Submitting a TLS Certificate

This article is only applicable if you would like to leverage a previously purchased TLS certificate to serve HTTPS traffic over the CDN. The recommended approach for HTTPS support is to allow CDN personnel to acquire a TLS certificate on your behalf.
Learn more.

A prerequisite for submitting a TLS certificate is to contact your CDN account manager. Your CDN account manager will enable the SSL Certificate Submission page (Tools menu | SSL Certificate Submission). Use this page to submit a TLS certificate by providing the following items:

Item	Description
Intermediate Certificate	An intermediate certificate is provided by a CA. More Information: An intermediate certificate proves ownership over a public key and establishes a chain of trust through which the requester's device can verify that the TLS certificate can be traced back to a trusted source (i.e., Root CA). In other words, it proves that your chosen CA is trusted by one of the root CAs. The use of an intermediate certificate is one of the security measures taken by CAs to ensure the integrity of the keys used by root certificates.
Public Key	A certificate containing a public key is provided by a CA. A public key allows a requester to verify the TLS certificate's digital signature.
Private Key	A private key should be stored on the server where the CSR was generated. This private key allows the server to encrypt/decrypt communication with the client.

Item

Description

Intermediate Certificate

An intermediate certificate is provided by a CA.

More Information:

An intermediate certificate proves ownership over a public key and establishes a chain of trust through which the requester's device can verify that the TLS certificate can be traced back to a trusted source (i.e., Root CA). In other words, it proves that your chosen CA is trusted by one of the root CAs.

The use of an intermediate certificate is one of the security measures taken by CAs to ensure the integrity of the keys used by root certificates.

Public Key

A certificate containing a public key is provided by a CA. A public key allows a requester to verify the TLS certificate's digital signature.

Private Key

A private key should be stored on the server where the CSR was generated. This private key allows the server to encrypt/decrypt communication with the client.

PEM Format

Please provide certificate and keys in PEM format.

Key information:

Submitting a certificate or key in a different format will generate an error.
Run the following OpenSSL command to check whether the certificate is in PEM format. This command will return an error if the certificate is in a different format.
openssl x509 -in CertificateName.crt -text -noout
Useful OpenSSL commands, including how to convert a certificate into PEM, can be found on the following web page:
https://www.sslshopper.com/article-most-common-openssl-commands.html
If you do not wish to convert your certificate to PEM format, then it will need to be submitted using a different method that may not offer the same level of security. For more information, please contact your CDN account manager.

To submit a TLS certificate

Gather the following items:
- Intermediate certificate
- Public key
- Private key
Perform the following:
- Verify that the PEM-encoded public key certificate matches the private key.
  
  Learn how.
- Verify that the CA signed the public key certificate.
  
  Learn how.
Open the intermediate certificate provided by the CA in a text editor.
Navigate to the SSL Certificate Submission page. If this page is unavailable, please contact your CDN account manager. How?From the main menu, navigate to Tools | SSL Certificate Submission.
Copy and paste the intermediate certificate into the Intermediate Certificate option.

View a sample intermediate certificate.

-----BEGIN CERTIFICATE-----

MIIDCTCCAfGgAwIBAgIJAPKeHhFoo9UvMA0GCSqGSIb3DQEBBQUAMBsxGTAXBgNV

BAMMEHd3dy5teWRvbWFpbi5jb20wHhcNMTQxMTE3MjAyMjMxWhcNMjQxMTE0MjAy

MjMxWjAbMRkwFwYDVQQDDBB3d3cubXlkb21haW4uY29tMIIBIjANBgkqhkiG9w0B

AQEFAAOCAQ8AMIIBCgKCAQEAzTaxMLbRdvdTiRmaVt8RMDweKfYBWhe3i3VsloVd

4jGEFBtH1bAlbfN/S4hRH5F28h1Ga1Unh/LeeFnKS9ZH0CHazrA6Ug+CyqENdQ3M

OjvHn6VHLxMC5nVhoPkBlTVPGGtceZh0AsAT+H8mW4xgzGON9hq9yUpLIuHwVkMx

lcmIc0pn9QIbPyQz5fOvVBGEZJ+NbUjYDp6ByHJFUme9ONm41aq47tG4rXLWf7wl

0C5uhUIKhcw+XT88GCxwVjANoDVnc1fMVFsFt9ogfQ7uX3TK/R9Rn/Jh7zmoxXOj

Mb0Tfzc/CeWnBh3C4MXAXeHXVFcMkHR6EGwq+5esGqt0rQIDAQABo1AwTjAdBgNV

HQ4EFgQUkIfpiCBm61RL5ahAR1jBOkGSfmowHwYDVR0jBBgwFoAUkIfpiCBm61RL

5ahAR1jBOkGSfmowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAhFJ5

B4HM8ReYqestuv/D21ZgUq8BpWpqqI8bdptnz+GFEEPtu2tDoAWDNDaPjMZF7x6G

2oz75+sdiio9lMtDOFulZxXHa4kcWZkmhB86VLaFHcBWVojQKi3rcT+8hsPX0pG4

sHa1oGo7E83yyaNmbBKya9U13jCZHdbppA2iOUJZ+5Kz9K6mHmKTX1dOo2u+hfHR

2hI1MLELMpD3IEGwlp0HmorgwwCXW1tW7Y8dgtM9XR2G7CkF4Q8551rwDOhv1ghE

DTgFbRAwtKc+SZ23NSreej+SuPTJPc+Go66X+bT/22h5sfQaE9PyL3FtqGaIskfT

+Amj8JQ5Rpi3vrdiLw==

-----END CERTIFICATE-----
Open the public key certificate provided by the CA in a text editor.
Copy and paste the public key certificate into the Public Key option.

View a sample public key certificate.

-----BEGIN CERTIFICATE-----

MIIDCTCCAfGgAwIBAgIJAPKeHhFoo9UvMA0GCSqGSIb3DQEBBQUAMBsxGTAXBgNV

BAMMEHd3dy5teWRvbWFpbi5jb20wHhcNMTQxMTE3MjAyMjMxWhcNMjQxMTE0MjAy

MjMxWjAbMRkwFwYDVQQDDBB3d3cubXlkb21haW4uY29tMIIBIjANBgkqhkiG9w0B

AQEFAAOCAQ8AMIIBCgKCAQEAzTaxMLbRdvdTiRmaVt8RMDweKfYBWhe3i3VsloVd

4jGEFBtH1bAlbfN/S4hRH5F28h1Ga1Unh/LeeFnKS9ZH0CHazrA6Ug+CyqENdQ3M

OjvHn6VHLxMC5nVhoPkBlTVPGGtceZh0AsAT+H8mW4xgzGON9hq9yUpLIuHwVkMx

lcmIc0pn9QIbPyQz5fOvVBGEZJ+NbUjYDp6ByHJFUme9ONm41aq47tG4rXLWf7wl

0C5uhUIKhcw+XT88GCxwVjANoDVnc1fMVFsFt9ogfQ7uX3TK/R9Rn/Jh7zmoxXOj

Mb0Tfzc/CeWnBh3C4MXAXeHXVFcMkHR6EGwq+5esGqt0rQIDAQABo1AwTjAdBgNV

HQ4EFgQUkIfpiCBm61RL5ahAR1jBOkGSfmowHwYDVR0jBBgwFoAUkIfpiCBm61RL

5ahAR1jBOkGSfmowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAhFJ5

B4HM8ReYqestuv/D21ZgUq8BpWpqqI8bdptnz+GFEEPtu2tDoAWDNDaPjMZF7x6G

2oz75+sdiio9lMtDOFulZxXHa4kcWZkmhB86VLaFHcBWVojQKi3rcT+8hsPX0pG4

sHa1oGo7E83yyaNmbBKya9U13jCZHdbppA2iOUJZ+5Kz9K6mHmKTX1dOo2u+hfHR

2hI1MLELMpD3IEGwlp0HmorgwwCXW1tW7Y8dgtM9XR2G7CkF4Q8551rwDOhv1ghE

DTgFbRAwtKc+SZ23NSreej+SuPTJPc+Go66X+bT/22h5sfQaE9PyL3FtqGaIskfT

+Amj8JQ5Rpi3vrdiLw==

-----END CERTIFICATE-----
Open the private key in a text editor.
Copy and paste the private key into the Private Key option.
Click Submit.

To verify that the public key certificate and the private key match

Run the following two OpenSSL commands.

openssl x509 -noout -modulus -in CertificateName.crtReplace this term with the public key certificate's file name. | openssl md5

openssl rsa -noout -modulus -in private.keyReplace this term with the private key's file name. | openssl md5
Verify that the above two commands generate the same result.

To verify that the CA signed the public key certificate

Run the following command:

openssl verify -CAfile -verbose

Consider the public key certificate verified when the above command returns OK. All other results indicate that the public key certificate has not been properly signed.

To verify the public key certificate's attributes

Run the following command to verify the certificate's common name and issue\expire

openssl x509 -noout -text -in | grep -E "Subject:" && openssl x509 -noout -text -in | grep -E "Validity" -A 2 && openssl x509 -noout -text -in | grep -E "DNS:" -B 1