SSL/TLS certificate configuration


Edge Security Acceleration (ESA) supports edge, client, and origin certificates for securing traffic. Configure each type to meet your security requirements.

Edge certificates

Edge certificates on the ESA platform encrypt requests between clients and edge nodes. By default, ESA has the SSL/TLS feature enabled. Configure your edge certificate on the Edge Certificates page, as described in the procedure below.

ESA provides additional features to improve access speed and security:

  • Always Use HTTPS: Redirects HTTP requests to HTTPS with a 301 response at the ESA POP.

  • TLS settings: During the TLS handshake, the client and the ESA POP negotiate a cipher suite and protocol version to secure transmission.

  • OCSP stapling: Caches certificate validation results on ESA and serves them to clients, eliminating direct CA queries and reducing TLS handshake latency.

  • Opportunistic Encryption: When a supporting browser visits your site, an ESA POP adds the Alt-Svc header to HTTP responses, signaling that HTTP/2 over TLS (port 443) is available.

  • HSTS: HTTP Strict Transport Security (HSTS) instructs browsers to access your website only over HTTPS.
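An added example, not from the ESA documentation, showing how a defender can verify from a captured edge response that the settings above took effect: a 301 to https:// for Always Use HTTPS, a Strict-Transport-Security header with an adequate max-age for HSTS, and an Alt-Svc header advertising h2 on port 443 for Opportunistic Encryption. The hostname www.example.com and the response headers are constructed sample data; header names are lowercased as a normalizing assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses (not real captures): the plain-HTTP answer and
# the HTTPS answer an ESA POP would return once the features are enabled.
HOST = "www.example.com"
HTTP_RESPONSE = (301, {"location": "https://www.example.com/"})
HTTPS_RESPONSE = (200, {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "alt-svc": 'h2=":443"; ma=86400',
})

def check_https_redirect(status: int, headers: Dict[str, str], host: str) -> bool:
    """Always Use HTTPS: a plain-HTTP request must get a 301 whose Location
    keeps the same host but switches the scheme to https."""
    location = headers.get("location", "").lower()
    return status == 301 and location.startswith(f"https://{host.lower()}")

def parse_hsts(value: str) -> Dict[str, str]:
    """Split 'max-age=...; includeSubDomains; preload' into a directive map."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"')
    return out

def check_hsts(headers: Dict[str, str], min_age: int = 31536000) -> Tuple[bool, str]:
    """HSTS: header present and max-age at least one year (default)."""
    raw = headers.get("strict-transport-security")
    if raw is None:
        return False, "HSTS header missing"
    try:
        max_age = int(parse_hsts(raw).get("max-age", ""))
    except ValueError:
        return False, "max-age missing or not an integer"
    if max_age < min_age:
        return False, f"max-age {max_age} below {min_age}"
    return True, "ok"

def advertises_h2(headers: Dict[str, str]) -> bool:
    """Opportunistic Encryption: Alt-Svc must advertise h2 on port 443."""
    return re.search(r'\bh2="[^"]*:443"', headers.get("alt-svc", "")) is not None

def audit_edge(host: str, http_resp, https_resp) -> List[str]:
    """Return the list of failed checks; an empty list means all settings are visible."""
    findings = []
    if not check_https_redirect(http_resp[0], http_resp[1], host):
        findings.append("Always Use HTTPS: no 301 to https:// for the same host")
    ok, why = check_hsts(https_resp[1])
    if not ok:
        findings.append(f"HSTS: {why}")
    if not advertises_h2(https_resp[1]):
        findings.append("Opportunistic Encryption: Alt-Svc does not advertise h2 on :443")
    return findings
```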

Procedure

To configure Edge Certificates, Always Use HTTPS, or opportunistic encryption:

  1. In the ESA console, select Websites. In the Website column, click the target website.

  2. In the left navigation pane, select Edge Certificates.

  3. On the Edge Certificates page, configure the certificate, TLS settings, and Always Use HTTPS as needed.

Client certificates

Client certificates authenticate clients connecting to servers. Create a client certificate using the ESA-provided CA, or configure a custom client certificate via OpenAPI.

Bind a client certificate to a domain and enable edge mTLS to require mutual authentication. ESA validates the client certificate on every request; to block requests whose certificate fails validation, create an mTLS rule in ESA.

Procedure

To configure client certificates:

  1. In the ESA console, select Websites. In the Website column, click the target website.

  2. In the left navigation pane, select Client Certificates.

  3. On the Client Certificates page, configure the certificate and domain information.

Origin certificates

The Origin certificates feature in ESA lets you configure origin protocols and ports, verify origin server certificates, and enable authenticated origin pulls (mTLS) so ESA and your origin mutually authenticate each other.

Procedure

To configure Origin Protocol and Port, Enforce Validation of Origin Certificate, or Authenticated Origin Pulls:

  1. In the ESA console, select Websites. In the Website column, click the target website.

  2. In the left navigation pane, select Origin Certificates.

  3. On the Origin Certificates page, configure Origin Protocol and Port, Enforce Validation of Origin Certificate, and Authenticated Origin Pulls as needed.