Announcing Certainly: Fastly’s own TLS Certification Authority
Certainly is Fastly’s new publicly-trusted Transport Layer Security (TLS) Certification Authority (CA). Starting today, Fastly customers have the option of using a certificate issued by Certainly to secure any website or API endpoint served by the Fastly Content Delivery Network (CDN). Certainly certificates offer a high level of trust and reliability, and are fully supported by Fastly without any dependence on another organization.
We invested significant time and energy to build Certainly because we believe that it benefits our customers. We have experienced a number of incidents with other Certification Authorities (CAs) in the past that have affected our customers. Bringing the essential capability of issuing TLS certificates in-house gives us greater control over the level of service that we can provide, while also creating a fallback option when any other CA experiences a failure.
Certainly also serves as a platform for innovation. We are launching Certainly certificates with a 30-day validity period – the shortest default in the industry. Shorter validity periods coupled with automation achieve a higher level of security by reducing the time in which a compromised certificate is usable. In the future, we expect to leverage Certainly to further enhance the security of services that we offer to our customers.
When we set out to create Certainly, our aim was to build a modern CA that embraces industry best practices. For example:
Certainly does not offer costly and error-prone “organization validation” or “extended validation” certificates because they compromise automation and agility.
Certainly supports full Rivest-Shamir-Adleman (RSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) certificate chains.
Certainly implements the Automatic Certificate Management Environment (ACME) protocol for automated issuance.
Certainly is built on Boulder, the highly robust and compliant open-source CA system that is maintained by our colleagues at Let’s Encrypt.
Certainly’s trustworthiness has repeatedly been confirmed. We comply with the applicable CA/Browser Forum guidelines and have completed WebTrust for CAs audits and been awarded the WebTrust seal attesting to our full compliance. Certainly has also been accepted as a root CA by Mozilla after undergoing their rigorous public qualification process. Apple and Google have also accepted Certainly’s request to be included in their root stores. Finally, to ensure that our certificates are widely trusted by every client in use around the world, our intermediate CA certificates have been cross-signed by GoDaddy, a long-standing root CA. This allows Certainly to inherit the decades of trust accrued by GoDaddy CA certificates. Doing this presents a risk that GoDaddy accepted after thoroughly vetting Certainly’s policies and operations.
Certainly is now available for Fastly customers in beta. We’re proud of what we’ve built and we invite you to try it out.