Custom TLS certificates

Fastly offers an API for uploading and managing your keys and certificates used to enable TLS for your domains on Fastly.

To start, you must generate a new key and certificate with your preferred certification authority. You may then use our endpoints to upload the key and then upload the matching certificate. To terminate TLS for a specific domain, you'll need to enable that domain for a given certificate by creating a protocol policy. Finally, for Fastly to begin terminating TLS, you will need to update the DNS records for the domain with the DNS names returned to you.

We also provide a way for you to replace your certificates when they are nearing expiration. When generating the new certificate, you must ensure that its list of SAN entries matches that of the existing certificate. You can then replace the existing certificate with the new certificate.
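
A local pre-upload check for the two requirements above (the certificate must match the uploaded key, and a replacement must carry the same SAN entries as the certificate it replaces) can look like the following. This is an added example, not Fastly's own tooling. It assumes the OpenSSL 1.1.1+ command line and DNS-type SAN entries only; the function names and sample hostnames are constructed for illustration.

```sh
#!/bin/sh
# Pre-upload checks for a replacement certificate (added example).
# Function names, file paths and hostnames are constructed placeholders.

# Print the certificate's DNS SAN entries, lowercased, one per line, sorted.
san_list() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS://p' |
        tr '[:upper:]' '[:lower:]' | sort -u
}

# Succeed only if both certificates carry exactly the same DNS SAN set.
sans_match() {
    old=$(san_list "$1")
    new=$(san_list "$2")
    [ -n "$old" ] && [ "$old" = "$new" ]
}

# Succeed only if the certificate's public key belongs to the private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed sample input: a throwaway self-signed key and certificate.
# usage: make_sample_cert <key-out> <cert-out> <subjectAltName value>
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample" \
        -keyout "$1" -out "$2" -addext "subjectAltName=$3" 2>/dev/null
}

# usage: preflight <current-cert> <new-key> <new-cert>
preflight() {
    key_matches_cert "$2" "$3" ||
        { echo "key does not match certificate"; return 1; }
    sans_match "$1" "$3" ||
        { echo "SAN entries differ from current certificate"; return 1; }
    echo "ok to upload"
}
```

The comparison ignores SAN order and letter case, so a reissued certificate that lists the same names in a different order still passes.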

This API also allows you to delete keys and certificates, list TLS domains for an uploaded certificate, and disable a protocol policy (which will disable TLS termination for that domain).