Use Let's Encrypt With KeyCDN to Enable TLS
Let’s Encrypt is a certificate authority (CA) that issues TLS certificates free of charge. Let’s Encrypt with KeyCDN gives customers a third option for securing their content via SSL/TLS between the KeyCDN edge servers and their website’s visitors.
Let’s Encrypt only issues a certificate after domain validation has succeeded. Validation is performed with an ACME challenge for the hostname being certified, and KeyCDN can only answer that challenge for your custom CDN URL (e.g. cdn.example.com) once that hostname resolves, via a CNAME record, to the kxcdn.com Zone URL. This is why you must first create the CNAME record, wait until it has fully propagated, and only then add your Zone Alias.
When using our Let’s Encrypt SSL option you do not handle any certificate or private key material yourself: issuance, installation and renewal happen automatically once the letsencrypt option is chosen. Follow the steps below to set up Let’s Encrypt SSL for your KeyCDN Zone.
How To Use Let’s Encrypt With KeyCDN
This feature is still in Beta, however enabling Let’s Encrypt with KeyCDN is simple and can be done in just a few steps.
- Navigate to your Zone’s settings (Zones > Manage > Edit) and select Show Advanced Features. Scroll down to the SSL section and from the drop-down list, select the letsencrypt option.
- Add a CNAME record in your DNS (Zone Alias -> Zone URL). DNS changes take some time depending on the TTL. Check that your new DNS record is active with the DNS Check Tool.
- Create a Zone Alias for that Zone.
Note: If your Zone already has a Zone Alias, you must either remove it before changing the SSL option to letsencrypt or re-save it afterwards (saving the Zone Alias is what triggers certificate issuance). Further, you cannot add a Zone Alias until the CNAME record has fully propagated.
Once the above steps are completed, content delivery between the KeyCDN edge servers and your end users is secured with TLS under your Zone Alias.
Zero-Downtime Migration to Let’s Encrypt
If you currently have a custom SSL certificate configured but want to migrate to Let’s Encrypt without any downtime, then you must follow these steps:
- Create a Zone and Zone Alias with a custom SSL certificate
- After the changes are fully deployed (approx. 5-10 minutes), change the CNAME accordingly (if not already done)
- Switch the SSL option for your Zone from custom to letsencrypt and wait until the Zone is fully re-deployed (wait approx. 5-10 minutes)
- Save the Zone Alias again (this will issue the LE certificate and attach it to the Zone)
That’s it! Now your KeyCDN Zone is using Let’s Encrypt to deliver your assets over HTTPS. This means that you no longer need to purchase custom SSL certificates for your CDN assets, nor do you need to renew them before they expire: Let’s Encrypt certificates are renewed automatically and are completely free.
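Both procedures above end with a manual step (re-saving the Zone Alias) whose success you can only confirm by looking at DNS and at the certificate the edge actually serves. The following script is an added example, not KeyCDN’s own tooling: it checks that the Zone Alias CNAME points into kxcdn.com and that the certificate presented for the alias is issued by Let’s Encrypt, covers the hostname, and is not close to expiry (a useful periodic check, since renewal is automatic but silent). The hostnames `cdn.example.com` and `cdn-abc.kxcdn.com` are placeholders, `SAMPLE_CERT` is a constructed dictionary mirroring the shape returned by Python’s `getpeercert()`, and `resolve_cname` assumes the `dig` command is installed.

```python
"""Post-setup checks for a KeyCDN Zone Alias on Let's Encrypt (added example,
not KeyCDN code). Pure helpers are testable offline; the two network
functions need DNS/TLS access and the `dig` binary."""
import socket
import ssl
import subprocess
import time

KXCDN_SUFFIX = ".kxcdn.com"   # Zone URLs live under this domain
MIN_DAYS_LEFT = 14            # warn if renewal has not happened by then


def parse_dig_cname(dig_output):
    """First target from `dig +short CNAME <name>` output (one record per
    line, trailing dot), normalised to lowercase without the dot, or None."""
    for line in dig_output.splitlines():
        line = line.strip()
        if line:
            return line.rstrip(".").lower()
    return None


def cname_points_to_kxcdn(target, zone_url=None):
    """True if the alias CNAMEs into kxcdn.com (or to the exact Zone URL)."""
    if target is None:
        return False
    if zone_url:
        return target == zone_url.rstrip(".").lower()
    return target.endswith(KXCDN_SUFFIX)


def resolve_cname(host):
    """Network: look up the CNAME of `host` with dig (assumed installed)."""
    out = subprocess.run(["dig", "+short", "CNAME", host],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig_cname(out)


def _rdn_values(name_tuples, key):
    # getpeercert() encodes names as a tuple of RDNs, each a tuple of (k, v)
    return [v for rdn in name_tuples for (k, v) in rdn if k == key]


def cert_is_lets_encrypt(cert):
    return "Let's Encrypt" in _rdn_values(cert.get("issuer", ()), "organizationName")


def _match_san(pattern, host):
    # Exact match, or a single-label wildcard in the leftmost position only.
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def cert_covers_host(cert, host):
    sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    return any(_match_san(s, host) for s in sans)


def days_until_expiry(cert, now=None):
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def evaluate_cert(cert, host, now=None):
    """Summarise the checks a practitioner wants after issuance/renewal."""
    days = days_until_expiry(cert, now)
    result = {
        "issued_by_lets_encrypt": cert_is_lets_encrypt(cert),
        "covers_host": cert_covers_host(cert, host),
        "days_left": days,
        "renewed_in_time": days >= MIN_DAYS_LEFT,
    }
    result["ok"] = all(result[k] for k in
                       ("issued_by_lets_encrypt", "covers_host", "renewed_in_time"))
    return result


def fetch_cert(host, port=443, timeout=10):
    """Network: TLS handshake with SNI for `host`; chain is verified against
    the system trust store, so a bad chain raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_zone_alias(host, zone_url=None):
    """Network: full check for one Zone Alias, e.g. 'cdn.example.com'."""
    cname_ok = cname_points_to_kxcdn(resolve_cname(host), zone_url)
    report = {"cname_ok": cname_ok}
    try:
        report.update(evaluate_cert(fetch_cert(host), host))
    except (ssl.SSLError, OSError) as exc:   # not yet issued, or wrong cert
        report.update({"ok": False, "error": str(exc)})
    return report


# Constructed sample in the shape of getpeercert(); not a real certificate.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subject": ((("commonName", "cdn.example.com"),),),
    "subjectAltName": (("DNS", "cdn.example.com"),),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
}

if __name__ == "__main__":
    print(check_zone_alias("cdn.example.com", "cdn-abc.kxcdn.com"))
```

Run it only against the Zone Alias: after switching to letsencrypt, an HTTPS connection to the kxcdn.com Zone URL itself is expected to fail (see the note on the kxcdn domain below), so a handshake error there is not a misconfiguration of the alias. Let’s Encrypt certificates are short-lived, which is why `renewed_in_time` is part of the report.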
- The Let’s Encrypt SSL feature is still in Beta, and Let’s Encrypt’s own rate limits apply to certificates issued through it: currently 20 certificates per registered domain per week. Check out Let’s Encrypt’s complete rate limits post for more details.
- Let’s Encrypt also publishes every certificate it issues to public Certificate Transparency (CT) logs. This lets domain owners and browsers detect mis-issued certificates, a known weakness of the CA system. Certificates issued by Let’s Encrypt for your domain can be found with the CA Search tool.
- Upon enabling Let’s Encrypt SSL, delivering assets via SSL using the kxcdn domain (your Zone URL) is no longer possible and will return an error; only the Zone Alias is covered by the certificate.
- Let’s Encrypt certificates are known to be currently incompatible with the following devices:
- Blackberry OS 10, 7, & 6
- Android 2.3.5 (HTC Wildfire S, Stock Browser)