---
title: Custom TLS certificates
summary: null
url: https://www.fastly.com/documentation/reference/api/tls/custom-certs
---

Fastly offers an API for uploading and managing your keys and certificates used to enable TLS for your domains on Fastly.

To start, you must generate a new key and certificate with your preferred certification authority. You can then use our endpoints to upload the key, followed by the matching certificate. To terminate TLS for a specific domain, you'll need to enable that domain for a given certificate by creating a protocol policy. Finally, for Fastly to begin terminating TLS, you will need to update the DNS records for the domain using the DNS names returned to you.

We also provide a way for you to replace your certificates when they are nearing expiration. When generating the replacement certificate, you must ensure that its list of SAN entries matches that of the existing certificate. You can then replace the existing certificate with the new certificate.
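A pre-flight check for the SAN-match requirement above, as an added example that is not part of Fastly's documentation or API: it compares the SAN lists of the existing and replacement certificates as printed by `openssl x509 -noout -ext subjectAltName`. The function names and the sample SAN text are constructed for illustration.

```python
import ipaddress

# Constructed sample input, in the format printed by
# `openssl x509 -noout -ext subjectAltName -in cert.pem`.
CURRENT_SANS = """X509v3 Subject Alternative Name:
    DNS:example.com, DNS:www.example.com, DNS:*.example.com
"""
REPLACEMENT_SANS = """X509v3 Subject Alternative Name:
    DNS:Example.com, DNS:www.example.com, DNS:api.example.com
"""


def parse_sans(openssl_text):
    """Return the SAN entries as a set of normalised (type, value) pairs."""
    entries = set()
    for line in openssl_text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("x509v3"):
            continue  # blank line or the extension header
        for item in line.split(","):
            kind, sep, value = item.strip().partition(":")
            if not sep:
                continue  # not a "type:value" entry
            value = value.strip()
            if kind == "IP Address":
                try:
                    value = str(ipaddress.ip_address(value))
                except ValueError:
                    pass  # keep the text as printed
            elif kind == "DNS":
                # DNS names compare case-insensitively; drop a trailing dot.
                value = value.lower().rstrip(".")
            entries.add((kind, value))
    return entries


def compare_sans(current_text, replacement_text):
    """Report entries missing from, or extra in, the replacement certificate."""
    current = parse_sans(current_text)
    replacement = parse_sans(replacement_text)
    return {
        "match": current == replacement,
        "missing": sorted(current - replacement),
        "extra": sorted(replacement - current),
    }


if __name__ == "__main__":
    # A wildcard is not interchangeable with a named host: the sets must be equal.
    print(compare_sans(CURRENT_SANS, REPLACEMENT_SANS))
```

Run it before uploading the replacement; any entry under `missing` or `extra` means the new certificate's SAN list differs from the existing one.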

This API also allows you to delete keys and certificates, list TLS domains for an uploaded certificate, and disable a protocol policy (which will disable TLS termination for that domain).

- [Certificate Signing Requests](https://www.fastly.com/documentation/reference/api/tls/custom-certs/csrs/) - A certificate signing request is needed to obtain a TLS certificate from a Certificate Authority (CA).
- [DNS Records](https://www.fastly.com/documentation/reference/api/tls/custom-certs/dns-records/) - DNS records are the available DNS addresses that can be used to enable TLS for a domain. DNS must be configured for a domain for TLS handshakes to succeed. If enabling TLS on an apex domain (e.g., `example.com`) you must create four A records (or four AAAA records for IPv6 support) using the displayed global A record's IP addresses with your DNS provider. For subdomains and wildcard domains (e.g., `www.example.com` or `*.example.com`) you will need to create a relevant CNAME record.
- [Private Keys](https://www.fastly.com/documentation/reference/api/tls/custom-certs/private-keys/) - A private key is used to sign a certificate. A key can be used to sign multiple certificates.
- [TLS Activations](https://www.fastly.com/documentation/reference/api/tls/custom-certs/activations/) - A TLS activation indicates which certificate is enabled to serve TLS traffic for a domain.
- [TLS Certificates](https://www.fastly.com/documentation/reference/api/tls/custom-certs/certificates/) - A TLS certificate is used to terminate TLS traffic for one or more of your [TLS domains](https://www.fastly.com/documentation/reference/api/tls/custom-certs/domains/).
- [TLS Domains](https://www.fastly.com/documentation/reference/api/tls/custom-certs/domains/) - TLS domains are all the domains (including wildcard domains) included in any [TLS certificate](https://www.fastly.com/documentation/reference/api/tls/custom-certs/certificates/)'s Subject Alternative Names (SAN) list. Included in the response is information about which certificates reference this domain as well as the [TLS activation](https://www.fastly.com/documentation/reference/api/tls/custom-certs/activations/) indicating which certificate is enabled to serve TLS traffic for the domain.
