TLS/SSL Certificates


In this section, you'll be able to review the existing certificates, edit them or add a new one.

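You can manage your certificates in three ways: Custom, Autogenerated HTTP and Autogenerated DNS (which also has a by-CNAME variant, Autogenerated DNS by CNAME).

A custom certificate is one that you already possess and want to import into the CDN, and that you are responsible for keeping up to date.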

Autogenerated certificates are managed by our CDN and are renewed automatically.

After a certificate is generated (or uploaded if it's a custom one), deployment can take up to 5 minutes.

Custom certificates

If you already have a digital certificate for your domain, you can easily import it to the CDN. All you need is the certificate in PEM format.

To import a certificate, you must have two files: one with the full chain of the certificate and another with the private key, both encoded in Base64 (normally with the extension .pem or .crt). Many certificate providers offer several format options when the certificate is downloaded.

You'll know the format is correct if you can see the markers “BEGIN CERTIFICATE” and “END CERTIFICATE” when the file is opened in a text editor.

If you must concatenate the full chain of the certificate yourself, the correct way of doing so is as follows:

-----BEGIN CERTIFICATE-----
(Primary certificate: your_domain.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate CA: your_CA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
(Private key: your_domain_private.pem)
-----END PRIVATE KEY-----

If everything is OK, log in to our dashboard:

Provisioning > Certificates > New > Custom cert

A window will be displayed where you'll be able to paste the contents of the public and private key of your certificate.

Now click on "Create". If the certificate is correct, it'll be added to your account and you'll be able to see it in the table along with the rest of the certificates. Alongside this, a process will be triggered to deploy that certificate in the CDN. This process takes no longer than 5 minutes, after which the domains matching that certificate will automatically use it.

The renewal process is easy, and the date on which the certificate will expire can be viewed in the dashboard so that renewal can be planned in advance (you will also receive an e-mail notification). Renewal basically consists of editing the current certificate (by clicking on the pencil icon).

Only custom certificates can be edited directly; all the other types (autogenerated HTTP and autogenerated DNS) can only be viewed or removed from your account, as they're managed and renewed internally.

Autogenerated HTTP Certificates

This type is managed by the CDN, and both the initial issuance and further renewals are automatic provided one basic requirement is met: the domain must point to the CDN at DNS level.

To obtain a new certificate, a "Certificate Request" must be created:

Provisioning > Certificates > New > Certificate request (HTTP challenge)

Select the domains that will form part of the certificate. Optionally, you can check the "Standalone" option, which will make sure that this certificate will not merge with other HTTP certificates on your account. We recommend leaving this unchecked if not strictly necessary.

When you click on "Create", a new "Certificate Request" will be issued and displayed in the request log, where you can consult the status of your request.

Provisioning > Certificates > Options > HTTP Requests History

You can consult the request log at any time:

Provisioning > Certificates > Options > HTTP request log

Autogenerated DNS Certificates

This type is also managed by the CDN, and the main difference is that the certificates are generated through a DNS challenge.

Requirements:

  • A compatible DNS provider (you can check the list of providers supported in the credentials management section that will be explained below)

  • Possession of the keys required to update DNS records

1.1 Credentials - (example with AWS Route53)

First of all, create the credentials needed to update DNS records in your provider (AWS Route53 in this example), or at least the necessary record, which in our example would be _acme-challenge.example.com.

Provisioning > Certificates > Options > DNS Credentials Manager

A table will be displayed with the current credentials. Click on the "New Credential" button.

Enter an alias to identify this credential and select the DNS provider, in this example "AWS (Route53)".

The necessary fields for the credential will be displayed automatically. They differ among providers, so check your provider's documentation or contact us in case of doubt.

When you're done, click on "Create".

You can edit or delete credentials in this same section. Remember that the renewals of the certificates generated with the DNS challenge will use the credentials assigned with the values they have at that time.

1.2 New certificate request with DNS challenge - (example with AWS Route53)

Now that we have the required credentials, we will create the certificate request:

Provisioning > Certificates > New > Certificate request (DNS challenge)

A wizard will be displayed in which you must enter the domains to be included in the new certificate. In this example, the following must be entered on individual lines:

example.com
*.example.com

In the next section, select the credential to be associated with this “DNS certificate request”, remembering that these requests are permanent and are reused when the certificate is renewed. Therefore, if the credentials change, these must be updated accordingly.

Once the certificate request is created, a table will be displayed containing the active DNS requests and where the request status can be consulted.

If the certificate is generated, it will be displayed automatically in the table in the certificates section.

If the DNS provider is Transparent Edge

If you've delegated the DNS management of your domain to our CDN, you won't need to provide any credentials upfront, although you will have to create a credential object with our provider to attach it to the Certificate Requests. Follow the usual steps to create a new credential and select Transparent Edge DNS.

Autogenerated DNS Certificates by CNAME

This method is easier and more secure than standard DNS validation with API credentials to a DNS provider, but links the ACME validation to our CDN. If you plan to use ACME validation externally, use one of the other methods or export the generated certificates from our CDN using our dashboard or our API.

No secrets are required, but you will need to create a "CNAME Verification" type credential:

The CNAME target that you will need to point your domains to will be displayed. It is the same for all of your domains but different per company, for example:

5fb5c7b9ef2b82.tls-validation.edge2befaster.net

Now, if you want to create a certificate for:

example.com
*.example.com
test.example.com

You'll need to create two CNAME records (because the wildcard *.example.com and example.com validate in the same DNS record):

_acme-challenge.example.com       CNAME   5fb5c7b9ef2b82.tls-validation.edge2befaster.net
_acme-challenge.test.example.com  CNAME   5fb5c7b9ef2b82.tls-validation.edge2befaster.net

Once you have the CNAMEs in place and they've replicated, create a certificate request:

Provisioning > Certificates > New > Certificate request (DNS challenge)

When asked to provide a credential, select the alias that you gave to the "CNAME Verification".
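The record derivation described above can be checked before you create the request. The following is an added example, not part of the original page or of Transparent Edge's tooling: the function names and the SAMPLE_ZONE data are constructed for illustration, and the target is the example value shown above.

```python
# Added example; function names and SAMPLE_ZONE are constructed for illustration.
TARGET = "5fb5c7b9ef2b82.tls-validation.edge2befaster.net"  # example value from this page

def challenge_name(domain):
    """Return the _acme-challenge name that validates `domain` (wildcard or not)."""
    name = domain.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # *.example.com validates at the same name as example.com
    return "_acme-challenge." + name

def required_cnames(domains):
    """Deduplicated, order-preserving list of challenge names for one certificate."""
    return list(dict.fromkeys(challenge_name(d) for d in domains))

def audit(domains, zone, target=TARGET):
    """Compare published records with what the certificate request needs.

    `zone` maps an owner name to a list of (type, value) tuples, for example
    taken from an export of your DNS provider's zone.
    """
    report = {}
    for name in required_cnames(domains):
        records = zone.get(name, [])
        cnames = [v.rstrip(".").lower() for t, v in records if t == "CNAME"]
        others = [t for t, _ in records if t != "CNAME"]
        if not records:
            report[name] = "missing"
        elif others:
            # A CNAME cannot coexist with other data at the same name,
            # e.g. a TXT record left over from an earlier DNS challenge setup.
            report[name] = "conflict"
        elif cnames != [target]:
            report[name] = "wrong-target"
        else:
            report[name] = "ok"
    return report

DOMAINS = ["example.com", "*.example.com", "test.example.com"]
SAMPLE_ZONE = {  # constructed sample of currently published records
    "_acme-challenge.example.com": [("CNAME", TARGET + ".")],
    "_acme-challenge.test.example.com": [("TXT", "stale-token")],
}

if __name__ == "__main__":
    for name, status in audit(DOMAINS, SAMPLE_ZONE).items():
        print(f"{name:40} {status}")
```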

Error obtaining a certificate

If certificate generation fails, an error message will appear either in the HTTP Requests History or in the Active DNS Requests, depending on the certificate challenge type. If the error message does not provide enough information, please reach out to our support team for assistance in diagnosing the issue.

For autogenerated DNS certificates, using a DNS challenge means that the domains do not necessarily have to point to the CDN, and it has one big advantage: wildcard certificates can be requested.

If you have delegated the DNS to Transparent Edge, you don’t have to have any key and the requirements for autogenerated DNS certificates are automatically met. All you have to do is create a credential with the "Transparent Edge DNS" provider.

The Autogenerated DNS by CNAME method works like the Autogenerated DNS Certificate, but it relies on a CNAME or alias to validate against ACME.

For domains or subdomains with CAA records, ensure that “letsencrypt.org” is allowed, as it is the default Certificate Authority. You can find more details on configuring CAA records here.
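The CAA requirement can be checked before you request a certificate. The following is an added example, not part of the original page or of Transparent Edge's code. It assumes the CAA records have already been collected (SAMPLE_CAA is constructed, and the function names are hypothetical) and applies the RFC 8659 lookup rules plus the optional RFC 8657 validationmethods parameter.

```python
# Added example; function names and SAMPLE_CAA are constructed for illustration.
CA = "letsencrypt.org"  # default Certificate Authority named on this page

def relevant_rrset(fqdn, caa):
    """Climb from fqdn toward the root; the first non-empty CAA RRset wins (RFC 8659)."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = caa.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def parse_property(value):
    """'letsencrypt.org; validationmethods=dns-01' -> ('letsencrypt.org', {...})."""
    issuer, *rest = [part.strip() for part in value.split(";")]
    params = dict(p.split("=", 1) for p in rest if "=" in p)
    return issuer.lower(), params

def ca_allowed(domain, caa, method, ca=CA):
    """True if `ca` may issue for `domain` using ACME challenge `method`."""
    wildcard = domain.startswith("*.")
    rrset = relevant_rrset(domain[2:] if wildcard else domain, caa)
    issue = [parse_property(v) for t, v in rrset if t.lower() == "issue"]
    issuewild = [parse_property(v) for t, v in rrset if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    effective = issuewild if (wildcard and issuewild) else issue
    if not effective:
        return True  # no CAA property restricts issuance
    for issuer, params in effective:
        methods = params.get("validationmethods")  # RFC 8657, optional
        if issuer == ca and (methods is None or method in methods.split(",")):
            return True
    return False

SAMPLE_CAA = {  # constructed records: owner name -> [(tag, value), ...]
    "example.com": [("issue", "letsencrypt.org"), ("issuewild", ";")],
    "shop.example.com": [("issue", "letsencrypt.org; validationmethods=http-01")],
    "example.org": [("issue", "otherca.example")],
}

if __name__ == "__main__":
    for domain, method in [("example.com", "dns-01"), ("*.example.com", "dns-01"),
                           ("shop.example.com", "dns-01"), ("www.example.org", "http-01")]:
        verdict = "allowed" if ca_allowed(domain, SAMPLE_CAA, method) else "BLOCKED"
        print(f"{domain:20} {method:8} {verdict}")
```

In the sample, `issuewild ";"` blocks the wildcard even though the apex allows Let's Encrypt, and the `validationmethods=http-01` restriction blocks a DNS challenge for shop.example.com.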