---
title: TLS
summary: null
url: https://www.fastly.com/documentation/reference/api/tls
---

These APIs control the means by which TLS certificates are provisioned for your services. Refer to our [TLS service options](https://docs.fastly.com/products/tls-service-options) for more details on the product choices available and the benefits of each.

- [Bulk Certificates](https://www.fastly.com/documentation/reference/api/tls/platform/) - Available to Platform TLS customers, these endpoints streamline the upload, deployment and management of large numbers of TLS certificates. A certificate is used to terminate TLS traffic for one or more of your fully qualified domain names (domains). Uploading a new certificate automatically enables TLS for all domains listed as Subject Alternative Names (SAN entries) on the certificate.
- [Custom TLS certificates](https://www.fastly.com/documentation/reference/api/tls/custom-certs/)
- [Mutual TLS](https://www.fastly.com/documentation/reference/api/tls/mutual-tls/)
- [TLS Configuration](https://www.fastly.com/documentation/reference/api/tls/configuration/) - Customers with access to multiple sets of IP pools are able to apply different configuration options to their TLS enabled domains.
- [TLS Subscriptions](https://www.fastly.com/documentation/reference/api/tls/subs/) - The TLS subscriptions API allows you to programmatically generate TLS certificates that are procured and renewed by Fastly. Once a subscription is created for a given hostname or wildcard domain, DNS records are checked to ensure that the domain on the subscription is owned by the subscription creator. Provided DNS records are maintained, TLS certificates will automatically renew. If Fastly is unable to issue a certificate, we will retry to issue the certificate for 7 days past subscription creation or the latest certificate's not_after date, whichever is later. If after 7 days Fastly is unable to issue a certificate, the subscription state will change to <code>failed</code> and Fastly will stop retrying.