Digital Certificates
You need a SSL Certificate to transfer data over HTTPS. Using HTTPS gives you the assurance that your customers’ data is securely transferred over the Internet, demonstrates the reliability of your website and the authenticity of your domain, in addition to improving your website’s position in search engines like Google.
At Azion, you can rely on the following SSL Certificate options for HTTPS traffic:
1. Shared Domain
When using Azion Edge Application you count on our SSL certificate for HTTPS traffic at no additional cost — you only need to use Azion’s shared domain.
When you create an Edge Application configuration in Real-Time Manager, a domain is automatically assigned in the “azionedge.net” zone. If you wish, you may use the assigned domain to deliver your static content over HTTPS, avoiding the costs of issuing SSL certificates for approval environments or URLs whose domain can be shared with other Azion customers.
To use Azion’s SSL certificate for Shared Domain, proceed as follows:
- Access Real-Time Manager, go to the Products Menu, and select Domains.
- Add or edit your Domain settings.
- In the Digital Certificate field, select Azion (SAN).
- Click the Save button to save your settings and you’ll be using Azion’s Shared Domain.
2. Custom Certificate
To use your HTTPS domain you will need your own SSL certificate (X.509). You can, at no additional cost, set up your SSL Certificate in the Real-Time Manager. If you do not have one, Azion can share a Subject Alternate Name (SAN) certificate, which is a digital security certificate that allows multiple hostnames to be protected by a single certificate. To use this feature, you will need to prove that the domain is really yours.
There are three types of validations that you can choose:
DV (Domain Validation) |
OV (Organization Validation) |
EV (Extended Validation) |
---|---|---|
It is the validation of your right to use the domain, it is the simplest of the three options. This is the option recommended by Azion for most companies. | It is validation about your right to use the domain and some further validations about the requesting organization. | It is an extended validation, which requires additional documentation to prove the physical, legal and operational existence of the requesting organization and the most complex of the three options. |
Azion currently works with two types of certificates, which are: “RSA” and “ECC/ECDSA”. Each certificate has its characteristics and its security level, and Azion allows you to choose the option that best fits your scenario.
RSA
It is one of the earliest public key cryptography systems and it is widely used for the secure transmission of data. In this encryption system, the encryption key is public and is different from the decryption key that is secret (private). Any message encrypted using a public key can only be decrypted using the respective private key.
RSA is a relatively slow algorithm and is therefore less used to directly encrypt user data. Most often, RSA passes shared encrypted keys to symmetric key encryption, which in turn can perform mass encryption-decryption operations at a much faster rate.
ECC/ECDSA
Elliptical Curve Cryptography is an approach to public key cryptography based on the algebraic structure of elliptical curves. Public key cryptography is based on creating mathematical puzzles that are difficult to solve, therefore it becomes much more secure than other types of certificates such as RSA.
Smaller keys are less computationally intensive to generate signatures because they involve smaller mathematical numbers. ECC is faster in generating signatures and has better performance than RSA.
How to use Custom Certificate
To add your Custom Certificate, you will need the Certificate pair (X.509) and its private key, both in ASCII PEM format and the private key cannot be protected by passphrase.
The certificate is the file you receive from your CA. It starts with:
-----BEGIN CERTIFICATE-----
You must copy all the content including the start marker and also the end marker:
-----END CERTIFICATE-----
The private key is the file that you used to generate the CSR request which was sent to your CA. The content starts with:
-----BEGIN RSA PRIVATE KEY-----
You must copy all the content including the start marker and also the end marker:
-----END RSA PRIVATE KEY-----
To use your Custom Certificate with Azion, we use the SNI (Server Name Indication) extension of the TLS protocol. Check the browser list with SNI support.
Adding a certificate
You can add a digital certificate in two different ways:
- Uploading your own digital certificate and your private key.
- Generating a CSR and a private key with Azion.
How to use your own certificate:
- Access Real-Time Manager.
- Go to the Products Menu on the upper-left corner and select Digital Certificates under Edge Libraries.
- Click the button Add certificate.
- Select the Upload my certificate and private key option to add a Digital Certificate including your Certificate information to your Private key.
- Click Save to save your settings.
How to generate a CSR and private key with Azion
A Certificate Signing Request (CSR) is one of the first steps towards getting your own SSL/TLS certificate. For customers with contracted FIPS 140 support, the private key will be stored in an HSM that uses a cryptographic module certified in the FIPS-140 Level 3 standard.
- Access Real-Time Manager.
- Go to the Products Menu on the top left corner and select Digital Certificates under Edge Libraries.
- Click the Add certificate button.
- Select the Generate CSR and private key with Azion option.
- Fill in the required fields and click Save.
The Country/Region field accepts two characters. For example, if referring to the USA, fill it in with US.
- A window will pop up on the screen with the CSR Successful Generated information. Here, you will get the information you need to start your certificate request. Choose one of the given options: I will copy later or Copy to Clipboard.
- The information generated must be duly signed by a CA (Certification Authority).
- Once you have your certificate signed, you must add it to the platform. Click on the pending certificate and add your certificate information in the Certificate field.
- Click Save to save your settings. After this step, your certificate is ready for use.
If you prefer, you can provide the complete chain of certificates for your domains in the Certificate field.
3. Let’s Encrypt certificate
Let’s Encrypt™ is a nonprofit global CA that allows people and organizations to obtain, renew, and manage SSL/TLS certificates for free. When creating a Domain with Azion, you may choose to obtain an SSL certificate signed by Let’s Encrypt. You can request Let’s Encrypt certificates for domains hosted in Intelligent DNS or in a third-party DNS provider.
Once you create a domain with Azion, you can choose the option Let’s Encrypt to automatically generate a Let’s Encrypt certificate. An entry for this certificate will be listed in the Digital Certificates page in Real-Time Manager. After the certificate undergoes DNS validation, issuance, and storage, it’ll become active.
You must create a new Azion domain to generate the Let’s Encrypt certificate. The certificate you create will be exclusive to the new Azion domain, which means you can’t transfer the certificate to another domain.
See How to generate a Let’s Encrypt certificate to know how to validate this type of certificate.
Active Let’s Encrypt certificates will be renewed automatically before the expiration date of 90 days, provided that you don’t bind a different certificate to the Azion domain or delete the associated domain.
CNAME configuration
When you create an Azion domain and select the Let’s Encrypt certificate option, you can list up to 50 CNAMEs to request the certificate. CNAMEs listed after a top-level domain are registered as alternative names. If you want a different certificate for your domain’s CNAMEs, you must create a domain for each of your CNAMEs.
You can use wildcard CNAMEs (*.domain.com
) or mix wildcard and non-wildcard CNAMEs in the same domain. The hostname resolution follows Azion’s standard rules: specific domains have precedence over wildcard ones. For example, a Let’s Encrypt certificate for blog.domain.com
will take precedence over a certificate for *.domain.com
.
If you modify the CNAME list on the domain settings, Azion will create a new certificate based on the modified set of CNAMEs, and the old entry will be deactivated. If any of the CNAMEs fail the challenge, the certificate won’t be generated and will remain with the Pending status.
Trademarks
Let’s Encrypt is a trademark of Internet Security Research Group. All rights reserved.
Didn’t find what you were looking for? Open a support ticket.