SSL/TLS certificate chains for Akamai-managed certificates

Document created by Rajiv Aaron Manglani on Oct 20, 2015. Last modified by Rajiv Aaron Manglani on May 1, 2017.
Version 10

Akamai currently obtains SSL/TLS certificates on behalf of our customers from three Certificate Authorities:

  • GeoTrust (a Symantec brand)
  • Let's Encrypt
  • Symantec

 

In the past, we have also obtained certificates from:

  • Comodo
  • Verizon Cybertrust

 

Below is a list of certificate chains customers can expect to see for Akamai-managed certificates. In each example, the end-entity certificate is listed first, and is signed by the next certificate in each list. That intermediate is then signed by another intermediate or a root certificate.

 

This list is provided for informational purposes only. Akamai does not recommend that customers pin, or hard-code, any part of the SSL/TLS certificates or their trust chains in applications or client software. If your application does need to pin certificates, please ensure that you enable Change Management in our Certificate Provisioning System. Our selection of root certificates does not change often; however, intermediate certificates in each trust chain are subject to change without notice.
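As an added example (not Akamai's code), the following Python check applies the ordering rule above to an observed chain and reports whether it still matches a documented chain, so that an intermediate swap under the same root can be told apart from a chain that no longer reaches the documented root. It assumes the observed chain is supplied as (subject, issuer) name pairs in this page's notation; the leaf name and the replacement CA name are hypothetical, and the comparison is by name only, with no signature verification.

```python
# Added example: name-level check only (no signature verification); not Akamai code.
DOCUMENTED = [  # GeoTrust OV chain as listed on this page: intermediate, then root
    "C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA - G3",
    "C=US/O=GeoTrust Inc./CN=GeoTrust Global CA",
]

def parse_dn(dn):
    """Parse the page's 'C=US/O=Example/CN=Name' notation into ordered pairs."""
    pairs = []
    for part in dn.strip().strip("/").split("/"):
        attr, sep, value = part.partition("=")
        if sep and attr.strip().isalpha():
            pairs.append((attr.strip().upper(), " ".join(value.split())))
        elif pairs:  # a '/' inside a value: rejoin it to the previous value
            pairs[-1] = (pairs[-1][0], pairs[-1][1] + "/" + " ".join(part.split()))
        else:
            raise ValueError(f"not a distinguished name: {dn!r}")
    return tuple(pairs)

def check_chain(observed, documented=DOCUMENTED):
    """observed: (subject, issuer) DN strings per certificate, end-entity first."""
    certs = [(parse_dn(s), parse_dn(i)) for s, i in observed]
    # Ordering rule from the page: each certificate is signed by the next one.
    for n in range(len(certs) - 1):
        if certs[n][1] != certs[n + 1][0]:
            return "broken-order"
    # CA names relied on, leaf upward; a self-signed root repeats its own name.
    seen = [c[1] for k, c in enumerate(certs) if k == 0 or c[1] != certs[k - 1][1]]
    expected = [parse_dn(d) for d in documented]
    if seen == expected[:len(seen)]:
        return "match" if len(seen) == len(expected) else "incomplete"
    # Same root, different path: the change the page says can come without notice.
    if expected[-1] in seen:
        return "intermediate-changed"
    return "root-not-reached"

# Constructed sample input: LEAF and NEW_CA are hypothetical names.
LEAF = "C=US/O=Example Corp/CN=www.example.com"
G3, ROOT = DOCUMENTED
NEW_CA = "C=US/O=GeoTrust Inc./CN=Hypothetical Replacement CA"
SAMPLES = {
    "as documented": [(LEAF, G3), (G3, ROOT)],
    "new intermediate": [(LEAF, NEW_CA), (NEW_CA, ROOT), (ROOT, ROOT)],
    "misordered": [(LEAF, G3), (NEW_CA, ROOT)],
}

if __name__ == "__main__":
    for label, chain in SAMPLES.items():
        print(f"{label}: {check_chain(chain)}")
```

A monitoring job built on this would treat "intermediate-changed" as a prompt to update the documented list, and "root-not-reached" or "broken-order" as results to investigate.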

 

 

Comodo Extended Validation (EV) Single and SAN certificates

SHA-2 RSA certificates issued after September 2014

End-entity certificate

C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA 2

C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority

C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

 

GeoTrust Organization Validated (OV) Single, SAN, and Wildcard certificates

SHA-2 RSA certificates issued on or after June 16, 2015

End-entity certificate

C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA - G3

C=US/O=GeoTrust Inc./CN=GeoTrust Global CA

 

Let's Encrypt Domain Validated (DV) SAN certificates

SHA-2 RSA certificates issued on or after March 25, 2016; certificates may be issued with either chain

End-entity certificate

C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

O=Digital Signature Trust Co./CN=DST Root CA X3

 

End-entity certificate

C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X4

O=Digital Signature Trust Co./CN=DST Root CA X3

 

Symantec Secure Site Pro Organization Validated (OV) Single, SAN, Wildcard, and Wildcard SAN certificates

SHA-2 RSA certificates issued after late-April 2016 with the “Default” trust chain selected

End-entity certificate

C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4

C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

 

SHA-2 RSA certificates issued after late-April 2016 with the “Cross-signed 1k root” chain selected

End-entity certificate

C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Secure Server CA - G4

C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

 

ECDSA certificates issued after October 2016

End-entity certificate

C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 ECC 256 bit SSL CA - G2

C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

 

Symantec Secure Site Pro Extended Validation (EV) Single and SAN certificates

SHA-2 certificates issued after late-May 2016

End-entity certificate

C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3

C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

 

ECDSA certificates issued after October 2016

End-entity certificate

C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 ECC 256 bit EV CA - G2

C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

 

Verizon Cybertrust Organization Validated (OV) Single, SAN, Wildcard, and Wildcard SAN certificates

SHA-2 certificates issued after June 2014

End-entity certificate

C=NL/L=Amsterdam/O=Verizon Enterprise Solutions/OU=Cybertrust/CN=Verizon Akamai SureServer CA G14-SHA2

C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
