---
title: Setting up TLS with certificates Fastly manages
summary: null
url: >-
  https://www.fastly.com/documentation/guides/getting-started/domains/securing-domains/setting-up-tls-with-certificates-fastly-manages
---


This guide describes how to use [Fastly TLS](https://docs.fastly.com/products/tls-service-options#fastly-tls) to enable HTTPS for a domain using a certificate that Fastly obtains and renews on your behalf. To serve traffic over HTTPS from Fastly, a website or application needs to present clients with a valid TLS certificate signed by a trusted certification authority. TLS (Transport Layer Security) and its deprecated predecessor SSL (Secure Sockets Layer) are the protocols that let clients establish authenticated, encrypted connections to a server so that traffic can be served over HTTPS.

Fastly-managed certificates use the [ACME protocol](https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment) to procure and renew TLS certificates. You have several options for certification authorities:

* [Certainly](https://docs.fastly.com/products/certainly), Fastly's publicly-trusted certification authority
* [Let’s Encrypt](https://letsencrypt.org/), a third-party non-profit certification authority
* [GlobalSign](https://www.globalsign.com/), a third-party commercial certification authority (only available for paid accounts)

[Trial accounts](https://docs.fastly.com/products/tls-service-options) include Fastly-managed certificates for two domains using the Certainly or Let's Encrypt certification authority. Upgrade to a paid account to use GlobalSign or secure additional domains.

> **HINT:** Our [TLS subscriptions API](/reference/api/tls/subs/) allows you to manage Fastly TLS subscriptions programmatically.

## Before you begin

Before setting up TLS on your domains, be sure to review the [Fastly TLS prerequisites and limitations](/guides/getting-started/domains/securing-domains/tls-prerequisites-and-limitations).

## Setting up TLS for a domain

Setting up TLS for a domain requires you to secure the domain by registering it with a certification authority. To start this process through the Fastly control panel (instead of [programmatically](/reference/api/tls/subs/)) follow these steps.

### First-time set up

To set up TLS for the first time, complete the following:

1. Log in to the Fastly web interface.
1. Click **Manage certificates**.
1. Click **Get started**.
1. In the **Domain Name** field, enter the apex domain (e.g., `example.com`), subdomain (e.g., `www.example.com` or `api.example.com`), or wildcard domain (e.g., `*.example.com`) you want to secure.
1. From the **Certification Authority** menu, select the certification authority that will issue your certificate. Prices vary between certification authorities, sometimes significantly. Be sure to review the details about these differences on our [pricing page](https://www.fastly.com/pricing).
1. From the **Select a TLS Configuration** menu, select the TLS configuration to apply. The configuration defines both the IP addresses the certificate will be deployed to and the TLS settings (protocol versions and features) that will be applied. The default option is **HTTP/3 & TLS v1.3 +0RTT (t.sni)**. Note that TLS 1.3 0-RTT early data can be replayed by a network attacker, so if your origin cannot tolerate replayed requests, choose a configuration without 0-RTT.
1. Click **Continue**. The Domains page appears displaying your domain along with detailed steps on how to [verify that you own it](#verifying-domain-ownership).

### Setting up additional domains

After you've set up TLS for your first domain, you can secure additional domains from the Domains page.

1. Log in to the Fastly web interface and go to the **Domains** page.
1. Click **Secure another domain**.
1. In the **Domain** field, enter one or more apex domains (e.g., `example.com`), subdomains (e.g., `www.example.com` or `api.example.com`), or a wildcard domain (e.g., `*.example.com`) and click **Add**. Domains you add appear in the Common name area of the page.

   If you add only one domain, the common name is that domain. If you add more than one, they appear in a menu and the first domain you added is selected by default; select another domain from the **Common name** menu if that's not the one you want.

1. From the selection menu that appears, select **Use certificates Fastly obtains for you**. The Enter subscription details page appears.
1. From the **Select a certification authority** controls, choose the certification authority that will issue your certificate. Prices vary between certification authorities, sometimes significantly. Be sure to review the details about these differences on our [pricing page](https://www.fastly.com/pricing).
1. From the **Select a TLS Configuration** menu, select the TLS configuration to apply. The configuration defines both the IP addresses the certificate will be deployed to and the TLS settings that will be applied. The default option is **HTTP/3 & TLS v1.3 +0RTT (t.sni)**.
1. Click **Submit**. The Subscription details page appears displaying your domains along with detailed steps on how to [verify you own them](#verifying-domain-ownership).
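The same setup done programmatically, as an added example that is not Fastly's code: it builds the request body for `POST /tls/subscriptions` described in the [TLS subscriptions API](/reference/api/tls/subs/) and pulls the DNS records for the chosen verification challenge out of the response. The JSON:API field names, the `certificate_authority` values and the challenge `type` names are assumptions taken from the API reference and should be checked there; `SAMPLE_RESPONSE`, the ids, the token and the hostnames are constructed so the script runs offline.

```python
"""Create a Fastly-managed TLS subscription through the TLS subscriptions API
and list the DNS records needed to verify the domains.

Added example, not Fastly's code. Field names follow the JSON:API shape of
POST /tls/subscriptions as documented in the API reference (assumption:
check the reference before relying on them). SAMPLE_RESPONSE is constructed
for offline use, not captured from the API.
"""
import json
import os
import urllib.request

API = "https://api.fastly.com/tls/subscriptions"
# certificate_authority values accepted by the API (assumption: per the reference).
CAS = {"certainly", "lets-encrypt", "globalsign"}


def build_subscription_request(domains, ca, tls_configuration_id, common_name=None):
    """JSON:API body for a new subscription. The common name defaults to the
    first domain, mirroring the control panel."""
    if ca not in CAS:
        raise ValueError(f"unsupported certification authority {ca!r}")
    if not domains:
        raise ValueError("at least one domain is required")
    cn = common_name or domains[0]
    if cn not in domains:
        raise ValueError("common name must be one of the subscription's domains")
    return {"data": {
        "type": "tls_subscription",
        "attributes": {"certificate_authority": ca},
        "relationships": {
            "tls_domains": {"data": [{"type": "tls_domain", "id": d} for d in domains]},
            "common_name": {"data": {"type": "tls_domain", "id": cn}},
            "tls_configuration": {"data": {"type": "tls_configuration",
                                           "id": tls_configuration_id}},
        },
    }}


def create_subscription(body, token):
    """POST the body, asking for the tls_authorizations (the challenges) to be
    included in the response. Needs a real API token with TLS management
    permission; the offline demo below never calls it."""
    req = urllib.request.Request(
        API + "?include=tls_authorizations",
        data=json.dumps(body).encode(), method="POST",
        headers={"Fastly-Key": token, "Accept": "application/vnd.api+json",
                 "Content-Type": "application/vnd.api+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def dns_records_from_response(resp, challenge="managed-dns"):
    """(record_type, record_name, value) tuples for one challenge type.
    managed-dns delegates only _acme-challenge and leaves production traffic
    alone; managed-http-cname / managed-http-a move traffic to Fastly at once."""
    out = []
    for obj in resp.get("included", []):
        if obj.get("type") != "tls_authorization":
            continue
        for ch in obj["attributes"].get("challenges", []):
            if ch["type"] == challenge:
                out.extend((ch["record_type"], ch["record_name"], v) for v in ch["values"])
    return out


# Constructed sample: shape assumed from the API reference; ids and
# hostnames are invented.
SAMPLE_RESPONSE = {
    "data": {"id": "SUBSCRIPTION_ID", "type": "tls_subscription",
             "attributes": {"state": "pending"}},
    "included": [{"id": "AUTHORIZATION_ID", "type": "tls_authorization",
                  "attributes": {"challenges": [
                      {"type": "managed-dns", "record_type": "CNAME",
                       "record_name": "_acme-challenge.www.example.com",
                       "values": ["abc123def456.fastly-validations.com"]},
                      {"type": "managed-http-cname", "record_type": "CNAME",
                       "record_name": "www.example.com",
                       "values": ["example.sni.global.fastly.net"]}]}}],
}

if __name__ == "__main__":
    body = build_subscription_request(["www.example.com"], "certainly", "TLS_CONFIGURATION_ID")
    token = os.environ.get("FASTLY_API_TOKEN")  # set it to hit the real API
    resp = create_subscription(body, token) if token else SAMPLE_RESPONSE
    for rtype, name, value in dns_records_from_response(resp):
        print(f"create {rtype} record {name} -> {value}")
```

Without `FASTLY_API_TOKEN` set, the script prints the `_acme-challenge` CNAME from the constructed response; with it, it creates a real subscription and prints the records the API returned. The default challenge filter is `managed-dns` deliberately: it is the only one that lets you finish verification before any production traffic reaches Fastly.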

## Verifying domain ownership

To begin serving HTTPS traffic, Fastly needs to verify that you control every domain you've added in the control panel. Apex domains and subdomains can be verified with the ACME DNS challenge, the ACME HTTP challenge, or (with GlobalSign only) email validation. The two ACME challenges each require specific DNS changes. Wildcard domains can only be verified with the DNS challenge or email validation.

> **IMPORTANT:** If the same domain is also managed in another location that uses the ACME protocol to obtain its certificates, the two ACME clients can conflict over the `_acme-challenge` CNAME or TXT records. Fastly has a solution for this that may help you. Contact [support](https://support.fastly.com) for more information.

### ACME DNS challenge

> **IMPORTANT:** Fastly may modify the behavior of your services to complete ACME challenges for domain verification.

The default method for verifying that you control a domain being added to a Fastly-managed TLS certificate is the ACME DNS challenge. It's suitable for all kinds of domains (apex, subdomains, and wildcards). It points only the `_acme-challenge` subdomain at Fastly, so you can finish TLS setup before moving production traffic to Fastly.

To use this verification method, create a CNAME record that points at the unique target Fastly assigns to your domain. Follow the steps below to view the exact record name and target.

1. Log in to the Fastly web interface.
1. Go to **Domains** > **TLS management** > [**Subscriptions**](https://manage.fastly.com/network/subscriptions).
1. Click **View subscription details** for the subscription you want to make changes to.
1. Click **Verification options** in the **Verification** column for the domain you want to verify. The Verify domain ownership page appears with the record name and target.

![the cname to use for the acme dns challenge when verifying domain ownership](/img/acme-dns-challenge-cname.png)

The steps to create the CNAME record vary depending on your DNS provider's control panel. Refer to your DNS provider's documentation for exact instructions. Your CNAME record must use the format `_acme-challenge.DOMAIN_NAME` (e.g., `_acme-challenge.www.example.com`) and must point at the unique target for your domain (e.g., `domain_token.fastly-validations.com`). This CNAME delegates the challenge name to Fastly, which is also how Fastly answers the challenges for every later renewal, so once you've pointed your production DNS at Fastly, keep the `_acme-challenge` CNAME in place to avoid interruptions in service.

### ACME HTTP challenge

> **IMPORTANT:** Fastly may modify the behavior of your services to complete ACME challenges for domain verification.

Another method for verifying that you control a domain is the ACME HTTP challenge. This method is only suitable for apex domains and subdomains (wildcard domains can only be verified with the DNS or email challenge). It points production traffic at Fastly immediately, and Fastly answers the HTTP challenge for you.

> **WARNING:** The ACME HTTP challenge domain verification method can potentially point all end-user traffic to Fastly before you've completed TLS setup. This means that your end users may get an insecure warning in their browser related to your website or be totally unable to access your domain. To avoid this, ensure you have a properly configured Fastly service and have disabled any forced [TLS redirection](/guides/full-site-delivery/domains-and-origins/forcing-an-https-redirect) before you use this verification method.

To use this verification method, follow the steps below to view the DNS records you need to create.

1. Log in to the Fastly web interface.
1. Go to **Domains** > **TLS management** > [**Subscriptions**](https://manage.fastly.com/network/subscriptions).
1. Click **View subscription details** for the subscription you want to make changes to.
1. Click **Verification options** in the **Verification** column for the domain you want to verify.
1. Choose the alternative that suits your needs for the ACME HTTP challenge:
   * for a subdomain, [create a CNAME record](/guides/getting-started/domains/working-with-domains/working-with-cname-records-and-your-dns-provider) that points directly to the Fastly hostname
   * for an apex domain, [create A records](/guides/full-site-delivery/domains-and-origins/using-fastly-with-apex-domains) for the domain with the noted IP addresses

Once set up using either alternative, production traffic immediately begins flowing through Fastly.

### Email challenge

Domain control can also be verified by email when you've chosen GlobalSign as your certification authority. (Certainly and Let's Encrypt are ACME-based and do not support email validation.) To use this verification method, follow the steps below.

1. [Contact support](https://support.fastly.com) to enable the setting for verifying domain control via email.
1. Log in to the Fastly web interface.
1. Go to **Domains** > **TLS management** > [**Subscriptions**](https://manage.fastly.com/network/subscriptions).
1. Click **View subscription details** for the subscription you want to make changes to.
1. Click **Verification options** in the **Verification** column for the domain you want to verify.
1. In the **Email validation** section, use the menu to select the email address you want the verification email sent to. GlobalSign provides Fastly with the list of acceptable addresses for the domain. Generally, the list will include addresses like the following:
   * `admin@example.com`
   * `administrator@example.com`
   * `hostmaster@example.com`
   * `postmaster@example.com`
   * `webmaster@example.com`
1. Click **Get verification email**.

Fastly will then instruct GlobalSign to send a verification email to the address you selected. It contains a link that you must click to complete domain ownership verification. Because anyone who can read that mailbox can approve issuance, make sure the selected address is controlled by the team responsible for the domain.

## What happens next

It should take no more than an hour for the TLS enablement process to progress through all of the TLS statuses shown below:

TLS Status | Description
-----------|------------
Checking domain DNS records…<br />Step 1 of 3 | Domain validation is in progress. Fastly is checking domain DNS records to verify that you control the domain being added to a certificate. To advance to the next enablement state, you must verify control of the domain by updating that domain’s DNS records to complete one of the ACME challenge types.
Certificate requested. Waiting for response from CA…<br />Step 2 of 3 | Domain validation has been confirmed. Fastly has verified you control the domain and has requested a TLS certificate for it from the certification authority.
TLS enabled (certificate being deployed globally) | The certification authority has issued a TLS certificate. While most certificates are fully deployed across Fastly's global network within 60 seconds, in some cases it can take up to an hour.

> **HINT:** If using GlobalSign certificates, after verifying domain ownership you must monitor the DNS resolution process and ensure the domain [resolves globally](#subscriptions-listed-as-failed) before the TLS certificate will validate and issue. Depending on your DNS vendor, it may take up to 72 hours for your DNS to resolve.

## Troubleshooting

If more than an hour has passed and TLS enablement appears to be stalled in one of the stages of adding a domain, there is likely an issue.

### Domains stuck in the Checking domain DNS records state

If the domain is stuck in the `Checking domain DNS records` state, you have most likely not configured the DNS records needed to verify domain ownership. You can check the DNS records yourself with `dig` from a command line:

ACME challenge type | Command to type
--------------------|----------------
HTTP  |  `dig www.example.com +short`
DNS  |  `dig _acme-challenge.www.example.com +short`

Be sure to replace `example.com` with the hostname you used when you configured your DNS records.

If you have correctly configured your DNS records, the output will include the CNAME target or the A record addresses required for verification, as described in the [Verifying domain ownership](#verifying-domain-ownership) instructions.

If you recently added or modified DNS records, you may need to wait up to 72 hours for your DNS changes to propagate across the internet. If you don’t see these addresses within that time period, you may have misconfigured your DNS records.

If you are still having issues, a Certification Authority Authorization (CAA) record on your domain, or on a parent domain (CAA lookups walk up the DNS tree to the closest name that has one), may be blocking the certification authority from issuing. A CAA record lists the CAs permitted to issue certificates for a domain; if one exists that does not name the CA you selected, you'll need to correct or remove it before a Fastly-managed certificate can issue. You can inspect it with `dig example.com CAA +short`. For wildcard domains, also check `issuewild` values: when any are present they replace the `issue` values for wildcard issuance.

The following lists the CAA record value needed for each certification authority supported by Fastly TLS:

Certification authority | CAA record value
--------------------|----------------
Certainly  |  `certainly.com`
Let's Encrypt  |  `letsencrypt.org`
GlobalSign  |  `globalsign.com`
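An offline preflight for the checks above, written as an added example (not Fastly's code) for both the ACME DNS challenge section and this troubleshooting section. It checks that `_acme-challenge.DOMAIN` is a CNAME delegating to `fastly-validations.com` and is not also carrying TXT records left by another ACME client, and evaluates whether the CAA records permit the chosen certification authority using the RFC 8659 rules (walk up to the closest name with a CAA record set; wildcards use `issuewild` when any exists, else `issue`). The `ZONE` snapshot is constructed; in practice you would populate it from the `dig +short` output shown above. The Fastly validation hostname suffix comes from the page; everything else in the zone is invented.

```python
"""Offline preflight for a domain verified with the ACME DNS challenge.

Added example, not Fastly's code. ZONE is a constructed snapshot
(owner name -> record type -> rdata strings) standing in for `dig` output.
CAA evaluation follows RFC 8659 (closest CAA RRset up the tree; issuewild
takes over for wildcard names when present); the wildcard label is stripped
before the walk, and CNAME chasing is not implemented.
"""

VALIDATION_SUFFIX = ".fastly-validations.com."  # target suffix named on the page

ZONE = {  # constructed sample data
    "_acme-challenge.www.example.com.": {"CNAME": ["abc123.fastly-validations.com."]},
    "_acme-challenge.api.example.com.": {
        "CNAME": ["def456.fastly-validations.com."],
        "TXT": ['"token-from-another-acme-client"'],  # conflicting ACME client
    },
    "_acme-challenge.old.example.com.": {"CNAME": ["old.example.net."]},  # wrong target
    "example.com.": {"CAA": ['0 issue "letsencrypt.org"', '0 issuewild "certainly.com"']},
    "locked.example.com.": {"CAA": ['0 issue ";"']},  # nobody may issue
}


def fqdn(name):
    return name if name.endswith(".") else name + "."


def records(zone, name, rtype):
    return zone.get(fqdn(name), {}).get(rtype, [])


def check_acme_cname(zone, domain):
    """Problems with the _acme-challenge delegation for `domain` (empty list = OK)."""
    name = "_acme-challenge." + domain.removeprefix("*.")
    problems = []
    cnames = records(zone, name, "CNAME")
    if not cnames:
        problems.append(f"{name}: no CNAME record; create one pointing at the target "
                        "shown under Verification options")
    elif not all(fqdn(t).lower().endswith(VALIDATION_SUFFIX) for t in cnames):
        problems.append(f"{name}: CNAME does not point at "
                        f"{VALIDATION_SUFFIX.strip('.')}: {cnames}")
    if records(zone, name, "TXT"):
        problems.append(f"{name}: TXT records coexist with the CNAME; another ACME "
                        "client may be validating this name")
    return problems


def _caa_rrset(zone, name):
    """Closest CAA RRset at `name` or one of its parents."""
    labels = fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = records(zone, ".".join(labels[i:]), "CAA")
        if rrset:
            return rrset
    return []


def caa_allows(zone, domain, ca):
    """True if `ca` (e.g. 'certainly.com') may issue for `domain`."""
    wildcard = domain.startswith("*.")
    rrset = _caa_rrset(zone, domain.removeprefix("*."))
    if not rrset:
        return True  # no CAA anywhere in the tree: any CA may issue
    parsed = []
    for rdata in rrset:
        _flags, tag, value = rdata.split(" ", 2)  # e.g. 0 issue "letsencrypt.org"
        parsed.append((tag.lower(), value.strip('"')))
    tag = "issuewild" if wildcard and any(t == "issuewild" for t, _ in parsed) else "issue"
    # issuer is the part before ';' (parameters follow); 'issue ";"' yields "" -> denied
    issuers = {v.split(";", 1)[0].strip().lower() for t, v in parsed if t == tag}
    return ca.lower() in issuers


if __name__ == "__main__":
    for d in ["www.example.com", "api.example.com", "old.example.com", "shop.example.com"]:
        print(d, check_acme_cname(ZONE, d) or "delegation OK")
    for d, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "certainly.com"),
                  ("*.example.com", "certainly.com"), ("locked.example.com", "globalsign.com")]:
        print(f"CAA allows {ca} for {d}: {caa_allows(ZONE, d, ca)}")
```

To use it against a real domain, fill `ZONE` from `dig _acme-challenge.www.example.com CNAME +short`, the same query with `TXT`, and `dig example.com CAA +short` (repeating the CAA query for each parent name). A CNAME that points somewhere other than `fastly-validations.com`, or a leftover TXT record at the same name, is exactly the conflict the IMPORTANT note above warns about.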

### Domains stuck in the Certificate requested state

If the domain is stuck in the `Waiting for a response from CA` state, this is likely a temporary issue with the certification authority. Be sure to allow up to an hour in this state before contacting [support](https://support.fastly.com) for assistance. If this is a new certificate request, you can also try deleting the domain and starting again.

### TLS activated but certificate not deployed everywhere

If the domain displays the `Activated` state but the certificate doesn’t appear to be available everywhere, the certificate is likely still in the process of being deployed throughout the Fastly network. While most certificates are fully deployed across Fastly's global network within 60 seconds, in some cases it can take up to an hour. Be sure to allow up to an hour in this state before contacting [support](https://support.fastly.com) for assistance.

### Subscriptions listed as failed

A subscription displays the `Failed` state if it is a new subscription and fails to issue a certificate for seven days or an existing subscription that fails to renew a certificate for seven days beyond its expiration date. You will also receive an email notification about failed subscriptions.

Subscriptions typically fail if you are not [pointing traffic to Fastly](#pointing-dns-to-serve-https-traffic) or if you don't have proper [DNS records](/guides/getting-started/domains/working-with-domains/working-with-cname-records-and-your-dns-provider) in place. GlobalSign subscriptions specifically may fail if the domain hasn't resolved globally, meaning it's not accessible from anywhere in the world. Use a tool like [DNS Checker](https://dnschecker.org/) to ensure your domain is propagated globally.

Once you resolve these issues, you can try to re-issue the subscription using the steps below:

1. Log in to the Fastly web interface.
1. Go to **Domains** > **TLS management** > [**Subscriptions**](https://manage.fastly.com/network/subscriptions).
1. Click **View subscription details** for the failed subscription.
1. Click **Retry now**.

After you retry a failed subscription, we will try to issue or renew the associated certificate for a 24-hour period. If we still cannot obtain a certificate after 24 hours, the subscription will again be marked as failed.

## Pointing DNS to serve HTTPS traffic

To serve secure traffic via HTTPS once the certificate is deployed, follow these steps.

1. Ensure that the domains you've added via the TLS domains interface have been [added to a properly configured Fastly service](/guides/getting-started/domains/working-with-domains/working-with-domains).
1. Configure your DNS records to point traffic at the newly created certificate’s IP addresses. If you used the HTTP challenge method to verify domain ownership, you’re already pointing traffic at the certificate. All DNS details (CNAME, A records, and optionally AAAA records) can be found by clicking **See DNS details** to view the TLS configuration associated with the domain.

   For an apex domain (e.g., `example.com`), you'll need to [create an A record](/guides/full-site-delivery/domains-and-origins/using-fastly-with-apex-domains) with your DNS provider. For subdomains and wildcard domains (e.g, `www.example.com` or `*.example.com`), you'll need to [create a relevant CNAME record](/guides/getting-started/domains/working-with-domains/working-with-cname-records-and-your-dns-provider).

Your domains and certificates can be set to use one or more TLS configurations. For more information, refer to the details on [managing DNS and TLS configurations](/guides/getting-started/domains/securing-domains/setting-up-tls-with-your-own-certificates#applying-a-tls-configuration-to-a-domain).

> **WARNING:** If you point your DNS away from Fastly after the initial setup, we will be unable to terminate TLS on your behalf and will also be unable to renew your certificate, which will then lapse at the end of its validity period (see [Certificate management and renewals](#certificate-management-and-renewals)).

## Managing TLS subscriptions

You can use the Subscriptions page to manage your TLS subscriptions and take actions such as:

* [adding or removing domains](#managing-domains-on-tls-subscriptions)
* [changing the domain common name](#managing-domains-on-tls-subscriptions)
* [migrating to Certainly, Fastly's certification authority](#migrating-to-certainly)
* [deactivating TLS](#deactivating-tls-and-deleting-a-tls-domain)

### Managing domains on TLS subscriptions

To manage the domains on your TLS subscriptions, such as to add or remove domains or to change the domain common name, follow these steps:

1. Log in to the Fastly web interface.
1. Go to **Domains** > **TLS management** > [**Subscriptions**](https://manage.fastly.com/network/subscriptions).
1. Click **View subscription details** for the subscription you want to make changes to.

   ![the view subscription details link shown at the bottom of a subscription card](/img/tls-view-subscription-details-link.png)

1. Click **Manage Subscription**.

   > **HINT:** You can only manage a subscription in `Pending`, `Issued`, and `Renewing` states.

1. From the Manage Subscription details page, you can do the following:

   ![the manage subscription details page](/img/tls-manage-subscription-details.png)

   * __Add new domains:__ In the **Domain** field, enter one or more apex domains (e.g., `example.com`), subdomains (e.g., `www.example.com` or `api.example.com`), or a wildcard domain (e.g., `*.example.com`) and click **Add**. Separate multiple domains with a comma.
   * __Remove existing domains:__ Click the trash <span class="inline-icons"><img src="/img/icons/trash.png" alt="Trash icon" /></span> in the **Actions** column on the same line as the domain you want to delete. Follow the instructions in the confirmation window to complete the deletion.
   * __Change the subscription common name:__ From the **Common name** menu, select the domain used to represent this subscription.
1. After making any changes to the subscription, click **Submit**. A message appears asking to confirm your changes.
1. Click **Confirm changes** to submit your changes. To return to the previous screen, click **No, review changes**.

> **IMPORTANT:** If you added a new domain, you must verify ownership of it after confirming the change. See [Verifying domain ownership](#verifying-domain-ownership).

### Migrating to Certainly

If you're using the Let’s Encrypt or GlobalSign certification authorities to secure your domains, you can use the Fastly control panel to migrate to Certainly, Fastly's publicly-trusted certification authority.

> **IMPORTANT:** To migrate from GlobalSign to Certainly, first [contact Fastly Support](https://support.fastly.com).

To migrate to Certainly:

1. Log in to the Fastly web interface.
1. Go to **Domains** > **TLS management** > [**Subscriptions**](https://manage.fastly.com/network/subscriptions).
1. Click **View subscription details** for the subscription you want to make changes to.
1. Click **Migrate to Certainly**.

   ![the migrate to certainly link shown at the top of a subscription card](/img/migrate-to-certainly.png)

1. Confirm that you want to migrate your certificate, then click **Migrate to Certainly**.

After you click migrate, Fastly automatically replaces your certificate with a Certainly certificate and verifies domain ownership without any downtime, continuing to serve your existing certificate until the Certainly one is deployed. If changes to your DNS records prevent Certainly from validating your domain and Fastly can't verify ownership automatically, a notice will appear with the changes you need to make to your DNS records.

### Deactivating TLS and deleting a TLS domain

> **WARNING:** If you set up a Fastly-managed TLS certificate as part of domain validation for the [System for Cross-domain Identity Management (SCIM)](/guides/account-info/user-and-account-management/automating-user-management/#prerequisites), you can delete the TLS certificate after proving ownership, but the domain must remain in your account.

Once a domain has TLS activated, you have the option to deactivate TLS via the **Deactivate TLS** button listed on each domain card on the TLS domains page. If a domain has multiple certificates, you can elect to deactivate a specific certificate by clicking **Add/Edit Activations** and clicking the **Deactivate** button next to any active configurations. If all certificates are deactivated, Fastly will no longer serve TLS traffic on the selected domain and it will become disabled. Fastly will attempt to renew a certificate for a disabled domain. To prevent this renewal process, delete the associated subscription after you disable it. Fastly will not renew certificates for deleted subscriptions.

## Certificate management and renewals

Each certification authority has a separate verification and renewal time frame that Fastly follows when managing your certificates:

* __Certainly renewals.__ Certainly issues certificates that are valid for 30 days. Fastly will attempt to re-verify your domain and renew your certificate after 20 days. However, if your DNS records no longer point at Fastly or if a CAA record blocks Certainly, the certificate will lapse at the end of the 30-day period.

* __Let's Encrypt renewals.__ Let’s Encrypt issues certificates that are valid for 64 days. Fastly will attempt to re-verify your domain and renew your certificate after 54 days. However, if DNS records no longer point at Fastly or if a CAA record blocks Let's Encrypt, the certificate will lapse at the end of the 64-day period.

* __GlobalSign renewals.__ GlobalSign issues certificates that are valid for 198 days. Fastly will attempt to re-verify your domain and renew your certificate after 143 days. However, if DNS records no longer point at Fastly, or if a CAA record blocks GlobalSign, the certificate will lapse at the end of the 198-day period. Certificates provided by GlobalSign are subject to the terms of GlobalSign's Subscriber Agreement, which can be found at https://www.globalsign.com/repository.

Fastly automatically runs a DNS check for certificate renewals within the following timeframes:

* **Certainly:** 10 days before certificates are due to expire
* **Let's Encrypt:** 10 days before certificates are due to expire
* **GlobalSign:** 45 days before certificates are due to expire

If a DNS check indicates that a renewal is failing, Fastly will automatically email all account users with TLS management permissions, notifying them of the upcoming expiration. If the renewal continues to fail, Fastly will continue to email users on the account on a schedule up until the expiry date.

Renewal repeats domain verification, so the DNS records used for the original challenge must stay in place. If you have the correct DNS records for verifying domain ownership and there is [no blocking CAA record](#domains-stuck-in-the-checking-domain-dns-records-state), but you are still receiving renewal failure emails, [contact support](https://support.fastly.com) for assistance.


## Related content

* [TLS quick start](/guides/getting-started/domains/securing-domains/tls-quick-start)
* [Enabling HSTS through Fastly](/guides/full-site-delivery/domains-and-origins/forcing-an-https-redirect)
* [TLS Subscriptions API documentation](/reference/api/tls/subs/)
