This topic answers frequently asked questions about SSL/TLS to clarify its concepts, features, and use cases.
How to handle certificate risk warnings?
Problem
After you configure an HTTPS certificate for a domain on the Edge Security Accelerator (ESA) console, a certificate risk warning still appears when you browse the website.
Possible causes and solutions
The certificate has expired: Renew the certificate and then update it on the ESA console. If you purchased the certificate from SSL Certificates Service, refer to SSL Certificate Renewal and Expiration for renewal instructions, and then update the certificate.
Incorrect system time: An incorrect time on your computer can cause a certificate to appear expired or fail validation, which triggers a risk warning. Correct the system time on your computer and then try to access the website again.
A self-signed certificate is used: A self-signed certificate is one that you generate yourself rather than obtain from a trusted certificate authority (CA). Browsers do not trust self-signed certificates because no third party has verified the identity behind them: a visitor cannot tell your certificate apart from one presented by an attacker in a spoofing or man-in-the-middle attack, so the browser shows a risk warning. We recommend that you replace it with a certificate issued by a trusted CA. You can purchase a certificate from SSL Certificates Service.
The webpage contains HTTP resources (mixed content): An HTTPS page that loads scripts, stylesheets, images, or other resources over plain HTTP triggers a mixed-content warning. Change all HTTP resource links to HTTPS.
The TLS version is outdated: The SSL/TLS protocol suite includes SSLv2, SSLv3, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3. Currently, only TLS 1.2 and TLS 1.3 are considered secure. On the ESA console, you must disable legacy TLS versions and enable TLS 1.2 or TLS 1.3. For more information, see Configure TLS Version and Cipher Suites.
A weak cipher suite is used: We recommend that you use a cipher suite with the 128-bit AES-GCM encryption algorithm.
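As an added diagnostic that is not part of the original page or of ESA's own tooling, the following Python maps the causes listed above onto what the standard ssl module reports for a connection. The sample certificate, the fixed observation time and the list of cipher-name markers treated as strong are my own assumptions.

```python
import socket
import ssl
import time

MODERN_VERSIONS = {"TLSv1.2", "TLSv1.3"}
# Substrings that mark AEAD suites in OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256, TLS_AES_128_GCM_SHA256)
STRONG_CIPHER_MARKERS = ("AES128-GCM", "AES256-GCM", "AES_128_GCM", "AES_256_GCM", "CHACHA20")
RENEWAL_WINDOW_DAYS = 15  # ESA starts renewing a free certificate 15 days before expiry

def diagnose(cert, version, cipher, now=None):
    """Check a peer certificate dict (shape of SSLSocket.getpeercert()), a protocol name
    (SSLSocket.version()) and a cipher name (SSLSocket.cipher()[0]) against the causes above."""
    now = time.time() if now is None else now
    findings = []
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        findings.append("certificate has expired: renew it and update it on the ESA console")
    elif days_left < RENEWAL_WINDOW_DAYS:
        findings.append(f"certificate expires in {days_left:.0f} days: check that renewal succeeded")
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed certificate: browsers will not trust it; use a CA-issued one")
    if version not in MODERN_VERSIONS:
        findings.append(f"legacy protocol {version}: disable it and enable TLS 1.2 or TLS 1.3")
    if not any(marker in cipher for marker in STRONG_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {cipher}: prefer an AES-GCM suite")
    return findings

def probe(host, port=443, timeout=5):
    """Connect to a live site and diagnose it (needs network access). An expired or
    self-signed chain fails verification first; verify_message names the OpenSSL cause."""
    ctx = ssl.create_default_context()  # system trust store, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return diagnose(tls.getpeercert(), tls.version(), tls.cipher()[0])
    except ssl.SSLCertVerificationError as err:
        return [f"chain verification failed: {err.verify_message}"]

# Constructed sample, not from a real site: self-signed, expired ten days before 2026-03-15 12:00 UTC
SAMPLE_NOW = 1773576000
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "www.example.com"),),),
    "notAfter": "Mar 05 12:00:00 2026 GMT",
}
if __name__ == "__main__":
    for line in diagnose(SAMPLE_CERT, "TLSv1", "AES128-SHA", SAMPLE_NOW):
        print("-", line)
```

probe("www.example.com") runs the same checks against a live site; a chain that browsers reject fails verification before the per-field checks run, so the returned finding then carries OpenSSL's own reason.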
How to handle an expired ESA certificate?
ESA supports automatic renewal for free certificates. This process does not affect the currently deployed certificate.
Automatic renewal schedule: ESA automatically attempts to renew the free certificate 15 days before it expires. This process does not require a new application and does not count against your certificate quota.
Risk of renewal failure: Because the free certificate is issued by Let's Encrypt, renewal depends on Let's Encrypt successfully validating your domain, and it may fail because of issues such as domain name resolution errors or validation failures.
If automatic renewal fails, ESA notifies you by SMS and email. You must then manually upload a new certificate to prevent service disruptions.
What is HTTPS?
Hypertext Transfer Protocol Secure (HTTPS) is a secure protocol that encrypts data that would otherwise be transmitted over plain HTTP. HTTP sends content in plaintext and provides no encryption. HTTPS is a secure version of HTTP that encapsulates web traffic within the SSL or TLS protocol. It provides authentication and encrypted communication and is widely used for sensitive communications on the World Wide Web, such as financial transactions. To configure HTTPS on ESA, refer to SSL/TLS Quick Start to deploy a certificate across all ESA nodes and enable network-wide data encryption.