TLS/SSL Certificates
In this section, you'll be able to review the existing certificates, edit them or add a new one.
You can manage your certificates in three ways:
A custom certificate is one that you already possess and want to import to the CDN, and that you are responsible for keeping updated.
Autogenerated certificates are managed by our CDN and are renewed automatically.
After a certificate is generated (or uploaded if it's a custom one), deployment can take up to 5 minutes.
Custom certificates
If you already have a digital certificate for your domain, you can easily import it to the CDN. All you need is the certificate in PEM format.
To import a certificate, you must have two files: one with the full chain of the certificate and another with the private key, both Base64-encoded (normally with the extension .pem or .crt). Many certificate providers give several format options when the certificate is downloaded.
You'll know the format is correct if you can see the “BEGIN CERTIFICATE” and “END CERTIFICATE” lines when the file is opened in a text editor.
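The format check described above can be scripted before pasting anything into the dashboard. The following is an added example, not part of the CDN's documentation or tooling; `pem_blocks`, `check_upload` and `sample_pem` are hypothetical names, and it inspects PEM framing only (it does not verify chain order or that the key matches the certificate).

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, der_bytes, encrypted) for each PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        payload = body.split("\n\n", 1)[-1]  # skip legacy OpenSSL header lines
        try:
            der = base64.b64decode("".join(payload.split()), validate=True)
        except ValueError:
            der = b""  # body is not valid Base64
        blocks.append((label, der, encrypted))
    return blocks

def check_upload(chain_pem, key_pem):
    """Return the problems found in the two texts; an empty list means OK."""
    problems = []
    chain = pem_blocks(chain_pem)
    if not chain:
        problems.append("chain: no PEM block found (binary DER file?)")
    for i, (label, der, _) in enumerate(chain):
        if label != "CERTIFICATE":
            problems.append(f"chain block {i}: unexpected '{label}' block")
        elif not der.startswith(b"\x30"):  # DER certificates start with SEQUENCE
            problems.append(f"chain block {i}: body is not Base64 DER")
    keys = [b for b in pem_blocks(key_pem) if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"key: expected 1 private key block, found {len(keys)}")
    elif keys[0][2]:
        # Assumption: the page mentions no passphrase field, so flag this.
        problems.append("key: passphrase-protected")
    elif not keys[0][1].startswith(b"\x30"):
        problems.append("key: body is not Base64 DER")
    return problems

# Constructed sample: PEM framing around a dummy DER SEQUENCE, not a real cert or key.
def sample_pem(label, der=b"\x30\x03\x02\x01\x00"):
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    chain = sample_pem("CERTIFICATE") * 2
    print(check_upload(chain + sample_pem("PRIVATE KEY"), "no key here"))
```

A private key block found in the chain text is the finding to act on first, since the chain is the public half of the upload.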
If you must concatenate the full chain of the certificate yourself, the correct way of doing so is as follows:
If everything is OK, log in to our dashboard:
Provisioning > Certificates > New > Custom cert
A window will be displayed where you'll be able to paste the contents of the public and private key of your certificate.
Now click on "Create". If the certificate is correct, it'll be added to your account and you'll be able to see it in the table along with the rest of the certificates. Alongside this, a process will be triggered to deploy that certificate in the CDN. This process takes no longer than 5 minutes, after which the domains matching that certificate will automatically use it.
The renewal process is easy, and the date on which the certificate will expire can be viewed in the dashboard so that it can be planned in advance (you will also receive an e-mail notification). It basically consists of editing the current certificate (by clicking on the pencil icon).
Only custom certificates can be edited directly; all the other types (autogenerated HTTP and autogenerated DNS) can only be viewed or removed from your account, as they're managed and renewed internally.
Autogenerated HTTP Certificates
This type is managed by the CDN, and both its initial issuance and subsequent renewals are automatic provided one basic requirement is met: the domain must point to the CDN at DNS level.
To obtain a new certificate, a "Certificate Request" must be created:
Provisioning > Certificates > New > Certificate request (HTTP challenge)
Select the domains that will form part of the certificate. Optionally, you can check the "Standalone" option, which will make sure that this certificate will not merge with other HTTP certificates on your account. We recommend leaving this unchecked if not strictly necessary.
When you click on "Create", a new "Certificate Request" will be issued and displayed in the request log, where you can consult the status of your request.
Provisioning > Certificates > Options > HTTP Requests History
You can consult the request log at any time:
Provisioning > Certificates > Options > HTTP request log
Autogenerated DNS Certificates
This type is also managed by the CDN, and the main difference is that the certificates are generated through a DNS challenge.
This means that the domains do not necessarily have to point to the CDN and it has one big advantage: wildcard certificates can be requested.
Requirements:
A compatible DNS provider (you can check the list of providers supported in the credentials management section that will be explained below)
Possess the required keys to update DNS records
If you have delegated the DNS to Transparent Edge, you don’t need any keys and the above requirements are automatically met. All you have to do is create a credential with the "Transparent Edge DNS" provider.
1.1 Credentials - (example with AWS Route53)
First of all, create the necessary credentials to update DNS records in your provider (AWS Route53 in this example), or at least the necessary record, which in our example would be _acme-challenge.example.com.
Provisioning > Certificates > Options > DNS Credentials Manager
A table will be displayed with the current credentials. Click on the "New Credential" button.
Enter an alias to identify this credential and select the DNS provider, in this example "AWS (Route53)".
The necessary fields for the credential will be displayed automatically, which differ among providers – check your provider's documentation or contact us in case of doubt.
When you're done, click on "Create".
You can edit or delete credentials in this same section. Remember that the renewals of the certificates generated with the DNS challenge will use the credentials assigned with the values they have at that time.
1.2 New certificate request with DNS challenge - (example with AWS Route53)
Now that we have the required credentials, we will create the certificate request:
Provisioning > Certificates > New > Certificate request (DNS challenge)
A wizard will be displayed in which you must enter the domains to be included in the new certificate. In this example, the following must be entered on individual lines:
In the next section, select the credential to be associated with this “DNS certificate request”, remembering that these requests are permanent and are reused when the certificate is renewed. Therefore, if the credentials change, these must be updated accordingly.
Once the certificate request is created, a table will be displayed containing the active DNS requests and where the request status can be consulted.
If the certificate is generated, it will be displayed automatically in the table in the certificates section.
If the DNS provider is Transparent Edge
If you've delegated the DNS management of your domain to our CDN, you won't need to provide any credentials upfront, although you will have to create a credential object with our provider to attach it to the Certificate Requests. Follow the usual steps to create a new credential and select Transparent Edge DNS.
Autogenerated DNS Certificates by CNAME
This method works like the Autogenerated DNS Certificate, but it leverages a CNAME or alias to validate against ACME.
This method is easier and more secure than standard DNS validation with API credentials to a DNS provider, but links the ACME validation to our CDN. If you plan to use ACME validation externally, use one of the other methods or export the generated certificates from our CDN using our dashboard or our API.
No secrets required, but you will need to create a "CNAME Verification" type credential:
The CNAME that you will need to point your domains to will be displayed. It is the same for all the domains, but different per company, for example:
5fb5c7b9ef2b82.tls-validation.edge2befaster.net
Now, if you want to create a certificate for:
You'll need to create two CNAME records (because the wildcard *.example.com and example.com validate in the same DNS record)
Once you have the CNAMEs in place and they've replicated, create a certificate request:
Provisioning > Certificates > New > Certificate request (DNS challenge)
When asked to provide a credential, select the alias that you gave to the "CNAME Verification".
Error obtaining a certificate
If certificate generation fails, an error message will appear either in the HTTP Requests History or in the Active DNS Requests, depending on the certificate challenge type. If the error message does not provide enough information, please reach out to our support team for assistance in diagnosing the issue.
For domains or subdomains with CAA records, ensure that “letsencrypt.org” is allowed, as it is the default Certificate Authority. You can find more details on configuring CAA records here.
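The CAA requirement above, evaluated with the rules of RFC 8659 (closest ancestor record set applies, and `issuewild` replaces `issue` for wildcard names), as an added example that is not part of the CDN's documentation or tooling. The zone data is constructed, `ca.example.net` is a placeholder for another CA, and the function names are hypothetical; the critical flag on unknown properties is not modelled.

```python
# Constructed sample zone data: name -> list of (tag, value) CAA properties.
SAMPLE_CAA = {
    "example.com": [("issue", "ca.example.net"),
                    ("issuewild", "letsencrypt.org"),
                    ("iodef", "mailto:security@example.com")],
    "shop.example.com": [("issue", "letsencrypt.org; validationmethods=dns-01")],
    "locked.example.com": [("issue", ";")],
    "example.org": [("iodef", "mailto:security@example.org")],
}

def relevant_rrset(name, zone):
    """Climb from name toward the root; the closest non-empty CAA set applies."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []

def ca_allowed(requested, zone, ca="letsencrypt.org"):
    """True if `ca` may issue for `requested` (which may start with '*.')."""
    wildcard = requested.startswith("*.")
    # For a wildcard request the lookup starts at the name without '*.'.
    records = relevant_rrset(requested[2:] if wildcard else requested, zone)
    issue = [v for t, v in records if t.lower() == "issue"]
    issuewild = [v for t, v in records if t.lower() == "issuewild"]
    # issuewild only matters for wildcard names, where it replaces issue.
    applicable = issuewild if wildcard and issuewild else issue
    if not applicable:
        return True  # no issue/issuewild property: issuance is unrestricted
    # The issuer domain is the part before any ';' parameters; ';' alone
    # yields an empty issuer, which permits no CA.
    return any(v.split(";")[0].strip().lower() == ca for v in applicable)

def blocked_names(requested_names, zone, ca="letsencrypt.org"):
    """Names in a certificate request that CAA would stop `ca` from issuing."""
    return [n for n in requested_names if not ca_allowed(n, zone, ca)]

if __name__ == "__main__":
    request = ["example.com", "*.example.com", "api.shop.example.com",
               "locked.example.com", "example.org"]
    print(blocked_names(request, SAMPLE_CAA))
```

In the sample, the apex `example.com` is blocked while `*.example.com` is not, which is the case that tends to surprise people when a request mixes both names.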