Fastly - Renewing Custom Certs

Updating a Custom Cert in Fastly

Before you begin:

Know what type of cert(s) you need:
- Be sure that you have the certs that you need. There are different types of certs, which may cover the apex only or the apex and subdomains. Check Fastly and see if there are separate entries for the apex and subdomain; this will give you hints for what you need.

Be sure you have the correct files:
- Cert files have the extension .crt and key files have the extension .key.
The screenshot below shows certs and keys for 2 different instances. (screenshot: example of files in Finder)

Ensure you are in the right place:
1. Navigate to Configure and select prod-site-delivery from the table of services. (screenshot: Configure in the main menu)

2. Then ensure you're on prod-site-delivery; if not, click Switch services and select it. (screenshot: select prod-site-delivery if it's not already selected)

3. Then select HTTPS and Network. (screenshot: HTTPS and Network)

4. Select TLS Certificates. (screenshot: TLS Certificates)

Cert Keys
- Only click Update on the cert if the new cert and the existing key match. If not, you'll need to follow the steps below to 'renew' the cert.
If you do not know whether or not the keys match, you can click Update and try to upload the new cert. If there is a mismatch, Fastly will show you an error. (screenshot: click Update only if keys match)

Steps to renew a cert/key

  1. Click on the Upload a new key or certificate button. This will launch a Finder window and allow you to choose your file. (screenshot: upload a new cert)
  2. Select the cert and upload it.
  3. Depending on the type of cert, one of the following happens:
     a. Fastly might redirect you over to the TLS Domains section and prompt you to select a TLS Configuration (likely for any SAN cert).
     b. Otherwise you might need to go to TLS Domains, search for the domain you're updating the cert for, click 'more details' and then select the new cert.

  • Upload the matching key.
  • Confirm that traffic is being served through the new cert by going to the site and clicking the lock icon next to the domain name. Confirm that the expiration date is the new cert's and not the soon-to-expire cert's.

    a. Confirm that traffic is still terminating as expected: use curl to ensure TLS termination is still occurring, and make sure the response is 3xx or 2xx: `curl -I https://example.com` (screenshot: verify TLS via curl in the terminal)
    b. Confirm that traffic is being served through the custom cert (and not a Fastly-managed cert). Navigate to TLS Certificates and search for the domain. Under Certificate it should not say Fastly Managed Cert. (screenshot: verify the TLS cert is custom)
    c. Things to check:
      i. Click on the lock icon in the browser's address bar, located to the left of the domain. Make sure the org/locality is not zesty (which is what's listed for Fastly-managed certs). (screenshot: check the cert's org and locality)
      ii. Click on the lock icon in the browser's address bar, located to the left of the domain. Look at the cert chain and make sure that it follows the chain you would expect for the custom cert, e.g. cert authority -> cert -> domain. (screenshot: check the cert chain)

  • Under TLS Domains, search for your domain and check the TLS Status. Wait until TLS Status says 'Enabled' (versus "deploying across Fastly network...") and then ensure that a TLS domain is set up for both WWW and Apex, and make sure that both are using the new cert.

    a. You do not need to delete old certs from the TLS Certificates section.

  • If necessary, confirm with the customer that the new cert is in place; you can send a screenshot of the cert in place on the website.
  • In the terminal, ensure the new expiration date has populated:

    DOM="www.example.com"
    PORT="443"
    # echo closes s_client's stdin so it exits after the handshake instead of waiting for input
    echo | openssl s_client -servername "$DOM" -connect "$DOM:$PORT" 2>/dev/null \
      | openssl x509 -noout -dates

    (screenshot: verify the cert expiration date)
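    Added example, not part of this runbook and not Fastly's own tooling: a small POSIX shell script that runs the local checks the steps above describe, before clicking Update (does the key match the cert?), when confirming that both WWW and Apex are covered, and when checking the expiry date. It assumes the openssl CLI is installed and that the .crt and .key are local files passed as arguments; the function names (cert_key_match, cert_covers, cert_valid_for_days, precheck) are chosen here.

```shell
#!/bin/sh
# Added example (not from the runbook): local pre-checks on a .crt/.key pair
# before uploading it to Fastly. Assumes the openssl CLI is installed.

# Print the public key (PEM) carried by a cert ("cert") or a private key ("key").
pubkey_pem() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
    key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
  esac
}

# Succeed only when cert $1 and key $2 carry the same public key, i.e. when
# Fastly's Update would accept the pair instead of reporting a mismatch.
cert_key_match() {
  c=$(pubkey_pem cert "$1")
  k=$(pubkey_pem key "$2")
  [ -n "$c" ] && [ -n "$k" ] && [ "$c" = "$k" ]
}

# List the DNS names the cert covers, one per line: SANs first, then the CN.
cert_names() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
  openssl x509 -in "$1" -noout -subject 2>/dev/null | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed when cert $1 covers domain $2. Apex and www are separate names:
# a cert issued for the apex only will not serve www.
cert_covers() {
  cert_names "$1" | grep -qx "$2"
}

# Succeed when cert $1 is still valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Human-readable report, e.g.: precheck site.crt site.key example.com www.example.com
precheck() {
  cert=$1; key=$2; shift 2
  cert_key_match "$cert" "$key" && echo "key matches cert" || echo "KEY MISMATCH: do not click Update"
  openssl x509 -in "$cert" -noout -subject -issuer -dates
  for d in "$@"; do
    cert_covers "$cert" "$d" && echo "covers $d" || echo "MISSING: $d is not in the cert"
  done
  cert_valid_for_days "$cert" 30 && echo "valid for 30+ days" || echo "expires within 30 days"
}
```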

    2021 - new images for cert renewal: https://docs.google.com/document/d/1G-w8kX8knwawsbiMsTg2Pjn4W1qPW3-dUGj45bRuiYM/edit?usp=sharing