This topic describes the certificate types supported by Edge Security Acceleration (ESA) and how to configure them.
Edge certificate
You can configure edge certificates on ESA and enable the SSL/TLS feature to encrypt communications between clients and points of presence (POPs), which protects the confidentiality and integrity of data in transit. By default, the SSL/TLS feature is enabled. You can configure an edge certificate for your website by requesting a free certificate or by uploading a custom certificate.
To further improve access speed and security performance, ESA provides the following features:
Force redirect to HTTPS (Always Use HTTPS in the console): when a client sends a plain-HTTP request, ESA answers with a 301 redirect to the same URL over HTTPS instead of serving the content in clear text.
TLS cipher suites and versions: When a client sends an HTTPS request to an ESA POP, the client and the POP perform a Transport Layer Security (TLS) handshake and negotiate a TLS version and cipher suite that both support. You can restrict which versions and cipher suites the POP accepts, so that a client cannot negotiate down to weak legacy options.
OCSP stapling: The POP obtains the signed revocation status of the edge certificate from the CA's OCSP responder, caches it, and attaches (staples) it to the TLS handshake. Clients no longer have to query the CA themselves, which shortens certificate verification and speeds up access.
Opportunistic encryption: When a browser visits a website that has this feature enabled over plain HTTP, ESA POPs automatically add the Alt-Svc response header to inform the browser that the website is also available over a secure connection, such as HTTP/2 over TLS, typically on port 443.
HSTS: HTTP Strict Transport Security, a web security policy mechanism by which a website declares, through the Strict-Transport-Security response header, that it may only be accessed over HTTPS. Browsers that have seen the header refuse plain-HTTP connections to the site for the declared max-age, so enable it only after every host covered by the policy serves HTTPS correctly.
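The following checker, added here as an example and not code from the ESA documentation or product, audits the responses a browser receives from an edge for three of the settings above: the 301 redirect to HTTPS, HSTS (counting the header only when it arrives over HTTPS, since browsers ignore it on plain HTTP), and the Alt-Svc header used for opportunistic encryption. The sample responses and the host www.example.com are constructed placeholders, and the one-year minimum max-age is an assumed policy threshold.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Response:
    """One response as the browser saw it (header names lower-cased)."""
    scheme: str          # scheme the request was sent over: "http" or "https"
    host: str
    path: str
    status: int
    headers: dict = field(default_factory=dict)


def check_https_redirect(resp: Response) -> list[str]:
    """Force redirect to HTTPS: a plain-HTTP request must get a permanent redirect to the same URL over HTTPS."""
    if resp.scheme != "http":
        return []
    if resp.status not in (301, 308):
        return [f"HTTP request answered with {resp.status}, expected 301 redirect to HTTPS"]
    target = urlsplit(resp.headers.get("location", ""))
    findings = []
    if target.scheme != "https":
        findings.append(f"redirect target is not HTTPS: {target.geturl()!r}")
    if target.hostname != resp.host:
        findings.append(f"redirect changes host: {resp.host} -> {target.hostname}")
    if (target.path or "/") != resp.path:
        findings.append(f"redirect drops path: {resp.path} -> {target.path or '/'}")
    return findings


def parse_hsts(value: str) -> dict[str, str]:
    """Split a Strict-Transport-Security value into directives (RFC 6797); valueless directives map to ''."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def check_hsts(resp: Response, min_max_age: int = 31536000) -> list[str]:
    """HSTS: only a header received over HTTPS counts; browsers ignore it on plain HTTP (RFC 6797 section 8.1)."""
    if resp.scheme != "https":
        return []
    value = resp.headers.get("strict-transport-security")
    if value is None:
        return ["HTTPS response carries no Strict-Transport-Security header"]
    max_age = parse_hsts(value).get("max-age", "")
    if not max_age.isdigit():
        return [f"HSTS max-age missing or invalid in {value!r}"]
    if int(max_age) < min_max_age:
        return [f"HSTS max-age {max_age} is below {min_max_age} seconds"]
    return []


def parse_alt_svc(value: str) -> list[tuple[str, str, int | None]]:
    """Return (protocol, host, port) triples from an Alt-Svc header (RFC 7838); 'clear' yields none."""
    if value.strip() == "clear":
        return []
    alts = []
    for entry in value.split(","):
        m = re.match(r'\s*([\w.-]+)="([^"]*)"', entry)
        if m:
            host, _, port = m.group(2).rpartition(":")
            alts.append((m.group(1), host, int(port) if port.isdigit() else None))
    return alts


def check_opportunistic_encryption(resp: Response) -> list[str]:
    """Opportunistic encryption: the plain-HTTP response should advertise h2 or h3 over TLS on port 443."""
    if resp.scheme != "http":
        return []
    alts = parse_alt_svc(resp.headers.get("alt-svc", ""))
    if any(proto in ("h2", "h3") and port == 443 for proto, _host, port in alts):
        return []
    return ["no Alt-Svc entry advertising h2/h3 on port 443"]


def audit(resp: Response) -> list[str]:
    """Run all three checks; an empty list means the response matches the hardened policy."""
    return check_https_redirect(resp) + check_hsts(resp) + check_opportunistic_encryption(resp)


# Constructed sample responses (placeholder host), not captured from a real edge.
HARDENED_HTTP = Response("http", "www.example.com", "/login", 301,
                         {"location": "https://www.example.com/login", "alt-svc": 'h2=":443"; ma=86400'})
HARDENED_HTTPS = Response("https", "www.example.com", "/login", 200,
                          {"strict-transport-security": "max-age=31536000; includeSubDomains"})
WEAK_HTTP = Response("http", "www.example.com", "/login", 200,
                     {"strict-transport-security": "max-age=31536000"})   # HSTS over HTTP is ignored
WEAK_HTTPS = Response("https", "www.example.com", "/login", 200,
                      {"strict-transport-security": "max-age=300"})

if __name__ == "__main__":
    for name, resp in [("hardened http", HARDENED_HTTP), ("hardened https", HARDENED_HTTPS),
                       ("weak http", WEAK_HTTP), ("weak https", WEAK_HTTPS)]:
        print(name, audit(resp) or ["ok"])
```

The WEAK_HTTP sample shows the point that matters most in practice: an HSTS header sent on a plain-HTTP response gives no protection, because the browser discards it; the policy only takes effect once the site redirects to HTTPS and repeats the header there.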
Procedure
In the ESA console, choose Websites and click the website name you want to manage.
In the left-side navigation pane, go to the Edge Certificates page.
On the Edge Certificates page, configure an edge certificate and the other settings, such as Always Use HTTPS and TLS Cipher Suite and Version.
Client certificate
A client certificate is used to verify a client's identity during network communication. When a client attempts to connect to a server that requires authentication, it can prove its identity by presenting a client certificate. You can directly use the ESA-managed CA to create client certificates, or configure your custom client certificates by calling APIs.
You can also bind client certificates to specific domain names and enable mTLS for them. Enabling mTLS only verifies the validity of the client certificate that a request presents, that is, its issuer and validity period; it does not by itself return a block page for requests that fail the check. To return a block page for requests that fail the authentication, create an mTLS rule.
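To make the distinction between enabling mTLS and creating an mTLS rule concrete, here is an added example (not ESA's code) that models the decision an edge makes per request. It assumes that a request which fails verification is still forwarded when no rule exists, which is how the paragraph above reads. The certificate dicts are constructed in the shape returned by Python's ssl.SSLSocket.getpeercert(), the CA name and hostnames are placeholders, and the clock is fixed so the run is reproducible.

```python
import ssl
import time

# Placeholder subject of the CA that signs client certificates; in ESA this would be the
# ESA-managed CA or the custom CA you configure.
EDGE_CA_NAME = ((("commonName", "Example Edge Client CA"),),)

# Constructed certificates in the shape returned by ssl.SSLSocket.getpeercert(); not real credentials.
VALID_CERT = {
    "subject": ((("commonName", "partner-client-01"),),),
    "issuer": EDGE_CA_NAME,
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
EXPIRED_CERT = dict(VALID_CERT, notAfter="Jan  1 00:00:00 2025 GMT")
FOREIGN_CERT = dict(VALID_CERT, issuer=((("commonName", "Some Other CA"),),))

# Fixed clock so the example is reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")


def client_cert_is_valid(peercert, now=None):
    """The check that enabling mTLS performs: issued by the configured CA and inside its validity window."""
    if not peercert:
        return False
    now = time.time() if now is None else now
    if peercert.get("issuer") != EDGE_CA_NAME:
        return False
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    return not_before <= now <= not_after


def handle_request(peercert, host, mtls_hosts, mtls_rule_hosts, now=None):
    """Decide what happens to a request for `host`.

    Returns "allow" (certificate verified), "allow-unverified" (mTLS not enabled for the
    host, or enabled without a rule so a missing or bad certificate is not enforced),
    or "block" (the mTLS rule returns the block page).
    """
    if host not in mtls_hosts:
        return "allow-unverified"
    if client_cert_is_valid(peercert, now):
        return "allow"
    return "block" if host in mtls_rule_hosts else "allow-unverified"


if __name__ == "__main__":
    host = "api.example.com"
    for label, cert in [("valid", VALID_CERT), ("expired", EXPIRED_CERT),
                        ("foreign CA", FOREIGN_CERT), ("none", None)]:
        print(label, "without rule:", handle_request(cert, host, {host}, set(), SAMPLE_NOW),
              "| with rule:", handle_request(cert, host, {host}, {host}, SAMPLE_NOW))
```

The "none" case is the one to test after enabling mTLS on a domain: send a request with no client certificate and confirm it receives the block page, which only happens once the rule is in place.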
Procedure
In the ESA console, choose Websites and click the website name you want to manage.
In the left-side navigation pane, go to the Client Certificates page.
On the Client Certificates page, configure the certificate and the domain names it applies to.
Origin certificate
You can configure the following features:
Origin Protocol and Port: configures the protocol that ESA uses to pull content from your origin and corresponding origin port.
Enforce Validation of Origin Certificate: makes ESA verify the certificate that your origin presents when content is pulled over HTTPS. Without this setting the connection to the origin is encrypted but the origin is not authenticated, so an invalid or untrusted certificate is accepted.
Authenticated Origin Pulls: when mTLS is enabled on your origin, ESA presents a client certificate to the origin so that the origin can verify that requests come from ESA and reject requests that bypass the edge.
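As an added example (not ESA's code), the TLS contexts below express what the two origin settings above mean at the protocol level, with the weak configuration beside the hardened one. File paths are placeholders for the CA bundle that signs your origin certificate and for the client certificate an edge would present for authenticated pulls; TLS 1.2 as the floor is an assumed policy.

```python
import ssl

# Defaults for Origin Protocol and Port; an origin may use a custom port instead.
ORIGIN_PORTS = {"http": 80, "https": 443}


def origin_pull_context(enforce_validation, origin_ca=None, pull_cert=None, pull_key=None):
    """Client-side context an edge uses to pull content from the origin over HTTPS.

    enforce_validation=False is the weak setting: the tunnel is encrypted but the peer is
    never checked, so a self-signed, expired or mis-named certificate is accepted and anyone
    on the path between POP and origin can impersonate the origin.
    """
    if enforce_validation:
        # Enforce Validation of Origin Certificate: chain to a trusted CA and match the hostname.
        ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=origin_ca)
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if pull_cert:
        # Authenticated Origin Pulls: present the edge's client certificate to the origin.
        ctx.load_cert_chain(pull_cert, pull_key)
    return ctx


def origin_server_context(server_cert, server_key, edge_ca):
    """Server-side context for an origin that accepts only authenticated pulls.

    edge_ca is the CA that issued the edge's client certificate; handshakes without a
    certificate chaining to it fail before any HTTP request is read.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=edge_ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(server_cert, server_key)
    return ctx


def describe(ctx):
    """Summarise the security-relevant settings of a context as plain values."""
    return {
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "tls12_or_newer": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    print("validation enforced:", describe(origin_pull_context(True)))
    print("validation off:     ", describe(origin_pull_context(False)))
```

The origin-side context is the other half of Authenticated Origin Pulls: it is the origin, not ESA, that must be configured to require the client certificate, otherwise direct requests that skip the edge are still served.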
Procedure
In the ESA console, choose Websites and click the website name you want to manage.
In the left-side navigation pane, go to the Origin Certificates page.
On the Origin Certificates page, configure Origin Protocol and Port, Enforce Validation of Origin Certificate, and Authenticated Origin Pulls as needed.