Two-Certificate Architecture
Key Insight: Akamai uses TWO separate SSL/TLS connections. Problems with your edge certificate don't affect your origin certificate, and vice versa.
These are two completely separate SSL connections. Edge certificate issues affect visitors. Origin certificate issues affect Akamai's connection to your server.
Edge Certificate Options
Akamai offers several ways to secure the connection between visitors and the edge:
| Option | Cost | Best For | Details |
|---|---|---|---|
| Standard TLS | Free | Most sites | Shared SAN certificate |
| Enhanced TLS | $$ | Compliance-sensitive | Dedicated certificate |
| Third-Party | Cert cost | Full control | Bring your own cert |
| Let's Encrypt | Free | Dedicated + free | Auto-renewed DV cert |
Tip: Standard TLS works for most use cases. Enhanced TLS is required for PCI DSS compliance or when you need EV/OV validation visible to visitors.
Origin SSL Settings (Property Manager)
These settings control how Akamai validates your origin server's certificate:
Verification Modes
| Setting | What It Does | Security |
|---|---|---|
| Trust | Accepts any cert including self-signed | ⚠️ Insecure |
| Verify | Validates against CA bundle | ✓ Good |
| Verify + Hostname | Validates cert AND hostname match | ✓ Best |
Warning: "Trust" mode is insecure
Like Cloudflare's "Flexible" mode, Trust disables certificate validation entirely. Use it only for testing or when you have no other option; never use it in production with sensitive data.
Other Important Settings
Origin Port
- 80 - HTTP (no SSL)
- 443 - HTTPS (SSL required)
- Custom ports supported
SNI (Server Name Indication)
- Enable if origin hosts multiple sites
- Required for shared hosting
- Sends hostname in TLS handshake
Common Errors & Fixes
Property Manager Checklist
Work through this checklist when setting up or troubleshooting SSL:
Akamai vs Cloudflare: SSL Settings Comparison
| Setting | Akamai | Cloudflare |
|---|---|---|
| No origin SSL | Port 80 (HTTP) | Flexible |
| Any origin cert | Trust | Full |
| Valid origin cert | Verify | Full (Strict) |
| Valid + hostname match | Verify + Hostname ✓ | Full (Strict) ✓ |
| Free origin cert | Let's Encrypt | Cloudflare Origin CA |
Debug with Pragma Headers
Akamai provides debug headers to help troubleshoot issues. Add Pragma headers to see detailed information about caching, SSL, and request routing:
```shell
# Basic debug headers
curl -I -H "Pragma: akamai-x-cache-on, akamai-x-get-request-id" https://yourdomain.com

# Full SSL debug (for certificate troubleshooting)
curl -I -H "Pragma: akamai-x-get-extracted-values, akamai-x-get-request-id, akamai-x-get-ssl-client-session-id, akamai-x-cache-on" https://yourdomain.com
```
Key response headers to look for:
- X-Akamai-Request-ID - Unique request ID for support tickets
- X-Cache - Shows TCP_HIT or TCP_MISS for cache status
- X-True-Cache-Key - The actual cache key used
Frequently Asked Questions
Can I use a self-signed certificate with Akamai?
Yes, but only with "Trust" verification mode. This disables certificate validation entirely, which is insecure. For production, use Let's Encrypt or a proper CA certificate and enable "Verify" or "Verify + Hostname".
How long does edge certificate provisioning take?
Standard TLS (DV) typically provisions within minutes once DNS is correctly configured. Enhanced TLS with OV/EV validation can take 1-5 business days due to manual verification steps.
Why does my site work directly but fail through Akamai?
Your browser may accept certificates that Akamai won't. Common issues: missing intermediate certs (browsers may fetch them, Akamai doesn't), hostname mismatches, or SNI requirements. Test with openssl s_client to see what Akamai sees.
Do I need different certificates for edge and origin?
Yes, they're completely separate. The edge certificate secures visitor-to-Akamai traffic. The origin certificate secures Akamai-to-origin traffic. They can be from different CAs, have different hostnames, and expire at different times.
What CAA records does Akamai need?
Akamai uses DigiCert, Let's Encrypt, and GlobalSign for certificate issuance. Add CAA records allowing digicert.com, letsencrypt.org, and globalsign.com if you have CAA records configured.
Related Resources
Cloudflare Error 526
Fix Invalid SSL Certificate errors when using Cloudflare Full (Strict) mode.
AWS CloudFront SSL Errors
Fix ACM certificate issues and the us-east-1 requirement for CloudFront.
Chain Builder & Troubleshooting
Build complete certificate chains and diagnose chain validation failures.
How TLS Works
Understand the TLS handshake and certificate validation process.
Certificate Anatomy
Learn what's inside an X.509 certificate and how each field affects validation.
Certificate File Formats
PEM, DER, PKCS#12 - understand and convert between certificate formats.
