Concepts
What are SSL/TLS certificates
SSL is a protocol that operates between the TCP/IP protocol and various application layer protocols. With SSL, a client such as a browser can verify the authenticity and integrity of the server it is connecting with, and use encryption to exchange information. The Internet Engineering Task Force (IETF) standardized SSL as Transport Layer Security (TLS). Thus, SSL and TLS are often collectively referred to as SSL/TLS.
SSL/TLS certificates are digital certificates issued by a certificate authority (CA) for website identity authentication and data encryption. These certificates facilitate secure communication over the SSL/TLS protocol. This helps ensure the confidentiality and integrity of data transmission.
HTTPS is the secure version of HTTP. It encrypts data transmission using SSL/TLS, and SSL/TLS certificates enable website identity authentication and secure data exchange.
Why HTTPS
HTTPS secure transmission safeguards communications against eavesdropping, tampering, impersonation, and hijacking. It encrypts sensitive information, such as session IDs and cookies, during transmission to reduce the risk of data breaches.
HTTPS has become a mainstream standard. Continuing to use HTTP not only poses security risks but also degrades user experience, because insecure indicators are displayed when end users visit your website.
Mainstream search engines assign a higher weight to HTTPS-enabled websites. Enabling HTTPS can improve your website's search engine ranking.
How data transfer over HTTPS works
The SSL/TLS configurations can be divided into two parts:
The following figure shows encryption with edge certificates:

Deploy the SSL certificate and enable SSL/TLS on ESA POPs. This way, clients can access ESA over HTTPS.
The following figure shows encryption with client certificates:

If mutual Transport Layer Security (mTLS) is required for the connection between clients and ESA, you can use the ESA-managed CA to generate a certificate and configure it on the client. When mTLS is enabled, ESA requires the client to present its certificate and then verifies that certificate.
The following figure shows encryption with origin certificates:

You can configure the following SSL/TLS features for the connection to your origin:
Origin protocol and port: Set the protocol (HTTP or HTTPS) and corresponding port for ESA to access the origin server.
Enforce validation of the origin certificate: By default, the origin certificate is not validated for origin pulls over HTTPS. If you enable Enforce Validation of Origin Certificate, ESA will check the validity of the origin certificate, including its expiration and CA validation status. Any connections that fail the validation will be terminated.
Authenticated origin pulls: The origin server requests and verifies the certificate of ESA to confirm its identity.
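A pre-flight check to run against your origin before enabling Enforce Validation of Origin Certificate, added here as an example (it is not Alibaba Cloud or ESA code). It assumes Python's default trust store and hostname check approximate ESA's validation, which this page does not specify; `expiry_status`, `preflight`, the sample certificate and `origin.example.com` are hypothetical.

```python
import socket
import ssl
import time

# Constructed sample in the dict shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "origin.example.com"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}

def expiry_status(cert, now=None, warn_days=30):
    """Classify a getpeercert() dict by its validity window."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    if not_after - now < warn_days * 86400:
        return "expiring-soon"
    return "ok"

def preflight(host, port=443, timeout=5):
    """Handshake with the origin the way a validating client would."""
    # Assumption: Python's default context (system CA store, CERT_REQUIRED,
    # hostname check) stands in for ESA's validation, which may differ.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return expiry_status(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        # Untrusted CA, expired certificate, or name mismatch.
        return "rejected: " + exc.verify_message
    except OSError as exc:
        return "unreachable: " + str(exc)

if __name__ == "__main__":
    print(expiry_status(SAMPLE_CERT))       # constructed sample, judged as of today
    print(preflight("origin.example.com"))  # placeholder hostname
```

A `rejected:` or `expired` result means origin pulls would be terminated once enforcement is on, so fix the origin certificate first.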
Availability
| | Entrance | Pro | Premium | Enterprise |
| --- | --- | --- | --- | --- |
| Free single domain certificates | 10 | 30 | 50 | 100 |
| Custom certificates | 5 | 10 | 20 | 50 |