After configuring a client certificate, you can enable mutual TLS (mTLS) authentication between the client and a point of presence (POP) in Edge Security Acceleration (ESA). With mTLS, the POP verifies the certificate presented by the client, so only clients that hold a valid certificate can reach the protected services.
Issue a certificate provided by ESA
Create and deploy a client certificate using the Certificate Authority (CA) provided by ESA, which is unique per account and trusted by POPs by default.
Create a certificate
In the ESA console, choose Websites and click the website name you want to manage.
In the left-side navigation pane, choose
Then, click Create Certificate. Set CSR Generation, Private Key Type, and Certificate Validity as needed.
Note: The default validity period for a certificate is one year.
Click OK.
Important: In the Preview Certificate dialog box, copy the certificate and the private key to your client and store the private key securely. After you close the dialog box, they are no longer accessible; if the key is lost, revoke the certificate and create a new one.
Bind a domain name
Binding a client certificate to a domain name enables mTLS authentication for that domain name. Only clients that present a valid certificate issued by the trusted CA can access the bound services or resources.
In the ESA console, choose Websites and click the website name you want to manage.
In the left-side navigation pane, choose
In the Domain Names section, click Configure and set Domain Name.
Note: You can enter up to 50 domain names at a time. Each domain name must belong to the website that you are managing.
Click OK.
Revoke a certificate
If a certificate will no longer be in use, you can revoke it:
In the ESA console, choose Websites and click the website name you want to manage.
In the left-side navigation pane, choose
In the Actions column, click Revoke.
In the dialog box that appears, select I confirm that the certificate is no longer required and click OK.
Issue a custom certificate
In addition to client certificates issued by the CA of ESA, you can use client certificates issued by your own private CA. In that case, you must upload the CA certificate so that POPs can verify client certificates against it.
Custom CA certificates can be configured only through the API, for example in OpenAPI Explorer. Up to five CA certificates can be uploaded per plan.
Create a certificate
Call the UploadClientCaCertificate API to upload the CA root certificate and record the certificate ID returned in the response.
Call the SetClientCertificateHostnames API to bind the hostnames for which the certificate takes effect. Only bound hostnames use mTLS authentication and verify client certificates against this CA.
Call other APIs as needed by referring to the following table.
API Name | Description
UploadClientCaCertificate | Upload an issued custom CA certificate.
 | Display all issued custom CA certificates that have been uploaded.
 | Delete an issued custom CA certificate.
 | Query details of an issued custom CA certificate.
SetClientCertificateHostnames | Bind domain names to an issued custom CA certificate.
 | Query the domain names bound to an issued custom CA certificate.
Intercept failed authentication requests
Create Web Application Firewall (WAF) rules to intercept requests whose client certificate failed verification or that presented no client certificate at all.
Create a WAF rule
In the ESA console, choose Websites and click the website name you want to manage.
In the left-side navigation pane, choose
Then, click Create mTLS Rule. In the panel that appears, configure the WAF rule:
Client Certificate Verified: retain the default setting.
Hostname: Enter the name of the domain that you want to intercept.
Important: Make sure that you configure the Hostname condition. Without it, the rule intercepts every request to the website that has not been authenticated or that failed certificate verification, including requests to domain names that have no client certificate bound.
Set Action to Block. If you only want to observe the effect first, you can choose another action and switch to Block later.
Click OK.
After the rule is created, requests to the domain name that have not been authenticated or that failed certificate verification are intercepted and answered with HTTP status code 403.
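What the POP checks once a hostname is bound and a CA is trusted can be modelled end to end with Go's standard TLS stack. The following is an added example and is not part of this page or of ESA: a local TLS server stands in for the POP, one throwaway CA stands in for the account CA that ESA trusts by default, a second throwaway CA stands in for a private CA that was never uploaded with UploadClientCaCertificate, and only api.example.com (a placeholder hostname, as is www.example.com) is bound, the way SetClientCertificateHostnames binds hostnames. It then reports which connections are accepted: a certificate from the trusted CA on a bound hostname passes, a missing certificate or one from the unregistered CA is rejected, and an unbound hostname asks for no certificate at all. ESA surfaces the two failures as a 403 from the WAF rule above rather than as a TLS error; here the rejection shows up at the TLS layer. All names, keys and certificates are constructed at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue signs a certificate for cn with parent/parentKey; a CA (isCA) is self-signed.
// Throwaway P-256 keys stand in for the keys ESA or a private CA would hold (constructed data).
func issue(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey any) (*x509.Certificate, tls.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour), // one year, the ESA default
		KeyUsage:  x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if isCA { // a self-signed root that may sign leaf certificates
		tmpl.KeyUsage, tmpl.ExtKeyUsage = tmpl.KeyUsage|x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// startServer plays the POP: a client certificate is required and verified against
// trusted only when the SNI hostname is bound, mirroring ESA's per-hostname binding.
func startServer(serverCert tls.Certificate, trusted *x509.CertPool, bound map[string]bool) net.Listener {
	base := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: trusted}
	base.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		cfg := base.Clone()
		if bound[hello.ServerName] {
			cfg.ClientAuth = tls.RequireAndVerifyClientCert
		}
		return cfg, nil
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", base)
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			if c.(*tls.Conn).Handshake() == nil { // only a verified client gets a reply
				c.Write([]byte("ok"))
			}
			c.Close()
		}
	}()
	return ln
}

// connect dials as a client for host; nil means the server accepted the connection. The cert is
// always offered (as curl --cert does) so the server decides; the Read matters because under
// TLS 1.3 a rejected client certificate only surfaces after Dial has returned.
func connect(addr, host string, roots *x509.CertPool, clientCert *tls.Certificate) error {
	cfg := &tls.Config{ServerName: host, RootCAs: roots}
	if clientCert != nil {
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return clientCert, nil }
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Read(make([]byte, 2))
	return err
}

// Scenarios reports, per case, whether the stand-in POP accepted the connection.
func Scenarios() map[string]bool {
	originCA, originTC := issue("Origin CA", nil, true, nil, nil)
	_, srvTC := issue("edge", []string{"api.example.com", "www.example.com"}, false, originCA, originTC.PrivateKey)
	accountCA, accountTC := issue("ESA account CA", nil, true, nil, nil) // the CA the POP trusts
	otherCA, otherTC := issue("Unregistered CA", nil, true, nil, nil)    // a private CA that was never uploaded
	_, goodTC := issue("client-1", nil, false, accountCA, accountTC.PrivateKey)
	_, badTC := issue("client-2", nil, false, otherCA, otherTC.PrivateKey)
	trusted, roots := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(accountCA)
	roots.AddCert(originCA)
	ln := startServer(srvTC, trusted, map[string]bool{"api.example.com": true}) // only api.* is bound
	defer ln.Close()
	addr := ln.Addr().String()
	return map[string]bool{
		"bound host, cert from trusted CA": connect(addr, "api.example.com", roots, &goodTC) == nil,
		"bound host, no client cert":       connect(addr, "api.example.com", roots, nil) == nil,
		"bound host, cert from unknown CA": connect(addr, "api.example.com", roots, &badTC) == nil,
		"unbound host, no client cert":     connect(addr, "www.example.com", roots, nil) == nil,
	}
}

func main() { fmt.Println(Scenarios()) }
```

Run it with `go run`; the map shows true only for the trusted certificate on the bound hostname and for the unbound hostname. Two details carry over to real testing against ESA: Go's default client quietly withholds a certificate whose issuer is not in the server's acceptable-CA list, which is why the example forces the certificate through GetClientCertificate (curl --cert sends it unconditionally), and with TLS 1.3 a rejected client certificate is reported to the client only on the first read or write after the handshake, so a tool that merely completes the handshake can report success for a connection the POP has already refused.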