A default CDN configuration allows traffic to flow over HTTP. Serving traffic over HTTPS requires a TLS certificateRefers to a certificate that allows you to use the TLS protocol to encrypt traffic between the client and our network for the purpose of delivery over HTTPS. on our network, updating your CDN configuration, and defining a CNAME record via your DNS service provider.
Delivery over HTTPS requires TLS activation and TLS certificates. Contact your CDN account manager for more information.
Our CDN supports the use of any certificate derived from a Certificate Authority (CA) by allowing you to bring your own certificate to our network. Additionally, you may purchase a TLS certificate that supports multiple Subject Alternative Names (SAN). We support the following levels of validationDetermines the amount of validation that the Certificate Authority will perform to verify a certificate applicant's information before issuing a certificate. for our certificates:
Domain Validation (DV)
This validation level only requires proof that you control the domain(s) associated with the certificate. Use a Domain Control Validation (DCV) method (i.e., email or DNS record) to prove your control over those domains.
Organization Validation (OV)
In addition to domain validation, OV requires a CA representative to contact/vet your organization and check whether the applicant may use the requested domain(s).
Extended Validation (EV)
EV provides the highest level of validation by requiring the CA to perform a rigorous audit to establish identity assurance. Browsers use visual cuesFor example, they may use green in the address bar, a padlock, the site's owner, and "https://" at the beginning of the domain name. to identify sites that leverage an EV certificate. These visual cues provide additional reassurance to your clients that they are accessing a secured site.
Setting up HTTPS delivery involves the following steps:
Activate TLS and purchase the desired TLS certificate(s). Contact your CDN account manager for more information.
Set up the desired TLS certificate(s).
New TLS Certificate
Existing TLS Certificate
Submit a previously purchased TLS certificate by providing the intermediate certificate, public key, and the private key via the SSL Certificate Submission page.
Enable TLS 1.3 (recommended)TLS 1.3 improves security and performance of internet communications. Specifically, it eliminates known TLS 1.2 security vulnerabilities and prevents snooping and man-in-the-middle attacks. and/or 1.2 encryption on your web server(s).
A recommended best practice is to disable support for SSL/TLS versions 1.1 or older.
Customer Origin Only
Configure your customer origin configuration for either end-to-end or client to edge encryption.
Setting up a TLS certificate requires performing the following steps:
Prove your control over each Subject Alternative Name (SAN) defined in the certificate via a Domain Control Validation (DCV) method (i.e., email, DNS TXT, or DNS CNAME).
OV and EV Certificate
Validate your organization by following the directions provided by the Certificate Authority (CA) via phone or email.
Once a TLS certificate has been installed on our network, you will need to update your edge CNAME configuration and DNS zone before HTTPS traffic may flow through our network. If you plan on serving HTTPS traffic via your web server(s), then you will also need to update your customer origin configuration.
To set up a TLS certificate
From the Domain Control Validation (DCV) Method option, select whether you will prove your control over each domain associated with this certificate request through instructions provided within an email, DNS TXT record(s), or DNS CNAME record(s).
Domain control validation through DNS CNAME record(s) is restricted to OV and EV certificates.
From the Subject Alternative Name (SAN) option, click Add Domain and then type the desired SAN. Repeat this step as needed.
DV and OV certificates support the use of a wildcard to secure all possible subdomains (e.g., *.example.com). However, this is not allowed for an EV certificate.
From the Validation Level option, select the level of validation that will be performed by the CA.
Domain Validation (DV)
Proceed to the next step.
Organization Validation (OV)
Provide your organization information in the form that appears in this section. The CA will validate your organization using the provided information.
Fill out this form with care. Misspellings or incorrect information (e.g., unregistered abbreviations) will delay your request until those issues are corrected.
Extended Validation (EV)
Add one or more contact(s) for the individuals within your organization that are responsible for approving this EV certificate.
Add a contact by clicking + Add Contact from the Additional Contacts section and then filling out all of the fields.
Fill out organization and contact information with care. Misspellings or incorrect information (e.g., unregistered abbreviations) will delay your request until those issues are corrected.
If you plan on pinning this certificate to an application, then you should disable the Auto renew option. Otherwise, you should verify that the Auto renew option is enabled.
Learn more about:
Check the following domains for CAA records:
All of the domains added in step 6 (e.g., images.cdn.example.com).
If none of the above domains have a CAA record, proceed to the next step. Otherwise, you must issue a DigiCert (CA) CAA record either on the domain(s) defined within the certificate request or the parent domain that has a CAA record.
Example:
Validate control over your domain according to the DCV selected in the Domain Control Validation (DCV) Method option.
Follow the directions for both sets of emails sent by the CA to:
DNS Text
Copy a verification token.
Create a TXT record for each SAN defined in your certificate request.
Name:
Prepend _dnsauth. to avoid a conflict with an existing CNAME record.
If you have requested a wildcard certificate, exclude the last level in the domain. For example, if you have requested a wildcard certificate for *.cdn.example.com, then the fully qualified domain for that certificate request would be cdn.example.com..
Value:
Example:
DNS CNAME
Each SAN defined in your certificate request is assigned a unique verification token. This means that each CNAME record created within this procedure will use a different verification token.
Copy a verification token by finding the desired SAN from under the Subject Alternate Name (SAN) section and then clicking Copy.
Create a CNAME record for each SAN defined in your certificate request with the following properties:
The CA performs automatic checks for DNS text and DNS CNAME DCVs for up to a week after submitting your certificate request. You may also manually request validation from the CA by clicking Validate.
Extended Validation (EV) and Organization Validation (OV)
In addition to other validations performed by the CA, you will be required to follow the directions provided by DigiCert (CA) via an email to the contact email.
Wait 6 hours and then verify that the certificate is live.
Point your browser to:
View the certificate by clicking on the certificate icon that appears in the browser's address bar. Verify that the common name matches the one that you requested.
If the browser returns an error, then the certificate has not been fully deployed. Please wait a few more minutes and then retry.
Adding one or more SANs to an existing TLS certificateRefers to a TLS certificate that was deployed via CPS. requires domain control validation.
The recommended procedure for certificate pinning is to:
Prior to the expiration of the above certificate, submit another certificate request. Make sure that the Auto renew option is disabled.
The lead time for this step varies according to the length of time required to update all applications to which the first certificate has been pinned.
CPS automatically renews your certificate approximately 60 days prior to expiration when the Auto renew option has been enabled on your certificate request.
Key information:
An email notification may be sent for each of the following events:
Key information:
To set up a default notification configuration
Perform the following steps for each type of certificate notification:
If enabled, determine who will receive this notification by adding or removing email addresses.
To set up a certificate-specific notification configuration
From the Certificate Notification Settings section, perform the following steps for each type of certificate notification:
You may enable a notification by clicking on its toggle. It is enabled when it looks like this:
You cannot disable a notification that has been enabled within your default configuration.
If enabled, determine who will receive this notification by adding or removing email addresses.
A certificate request's notification configuration supersedes your default configuration. For example, if you customize who will receive pending validation notifications for a specific certificate, then CPS will only send pending validation notifications for that certificate to the updated list of recipients.
This section only applies if you would like to serve HTTPS traffic from your own web servers. This section is inapplicable when setting up HTTPS delivery for CDN storage
A customer origin configuration determines the scheme for communication between:
A prerequisite for delivery over HTTPS requires your customer origin to use the HTTPS scheme when serving content to your clients. This is known as client to edge encryption.
You may configure your customer origin to also use the HTTPS scheme when communicating with your web server(s). This is known as end-to-end encryption.
Setting up HTTPS support on your customer origin configuration varies according to whether you are using customer origin groups. Customer origin groups is a new capability. Setup instructions for both customer origin groups and legacy customer origin configurations are provided below.
From the main menu, navigate to
If your account supports customer origin groups, it should look similar to the following illustration:
If it still uses the legacy method for customer origin configuration and therefore doesn't support customer origin groups, it will look like the following illustration:
Customer origin groups allow you to leverage our built-in support for connecting to new or preexisting Azure block blob containers. Contact your CDN account manager to upgrade your account to support customer origin groups.
Navigate to the Origins page.
Click on the desired customer origin group to expand it.
Content delivery over HTTPS requires an edge CNAME configuration that points to this customer origin group.
Update origin entries to use the HTTPS scheme by performing the following steps:
The above configuration configures your origin entries to use end-to-end encryption. Alternatively, you may configure an origin entry to only encrypt traffic between the client and our network or to only encrypt traffic when the client submits a HTTPS request.
Learn more.
Review your customer origin group's TLS configuration by performing the following steps:
Review and adjust how our edge servers perform TLS verification with your origin servers.
Open the desired customer origin configuration.
Content delivery over HTTPS requires an edge CNAME configuration that points to this customer origin.
Configure this option using one of the following methods:
End-to-End Encryption: Specify one or more HTTPS hostnames/IP addresses under the HTTPS Edge Protocol option.
Sample Configuration:
https://video.mydomain.com
https://101.10.20.30
Client to Edge Encryption: Specify HTTP hostnames/IP addresses under the HTTPS Edge Protocol option.
Sample Configuration:
http://video.mydomain.com
http://101.10.20.30
Create or update an edge CNAME configuration for each Subject Alternative Name (SAN) defined in the certificate (e.g., common name).
To set up an edge CNAME for use with a TLS certificate
Navigate to the Edge CNAMEs page
In the New Edge Cname option, type the desired SAN.
This hostname should be specified in lower-case letters and should not include a protocol (i.e., http://).
In the Origin Directory option, select one of the following:
If you point it to a customer origin, then please verify that it has been updated to leverage HTTPS.
Traffic may only be delivered via this edge CNAME configuration once your DNS has been updated. Delivery over HTTPS requires a CNAME record that points a SAN to the certificate's target CNAMEIdentifies a system-defined CNAME record through which HTTPS requests will be routed. You must update your DNS configuration to point a CNAME record to this target CNAME..
The following information is only applicable if you would like to leverage a TLS certificate purchased directly from a CA to serve HTTPS traffic over the CDN. The recommended approach for HTTPS content delivery is to request a TLS certificate
A prerequisite for submitting a TLS certificate is to contact your CDN account manager. Your CDN account manager will enable the SSL Certificate Submission page (Tools menu | SSL Certificate Submission). Use this page to submit a TLS certificate by providing the following items:
Item | Description |
---|---|
Intermediate Certificate |
An intermediate certificate is provided by a CA. More Information: An intermediate certificate proves ownership over a public key and establishes a chain of trust through which the requester's device can verify that the TLS certificate can be traced back to a trusted source (i.e., Root CA). In other words, it proves that your chosen CA is trusted by one of the root CAs. The use of an intermediate certificate is one of the security measures taken by CAs to ensure the integrity of the keys used by root certificates. |
Public Key |
A certificate containing a public key is provided by a CA. A public key allows a requester to verify the TLS certificate's digital signature. |
Private Key |
A private key should be stored on the server where the CSR was generated. This private key allows the server to encrypt/decrypt communication with the client. |
Please provide certificate and keys in PEM format.
Key information:
Useful OpenSSL commands, including how to convert a certificate into PEM, can be found on the following web page:
https://www.sslshopper.com/article-most-common-openssl-commands.html
To submit a TLS certificate
Gather the following items:
Perform the following:
Verify that the PEM-encoded public key certificate matches the private key.
Verify that the CA signed the public key certificate.
Navigate to the SSL Certificate Submission page. If this page is unavailable, please contact your CDN account manager.
Copy and paste the intermediate certificate into the Intermediate Certificate option.
-----BEGIN CERTIFICATE-----
MIIDCTCCAfGgAwIBAgIJAPKeHhFoo9UvMA0GCSqGSIb3DQEBBQUAMBsxGTAXBgNV
BAMMEHd3dy5teWRvbWFpbi5jb20wHhcNMTQxMTE3MjAyMjMxWhcNMjQxMTE0MjAy
MjMxWjAbMRkwFwYDVQQDDBB3d3cubXlkb21haW4uY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAzTaxMLbRdvdTiRmaVt8RMDweKfYBWhe3i3VsloVd
4jGEFBtH1bAlbfN/S4hRH5F28h1Ga1Unh/LeeFnKS9ZH0CHazrA6Ug+CyqENdQ3M
OjvHn6VHLxMC5nVhoPkBlTVPGGtceZh0AsAT+H8mW4xgzGON9hq9yUpLIuHwVkMx
lcmIc0pn9QIbPyQz5fOvVBGEZJ+NbUjYDp6ByHJFUme9ONm41aq47tG4rXLWf7wl
0C5uhUIKhcw+XT88GCxwVjANoDVnc1fMVFsFt9ogfQ7uX3TK/R9Rn/Jh7zmoxXOj
Mb0Tfzc/CeWnBh3C4MXAXeHXVFcMkHR6EGwq+5esGqt0rQIDAQABo1AwTjAdBgNV
HQ4EFgQUkIfpiCBm61RL5ahAR1jBOkGSfmowHwYDVR0jBBgwFoAUkIfpiCBm61RL
5ahAR1jBOkGSfmowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAhFJ5
B4HM8ReYqestuv/D21ZgUq8BpWpqqI8bdptnz+GFEEPtu2tDoAWDNDaPjMZF7x6G
2oz75+sdiio9lMtDOFulZxXHa4kcWZkmhB86VLaFHcBWVojQKi3rcT+8hsPX0pG4
sHa1oGo7E83yyaNmbBKya9U13jCZHdbppA2iOUJZ+5Kz9K6mHmKTX1dOo2u+hfHR
2hI1MLELMpD3IEGwlp0HmorgwwCXW1tW7Y8dgtM9XR2G7CkF4Q8551rwDOhv1ghE
DTgFbRAwtKc+SZ23NSreej+SuPTJPc+Go66X+bT/22h5sfQaE9PyL3FtqGaIskfT
+Amj8JQ5Rpi3vrdiLw==
-----END CERTIFICATE-----
Copy and paste the public key certificate into the Public Key option.
-----BEGIN CERTIFICATE-----
MIIDCTCCAfGgAwIBAgIJAPKeHhFoo9UvMA0GCSqGSIb3DQEBBQUAMBsxGTAXBgNV
BAMMEHd3dy5teWRvbWFpbi5jb20wHhcNMTQxMTE3MjAyMjMxWhcNMjQxMTE0MjAy
MjMxWjAbMRkwFwYDVQQDDBB3d3cubXlkb21haW4uY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAzTaxMLbRdvdTiRmaVt8RMDweKfYBWhe3i3VsloVd
4jGEFBtH1bAlbfN/S4hRH5F28h1Ga1Unh/LeeFnKS9ZH0CHazrA6Ug+CyqENdQ3M
OjvHn6VHLxMC5nVhoPkBlTVPGGtceZh0AsAT+H8mW4xgzGON9hq9yUpLIuHwVkMx
lcmIc0pn9QIbPyQz5fOvVBGEZJ+NbUjYDp6ByHJFUme9ONm41aq47tG4rXLWf7wl
0C5uhUIKhcw+XT88GCxwVjANoDVnc1fMVFsFt9ogfQ7uX3TK/R9Rn/Jh7zmoxXOj
Mb0Tfzc/CeWnBh3C4MXAXeHXVFcMkHR6EGwq+5esGqt0rQIDAQABo1AwTjAdBgNV
HQ4EFgQUkIfpiCBm61RL5ahAR1jBOkGSfmowHwYDVR0jBBgwFoAUkIfpiCBm61RL
5ahAR1jBOkGSfmowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAhFJ5
B4HM8ReYqestuv/D21ZgUq8BpWpqqI8bdptnz+GFEEPtu2tDoAWDNDaPjMZF7x6G
2oz75+sdiio9lMtDOFulZxXHa4kcWZkmhB86VLaFHcBWVojQKi3rcT+8hsPX0pG4
sHa1oGo7E83yyaNmbBKya9U13jCZHdbppA2iOUJZ+5Kz9K6mHmKTX1dOo2u+hfHR
2hI1MLELMpD3IEGwlp0HmorgwwCXW1tW7Y8dgtM9XR2G7CkF4Q8551rwDOhv1ghE
DTgFbRAwtKc+SZ23NSreej+SuPTJPc+Go66X+bT/22h5sfQaE9PyL3FtqGaIskfT
+Amj8JQ5Rpi3vrdiLw==
-----END CERTIFICATE-----
To verify that the public key certificate and the private key match
Run the following two OpenSSL commands.
openssl x509 -noout -modulus -in CertificateName.crtReplace this term with the public key certificate's file name. | openssl md5
openssl rsa -noout -modulus -in private.keyReplace this term with the private key's file name. | openssl md5
To verify that the CA signed the public key certificate
Run the following command:
Consider the public key certificate verified when the above command returns OK. All other results indicate that the public key certificate has not been properly signed.
To verify the public key certificate's attributes
Run the following command to verify the certificate's common name and issue\expire