The Fastly web interface allows you to add and manage domains on one of Fastly's shared TLS certificates. For example, to serve HTTPS traffic for a single website you can add a single domain like www.example.com. However, if you add a wildcard domain, like *.example.com, you will be able to serve HTTPS traffic on any related subdomain, like api.example.com and docs.example.com.
IMPORTANT: Due to improved security standards adopted by the CA/Browser Forum, the validity period of random values used for domain validation when requesting TLS certificates will be reduced to a 30-day rolling window. This change will take effect for our Shared TLS options and our Certificate Procurement, Management, and Hosting service on May 25, 2020.
In addition, we plan to retire shared certificates for TLS 1.2 connections by December 31, 2020. Fastly TLS, with its associated web interface and API, offers similar functionality to the shared certificate products. For general questions about this announcement, contact our customer support team at fastlytlsupdates@fastly.com.
Before you begin
Be sure you understand your TLS options:
- If you don't have a TLS certificate, you can add a domain to one of Fastly's shared certificates. Simply complete the steps for adding a TLS domain described in this guide. You'll automatically be billed for this service monthly.
- If you already have a TLS certificate or if you require a dedicated certificate, contact support@fastly.com to purchase one of Fastly's hosted TLS certificate options.
Also, when you are managing your TLS domains, keep the following in mind:
- You can only manage certificates with a paid Fastly account. If you're currently using a developer trial account, switch to a paid account first.
- You must be assigned the role of superuser or have been granted permission to manage account-level TLS. Only users with TLS management capabilities can manage domains on certificates.
- You can add up to a total of five TLS domains. If you require more than five domains, contact support@fastly.com.
- Each domain you add to a Fastly shared certificate increases your monthly bill. You'll be automatically charged for each addition the first full month in which it gets used.
Creating a TLS domain
To create a TLS domain, follow these steps:
- Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
-
Click the Shared and procured TLS link. The Shared and procured TLS page appears.
-
In the Domains area, click the Create TLS Domain button. A billing increase notification appears.
-
Click Proceed. The Create TLS domain page appears.
-
Fill out the Create TLS domain form as follows:
- In the Domain name field, type the fully qualified domain name to be added to the selected TLS certificate (e.g.,
www.example.comor*.example.com). - If the Certificate menu appears, select the certificate on which to create the domain. This menu only appears if you've previously arranged for Fastly to procure a certificate on your behalf.
- From the Verification option controls, select the method you prefer to use for domain ownership verification. The DNS verification method will be used by default unless you select another option.
- In the Domain name field, type the fully qualified domain name to be added to the selected TLS certificate (e.g.,
- Click the Create button. The request is sent to Fastly for creation and appears as a row in a table in the Domains area of the Transport Layer Security page.
TIP: The table in the Domains area always reflects the current state of your request during processing. You'll need to review that state as you verify domain ownership and when you connect your service to your TLS domain. Always review the state of your request before contacting support if you suspect trouble.
Verifying domain ownership
Any time you request addition of a domain to a certificate, you must verify you own the domain. This helps us ensure no one else is using your domain without your permission. To verify domain ownership, follow these steps:
-
On the Shared and procured TLS page, look in the Domains list for the TLS domain name you created and review the State.
-
When the State changes to Verification required (usually only a few minutes after Fastly receives your request), click the Verify link. The Verify TLS domain window appears.
- Depending on the verification method you selected, do one of the following:
- Verify the domain via DNS. You'll need to validate domain ownership by adding a DNS TXT record for your domain with your DNS provider.
- Verify the domain via email. You'll need to validate domain ownership by clicking the link that GlobalSign emails to the contact you've designated for your domain's WHOIS records.
- Verify the domain via URL. You'll need to validate domain ownership by uploading a text file to a specifically named web page served at the domain you're adding.
- Click the Verify button after you've completed the domain verification steps. This is Fastly's cue to add your domain to the certificate.
Within a few minutes of verification, you'll see the State change to Issued. This means the domain has begun propagating throughout Fastly's cache nodes and you're ready to connect a service. Within 60 minutes, the domain should be live and Fastly will begin the monthly billing process for these specific TLS certificate services.
Enabling TLS for your service
Once you've verified your domain ownership, you need to connect a service to your TLS domain. Follow these steps:
- On the Shared and procured TLS page, look in the Domains list for the TLS domain name you verified and review the State.
-
When the domain's State changes to Issued, click the DNS details link. The Domain details page appears.
- Use the information on the Domain details page to update the CNAME record or A Record for your domain with your DNS provider.
TIP: Once you've updated the CNAME or A record for your domain with your DNS provider, we suggest adding that domain to a new or existing service if you haven't already done so.
Deleting a TLS domain
IMPORTANT: Before you delete a TLS domain, we strongly recommend first modifying or deleting any DNS records pointing to the Fastly hostname associated with it. Follow the instructions on your DNS provider's website.
To delete a TLS domain, follow these steps:
- Log in to the Fastly web interface and click the Account link from the user menu. Your account information appears.
- Click the Shared and procured TLS link. The Shared and procured TLS page appears.
- In the Domains area, find the domain to be deleted and click the Delete link that appears to the right of the domain name on the same line. The deletion confirmation window appears.
- In the Re-enter domain name field, type the domain name to be deleted.
- Click the Confirm and Delete button. The request to remove the domain from the SAN certificate will be sent. This is Fastly's cue to remove the domain from the certificate.
- Watch the State for the submitted domain. Once the domain's state changes to Removed, the domain has been removed from the certificate and Fastly will discontinue charging you for these specific TLS certificate services.
Understanding domain states
The State column on the Shared and procured TLS page changes to reflect the current stage of processing for all domain requests.
| State | Description |
|---|---|
| Request initiated | We've sent your domain request to our partner certification authority. |
| Phishing check | Our partner certification authority is performing extra domain ownership verification on this request. |
| Verification required | The domain request is complete. Your domain ownership verification is now required. |
| Verifying | Your domain ownership verification is being confirmed by our partner certification authority. |
| Email verification sent | Our partner certification authority has sent you a domain ownership verification email that requires action on your part. |
| Issuing | The domain ownership verification was successful and now awaits final issuing before being added to your certificate. |
| Issued | The domain was successfully added to the certificate. It may take up to 60 minutes to become active. |
| Removing | Your request to remove a domain from a certificate is being processed. |
| Removed | A domain was successfully removed from the certificate. |
NOTE: Domains that do not get issued due to an error will be automatically removed after 3 weeks of inactivity. You can also manually remove domains if they get stuck in an error state in order to begin the verification process again.