
TLS Certificates

Edgio requires a TLS certificate hosted on our network to serve HTTPS traffic for:

Autogenerating TLS Certificates

Edgio can automatically generate TLS Certificates on your behalf using Let’s Encrypt. These certificates are free, valid for 3 months, and automatically renewed as long as the following technical requirements remain met:

Certificate Authority Authorization

The Let’s Encrypt certificate authority (CA) must be allowed to issue certificates for each registered hostname. It is allowed to issue certificates when either of the following conditions is true:

  • No CAA record has been published for that hostname or for any parent hostname (i.e., the apex domain or any intermediate subdomain). This DNS configuration means that any CA is allowed to generate certificates for that hostname.

    CAA validation follows CNAME records. For example, if your www.example.com CNAME record points to www-origin.example.com, then the CA will first request CAA records for www.example.com. Upon detecting a CNAME record, it will request CAA records for www-origin.example.com instead.

  • A CAA record explicitly allows the Let’s Encrypt CA to generate certificates for that hostname.

    This sample CAA record indicates that the Let’s Encrypt CA is allowed to issue certificates for cdn.example.com:

    cdn.example.com. CAA 0 issue "letsencrypt.org"

To add a CAA record to allow Let’s Encrypt to generate certificates for your domains

  1. Verify the value of the CAA records for your domain from the command line. A CA checks the hostname first and then each parent up to the apex, and the first non-empty CAA set it finds is the one that applies, so query the hostname itself as well as the apex if they differ.

    Bash
    # Run the following command
    dig caa +short <your-apex-domain>

    # Example
    dig caa +short mywebsite.xyz

    The following sample response for a CAA query shows that only specific CAs are allowed to generate certificates for that domain:

    Bash
    0 issue "amazon.com"
    0 issue "digicert.com"
    0 issue "globalsign.com"
    0 issue "letsencrypt.org"

    If the result of the CAA DNS query is empty for the hostname and for every parent domain, any CA is allowed to generate certificates for that hostname. If so, proceed to domain control validation. Note that with +short an empty answer and a failed lookup look the same; rerun the query without +short and confirm that the status is NOERROR or NXDOMAIN, because a CA treats a CAA lookup failure as a reason to refuse issuance.

  2. If CAA DNS entries are defined on your hostname or on a parent hostname, and Let’s Encrypt is not among them, you will have to add an additional CAA entry for Let’s Encrypt. Add it at the same name that already carries the CAA records (the apex domain in the common case); a CAA set published on the hostname itself overrides the parent’s set, so if you create one there, list every CA you use. If the existing set contains issuewild records, Let’s Encrypt also needs an issuewild entry before it can issue a wildcard certificate, because issuewild takes precedence over issue for wildcard requests.

    From your DNS service provider, add the following CAA DNS record:

    • Type: CAA
    • Name: empty or @ (depending on the DNS provider)
    • Flags: 0
    • Tag: issue
    • Value: letsencrypt.org or "letsencrypt.org"

    GoDaddy Example:

    CAA Record on GoDaddy

    Gandi Example:

    CAA Record on Gandi

    Verify your CAA configuration with a CAA lookup tool or by re-running the dig query above.

    Some DNS service providers add CAA DNS record(s) by default, while others do not support CAA DNS records at all; in the latter case no CAA record exists, so any CA is allowed to generate certificates.

    Learn more about CAA DNS records: Let’s Encrypt, Wikipedia, Gandi, and eff.org

Domain Control Validation

Before Edgio may issue a certificate request on your behalf, we require that you validate your control over each of your hostnames by adding a CNAME record. The CNAME delegates the ACME DNS-01 challenge for that hostname to Edgio: the CA follows it and reads the challenge token from the target name, so whoever controls the target can satisfy the challenge and obtain certificates for the hostname. Point it only at the Edgio-operated name below. From your DNS service provider, add the following CNAME DNS entry for each desired hostname:

  • Host: _acme-challenge.<HOSTNAME>

    Example:

    If your hostname is cdn.example.com, then you would set it to _acme-challenge.cdn.example.com.

  • Value: _acme-challenge.xdn-validation.com

GoDaddy Example:

ACME Challenge Record on GoDaddy

Gandi Example:

ACME Challenge Record on Gandi

Verify each CNAME record using your preferred tool. For example, you can use any of the following tools:

  • MX ToolBox DNS Lookup

  • NsLookup DNS Lookup

  • Command line: Run the following command:

    Bash
    # Run the following 'dig' command to verify the presence of the '_acme-challenge.' CNAME:
    dig +short cname _acme-challenge.<your-domain>

    # For example:
    dig +short cname _acme-challenge.mywebsite.xyz

    Expected result for the DNS query:

    _acme-challenge.xdn-validation.com.

If you use multiple domains for your website, like mywebsite.xyz and www.mywebsite.xyz, you will have to make sure that the _acme-challenge DNS record has been added for both domains:

_acme-challenge.mywebsite.xyz -> _acme-challenge.xdn-validation.com.
_acme-challenge.www.mywebsite.xyz -> _acme-challenge.xdn-validation.com.

If you have previously used Let’s Encrypt to generate certificates for your hostnames, you should verify that all _acme-challenge.<HOSTNAME> TXT records have been removed. A CNAME cannot coexist with any other record at the same name, so a stale TXT record at that name prevents the CNAME from being published correctly.

Learn more about DNS TXT domain control.
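The two DNS checks in this section and in Certificate Authority Authorization above can be modelled end to end. The following Python script is an added example written for this page, not Edgio code: it runs the RFC 8659 CAA algorithm (climb from the hostname to the TLD, follow CNAMEs, the first non-empty set wins, issuewild beats issue for wildcard requests, a critical flag on an unknown tag refuses issuance) and the _acme-challenge CNAME delegation check over a constructed in-memory zone written in dig +short notation. The zone data, the example.com names and the helper names are assumptions; only _acme-challenge.xdn-validation.com and letsencrypt.org come from the page. To use it against live DNS, replace the ZONE lookups with the output of the dig commands above.

```python
"""Model of CAA authorization (RFC 8659) and _acme-challenge CNAME delegation
for DNS-01. Runs against a constructed in-memory zone, not live DNS."""

CA = "letsencrypt.org"
EDGIO_ACME = "_acme-challenge.xdn-validation.com."
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone in `dig +short` notation (assumption: not any real domain's data).
ZONE = {
    "example.com.": {"CAA": ['0 issue "digicert.com"',
                             '0 issue "letsencrypt.org; validationmethods=dns-01"',
                             '0 issuewild ";"']},              # forbids every wildcard issuance
    "www.example.com.": {"CNAME": ["www-origin.example.com."]},
    "www-origin.example.com.": {"CAA": ['0 issue "amazon.com"']},
    "dev.example.com.": {"CAA": ['128 nonsense "x"']},        # critical flag on an unknown tag
    "_acme-challenge.example.com.": {"CNAME": [EDGIO_ACME]},
    "_acme-challenge.www.example.com.": {"CNAME": ["_acme-challenge.example.com."]},
    "_acme-challenge.staging.example.com.": {"TXT": ['"stale-token-from-certbot"']},
    "_acme-challenge.api.example.com.": {"CNAME": ["_acme-challenge.other-cdn.example."]},
}


def fqdn(name):
    """Normalise to a lower-case, dot-terminated owner name."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def resolve(name, zone=ZONE, max_hops=8):
    """Follow a CNAME chain the way a validating CA's resolver does; returns the final owner name."""
    name = fqdn(name)
    for _ in range(max_hops):
        cname = zone.get(name, {}).get("CNAME")
        if not cname:
            break
        name = fqdn(cname[0])
    return name


def lookup(name, rtype, zone=ZONE):
    """RRset of `rtype` at `name` after CNAME following. Returns (owner, records)."""
    owner = resolve(name, zone)
    return owner, list(zone.get(owner, {}).get(rtype, []))


def parse_caa(rr):
    """'0 issue "letsencrypt.org; validationmethods=dns-01"' -> (0, 'issue', 'letsencrypt.org')."""
    flags, tag, value = rr.split(None, 2)
    value = value.strip().strip('"')
    return int(flags), tag.lower(), value.split(";", 1)[0].strip().lower()


def relevant_caa(host, zone=ZONE):
    """Climb from the hostname towards the TLD; the first non-empty CAA RRset is the relevant one."""
    labels = fqdn(host).rstrip(".").split(".")
    for i in range(len(labels)):
        owner, rrs = lookup(".".join(labels[i:]) + ".", "CAA", zone)
        if rrs:
            return owner, [parse_caa(r) for r in rrs]
    return None, []


def ca_allowed(host, ca=CA, wildcard=False, zone=ZONE):
    """May `ca` issue for host (or *.host when wildcard=True) under the relevant CAA set?"""
    _, records = relevant_caa(host, zone)
    if not records:
        return True          # no CAA anywhere up the tree: any CA may issue
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False         # critical property the CA does not understand: must refuse
    issue = [v for _, tag, v in records if tag == "issue"]
    issuewild = [v for _, tag, v in records if tag == "issuewild"]
    applicable = issuewild if wildcard and issuewild else issue
    if not applicable:
        return True          # a set exists but carries no restriction for this request type
    return ca in applicable  # an empty value (';') matches no CA at all


def dns01_delegation(hostnames, zone=ZONE, target=EDGIO_ACME):
    """Classify each hostname's _acme-challenge record: ok / missing / stale TXT / wrong target."""
    report = {}
    for host in hostnames:
        name = "_acme-challenge." + fqdn(host)
        rrs = zone.get(name, {})
        if "CNAME" not in rrs:
            report[host] = "stale TXT blocks CNAME" if rrs.get("TXT") else "missing"
        elif resolve(name, zone) == target:
            report[host] = "ok"
        else:
            report[host] = "wrong target: " + resolve(name, zone)
    return report


if __name__ == "__main__":
    for h in ["cdn.example.com", "www.example.com", "dev.example.com", "mywebsite.xyz"]:
        print(h, "->", CA, "allowed:", ca_allowed(h), "wildcard:", ca_allowed(h, wildcard=True))
    print(dns01_delegation(["example.com", "www.example.com", "staging.example.com",
                            "api.example.com", "blog.example.com"]))
```

Running it prints the authorization result for each host and the delegation report. The www.example.com case shows why querying only the apex is not enough: the CAA set found at the CNAME target replaces the parent's set, and a target that lists only another CA blocks Let’s Encrypt even though the apex allows it.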

TLS Certificate Verification

Once the above requirements are met, you should verify that a TLS certificate for each of your hostnames has been generated.

To verify TLS certificate creation

  1. From the Edgio Developer console, click Settings to load the Settings page. Find the TLS Certificate section.

  2. Review the TLS status for each of your hostnames.

    TLS Certificate section
  3. If a TLS certificate has not yet been generated, you may manually trigger generation by clicking the Recheck Validation icon under the ACME Challenge Record column.

    Edgio will generate a TLS certificate for that hostname within a few minutes.

  4. Wait a few minutes and then verify that a certificate was created for that hostname.

Manually Creating a TLS Certificate

Skip this section if you plan on using an autogenerated TLS certificate or if you already have an existing TLS certificate that you plan to upload.

TLS certificates are issued by Certificate Authorities (CA) based on your Certificate Signing Request (CSR). Although a single command generates a CSR and a private key, you should only share your CSR with the CA. You should also securely store your private key.

The following procedure indicates how to create a CSR and a private key with OpenSSL. OpenSSL is an open-source toolkit for the TLS protocol. We recommend using OpenSSL because it ensures that your private key will only be stored locally on your infrastructure.

Review your CA’s documentation to check for additional requirements or a custom certification workflow.

To generate a CSR and a private key

  1. From the command line, verify that OpenSSL is installed:

    • macOS: Install it by using the brew package manager (e.g., brew install openssl).
    • Windows: Install it by using Chocolatey package manager (e.g., choco install openssl).
    • Linux/Unix: Install it by running the built-in OS package manager (e.g., apt-get install openssl, apk add openssl, and so on).
  2. Go to the directory of your choice and create a configuration file (e.g., edgio_cert.conf) based on this template:

    [req]
    default_bits=2048
    distinguished_name = req_distinguished_name
    req_extensions = v3_req

    [req_distinguished_name]
    countryName=Country Name (2 letter code)
    countryName_default=US
    stateOrProvinceName=State or Province Name (full name)
    stateOrProvinceName_default=California
    localityName=Locality Name (e.g., city)
    localityName_default=San Francisco
    organizationName=Organization Name (e.g., company)
    organizationName_default=YourCompanyName
    commonName=Fully Qualified Domain Name (FQDN) e.g., www.your-company-name.com
    commonName_default=www.your-company-domain.com

    [v3_req]
    subjectAltName=@alt_names

    [alt_names] # Other domains: apex domain, wildcard domain for staging and dev, and so on
    DNS.1=*.your-main-domain.com
    DNS.2=*.your-dev-domain.com
    DNS.3=your-apex-domain.com
    # And so on

    Replace the country, state/province, locality, organization name, and Common Name (CN). Set the CN to your hostname’s fully qualified domain name (e.g., cdn.example.com). Modern browsers ignore the CN and match only the subjectAltName entries, so the CN hostname must also be covered by an entry in alt_names.

    Edgio strongly encourages the use of wildcard certificates. A wildcard entry such as *.example.com covers exactly one label (www.example.com, but not example.com or a.b.example.com), so list the apex domain and any deeper hostnames as separate DNS.N entries. If you are not using a wildcard certificate, then you will need to add every remaining hostname to the alt_names section.

  3. Run the following command:

    Bash
    openssl req -out edgio.csr -newkey rsa:2048 -nodes -keyout edgio.key -config edgio_cert.conf -batch

    This should generate your CSR in edgio.csr and private key in edgio.key. The -nodes option writes the private key unencrypted, so restrict the file’s permissions to your own user and keep it off shared storage until you upload it.

    If you want OpenSSL to ask you for each different input, remove the -batch option and re-run the command.

  4. Verify your CSR contains the expected domains by running the following command:

    Bash
    openssl req -in edgio.csr -noout -text | grep DNS
  5. Read the CSR (e.g., cat edgio.csr) or copy it to your clipboard (on macOS, cat edgio.csr | pbcopy) and send it to your CA for certification.
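To see which hostnames a certificate built from this template will actually cover before sending the CSR to the CA, here is an added example (written for this page; not Edgio’s or OpenSSL’s code). It reads the template’s commonName_default and DNS.N entries and applies the wildcard-matching rules browsers use (RFC 6125: the asterisk is the whole leftmost label and matches exactly one label). CONF is a copy of the template above with assumed example.com names filled in; the matching is simplified (no public-suffix check, no internationalized names).

```python
"""Which hostnames will a CSR built from edgio_cert.conf cover? Pure stdlib."""

# Constructed copy of the page's template with example.com placeholders (assumption).
CONF = """
[req]
default_bits=2048
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName=Country Name (2 letter code)
countryName_default=US
organizationName=Organization Name (e.g., company)
organizationName_default=YourCompanyName
commonName=Fully Qualified Domain Name (FQDN)
commonName_default=www.example.com

[v3_req]
subjectAltName=@alt_names

[alt_names] # Other domains: apex domain, wildcard domain for staging and dev, and so on
DNS.1=*.example.com
DNS.2=*.dev.example.com
DNS.3=example.com
# And so on
"""


def parse_req_conf(text):
    """Minimal reader for the OpenSSL req config: {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment, as in OpenSSL
        if not line:
            continue
        if line.startswith("["):
            current = line[1:line.index("]")].strip()
            sections[current] = []
        elif "=" in line and current:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def cert_names(text):
    """(common name, [SAN dNSName entries]) that the CSR will carry."""
    conf = parse_req_conf(text)
    cn = dict(conf.get("req_distinguished_name", [])).get("commonName_default", "")
    sans = [v for k, v in conf.get("alt_names", []) if k.upper().startswith("DNS.")]
    return cn, sans


def name_matches(pattern, host):
    """'*.example.com' matches 'a.example.com' only: not the apex, not 'a.b.example.com'."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    h_labels = h.split(".")
    # Require at least two labels after the wildcard so '*.com' never matches anything.
    return len(h_labels) >= 3 and ".".join(h_labels[1:]) == p[2:]


def uncovered(text, hostnames):
    """Hostnames no SAN entry matches. The CN is ignored on purpose: browsers only use the SAN list."""
    _, sans = cert_names(text)
    return [h for h in hostnames if not any(name_matches(s, h) for s in sans)]


def cn_in_san(text):
    """True when the CN hostname is also covered by a SAN entry, as browsers require."""
    cn, sans = cert_names(text)
    return any(name_matches(s, cn) for s in sans)


if __name__ == "__main__":
    wanted = ["example.com", "www.example.com", "api.dev.example.com", "a.b.example.com"]
    print("CN covered by SAN:", cn_in_san(CONF))
    print("not covered:", uncovered(CONF, wanted))
```

Run uncovered(CONF, hostnames) over the list of hostnames you register with Edgio before submitting the CSR; an empty list means every hostname is matched by some SAN entry. In the sample data a.b.example.com is reported as uncovered because the one-label wildcard *.example.com does not reach it.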

Uploading Your Certificate

Uploading a TLS certificate requires:

  • An Enterprise account. Contact your account manager or our sales department at 1 (866) 200 - 5463 to upgrade your account.
  • The Admin role within your team.
  • A certificate issued by a CA.
  • The intermediate certificates (IC) used by the CA, including the CA’s signing certificate.
  • The private key that was generated with the CSR.

To upload your TLS certificate

  1. From the Edgio Developer console, click Settings to load the Settings page. Find the TLS Certificate section.

  2. Clear the Automatically create an TLS certificate for my custom domains. option.

  3. Copy the certificate, intermediate certificates, and the private key into the corresponding options.

    The private key is non-public data and must not be shared with parties other than Edgio. Edgio securely stores your private key. It is never shown in the Edgio Developer console and it is only used to provision parts of the infrastructure that are used to terminate TLS connections.

  4. Click Changes Saved.

    The status of the TLS certificate then updates to Activating.

    in-progress-certificate

    After the certificate is activated, its status becomes Active.

    activated-certificate

    Certificate activation should take a few minutes. Contact technical customer support if the status does not become Active within an hour.