through Fastly's entire global network. If you need the ability to route traffic through specific POPs, order a paid TLS option.

    Shared TLS Certificate Service

    Our Shared TLS Certificate option uses the Fastly Subject Alternative Name (SAN) certificate. Specifically:

    Our partner Certificate Authority explains the shared SAN certificate as "a way to conserve IP addresses by putting multiple hostnames or domains on one certificate. There are no security implications….Addition of your name to the certificate still needs to be authorized by you."

    Shared TLS Wildcard Certificate Service

    Our Shared TLS Wildcard Certificate option uses the Fastly SAN certificate. Specifically:

    Domain names that are within the scope of the wildcard domain name don't have to be added to the certificate. For example, if you provided Fastly with the * wildcard domain name and we added that to the certificate SAN field, you could use and with this service without having to contact Fastly. The apex domain ( in this example) would need to be added as a separate SAN entry (see Shared TLS Certificate Services). While the wildcard domain remains active on the shared certificate, the manually added apex domain would be included at no extra charge (review our pricing page for the wildcard service cost).
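The scoping rule above can be checked against a hostname inventory before you request SAN changes. This is an added example, not Fastly code; the hostnames are constructed and `san_matches` and `uncovered` are hypothetical names. It also applies the general certificate-matching rule that a wildcard stands for exactly one leftmost label, so names more than one level below the wildcard are not covered either.

```python
# Added example: SAN coverage check. All hostnames below are constructed.

def san_matches(hostname: str, san: str) -> bool:
    """Return True if one SAN dNSName entry covers hostname.

    A leading "*." stands for exactly one leftmost label, so it covers
    neither the apex nor names more than one level below it.
    """
    host = hostname.lower().rstrip(".")
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    suffix = san[2:]
    head, _, tail = host.partition(".")
    return bool(head) and tail == suffix


def uncovered(hostnames, san_entries):
    """List the hostnames that no SAN entry covers, in input order."""
    return [h for h in hostnames
            if not any(san_matches(h, s) for s in san_entries)]


# Constructed inventory: one wildcard SAN, no separate apex entry yet.
SANS = ["*.example.com"]
HOSTS = ["www.example.com", "api.example.com", "example.com",
         "img.cdn.example.com"]

if __name__ == "__main__":
    for name in uncovered(HOSTS, SANS):
        print("needs its own SAN entry:", name)
```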

    Customer-Provided TLS Certificate Hosting Service

    For customers who want to serve their own TLS certificates from Fastly's edge network using Server Name Indication (SNI), we offer a Customer-Provided TLS Certificate Hosting Service. This service supports Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV) certificates.

    We install certificates at a shared set of IP addresses. Each is selected using the SNI extension of TLS, which allows clients to present a hostname in the TLS handshake request. Contact if you're interested in purchasing this hosting option.

    Using a dedicated IP address with certificate hosting

    On a limited availability basis, Fastly will install customer-provided certificates at a dedicated IP address. With this add-on to our Customer-Provided TLS Certificate Hosting Service, Fastly offers a customer-specific DNS Global Domain Map that associates the certificate with the allocated IP addresses. To see if your company meets the qualification criteria for this option, contact

    Certificate Procurement, Management, and Hosting Service

    Fastly offers a Certificate Procurement, Management, and Hosting Service where we purchase dedicated TLS certificates on your behalf, and then host them and manage them for you. When you purchase this service:

    Contact if you are interested in purchasing this hosting option.

    TLS 1.3 and 0-RTT

    TLS 1.3, the newest version of the TLS protocol, is designed to improve the performance and security of traffic served over HTTPS. This version, ratified by the Internet Engineering Task Force (IETF) in 2018, offers a stronger set of ciphers compared to former versions, plus a reduction in the number of round trips required to establish a secure connection. New sessions benefit from one fewer round trip and, with 0-RTT enabled, resumed connections gain a further latency reduction because the encrypted application request is sent along with the initial ClientHello. This results in zero round trip time (0-RTT).

    Limitations and key behaviors

    Before requesting this functionality, understand that:

    Enabling TLS 1.3 and 0-RTT

    To have TLS 1.3 turned on for your traffic, contact Optionally, you may also enable 0-RTT for session resumption for all or some of the hostnames that use a set of dedicated IPs. Requests issued with 0-RTT will include an Early-Data: 1 header, as per RFC 8470. This attribute can be queried and logged via VCL, using req.http.early-data.
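An added example, not Fastly code: a Python WSGI middleware an origin could use to act on the Early-Data header. Because early data can be replayed, it answers non-safe methods with 425 (Too Early), the status RFC 8470 defines for this purpose. It assumes the header reaches the origin unchanged; `reject_early_unsafe`, `demo_app` and `status_for` are hypothetical names.

```python
# Added example: origin-side handling of the Early-Data request header.
from wsgiref.util import setup_testing_defaults

# Methods this policy accepts in early data (an assumption of the example).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def reject_early_unsafe(app):
    """Wrap a WSGI app so that state-changing requests flagged as
    early data get 425 Too Early instead of being processed."""
    def middleware(environ, start_response):
        # WSGI exposes the Early-Data header as HTTP_EARLY_DATA.
        early = environ.get("HTTP_EARLY_DATA", "").strip() == "1"
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if early and method not in SAFE_METHODS:
            body = b"Too Early\n"
            start_response("425 Too Early",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return middleware


def demo_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(method, early):
    """Send one constructed request through the middleware and
    return the status line it produced."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    if early:
        environ["HTTP_EARLY_DATA"] = "1"
    seen = []
    list(reject_early_unsafe(demo_app)(
        environ, lambda status, headers, exc_info=None: seen.append(status)))
    return seen[0]


if __name__ == "__main__":
    for method, early in [("GET", True), ("POST", True), ("POST", False)]:
        print(method, "early" if early else "normal", "->", status_for(method, early))
```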
