Edge Security Acceleration:Configure client certificates

Last Updated:Mar 24, 2025

After you configure a client certificate, you can enable mutual TLS (mTLS) authentication between the client and an Edge Security Acceleration (ESA) point of presence (POP). With mTLS, the POP verifies the certificate that the client presents during the TLS handshake, so only clients that hold a certificate issued by a trusted CA can reach the protected domain names.

Issue a certificate provided by ESA

Create and deploy a client certificate using the Certificate Authority (CA) provided by ESA. This CA is unique to each account and is trusted by POPs by default, so you do not need to upload a CA certificate.

Create a certificate

  1. In the ESA console, choose Websites and click the website name you want to manage.

  2. In the left-side navigation pane, choose SSL/TLS > Client Certificates. Then, click Create Certificate.

  3. Set CSR Generation, Private Key Type, and Certificate Validity as needed.

    Note

    The default validity period for a certificate is one year.

  4. Click OK.

    Important

    In the Preview Certificate dialog box, copy the certificate and the private key to your client. They are displayed only once: after you close the dialog box, neither the certificate nor the private key can be retrieved again, and you must create a new certificate if you lose them.

Bind a domain name

Binding a client certificate to a domain name enables mTLS authentication for that domain name. Only clients that present a valid client certificate issued by your account's CA can access the services or resources served under it.

  1. In the ESA console, choose Websites and click the website name you want to manage.

  2. In the left-side navigation pane, choose SSL/TLS > Client Certificates.

  3. In the Domain Names section, click Configure and set Domain Name.

    Note
    • You can enter up to 50 domain names at a time.

    • Each domain name that you enter must belong to the website you are managing.

  4. Click OK.

Revoke a certificate

If a certificate is no longer needed, for example because the client that held it has been decommissioned or its private key may have been exposed, revoke it:

  1. In the ESA console, choose Websites and click the website name you want to manage.

  2. In the left-side navigation pane, choose SSL/TLS > Client Certificates.

  3. In the Actions column, click Revoke.

  4. In the dialog box that appears, select I confirm that the certificate is no longer required and click OK.

Issue a custom certificate

In addition to client certificates issued by the CA of ESA, you can use client certificates issued by your own private CA. In that case you must upload the CA certificate so that POPs can verify the client certificates that chain to it.

Note

Custom certificates can be issued only in OpenAPI Explorer. Up to five certificates can be uploaded per plan.

Create a certificate

  1. Call the UploadClientCaCertificate API to upload the CA root certificate, and record the certificate ID that is returned in the response in OpenAPI Explorer.

  2. Call the SetClientCertificateHostnames API to bind the hostnames for which the CA certificate takes effect. Only bound hostnames use mTLS authentication and have client certificates checked against this CA.

  3. Call other APIs as needed by referring to the following table.

    API Name                          Description
    UploadClientCaCertificate         Upload a custom CA certificate.
    ListClientCaCertificates          List all custom CA certificates that have been uploaded.
    DeleteClientCaCertificate         Delete a custom CA certificate.
    GetClientCaCertificate            Query the details of a custom CA certificate.
    SetClientCertificateHostnames     Bind domain names to a custom CA certificate.
    GetClientCertificateHostnames     Query the domain names bound to a custom CA certificate.

Intercept failed authentication requests

Configure a Web Application Firewall (WAF) rule to intercept requests that fail client certificate verification, including requests that present no client certificate at all.

Create a WAF rule

  1. In the ESA console, choose Websites and click the website name you want to manage.

  2. In the left-side navigation pane, choose SSL/TLS > Client Certificates. Then, click Create mTLS Rule.


  3. In the panel that appears, customize a WAF rule.

    • Client Certificate Verified: Retain the default setting, which matches requests whose client certificate was not verified.

    • Hostname: Enter the name of the domain that you want to intercept.

      Important

      Make sure that you configure the hostname condition. Without it, the rule applies to every domain name of the website, and all requests that did not present a client certificate or failed certificate verification are intercepted.


  4. Set Action to Block. You can choose a different action if your scenario requires one.


  5. Click OK.

    After the rule is created, requests to the domain name that did not present a client certificate or failed certificate verification are intercepted and receive a 403 error code.