HTTPS

Last update: 2023-03-14 09:21:07

1 Feature Intro

1.1 Brief Introduction

HTTPS has become the standard configuration for enterprises (Apple requires all iOS apps to use HTTPS connections, the Google Chrome browser labels HTTP websites as “not secure”, etc.) because HTTPS effectively solves the problems of hijacking, tampering, and phishing that may arise in HTTP plain-text transmission.

CDNetworks can offer multiple HTTPS solutions for different customers. For HTTPS related features and solutions, we support:

  • TLS false start
  • HTTPS mutual authentication
  • SNI
  • Seamless deployment solution
  • Double certificates deployment solution
  • Keyless deployment solution

TLS false start, HTTPS mutual authentication and SNI are standard and well known HTTPS features, so we do not go into details. This function manual focuses on introducing CDNetworks’ seamless deployment solution, double certificates deployment solution and keyless deployment solution.

1.2 Applicable Product Lines

  • Content Acceleration
  • Dynamic Web Acceleration
  • Media Acceleration
  • Media Acceleration Live Broadcast

2 Feature Detail

2.1 Seamless Deployment Solution

2.1.1 Application Scenario

When customers are willing to share their private key with us, we recommend a regular deployment solution, where they can easily upload and deploy the certificates themselves in the SI portal.

2.1.2 Solution Description

CDNetworks provides a certificate management platform where customers upload their public and private certificates to us. With the Seamless HTTPS Acceleration solution, the certificates can then be deployed to the CDN platform. After the certificates have been successfully deployed, HTTPS requests from customers are supported.

2.2 Double Certificates Deployment Solution

2.2.1 Application Scenario

For customers who are not willing to share their private key with CDNetworks because of security requirements, but are willing to pay for another certificate, the double certificates deployment solution is recommended.

2.2.2 Solution Description

CDNetworks can provide customers with another certificate (certificate A), which is used to set up the HTTPS connection with end users (the customer’s domain is added to certificate A). When the CDN sends a request to the origin server, the HTTPS connection is set up with the customer’s own certificate (certificate B). In this way, we can support HTTPS communication between origin servers and end users without using the customer’s private key.

2.3 Keyless Deployment Solution

2.3.1 Application Scenario

If customers are:

  1. Not willing to share their private key with CDNetworks for security reasons;
  2. Not willing to pay for another certificate;
  3. Willing to install CDNetworks’ certificate software on their origin servers;

we can provide keyless deployment solution to customers.

2.3.2 Solution Description

How Keyless deployment solution works

  1. The customer deploys CDNetworks’ certificate software on the origin server;
  2. The user initiates an HTTPS request and performs the SSL handshake. In this session, the client generates a pre-master secret and encrypts it with the public key (the regular SSL handshake process is shown below; the pre-master secret is generated in SSL handshake step 3).

[Figure: regular SSL handshake process]

  3. The CDN passes the encrypted pre-master secret to the origin server;
  4. The origin server decrypts the pre-master secret with the private key, then CDNetworks’ certificate software sends the pre-master secret to the CDN edge PoP;
  5. With the pre-master secret, the SSL connection between the CDN and the end user is set up.
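
The keyless exchange described above, as an added Go example (not CDNetworks' software or API; `KeyServer`, `NewKeyServer`, `Decrypt` and `Handshake` are hypothetical names, and the network hops are collapsed into function calls). It assumes RSA key exchange with a 48-byte pre-master secret as in TLS 1.2, and uses a throwaway key generated at run time.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"fmt"
)

// KeyServer (hypothetical) models the software on the origin: sole holder of the private key.
type KeyServer struct{ priv *rsa.PrivateKey }

func NewKeyServer() (*KeyServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key
	return &KeyServer{priv}, err
}

// Decrypt never signals bad padding: it returns the random filler instead (no padding oracle).
func (k *KeyServer) Decrypt(enc []byte) ([]byte, error) {
	pms := make([]byte, 48)
	rand.Read(pms) // filler; crypto/rand.Read never returns an error on Go 1.24+
	err := rsa.DecryptPKCS1v15SessionKey(rand.Reader, k.priv, enc, pms)
	return pms, err
}

// Handshake plays client, edge and origin. The edge only ever sees enc and the
// returned secret; the result says whether it holds the client's pre-master secret.
func Handshake(ks *KeyServer, tamper bool) (bool, error) {
	pms := make([]byte, 48)
	rand.Read(pms)
	pms[0], pms[1] = 3, 3 // client_version for TLS 1.2
	enc, err := rsa.EncryptPKCS1v15(rand.Reader, &ks.priv.PublicKey, pms) // client
	if err != nil {
		return false, err
	}
	if tamper {
		enc[len(enc)-1] ^= 1 // constructed corruption of the forwarded blob
	}
	edgePMS, err := ks.Decrypt(enc)       // edge forwards, origin decrypts and replies
	return bytes.Equal(pms, edgePMS), err // the session is set up only if these match
}

func main() {
	ks, err := NewKeyServer()
	if err != nil {
		panic(err)
	}
	fmt.Println(Handshake(ks, false)) // true <nil>
	fmt.Println(Handshake(ks, true))  // false <nil>
}
```

The origin software is in effect a decryption service for the customer's private key, so the channel between the edge and the origin needs mutual authentication in a real deployment.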

2.3.3 Notices

  1. The certificate software is responsible for delivering the pre-master secret to the CDN. In this way, the CDN can complete the SSL handshake without the customer’s private key.
  2. Using the keyless deployment solution increases back-to-origin requests, since the CDN needs to get the pre-master secret from the origin.