Platform TLS

WARNING: This information is part of a limited availability release. Portions of this API may be subject to changes and improvements over time. Fields marked deprecated may be removed in the future and their use is discouraged. For more information, see our product and feature lifecycle descriptions.

The Platform TLS Certificate Deployment Service is available to subscribers who have purchased the service.

Available to Platform TLS customers, these endpoints streamline the upload, deployment and management of large numbers of TLS certificates. A certificate is used to terminate TLS traffic for one or more of your fully qualified domain names (domains). Uploading a new certificate automatically enables TLS for all domains listed as Subject Alternative Names (SAN entries) on the certificate.

Data model

cert_blobStringThe PEM-formatted certificate blob. Required. Write Only.
created_atStringTime-stamp (GMT) when the certificate was created. Read Only.
intermediates_blobStringThe PEM-formatted chain of intermediate blobs. Required. Write Only.
not_afterStringTime-stamp (GMT) when the certificate will expire. Must be in the future to be used to terminate TLS traffic. Read Only.
not_beforeStringTime-stamp (GMT) when the certificate will become valid. Must be in the past to be used to terminate TLS traffic. Read Only.
replaceBooleanA recommendation from Fastly indicating the key associated with this certificate is in need of rotation. Read Only.
updated_atStringTime-stamp (GMT) when the certificate was last updated. Read Only.
tls_configurations.idStringThe identifiers for the dedicated IP address pool that will be used to route traffic from the domain. Required.
tls_domainsArrayAll the domains (including wildcard domains) that are listed in any certificate's Subject Alternative Names (SAN) list. Read Only.


List certificates


Get a certificate


Upload a certificate


Update a certificate


Delete a certificate


Limitations & conditions

The Platform TLS Certificate Deployment Service has the following general limitations:

  • This service is not available for private CDN deployments.
  • To take advantage of this service, you must procure your own certificates from the certification authority (CA) of your choice. Fastly will not procure certificates on your behalf.

In addition, certificates are deployed using the Platform TLS Certificate Service with the following conditions:

  • Certificates hosted using SNI will only be served to browsers that support SNI. Browsers that do not support SNI will not receive the correct certificate for the domain requested.
  • The certificate deployment process takes an average of approximately 20 minutes to complete once a certificate is submitted, but may take as long as an hour.
  • Fastly will automatically choose the certificate delivered for a given request based on the host requested.
  • The certificate with the most specific hostname will be prioritized over certificates with less specific hostnames. For example, on a request for, Fastly will prioritize a certificate with a SAN entry for over a different certificate with a SAN entry for *
  • If an identical hostname appears on more than one certificate, then the most recently uploaded certificate will be used. We recommend that you manage certificates such that hostnames remain unique for them.

User contributed notes

We welcome comments that add use cases, ideas, tips, and caveats. All comments will be moderated before publication. To post support questions, visit our support center and we'll find you the help you need.