It may take up to 6 hours to install a new TLS certificate across our entire network.
Edgio Domains: Edgio provides a wildcard TLS certificate for the domains that we automatically generate when you deploy to your property. This certificate is managed by Edgio and it does not require configuration.
Edgio can automatically generate TLS Certificates on your behalf using Let’s Encrypt. These certificates are free, valid for 3 months, and automatically renewed as long as the following technical requirements remain met:
Hostnames: Register the hostnames that will serve traffic for each environment.
Certificate Authority Authorization: The Let’s Encrypt certificate authority (CA) must be allowed to issue certificates for each registered hostname.
Domain Control Validation: Prove your control over that domain by adding an _acme-challenge CNAME record to it.
Web Server(s): Enable or verify that your web servers support TLS 1.3 (recommended) or 1.2 encryption.
The Let’s Encrypt certificate authority (CA) must be allowed to issue certificates for each registered hostname. It is allowed to issue certificates when either of the following conditions is true:
No CAA record is defined for that hostname or for any parent hostname (i.e., the apex domain or any subdomain above it). This DNS configuration means that any CA is allowed to generate certificates for that hostname.
CAA validation follows CNAME records. For example, if your www.example.com CNAME record points to www-origin.example.com, then the CA will first request CAA records for www.example.com. Upon detecting a CNAME record, it will request CAA records for www-origin.example.com instead.
A CAA record explicitly allows the Let’s Encrypt CA to generate certificates for that hostname.
This sample CAA record indicates that the Let’s Encrypt CA is allowed to issue certificates for cdn.example.com:
cdn.example.com. CAA 0 issue "letsencrypt.org"
To add a CAA record to allow Let’s Encrypt to generate certificates for your domains
Verify the value of the CAA records for your domain from the command line.
# Run the following command
dig caa +short <your-apex-domain>

# Example
dig caa +short mywebsite.xyz
The following sample response for a CAA query shows that only specific CAs are allowed to generate certificates for that domain:
0 issue "amazon.com"
0 issue "digicert.com"
0 issue "globalsign.com"
0 issue "letsencrypt.org"
If the result of the CAA DNS query is empty, it means that any CA is allowed to generate certificates on that domain. If so, proceed to domain control validation.
If CAA DNS entries are defined on your hostname or a parent hostname, and none of them names Let’s Encrypt, you will have to add an additional CAA entry for Let’s Encrypt.
From your DNS service provider, add a CAA DNS record for Let’s Encrypt in the form of the sample record shown above.
By default, some DNS service providers add CAA DNS record(s), while others do not allow the creation of CAA DNS records and therefore allow any CA to generate certificates.
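The CAA rules above (walk up to the parent until a CAA set is found, follow CNAMEs on the way, and only then decide whether Let’s Encrypt is named) are easy to get wrong by hand. The following is an added example, not Edgio’s or Let’s Encrypt’s code, that models that decision offline: DNS answers come from a constructed SAMPLE_DNS dictionary, and the lookup() function would be replaced with a real DNS query to evaluate live zones. Its handling of the issuewild tag for wildcard names goes beyond this page and follows RFC 8659.

```python
"""Offline model of the CAA check a CA performs before issuing.

Added example, not Edgio's or Let's Encrypt's code. DNS answers come from the
constructed SAMPLE_DNS dictionary; replace lookup() with a real query to
evaluate live zones. The tree walk follows this page: follow CNAMEs at each
name, then climb to the parent until a CAA set is found. The issuewild
handling goes beyond the page and follows RFC 8659.
"""

# Constructed zone data: canonical name -> {"CAA": [...]} and/or {"CNAME": target}
SAMPLE_DNS = {
    "example.com.": {"CAA": ['0 issue "digicert.com"',
                             '0 issue "letsencrypt.org; validationmethods=dns-01"']},
    "www.example.com.": {"CNAME": "www-origin.example.com."},
    "www-origin.example.com.": {"CAA": ['0 issue "digicert.com"']},
    "locked.test.": {"CAA": ['0 issue ";"']},   # ";" means no CA may issue
}

def canonical(name):
    """Lower-case, single trailing dot."""
    return name.lower().rstrip(".") + "."

def lookup(name, rtype, dns):
    return dns.get(name, {}).get(rtype)

def parse_caa(record):
    """'0 issue "ca; param=x"' -> (flags, tag, ca). Parameters after ';' are dropped."""
    flags, tag, value = record.split(" ", 2)
    ca = value.strip('"').split(";")[0].strip()
    return int(flags), tag.lower(), ca

def relevant_caa_set(hostname, dns=SAMPLE_DNS, max_cname=8):
    """Return (name_where_found, parsed_records); (None, []) if no CAA exists up the tree."""
    name = canonical(hostname)
    while name:
        probe = name
        for _ in range(max_cname):           # CAA validation follows CNAME records
            target = lookup(probe, "CNAME", dns)
            if target is None:
                break
            probe = canonical(target)
        records = lookup(probe, "CAA", dns)
        if records:
            return probe, [parse_caa(r) for r in records]
        parts = name.split(".", 1)           # strip the leftmost label and try the parent
        name = parts[1] if len(parts) > 1 else ""
    return None, []

def ca_may_issue(hostname, ca="letsencrypt.org", dns=SAMPLE_DNS):
    """True if 'ca' is permitted to issue for hostname (wildcards written as '*.example.com')."""
    wildcard = hostname.startswith("*.")
    base = hostname[2:] if wildcard else hostname
    _, records = relevant_caa_set(base, dns)
    if not records:
        return True                          # no CAA anywhere up the tree: any CA may issue
    issue = [v for _, tag, v in records if tag == "issue"]
    issuewild = [v for _, tag, v in records if tag == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True                          # the set carries no restriction for this request type
    return ca in applicable

if __name__ == "__main__":
    for host in ("cdn.example.com", "www.example.com", "*.example.com", "locked.test", "nocaa.test"):
        base = host[2:] if host.startswith("*.") else host
        where, _ = relevant_caa_set(base)
        print(f"{host:18} CAA set at {where or '(none)':26} letsencrypt allowed: {ca_may_issue(host)}")
```

The www.example.com entry reproduces the CNAME case from the text: the CA ends up evaluating the CAA set of www-origin.example.com, which names only digicert.com, so Let’s Encrypt is refused even though the parent zone example.com allows it.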
Before Edgio may issue a certificate request on your behalf, we require that you validate your control over each of your hostnames by adding a CNAME record. From your DNS service provider, add the following CNAME DNS entry for each desired hostname:
Host: _acme-challenge.<HOSTNAME>
Example:
If your hostname is cdn.example.com, then you would set it to _acme-challenge.cdn.example.com.
Value: _acme-challenge.xdn-validation.com
(GoDaddy and Gandi examples: screenshots of the DNS record forms not reproduced here.)
Verify each CNAME record using your preferred tool. For example, you can use any of the following tools:
# Run the following 'dig' command to verify the presence of the '_acme-challenge.' CNAME:
dig +short cname _acme-challenge.<your-domain>

# For example:
dig +short cname _acme-challenge.mywebsite.xyz
Expected result for the DNS query:
_acme-challenge.xdn-validation.com.
If you use multiple domains for your website, like mywebsite.xyz and www.mywebsite.xyz, you will have to make sure that the _acme-challenge DNS record has been added for both domains.
If you have previously used Let’s Encrypt to generate certificates for your hostnames, you should verify that all _acme-challenge.<HOSTNAME> TXT records have been removed.
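The two checks just described (each hostname, apex and www alike, has an _acme-challenge CNAME pointing at _acme-challenge.xdn-validation.com, and no stale _acme-challenge TXT records survive from an earlier Let’s Encrypt setup) can be scripted. The following is an added example, not Edgio’s code; its DNS answers come from a constructed SAMPLE_DNS dictionary, and lookup() would be replaced by a real resolver query to check live zones.

```python
"""Offline check of the _acme-challenge records Edgio needs for domain control validation.

Added example, not Edgio's code. DNS answers come from a constructed dictionary;
swap lookup() for a real resolver to check live zones.
"""
EXPECTED_TARGET = "_acme-challenge.xdn-validation.com."

# Constructed sample answers: name -> {rtype: [values]}
SAMPLE_DNS = {
    "_acme-challenge.mywebsite.xyz.": {"CNAME": ["_acme-challenge.xdn-validation.com."]},
    "_acme-challenge.www.mywebsite.xyz.": {"CNAME": ["_acme-challenge.xdn-validation.com"]},  # no trailing dot
    "_acme-challenge.old.mywebsite.xyz.": {"TXT": ["constructed-leftover-token-from-earlier-acme-run"]},
    "_acme-challenge.typo.mywebsite.xyz.": {"CNAME": ["_acme-challenge.xdn-validaton.com."]},
}

def canonical(name):
    """Lower-case, single trailing dot, so 'x.com' and 'X.com.' compare equal."""
    return name.lower().rstrip(".") + "."

def lookup(name, rtype, dns):
    return dns.get(name, {}).get(rtype, [])

def check_hostname(hostname, dns=SAMPLE_DNS):
    """Return (ok, reason) for one hostname."""
    label = "_acme-challenge." + canonical(hostname)
    cnames = [canonical(c) for c in lookup(label, "CNAME", dns)]
    txts = lookup(label, "TXT", dns)
    if txts:
        # Stale TXT answers from a previous ACME client must go before Edgio validates
        return False, f"{label} still has TXT record(s) from a previous Let's Encrypt setup; remove them"
    if not cnames:
        return False, f"{label} has no CNAME record"
    if cnames != [EXPECTED_TARGET]:
        return False, f"{label} points to {cnames} instead of {EXPECTED_TARGET}"
    return True, f"{label} -> {EXPECTED_TARGET}"

def check_all(hostnames, dns=SAMPLE_DNS):
    """Check every hostname separately; apex and www need their own records."""
    return {h: check_hostname(h, dns) for h in hostnames}

if __name__ == "__main__":
    hosts = ["mywebsite.xyz", "www.mywebsite.xyz", "old.mywebsite.xyz",
             "typo.mywebsite.xyz", "missing.mywebsite.xyz"]
    for host, (ok, reason) in check_all(hosts).items():
        print(("OK  " if ok else "FAIL"), reason)
```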
Skip this section if you plan on using an autogenerated TLS certificate or if you already have an existing TLS certificate that you plan to upload.
TLS certificates are issued by Certificate Authorities (CA) based on your Certificate Signing Request (CSR). Although a single command generates a CSR and a private key, you should only share your CSR with the CA. You should also securely store your private key.
The following procedure indicates how to create a CSR and a private key with OpenSSL. OpenSSL is an open-source toolkit for the TLS protocol. We recommend using OpenSSL because it ensures that your private key will only be stored locally on your infrastructure.
Review your CA’s documentation to check for additional requirements or a custom certification workflow.
To generate a CSR and a private key
From the command line, verify that OpenSSL is installed:
macOS: Install it by using the brew package manager (e.g., brew install openssl).
Windows: Install it by using the Chocolatey package manager (e.g., choco install openssl).
Linux/Unix: Install it by running the built-in OS package manager (e.g., apt-get install openssl, apk add openssl, and so on).
Go to the directory of your choice and create a configuration file (e.g., edgio_cert.conf) based on this template:
[req]
default_bits=2048
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName=Country Name (2 letter code)
countryName_default=US
stateOrProvinceName=State or Province Name (full name)
stateOrProvinceName_default=California
localityName=Locality Name (e.g., city)
localityName_default=San Francisco
organizationName=Organization Name (e.g., company)
organizationName_default=YourCompanyName
commonName=Fully Qualified Domain Name (FQDN) e.g., www.your-company-name.com
commonName_default=www.your-company-domain.com

[v3_req]
subjectAltName=@alt_names

[alt_names] # Other domains: apex domain, wildcard domain for staging and dev, and so on
DNS.1=*.your-main-domain.com
DNS.2=*.your-dev-domain.com
DNS.3=your-apex-domain.com
# And so on
Replace the country, state/province, locality, organization name, and Common Name (CN). Set the CN to your hostname’s fully qualified domain name (e.g., cdn.example.com).
Edgio strongly encourages the use of wildcard certificates. However, if you are not using a wildcard certificate, then you will need to add the remaining hostnames into the alt_names section.
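Filling in the template by hand is fine for one certificate, but the alt_names list is where mistakes creep in. The following is an added example, not Edgio’s code, that builds the request config from a subject and a hostname list and returns the matching openssl req command. The subject values and hostnames are constructed placeholders. It departs from the page’s template in two deliberate ways: it sets prompt = no so the values are used as given instead of being offered as interactive defaults, and it always places the Common Name in the SAN list, because clients validate the SAN list rather than the CN.

```python
"""Generate the OpenSSL request config for the CSR procedure on this page and
the command that produces the private key and CSR from it.

Added example, not Edgio's code. Subject values and hostnames are constructed
placeholders. Unlike the page's template it sets prompt = no and always lists
the CN among the SANs.
"""
from configparser import ConfigParser
import subprocess

def build_req_config(subject, hostnames, bits=2048):
    """Return the text of a req config; subject needs C, ST, L, O and CN."""
    cn = subject["CN"]
    sans = list(dict.fromkeys([cn, *hostnames]))     # de-duplicate, CN first
    for h in sans:
        # Only a single leading "*." label is a valid wildcard in a SAN
        if "*" in h and (h.count("*") > 1 or not h.startswith("*.")):
            raise ValueError(f"unsupported wildcard form: {h}")
    lines = ["[req]", f"default_bits = {bits}", "prompt = no",
             "distinguished_name = req_distinguished_name",
             "req_extensions = v3_req", "", "[req_distinguished_name]"]
    lines += [f"{key} = {subject[key]}" for key in ("C", "ST", "L", "O", "CN")]
    lines += ["", "[v3_req]", "subjectAltName = @alt_names", "", "[alt_names]"]
    lines += [f"DNS.{i} = {h}" for i, h in enumerate(sans, 1)]
    return "\n".join(lines) + "\n"

def san_entries(config_text):
    """Read the DNS.n entries back out of a generated config, as a self-check."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return [value for _, value in cp.items("alt_names")]

def openssl_req_command(config_path, key_path, csr_path, bits=2048):
    """One command writes the private key (keep it local) and the CSR (send only this to the CA)."""
    return ["openssl", "req", "-new", "-newkey", f"rsa:{bits}", "-nodes",
            "-keyout", key_path, "-out", csr_path, "-config", config_path]

def generate(subject, hostnames, config_path="edgio_cert.conf",
             key_path="edgio_cert.key", csr_path="edgio_cert.csr"):
    """Write the config and invoke openssl; returns the CSR path. Requires openssl on PATH."""
    with open(config_path, "w") as fh:
        fh.write(build_req_config(subject, hostnames))
    subprocess.run(openssl_req_command(config_path, key_path, csr_path), check=True)
    return csr_path

if __name__ == "__main__":
    subject = {"C": "US", "ST": "California", "L": "San Francisco",
               "O": "YourCompanyName", "CN": "cdn.example.com"}   # constructed placeholders
    print(build_req_config(subject, ["*.example.com", "example.com"]))
    print(" ".join(openssl_req_command("edgio_cert.conf", "edgio_cert.key", "edgio_cert.csr")))
```

Only the .csr file goes to the CA; the .key file written by the same command is the private key referred to above and stays on your infrastructure until you upload it to Edgio.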
Uploading a certificate requires the following items in addition to the certificate itself:
The intermediate certificates (IC) used by the CA, including the CA’s signing certificate.
The private key that was generated with the CSR.
To upload your TLS certificate
Load the TLS Certificate page.
From the Edgio Console, select the desired private space or organization.
Select the desired property.
From the left-hand pane, select the desired environment from under the Environments section.
From the left-hand pane, select TLS Certificate.
Clear the Automatically create an TLS certificate for my custom domains option.
Copy the certificate, intermediate certificates, and the private key into the corresponding options.
The private key is non-public data and must not be shared with parties other than Edgio. Edgio securely stores your private key. It is never shown in the Edgio Console and it is only used to provision parts of the infrastructure that are used to terminate TLS connections.
Click Changes Saved. Certificate activation typically takes a few minutes.
Contact technical customer support if the status does not become Active within an hour.