Origin SSL Verification Process

Document created by Shakir Ali (Employee) on Apr 1, 2015. Last modified by Shakir Ali (Employee) on Nov 10, 2016.
Version 6

How it works

When an edge server sends a request to your origin, it first establishes a secure connection through an SSL handshake; your origin will provide our edge server with a certificate which our server will then use to validate your origin. If everything is successfully validated, the request goes forward. If the certificate is not valid, the action you set in the property for invalid certificates will occur.

Platform Settings

The Secure Network platform has default settings for Origin SSL Certificate Verification that can be overridden by a Property. By default, the platform trusts certificates that are signed by one of the certificate authorities in the Akamai Certificate Store and that also have a CN/SAN matching the Forward Host Header.

WARNING: If your certificate is signed by a certificate authority in the Akamai Certificate Store and is nearing its expiration date, you will want to rotate your certificate as soon as possible to avoid a service outage.

Custom Settings (Recommended)

Custom settings give you greater control of exactly which certificates or certificate authorities our edge servers should trust. While you can choose to continue using the Platform Settings, it is strongly recommended you define your own list of trusted certificates. This will reduce vulnerability to man-in-the-middle attacks due to a certificate authority being compromised. For instance, if a common certificate authority is compromised, but you provided a certificate directly, your certificate remains secure.

Note: The settings you choose in Origin SSL Certificate Verification will override the default settings for your property.

To see the current list of certificate authorities in the Akamai Certificate Store, edit a configuration in Property Manager, open the Origin Server behavior, find the reference to the Akamai Certificate Store, and click "View CA Set".

Pinned Certificates and the Auxiliary Certificate(s) List (Aux-List)

A pinned certificate is a leaf certificate that our edge server trusts. The auxiliary certificate(s) list, or aux-list, is a temporary, Akamai-maintained list of the certificate(s) your origin was already using before we implemented these changes. This aux-list is per-property; each property has its own trust list, and because it is temporary, it is intended that you add these certificates, or any others you wish, to your property. The aux-list is not directly editable; Akamai will periodically remove certificates from the list as you add new ones manually to your property. Alternatively, you can choose to import all certificates from your aux-list into your origin behavior's certificate verification settings.

You can view the aux-list through a prompt on your property's Home page, or any version page, and can choose to import the aux-list certificates if they are accurate. If you do not see this prompt, then your property does not have an auxiliary trusted certificate(s) list. This will occur, for example, if you are creating a new secure property after the initial upgrade of this behavior.

If you would like to remove something from the aux-list, please contact your account team.

Note: The certificates in the aux-list will be trusted in addition to anything you designate your property to trust. The certificates we periodically remove from the aux-list will only be removed when they are no longer necessary to the property, and they will continue to be trusted after they expire.
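The trust decision described above (the default CA-set path with CN/SAN matching the Forward Host Header, plus identity-based trust for pinned and aux-list certificates) is easy to get wrong in the details, especially wildcard matching and expiry. The following is an added example, not Akamai's code and not the edge server's verifier: it models the decision with a simplified certificate record and constructed values. The class and field names (`OriginCert`, `VerificationPolicy`, `trusted_cas`, `pinned`, `aux_list`) are this example's own, not Property Manager option names, and treating a pinned leaf exactly like an aux-list entry (trusted by fingerprint even after expiry) is an assumption made here, not something the page states for pinned certificates.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class OriginCert:
    """Constructed, simplified view of an origin leaf certificate: only the
    fields the trust decision below needs (a real verifier parses X.509 and
    validates the whole chain and its signatures)."""
    subject_cn: str
    san_dns: list        # dNSName entries from subjectAltName, if any
    issuer: str          # name of the CA that signed the leaf
    sha256: str          # hex fingerprint used for pinning (constructed values below)
    not_after: datetime


@dataclass
class VerificationPolicy:
    """Hypothetical property-level policy; the field names are this example's,
    not Property Manager option names."""
    forward_host_header: str
    trusted_cas: set = field(default_factory=set)   # CA set (platform store or custom list)
    pinned: set = field(default_factory=set)        # fingerprints of pinned leaf certificates
    aux_list: set = field(default_factory=set)      # fingerprints from the per-property aux-list


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style name comparison: case-insensitive; '*' is accepted only as
    the entire leftmost label, must leave at least two literal labels, and
    covers exactly one label (so *.example.com matches www.example.com but
    not a.b.example.com, example.com, and *.com is never accepted)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def presented_names(cert: OriginCert) -> list:
    """SAN dNSNames take precedence; the CN is consulted only when no SAN is present."""
    return cert.san_dns if cert.san_dns else [cert.subject_cn]


def verify_origin(cert: OriginCert, policy: VerificationPolicy, now: datetime) -> str:
    """Return 'trusted', or a short reason why the certificate is invalid."""
    # Identity-based trust: a pinned leaf or an aux-list entry is trusted as-is.
    # The page states aux-list certificates stay trusted after expiry; treating a
    # pinned leaf the same way is this example's assumption.
    if cert.sha256 in policy.pinned or cert.sha256 in policy.aux_list:
        return "trusted"
    # CA-based trust: the default path, which needs an unexpired leaf from a
    # trusted CA whose CN/SAN matches the Forward Host Header.
    if now > cert.not_after:
        return "expired"
    if cert.issuer not in policy.trusted_cas:
        return "issuer not in trusted CA set"
    if not any(hostname_matches(n, policy.forward_host_header) for n in presented_names(cert)):
        return "no CN/SAN matches the Forward Host Header"
    return "trusted"


def run_scenarios() -> dict:
    """Exercise the policy on constructed certificates; returns {label: result}."""
    now = datetime(2016, 11, 10, tzinfo=timezone.utc)  # constructed "current" time
    store = {"Example Root CA"}                           # constructed CA set
    wildcard = OriginCert("*.example.com", ["*.example.com"], "Example Root CA",
                          "aa" * 32, datetime(2018, 1, 1, tzinfo=timezone.utc))
    private = OriginCert("origin.example.com", ["origin.example.com"], "Private Corp CA",
                         "bb" * 32, datetime(2018, 1, 1, tzinfo=timezone.utc))
    expired = OriginCert("old.example.com", [], "Example Root CA",
                         "cc" * 32, datetime(2015, 6, 1, tzinfo=timezone.utc))
    return {
        "wildcard, host www.example.com":
            verify_origin(wildcard, VerificationPolicy("www.example.com", store), now),
        "wildcard, host a.b.example.com":
            verify_origin(wildcard, VerificationPolicy("a.b.example.com", store), now),
        "private CA, not pinned":
            verify_origin(private, VerificationPolicy("origin.example.com", store), now),
        "private CA, pinned":
            verify_origin(private, VerificationPolicy("origin.example.com", store,
                                                      pinned={"bb" * 32}), now),
        "expired, not in aux-list":
            verify_origin(expired, VerificationPolicy("old.example.com", store), now),
        "expired, in aux-list":
            verify_origin(expired, VerificationPolicy("old.example.com", store,
                                                      aux_list={"cc" * 32}), now),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label}: {result}")
```

The scenarios show why the page's advice matters: a certificate from a private CA is rejected under the default CA set but accepted once its fingerprint is pinned, and an expired certificate is rejected unless it is still carried on the aux-list. The wildcard case also shows that `*.example.com` does not cover a Forward Host Header with an extra label, a common cause of "valid certificate, failed verification" reports.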

Checking Origin Server Certificate Validity and Other Important Information

Find how to check if your origin certificates are valid, configured correctly, pinned, and other valuable information here: https://control.akamai.com/dl/rd/propmgr/Content/check_valid_cert.htm

Keeping Certificate Authorities Current

It is imperative to keep your Luna Configuration in step with your origin certificates (both the certificate itself and the hostnames it must match). Letting a certificate expire, if it is not already pinned, can result in a site outage.

To update a certificate authority in Property Manager, follow the instructions here.

To update a certificate in Configuration Manager, see Origin SSL Certificate Validation.
