- Managing SSL certificates on Akamai is critical for ensuring uninterrupted access to Internet-facing applications.
- This guide covers the Akamai certificate renewal process, SSL pinning, and testing procedures on staging environments.
Topics Covered
- Akamai Certificate Renewal Method — How Akamai CPS automates and manages SSL renewals.
- SSL Pinning: What It Is and Why It’s Required — Understanding its purpose, risks during renewal, and testing procedures.
- Testing on Staging Environment (Web & Mobile) — Validating renewed certificates on Akamai’s staging edge before production rollout.
⚠️ Note: SSL certificate renewal on Akamai affects Internet-facing apps using the wildcard domain *.yourdomainapp.com. Intranet-based apps are not affected.
⚙️ Akamai CPS Fail-Safe Deployment Features
1️⃣ 7-Day Auto Push
If “Always Test on Staging before Deployment” is enabled, CPS automatically promotes the renewed certificate from staging to production 7 days before expiry, ensuring uninterrupted service.
2️⃣ Safety Net
CPS overrides manual holds to prevent expired certificates or DoS risks. For DV Wildcards like *.middlewarebox.com, renewal and activation happen automatically.
3️⃣ Renewal Timing
Auto-renewal starts 30 days before expiry, and the 7-day fail-safe window ensures timely production rollout even if manual steps are delayed.
Impacted Applications (may see a temporary SSL-handshake or connectivity issue)
- Mobile Applications – Android and iOS apps using HTTPS or certificate SHA256 pinning for API communication with *.yourdomain.com.
- Web-Based Applications – Internet-facing portals, dashboards, or web services behind Akamai using the same domain.
- API Endpoints / Partner Integrations – Public or partner-facing APIs secured via *.yourdomain.com, often validating SSL through public key pinning.
✅ Note: Internal or intranet-only apps remain unaffected.
SSL Certificate Pinning – Why It Matters
- SSL Pinning ensures client apps (especially mobile apps) trust only a specific SSL certificate or public key, not just any CA-signed certificate.
- This protects against Man-in-the-Middle (MITM) attacks, even if a CA is compromised.
⚠️ Important: During renewal, the public key or hash fingerprint may change. If your app uses certificate pinning, old pins will cause SSL handshake failures until updated with the new certificate.
-------------------------------------------------------------------------------------------------------
Extracting Public Key & Certificate Hash for Pinning
Step 1: Obtain the new SSL certificate (as deployed on the staging environment) from the Akamai team.
Step 2: Extract the SHA-256 public-key (SPKI) pin:
Command:
openssl x509 -in certificate.cer -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
Example Output:
Aq7AoU/d/6jl4LBYRNpR4BrssWrtkgu7jTnp95Ibrsc=
Note:
- This SSL pinning value (SHA-256 hash) should be updated in your mobile applications (Android/iOS) to ensure successful HTTPS communication after certificate renewal.
- Failing to update this pin may result in SSL handshake errors or connection failures when the new certificate goes live in production.
Step 3: Get the full certificate fingerprint (SHA-256 of the DER-encoded certificate):
Command:
openssl x509 -in certificate.cer -outform DER | openssl dgst -sha256 -binary | openssl enc -base64
Example Output:
4BmfNA+XSJnIoSizRiRT/d3AqW27pBROTPUMxFbpEfM=
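The two openssl pipelines above hash different things: Step 2 hashes only the SubjectPublicKeyInfo (SPKI), so that pin survives a reissue that keeps the same key and changes only when the key rotates, while Step 3 hashes the whole DER certificate and changes on every renewal. The following Python script is an added example, not part of the original post: it computes both values with the standard library only (a minimal DER walk stands in for `openssl x509 -pubkey`) and shows why a client must ship the new SPKI pin alongside the old one before the renewed certificate reaches production. The certificates it builds (`make_cert`, `OLD_KEY`, `NEW_KEY`) are constructed, unsigned X.509-shaped blobs so it runs offline; pass the DER bytes of the real .cer from staging to `spki_pin()` and `cert_fingerprint()` to reproduce the Step 2 and Step 3 outputs.

```python
"""SPKI pin and certificate fingerprint, computed like the openssl pipelines.

Added example (not from the original post). The certificate bytes below are
constructed, unsigned X.509-shaped structures so the script runs offline;
feed real DER bytes from the staging .cer to spki_pin()/cert_fingerprint().
"""
import base64
import hashlib


# ---- minimal DER encode/decode helpers (written for this example) ----------
def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    """Wrap content in one DER TLV."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, content, offset after the TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def spki_der(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV of a DER certificate.

    Certificate ::= SEQ { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQ { [0] version OPTIONAL, serialNumber, signature,
                             issuer, validity, subject, subjectPublicKeyInfo, ... }
    This TLV is what `openssl x509 -pubkey` exports and what Step 2 hashes.
    """
    _, cert, _ = read_tlv(cert_der, 0)          # outer Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)               # tbsCertificate SEQUENCE
    pos = 0
    tag, _, end = read_tlv(tbs, pos)
    if tag == 0xA0:                             # skip optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                          # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)              # subjectPublicKeyInfo
    return tbs[pos:end]


def spki_pin(cert_der: bytes) -> str:
    """base64(SHA-256(SPKI)): the public-key pin (Step 2 output)."""
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()


def cert_fingerprint(cert_der: bytes) -> str:
    """base64(SHA-256(whole DER cert)): the certificate fingerprint (Step 3 output)."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()


def pin_accepted(cert_der: bytes, pinned: set) -> bool:
    """What a pinning client does: accept only if the server's SPKI pin is in its set."""
    return spki_pin(cert_der) in pinned


# ---- constructed test certificates (NOT real certificates, not signed) ------
OLD_KEY = b"\x01" * 32   # stand-in for the current public key bits
NEW_KEY = b"\x02" * 32   # stand-in for the rotated public key bits


def make_cert(serial: int, key_bits: bytes) -> bytes:
    """Build an unsigned, X.509-shaped DER blob with the given serial and key."""
    rsa_oid = der(0x06, bytes.fromhex("2A864886F70D010101"))       # rsaEncryption OID
    alg = der(0x30, rsa_oid + der(0x05, b""))                       # AlgorithmIdentifier
    spki = der(0x30, alg + der(0x03, b"\x00" + key_bits))           # SubjectPublicKeyInfo
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"260101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                   # [0] version v3
                  + der(0x02, bytes([serial]))                     # serialNumber (< 128)
                  + alg + der(0x30, b"") + validity + der(0x30, b"") + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))            # dummy signature


def rotation_demo() -> dict:
    """Pin behaviour across a reissue that keeps the key and a renewal that rotates it."""
    current = make_cert(1, OLD_KEY)
    reissued_same_key = make_cert(2, OLD_KEY)
    renewed_new_key = make_cert(3, NEW_KEY)
    old_pins = {spki_pin(current)}
    old_plus_backup = old_pins | {spki_pin(renewed_new_key)}   # new pin shipped before cutover
    return {
        "same_key_still_accepted": pin_accepted(reissued_same_key, old_pins),
        "new_key_rejected_by_old_pins": not pin_accepted(renewed_new_key, old_pins),
        "new_key_accepted_with_backup_pin": pin_accepted(renewed_new_key, old_plus_backup),
        "fingerprint_changes_on_reissue": cert_fingerprint(current) != cert_fingerprint(reissued_same_key),
    }


if __name__ == "__main__":
    for name, ok in rotation_demo().items():
        print(f"{name}: {ok}")
```

The takeaway for the mobile teams is the third result: a client whose pin set already contains the renewed key's SPKI pin keeps working through the cutover, whereas one that only pins the old key fails the handshake the moment the new certificate goes live, which is exactly the failure the Note above warns about.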
-------------------------------------------------------------------------------------------------------
Testing the New SSL Certificate from Staging:
Ask the Akamai team to push the new SSL certificate to the staging environment.
1️⃣ Web-Based Applications:
Step 1: Perform a DNS lookup for the staging hostname:
[applicationname].middlewarebox.com.edgekey.staging.net
Output Example:
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Addresses: 2600:1f18:4ae:c608:83f8:2f9c:4a61:7b6a
54.165.131.183
52.44.244.98
Aliases: middlewarebox.com.edgekey.staging.net
Step 2: Edit the hosts file on your laptop ("C:\Windows\System32\drivers\etc\hosts") and map the domain to one of the staging IPs from Step 1:
52.44.244.98 middlewarebox.com
Step 4: Validate staging certificate in browser (use Incognito mode) via:
2️⃣ Mobile Applications:
Step 1: Perform the same DNS lookup as above.
Step 2: Update the hosts file with the staging IP, as above.
Step 3: Enable Windows Mobile Hotspot: run the command below, or on a Windows PC open Settings, then Mobile Hotspot.
Step 4: Connect your iOS/Android device to the hotspot.
Step 5: Open the mobile app (ensure mobile Internet is disabled) and log in to validate the new SSL certificate.
To test in production, test via a browser or SSL Labs:
- Use https://www.ssllabs.com/ssltest/ and add the URLs.
- Verify: public-key SSL pinning, certificate chain validity, expiry date, TLS protocol and cipher compatibility.
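A scripted version of the staging check, as an added example that is not part of the original post: instead of editing the hosts file, it opens a TLS connection straight to one of the staging edge IPs from Step 1 while sending the production hostname as SNI, which is what the hosts-file change makes the browser do. It then validates the chain and hostname against the system trust store, compares the served certificate's SHA-256 fingerprint with the Step 3 value the Akamai team provided, confirms the SAN covers the wildcard domain, and checks that more than the 7-day fail-safe window remains before expiry. `STAGING_IP`, `HOSTNAME` and `EXPECTED_FINGERPRINT` are placeholders to fill in; the evaluation functions are kept separate from the network call so they can be exercised offline.

```python
"""Check the certificate an Akamai staging edge serves for a production hostname.

Added example (not from the original post). Fill in the three placeholders
below; the evaluation logic is network-free so it can be unit-tested.
"""
import base64
import hashlib
import socket
import ssl
import time

STAGING_IP = "203.0.113.10"                         # placeholder: an IP from the Step 1 lookup
HOSTNAME = "app.yourdomain.com"                     # placeholder: production hostname (sent as SNI)
EXPECTED_FINGERPRINT = "REPLACE_WITH_STEP3_OUTPUT="  # placeholder: base64 SHA-256 of the new .cer
FAILSAFE_DAYS = 7                                   # CPS promotes staging -> production 7 days before expiry


def epoch(cert_time: str) -> int:
    """Parse the 'notAfter' format getpeercert() returns, e.g. 'Jan  1 00:00:00 2030 GMT'."""
    return int(ssl.cert_time_to_seconds(cert_time))


def days_until(not_after: str, now: int = None) -> int:
    """Whole days left before the certificate expires."""
    now = int(time.time()) if now is None else now
    return (epoch(not_after) - now) // 86400


def san_covers(san, host: str) -> bool:
    """True if a DNS SAN entry matches host; '*.' matches exactly one left-most label."""
    host = host.lower()
    for kind, name in san:
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def evaluate(fingerprint: str, not_after: str, san, host: str,
             expected_fp: str = EXPECTED_FINGERPRINT, now: int = None) -> list:
    """Return the list of failed checks (an empty list means the staging cert is good to go)."""
    failures = []
    if fingerprint != expected_fp:
        failures.append(f"fingerprint {fingerprint} != expected {expected_fp}")
    if not san_covers(san, host):
        failures.append(f"SAN {san} does not cover {host}")
    left = days_until(not_after, now)
    if left <= FAILSAFE_DAYS:
        failures.append(f"only {left} days left before expiry ({not_after})")
    return failures


def fetch(staging_ip: str, host: str, port: int = 443) -> dict:
    """TLS-connect to the staging IP with SNI=host; the chain and hostname are
    verified against the system trust store, as a browser would do."""
    ctx = ssl.create_default_context()
    with socket.create_connection((staging_ip, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
            return {
                "fingerprint": base64.b64encode(hashlib.sha256(der).digest()).decode(),
                "not_after": info["notAfter"],
                "san": info.get("subjectAltName", ()),
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
            }


def check_staging(staging_ip: str = STAGING_IP, host: str = HOSTNAME) -> list:
    """Fetch the staging certificate and return the list of failed checks."""
    served = fetch(staging_ip, host)
    print(f"{host} via {staging_ip}: {served['tls_version']} {served['cipher']}, "
          f"expires {served['not_after']}")
    return evaluate(served["fingerprint"], served["not_after"], served["san"], host)


if __name__ == "__main__":
    problems = check_staging()
    print("OK: staging certificate matches" if not problems else "\n".join(problems))
```

Running it against each staging IP from the Step 1 lookup gives the same evidence as the hosts-file test, with the fingerprint comparison replacing a visual check in the browser; the printed TLS version and cipher cover the last item in the list above.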
Flow Chart:
Akamai Auto-Renewal → Staging Deployment → Extract New Certificate Pins → Test Web[hosts file change for local] & Mobile Apps [Pinning Code Deploy] → Production Deployment
ProTip: "Renewal is automated, but testing is manual - don't skip validation! This ensures true zero-downtime for ALL your applications."