Manage Private Certificate Authority

Last update: 2024-07-15 14:30:33

mTLS (Mutual Transport Layer Security) is an authentication method in which both ends of a network connection prove their identity to each other.
In ordinary one-way SSL/TLS only the client verifies the server's identity; with mTLS the server also requires a certificate from the client and verifies it before the connection is used. CDNetworks allows you to upload your private CA certificates so that the CDN edge can authenticate your clients, implementing mTLS mutual authentication between the CDN and your client end. A client that cannot present a certificate issued by your CA is rejected, which prevents an attacker from impersonating a legitimate client and reading sensitive data.

How mTLS Works
In traditional one-way SSL/TLS authentication, the server presents its public key certificate during the handshake and the client verifies it against the CAs it trusts. mTLS adds the reverse direction with the following process:

  1. Certificate Exchange: During the handshake the server presents its certificate and then requests one from the client, which sends its own certificate containing its public key and identity information.
  2. Identity Verification: Each side checks that the certificate it received is within its validity period and chains to a CA it trusts, and that the peer actually holds the matching private key (the peer proves this by signing handshake data that the other side verifies with the certificate's public key).
  3. Establish Secure Connection: Only after both verifications succeed is the encrypted channel used for application data.

CDNetworks allows you to enable one-way or two-way authentication in the CDN console as needed:

  • Client Authenticates Server (One-way Authentication): Upload your server certificate file (the certificate and its chain together with the private key) and associate it with your domain. (For more details on adding certificates, refer to Managing SSL/TLS Certificates.)
  • Server Authenticates Client (Two-way Authentication): In addition to configuring one-way authentication, upload your private CA certificate file and associate it with your domain. During the client authentication phase, the CDN node uses the uploaded CA certificate to verify that the certificate presented by the client was issued by that CA.

How to Upload a CA Certificate

  1. Log in to the CDNetworks Console, and in the left menu, navigate to: Certificate MGMT - CA Certificates - My Certificates. Click the Upload Certificate button. You can also find this upload button on the certificate Overview page.
  2. Select the type of CA certificate you are uploading: Root CA or Subordinate CA. If you choose a subordinate CA certificate, specify its parent root CA certificate.
  3. Enter the CA Name used to identify and manage the CA certificate.
  4. In the CA Content area, either import the certificate file or copy and paste the certificate content directly into the designated area. The system parses the certificate information automatically.
  5. After completing the above steps, click Next to parse the certificate.

How to Associate a CA Certificate with Your Domain

  1. In My Certificates, select the uploaded CA certificate.
  2. Click Associate Domain.
  3. Check the box next to the domain you want to associate the certificate with.
  4. Complete the certificate deployment process by clicking Deploy Now.

How to Modify a CA Certificate

CDNetworks allows you to modify and delete uploaded private CA certificates so that your certificate information stays up to date. Note that a CA certificate may be associated with several domains: re-uploading its content changes the trust anchor the CDN edge uses to verify client certificates for all of them, so clients whose certificates chain only to the previous CA will fail Strict Authentication once the update takes effect.

  1. Log in to the CDNetworks Console, and in the left menu, navigate to: Certificate Management - CA Certificates - My Certificates. Find the certificate you wish to modify.
  2. Click the Edit button in the operation column for the desired certificate.
  3. On the certificate editing page, you can modify the CA certificate name, re-upload the CA certificate file, directly paste modified certificate content, or update the remarks.
  4. After completing the modifications, click the Next button to update the certificate information.

How to Delete a CA Certificate

If you no longer need a CA certificate, you can delete it.

  1. Find the certificate you want to delete in the certificate list. Click the Delete button in the operation column on the right.
  2. In the pop-up confirmation box, click Next to delete the certificate.

Note:
You can only delete a CA certificate if it has no subordinate certificates and is not associated with any domain.
You can disassociate a domain from a certificate in the CA Certificates - My Deployment list.
Deleting a certificate is irreversible, so please proceed with caution.

How to Configure mTLS Mutual Authentication

  1. Log in to the CDNetworks Console and select the appropriate product.
  2. Navigate to Configuration, locate the domain you wish to configure, and click Edit Configuration at the top or the Edit button to the right of the domain.
  3. On the Edit Configuration page, locate HTTP Protocol Optimization - Client mTLS Mutual Authentication.


  4. Select one of the four modes available for mTLS mutual authentication:
  • Strict Authentication: The CDN edge server verifies both the validity of the client certificate and that it was issued by a trusted certificate authority. Connections that fail verification are rejected. You must associate a CA certificate with your domain before selecting this option.
  • Only Authenticate Client Certificate and CA: The CDN edge server verifies the validity of the client certificate and the trustworthiness of the issuing certificate authority, but requests that fail validation can still connect. It is recommended to associate the CA certificate with your domain before selecting this option.
  • Only Authenticate Client Certificate: The CDN edge server verifies only the validity of the client certificate (that it is well-formed and within its validity period) without checking who issued it, so a certificate from any CA passes. Requests that fail validation can still connect. It is recommended to associate the CA certificate with your domain before selecting this option.
  • Close Authentication: The CDN edge server does not verify the client certificate. You do not need to associate a CA certificate with your domain for this option.

Because the two Only Authenticate modes let failed requests through, reachability through the CDN is not proof that a client presented a trusted certificate in those modes; treat them as a way to observe client behaviour before switching to Strict Authentication, which is the only mode that actually blocks unauthenticated clients.

After completing the configuration, click Next to submit your settings. To minimize disruption to your production environment, we strongly recommend running a Pre-deploy test in a staging environment to confirm the configuration behaves as intended; for mTLS, check both that a client holding a certificate issued by your CA can connect and that a client without one, or with a certificate from another CA, is rejected under Strict Authentication. Once you have verified the settings, click Deploy Now to implement them in the live environment. The configurations typically take effect within 3-5 minutes. For comprehensive guidance on pre-deployment testing and verifying your configuration, consult the tutorial Deploy the Configurations to Staging Environment for Validation.
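The certificate chain this page asks you to upload, and the difference between the authentication modes described above, are easier to see with a concrete private PKI. The following is an added example written for this page, not CDNetworks' own tooling: it uses openssl to create a root CA, a subordinate CA signed by it and a client certificate (the root is what you upload as Root CA, the subordinate as Subordinate CA with the root as its parent), plus a certificate issued by an unrelated CA, and then runs the two checks the modes differ on: validity alone, and validity plus chaining to the uploaded root. The CA names, the CN device-0001, the PKI_DIR variable and the domain www.example.com are assumptions.

```shell
#!/bin/sh
# Added example, not CDNetworks tooling: build the private PKI the console
# expects (Root CA -> Subordinate CA -> client certificate) with openssl, then
# contrast checking a client certificate's validity with checking that it
# chains to the uploaded CA.
# Assumes openssl 1.1.1 or later on PATH. All names and CNs below are made up.
set -eu

WORK="${PKI_DIR:-$(mktemp -d)}"   # PKI_DIR is an assumed variable name

CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'

CLIENT_EXT='basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth'

# issue NAME CN ISSUER EXTENSIONS
# Writes $WORK/NAME.key and $WORK/NAME.pem (P-256 key). An empty ISSUER gives a
# self-signed certificate; otherwise ISSUER.pem / ISSUER.key sign it.
issue() {
  printf '%s\n' "$4" > "$WORK/$1.ext"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 825 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

build_pki() {
  issue root   "Example Private Root CA"    ""   "$CA_EXT"      # upload as Root CA
  issue sub    "Example Private Issuing CA" root "$CA_EXT"      # upload as Subordinate CA, parent = root
  issue client "device-0001"                sub  "$CLIENT_EXT"  # installed on the client
  # An unrelated CA and a certificate it issued for the same CN: well-formed
  # and in date, but not something you uploaded.
  issue rogue        "Unrelated Root CA" ""    "$CA_EXT"
  issue rogue-client "device-0001"       rogue "$CLIENT_EXT"
}

# Validity only: well-formed and not expired. This is all that the
# "Only Authenticate Client Certificate" mode looks at.
cert_is_valid() {
  openssl x509 -in "$WORK/$1.pem" -noout -checkend 0 >/dev/null 2>&1
}

# Validity plus trust: the certificate must chain, through the subordinate CA,
# to the root you uploaded and be usable for client authentication. This is
# what Strict Authentication enforces.
cert_is_trusted() {
  openssl verify -purpose sslclient -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/sub.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Identity the edge would see for the client (RFC 2253 form, e.g. CN=device-0001).
peer_identity() {
  openssl x509 -in "$WORK/$1.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

build_pki
for c in client rogue-client; do
  cert_is_valid "$c"   && v=valid   || v=INVALID
  cert_is_trusted "$c" && t=trusted || t=UNTRUSTED
  echo "$c ($(peer_identity "$c")): $v, $t"
done
echo "PKI written to $WORK"

# Against your CDN domain (assumed name) after uploading root.pem and sub.pem,
# associating them with the domain and selecting Strict Authentication:
#   curl --cert "$WORK/client.pem" --key "$WORK/client.key" https://www.example.com/               # succeeds
#   curl --cert "$WORK/rogue-client.pem" --key "$WORK/rogue-client.key" https://www.example.com/   # handshake rejected
#   curl https://www.example.com/                                                                   # handshake rejected
```

Both client certificates carry the same subject and both pass the validity check; only the one issued under your root passes the trust check. That gap is exactly what separates Only Authenticate Client Certificate from Strict Authentication, and it is why the identity in a client certificate means nothing until the chain to your uploaded CA has been verified.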
