Announcing Certainly: Fastly’s own TLS Certification Authority

Update! As of August 16th, 2023, we're excited to announce the general availability of Certainly, Fastly’s publicly trusted Certification Authority. Certainly can now be used by all Fastly customers. We know that it takes resources to maintain and monitor the certificate lifecycle, and errors in this lifecycle can cause service downtime. With Certainly, Fastly is taking care of all of your certificate management needs with three key benefits.

  1. Tighter security and lower risk at no extra cost with short, 30-day validity periods that reduce the time in which a compromised certificate is usable. 

  2. Simplified, expedited certificate management, even for hundreds of thousands of domains.

  3. More reliable service and better customer support by putting Fastly in control of resolving any issues.

Certainly maintains its commitment to complying with industry regulations and best practices. Our certification authority adheres to the latest standards and guidelines set by industry bodies, ensuring that our services remain aligned with the evolving landscape of digital security and trust.

Here are details, links to documentation, and everything you need to get started with Certainly.  

Our original post continues below.


Certainly is Fastly’s new publicly-trusted Transport Layer Security (TLS) Certification Authority (CA). Starting today, Fastly customers have the option of using a certificate issued by Certainly to secure any website or API endpoint served by the Fastly Content Delivery Network (CDN). Certainly certificates offer a high level of trust and reliability, and are fully supported by Fastly without any dependence on another organization.

We invested significant time and energy to build Certainly because we believe that it benefits our customers. We have experienced a number of incidents with other Certification Authorities (CAs) in the past that have affected our customers. Bringing the essential capability of issuing TLS certificates in-house gives us greater control over the level of service that we can provide, while also creating a fallback option when any other CA experiences a failure.

Certainly also serves as a platform for innovation. We are launching Certainly certificates with a 30-day validity period – the shortest default in the industry. Shorter validity periods coupled with automation achieve a higher level of security by reducing the time in which a compromised certificate is usable. In the future, we expect to leverage Certainly to further enhance the security of services that we offer to our customers.

When we set out to create Certainly, our aim was to build a modern CA that embraces industry best practices. For example:

  • Certainly does not offer costly and error-prone “organization validation” or “extended validation” certificates because they compromise automation and agility.

  • Certainly supports full Rivest-Shamir-Adleman (RSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) certificate chains.

  • Certainly implements the Automatic Certificate Management Environment (ACME) protocol for automated issuance.

  • Certainly is built on Boulder, the highly robust and compliant open-source CA system that is maintained by our colleagues at Let’s Encrypt.

Certainly’s trustworthiness has repeatedly been confirmed. We comply with the applicable CA/Browser Forum guidelines and have completed WebTrust for CAs audits and been awarded the WebTrust seal attesting to our full compliance. Certainly has also been accepted as a root CA by Mozilla after undergoing their rigorous public qualification process. Apple and Google have also accepted Certainly’s request to be included in their root stores. Finally, to ensure that our certificates are widely trusted by every client in use around the world, our intermediate CA certificates have been cross-signed by GoDaddy, a long-standing root CA. This allows Certainly to inherit the decades of trust accrued by GoDaddy CA certificates. Doing this presents a risk that GoDaddy accepted after thoroughly vetting Certainly’s policies and operations.

Certainly is now available to all Fastly customers. We’re proud of what we’ve built and we invite you to try it out.

Wayne Thayer
Senior Director of Engineering

Wayne works on security products and TLS at Fastly. Prior to joining Fastly, Wayne managed Mozilla's Certificate Authority program and ran GoDaddy's public CA. He remains active in the Mozilla security community, as well as the CA/Browser Forum, where he is focused on improving the trustworthiness of CAs.
