Support Shared Certificates

Registered by Amit Gandhi

Customers want to be able to serve content from the edge using a secure certificate (https://)

Poppy will offer 3 options to be able to do this:

1. Shared Domain - this is when the user is given an operator owned domain that they must use. e.g. The user will not be able set the domain containing a dot. Validation will need to be updated to enforce this when shared cert is chosen. The access url will be the same as the above domain. The user should not CNAME to this access url.

2. SAN Certificate - this is when the user uses https on their own domain, but the cert itself is shared with many other domains. The user will be able to CNAME their own domain to an operator access_url. e.g. CNAME to

3. Custom Certificate - this is when the user gets a dedicated certificate for the domain they entered.
With Akamai - akamai will provision the certificate - see Akamai Secure Cert Provisioning API [1].
With other providers, they allow the user to upload the certificate. In this case, we should utilize Barbican do generate a cert, and upload to the provider via their API.

The API is defined in apiary to allow the user to specify the type of cert to use. The operator should be able to define which certificate types are offered via the poppy.conf file.

Vendor Provisioning:
[1] Akamai SSL Provisioning API -

Using Barbican to generate and upload:
[2] CloudFront SSL API -
[4] (Shared Domain)

Blueprint information

Amit Gandhi
Tony Tan
Series goal:
Accepted for kilo
Milestone target:
milestone icon kilo-3
Started by
Amit Gandhi
Completed by
Amit Gandhi

Related branches



Gerrit topic:,topic:bp/shared-ssl,n,z

Addressed by:
    add shared_ssl property to domain model

Addressed by:
    Implement Shared SSL domain feature Implements: blueprint shared-ssl

Gerrit topic:,topic:bug/1406579,n,z

Addressed by:
    Add Akamai provider SPS configs Implements blueprint: shared-ssl

Addressed by:
    Add API tests for ssl cert feature

Addressed by:
    Impelment SAN and Custom ssl cert Implments blueprint: shared-ssl

Gerrit topic:,topic:SAN-ssl-cert-background,n,z

Gerrit topic:,topic:Custom-ssl-cert,n,z

Gerrit topic:,topic:manual-ssl,n,z


Work Items

Work items:
Implement Shared SSL : TODO
Implement SAN: TODO
Implement Custom Certificates: TODO
Implement Akamai: TODO
Implement Fastly: TODO
Implement MaxCDN: TODO
Implement CloudFront: TODO

This blueprint contains Public information 
Everyone can see this information.


No subscribers.