CJ Arnesen

Akamai's shared certificate explained

Blog post created by CJ Arnesen (Akamai employee) on Nov 20, 2017

There probably isn't a week that goes by that a customer doesn't ask me to explain what the Akamai shared cert is and how to enable it.



There are two ways to serve SSL/TLS traffic with Akamai.  


Shared Certificate

The first way is on our standard HTTP network with a shared wildcard certificate. The shared SSL hostname takes advantage of the global certificate on the Akamai network and looks something like "customer-cdn.akamaized.net". The <customer-cdn> part can be anything as long as it is between 4 and 60 characters long, made up only of alphanumeric characters or hyphens, and contains no periods or underscores.


The Shared Certificate Hostname is the hostname used in the URL presented to end users. When it is configured in Property Manager, the Akamai edge hostname is created automatically. No CNAME on the customer's side is required, because the DNS record is managed by Akamai and is created automatically when you add the entry in Property Manager.


This is usually acceptable for URLs that are hidden from end users' eyes, i.e. links embedded in pages or apps.


This is a very easy, no-fuss solution when using your own domain isn't a requirement.

Vanity SSL

If you need SSL delivery on a vanity hostname (something you own, e.g. "api.customer.com") that you would then CNAME to Akamai, we can deliver that too, but it needs to run over our dedicated PCI-compliant SSL network. There are some additional steps: this requires a line item in your contract and an SSL certificate, which we provision on your behalf. Typically customers use this if they're serving their entire site through Akamai and need SSL delivery.


Please contact your account team if you need vanity domain SSL support; they can guide you through the options.


Bottom line is:
If you need a vanity hostname, you need to be on our dedicated SSL network, which requires additional contract and certificate work. If you don't require a vanity hostname, the Akamai shared cert will work.


The shared cert hostname can NOT be the target of a CNAME record from your own hostname, e.g. www.customer.com CNAME customer-cdn.akamaized.net.

It MUST be used directly, i.e. hardcoded into your links.
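Both the naming rule for the <customer-cdn> label and the CNAME restriction above can be checked in code. The Python below is an added example, not Akamai's or this post's code; it assumes the shared certificate is a wildcard for *.akamaized.net (one of the names in the certificate chain article linked at the end) and models the standard hostname check a TLS client performs against the hostname in the URL, never against a CNAME target.

```python
import re

# Constructed from the rules in the post: the <customer-cdn> label must be
# 4-60 characters, alphanumeric or hyphens only, no periods or underscores.
LABEL_RE = re.compile(r"[A-Za-z0-9-]{4,60}")
# Assumption: the shared certificate covers the wildcard name *.akamaized.net.
SHARED_CERT_NAMES = ("*.akamaized.net",)


def valid_shared_label(label: str) -> bool:
    """True if `label` may be used as <customer-cdn> in <label>.akamaized.net."""
    return LABEL_RE.fullmatch(label) is not None


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Hostname check as TLS clients do it: '*' covers exactly one leftmost label."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                     # e.g. ".akamaized.net"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]        # the part '*' has to cover
    return bool(leftmost) and "." not in leftmost


def client_trusts(url_hostname: str) -> bool:
    """The client validates the certificate against the hostname in the URL it
    requested, not against a CNAME target found during DNS resolution."""
    return any(wildcard_matches(n, url_hostname) for n in SHARED_CERT_NAMES)


def check_deployment(url_hostname: str, cname_target: str = "") -> str:
    """Classify a planned hostname: direct shared-cert use, a CNAME that will
    fail certificate validation, or a vanity hostname that needs its own cert."""
    if client_trusts(url_hostname):
        label = url_hostname.split(".")[0]
        if not valid_shared_label(label):
            return "invalid-label"
        return "ok-shared-cert"
    if cname_target and client_trusts(cname_target):
        return "cert-mismatch-cname"      # www.customer.com -> *.akamaized.net fails
    return "needs-vanity-cert"


if __name__ == "__main__":
    for url, cname in [("customer-cdn.akamaized.net", ""),
                       ("www.customer.com", "customer-cdn.akamaized.net"),
                       ("api.customer.com", "")]:
        print(f"{url:28} -> {check_deployment(url, cname)}")
```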


How to implement:

1. Open your property.

2. Check the box next to "Security Options" near the top of the config.

3. Create a shared cert hostname by clicking the "arrow" next to "Add" and selecting "Add Shared Certificate Hostname".

4. Follow the strict guidelines for naming conventions (see above).

5. Update your Origin Behavior settings to support SSL and Verification.

NOTE: When using the shared cert, you'll most likely need to change "Forward Host Header" to "Origin Hostname"; this is especially true when using S3 as your origin.


For more details on Verification settings, please see the links below and use the web-based help guide available in Luna.

Luna Control Center - Origin SSL Verification Settings

Luna Control Center - Origin SSL options explained


For a bit more information on the various shared certs Akamai has, please check out Michael Kuchyt's blog entry on the subject here: SSL/TLS certificate chains for Akamai shared certificate (a248.e.akamai.net, *.akamaihd.net, *.akamaihd-staging.net, *.akamaized.net, *.akamaized-staging.net)



Special thanks to Tedd Smith and Michael Kuchyt for reviewing this doc and providing feedback.