Bulk Certificates
WARNING: This information is part of a limited availability release. Portions of this API may be subject to changes and improvements over time. Fields marked deprecated may be removed in the future and their use is discouraged. For more information, see our product and feature lifecycle descriptions.
Available to Platform TLS customers, these endpoints streamline the upload, deployment and management of large numbers of TLS certificates. A certificate is used to terminate TLS traffic for one or more of your fully qualified domain names (domains). Uploading a new certificate automatically enables TLS for all domains listed as Subject Alternative Names (SAN entries) on the certificate.
Limitations & conditions
The Platform TLS Certificate Deployment Service has the following general limitations:
- This service is not available for private CDN deployments.
- To take advantage of this service, you must procure your own certificates from the certification authority (CA) of your choice. Fastly will not procure certificates on your behalf.
In addition, certificates are deployed using the Platform TLS Certificate Service with the following conditions:
- Certificates hosted using SNI will only be served to browsers that support SNI. Browsers that do not support SNI will not receive the correct certificate for the domain requested.
- The certificate deployment process takes an average of approximately 20 minutes to complete once a certificate is submitted, but may take as long as an hour.
- Fastly will automatically choose the certificate delivered for a given request based on the host requested.
- The certificate with the most specific hostname will be prioritized over certificates with less specific hostnames. For example, on a request for api.example.com, Fastly will prioritize a certificate with a SAN entry for api.example.com over a different certificate with a SAN entry for *.example.com.
- If an identical hostname appears on more than one certificate, then the most recently uploaded certificate will be used. We recommend that you manage certificates such that hostnames remain unique for them.
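The selection rules above can be checked against a certificate inventory before upload. The following is an added example, not Fastly code: it models the two stated rules and reports hostnames that appear on more than one certificate. The dictionary shape and sample data are constructed, and it assumes that a wildcard SAN covers exactly one leftmost label and that `created_at` reflects upload order.

```python
from datetime import datetime

# Constructed sample inventory (not real data): id, SAN entries, upload time.
CERTS = [
    {"id": "cert-wild", "sans": ["*.example.com"], "created_at": "2024-01-10T00:00:00Z"},
    {"id": "cert-api-old", "sans": ["api.example.com"], "created_at": "2024-02-01T00:00:00Z"},
    {"id": "cert-api-new", "sans": ["api.example.com", "www.example.com"],
     "created_at": "2024-03-01T00:00:00Z"},
]

def _uploaded(cert):
    # Assumption: created_at stands in for "most recently uploaded".
    return datetime.fromisoformat(cert["created_at"].replace("Z", "+00:00"))

def _match_rank(host, san):
    """2 = exact match, 1 = wildcard covering one leftmost label, 0 = no match."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if host == san:
        return 2
    if san.startswith("*.") and "." in host:
        return 1 if host.split(".", 1)[1] == san[2:] else 0
    return 0

def select_certificate(host, certs):
    """Return the id of the cert the stated rules would pick, or None."""
    best = None
    for cert in certs:
        rank = max((_match_rank(host, s) for s in cert["sans"]), default=0)
        if rank == 0:
            continue
        # Most specific match wins; ties go to the most recent upload.
        key = (rank, _uploaded(cert))
        if best is None or key > best[0]:
            best = (key, cert["id"])
    return best[1] if best else None

def duplicate_hostnames(certs):
    """Map each SAN entry that appears on more than one cert to those cert ids."""
    seen = {}
    for cert in certs:
        for san in set(s.lower() for s in cert["sans"]):
            seen.setdefault(san, []).append(cert["id"])
    return {san: ids for san, ids in seen.items() if len(ids) > 1}

if __name__ == "__main__":
    for h in ("api.example.com", "img.example.com", "a.b.example.com"):
        print(h, "->", select_certificate(h, CERTS))
    print("duplicates:", duplicate_hostnames(CERTS))
```

A non-empty result from `duplicate_hostnames` marks hostnames whose served certificate depends on upload order, which is the situation the recommendation above is meant to avoid.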
Data model
All the domains (including wildcard domains) that are listed in any certificate's Subject Alternative Names (SAN) list.
| Field | Type | Description |
| --- | --- | --- |
| tls_configurations | object | |
| tls_domains | object | |
| allow_untrusted_root | boolean | Allow certificates that chain to untrusted roots. [Default false] |
| cert_blob | string | The PEM-formatted certificate blob. Required. |
| intermediates_blob | string | The PEM-formatted chain of intermediate blobs. Required. |
| relationships.tls_configurations.id | string | Alphanumeric string identifying a TLS configuration. |
| relationships.tls_domains.id | string | The domain name. |
| type | string | Resource type. [Default tls_bulk_certificate] |
| created_at | string | Date and time in ISO 8601 format. Read-only. |
| deleted_at | string | Date and time in ISO 8601 format. Read-only. |
| id | string | Alphanumeric string identifying a TLS bulk certificate. Read-only. |
| not_after | string | Time-stamp (GMT) when the certificate will expire. Must be in the future to be used to terminate TLS traffic. Read-only. |
| not_before | string | Time-stamp (GMT) when the certificate will become valid. Must be in the past to be used to terminate TLS traffic. Read-only. |
| replace | boolean | A recommendation from Fastly indicating the key associated with this certificate is in need of rotation. Read-only. |
| updated_at | string | Date and time in ISO 8601 format. Read-only. |