Secure Delivery

Use HTTPS to securely deliver content from an edge server to the end user.

Note: The following protocols are supported by the edge servers: TLS1.0, TLS1.1, TLS1.2. SSLv2, SSLv3, and RC4 (refer to RFC7465) are not supported.

Certificates for Origin Servers

If you use a virtual server or a load balancer as your origin server, you must provide a certificate that links with the certificates shown in the table below.

Table 1. List of Server Certificates That Can Be Used with an Origin Server for Access via HTTPS
Common Name Expiry Date SHA-1 Fingerprint
AddTrust External CA Root May 30 2020 02faf3e291435468607857694df5e45b68851868
AffirmTrust Commercial December 31 2030 f9b5b632455f9cbeec575f80dce96e2cc7b278b7
AffirmTrust Networking December 31 2030 293621028b20ed02f566c532d1d6ed909f45002f
AffirmTrust Networking May 29 2029 5f3b8cf2f810b37d78b4ceec1919c37334b9c774
AffirmTrust Premium December 31 2040 d8a6332ce0036fb185f6634f7d6a066526322827
AffirmTrust Premium September 30 2023 36b12b49f9819ed74c9ebc380fc6568f5dacb2f7
America Online Root Certification Authority 2 September 29 2037 85b5ff679b0c79961fc86e4422004613db179284
Baltimore CyberTrust Root May 13 2025 d4de20d05e66fc53fe1a50882c78db2852cae474
Certum CA June 11 2027 6252dc40f71143a22fde9ef7348e064251b18118
Class 2 Primary CA July 7 2019 74207441729cdd92ec7931d823108dc28192e2bb
COMODO Certification Authority January 1 2030 6631bf9ef74f9eb6c9d5a60cba6abed1f7bdef7b
Cybertrust Global Root December 15 2021 5f43e5b1bff8788cac1cc7ca4a9ac6222bcc34c6
DigiCert Assured ID Root CA November 10 2031 0563b8630d62d75abbc8ab1e4bdfb5a899b24d43
DigiCert Global Root CA November 10 2031 a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
DigiCert High Assurance EV Root CA November 10 2031 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
DST Root CA X3 September 30 2021 dac9024f54d8f6df94935fb1732638ca6ad77c13
Entrust Root Certification Authority November 28 2026 b31eb1b740e36c8402dadc37d44df5d4674952f9 Certification Authority (2048) July 24 2029 503006091d97d4f5ae39f7cbe7927d7d652d3431
GeoTrust Global CA May 21 2022 de28f4a4ffe5b92fa3c503d1a349a7f9962a8212
GeoTrust Primary Certification Authority July 17 2036 323c118e1bf7b8b65254e2e2100dd6029037f096
GeoTrust Primary Certification Authority - G3 December 2 2037 039eedb80be7a03c6953893b20d2d9323a4c2afd
Global Chambersign Root October 1 2037 339b6b1450249b557a01877284d9e02fc3d2d8e9
GlobalSign December 15 2021 75e0abb6138512271c04f85fddde38e4b7242efe
GlobalSign March 18 2029 d69b561148f01c77c54578c10926df5b856976ad
GlobalSign Root CA January 28 2028 b1bc968bd4f49d622aa89a81f2150152a41d829c
Go Daddy Root Certificate Authority - G2 January 1 2038 47beabc922eae80e78783462a79f45c254fde68b
Network Solutions Certificate Authority January 1 2030 74f8a3c3efe7b390064b83903c21646020e5dfce
QuoVadis Root CA 2 November 25 2031 ca3afbcf1240364b44b216208880483919937cf7
QuoVadis Root CA 2 June 30 2034 2796bae63f1801e277261ba0d77770028f20eee4
QuoVadis Root CA 3 November 25 2031 1f4914f7d874951dddae02c0befd3a2d82755185
QuoVadis Root Certification Authority March 18 2021 de3f40bd5093d39b6c60f6dabc076201008976c9
SecureTrust CA January 1 2030 8782c6c304353bcfd29692d2593e7d44d934ff11
StartCom Certification Authority September 18 2036 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f
SwissSign Gold CA - G2 October 25 2036 d8c5388ab7301b1b6ed47ae645253a6f9f1a2761
SwissSign Silver CA - G2 October 25 2036 9baae59f56ee21cb435abe2593dfa7f040d11dcb
SwissSign Silver CA - G2 June 6 2037 feb8c432dcf9769aceae3dd8908ffd288665647d
TC TrustCenter Class 2 CA II January 1 2026 ae5083ed7cf45cbc8f61c621fe685d794221156e
thawte Primary Root CA July 17 2036 91c6d6ee3e8ac86384e548c299295c756c817b81
thawte Primary Root CA - G3 December 2 2037 f18b538d1be903b6a6f056435b171589caf36bf2
UTN - DATACorp SGC June 25 2019 58119f0e128287ea50fdd987456f4f78dcfad6d4
UTN-USERFirst-Hardware July 10 2019 0483ed3399ac3608058722edbc5e4600e3bef9d7
VeriSign Class 3 Public Primary Certification Authority - G3 July 17 2036 132d0d45534b6997cdb2d5c339e25576609b5cc6
VeriSign Class 3 Public Primary Certification Authority - G5 July 17 2036 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5
VeriSign Class 4 Public Primary Certification Authority - G3 July 17 2036 c8ec8c879269cb4bab39e98d7e5767f31495739d
VeriSign Universal Root Certification Authority December 2 2037 3679ca35668772304d30a5fb873b0fa77bb70d54
  • Self-signed certificates created by the user are not supported.
  • An unlimited license is not required.
  • If you already have the certificate for a domain name that will be used on an application (example:, it can be used as the certificate for the origin server. If you do not have a certificate, prepare one for only the origin server (example:

When Using a Unique Domain

When using a unique domain, it is necessary to register the server certificate on the edge server. It is necessary to apply using an application form. Obtain the "Content Delivery Service Unique Domain Secure Delivery Form" application form from customer service.

  • We apply for the certificate on your behalf, and arrange and manage it on the edge server.

    • It is not possible to use a certificate that you already have.
    • It is not possible to download the private key for your certificate.
    • The certificate is a Subject Alternative Name (SAN) certificate.
    • It is not possible to use wildcard certificates.
    • The TLS Version and Cipher Set are automatically updated.
    • Use is not possible in China and Russia.
    • It is not possible to change a domain name that has been applied for to another domain name.
  • The updating of certificates is performed automatically.

    • The Certificate Authority regularly authenticates domain names.
    • When updating is successful, the limit of the certificate is automatically extended.
    • When update fails due to a reason such as communication not being possible, there is a possibility that the certificate for the relevant domain has expired.
  • It is also necessary to apply using an application form when deleting a certificate. Charges will be incurred for the certificate until the application is processed.
  • The types of certificates are DV (Domain Validated) and SNI (Server Name Indication).
  • A single certificate is shared with other customers. The name of the customer's domain is stored in the DNS Name field of the certificate.
  • Signing is performed by Let's Encrypt.
  • It is usually possible to start use within five working days.
  • As domain validation is performed during authentication, build an accessible origin server in the domain name that will be applied for. At that time, open TCP port 80, and configure redirection as below. As updating will be performed on the edge server side, port 80 can be closed if so desired.

    Table 2. Redirect Settings
    Item Value
    Access destination Under "http://Application_domain/.well-known/acme-challenge/"
    Redirect destination