# Configuring TLS certificates for HTTPS connections between clients and the CDN

To enable clients to request files over HTTPS (e.g., if you use a URI with the `https` scheme or have enabled redirection from HTTP to HTTPS in the [CDN resource](resource.md) settings), you need to configure a TLS certificate for the [domain name used to distribute content](resource.md#hostnames) specified in the resource.

Certificates from [Yandex Certificate Manager](../../certificate-manager/index.md) are supported. You can [issue a new Let's Encrypt® certificate](../../certificate-manager/operations/managed/cert-create.md) or [upload one of your own](../../certificate-manager/operations/import/cert-create.md).

The certificate must be located in the same [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) as your CDN resource.

The certificate is configured when creating a resource. You can change it afterwards together with other basic resource settings. For more information, see these guides:

* [Creating a resource](../operations/resources/create-resource.md)
* [Updating the basic settings of a resource](../operations/resources/configure-basics.md)

## TLS profiles {#tls-profiles}

Cloud CDN supports TLS 1.0 and higher for client connections.

For added CDN resource security, configure a dedicated profile to restrict the allowed TLS versions.

Supported security profiles:
* `PROFILE_STRICT`: Only TLS 1.3-compatible ciphers.

    {% note info %}

    All TLS 1.3 ciphers are considered secure.

    {% endnote %}

* `PROFILE_SECURE`: Ciphers compatible with TLS 1.2+ that support PFS (Perfect Forward Secrecy) and AEAD (Authenticated Encryption with Associated Data).
* `PROFILE_COMPATIBLE`: Ciphers compatible with TLS 1.2+ that have no known critical vulnerabilities.

    This profile is used by default.
* `PROFILE_LEGACY`: Ciphers compatible with TLS 1.0+ that have no known critical vulnerabilities.

You can set the TLS profile via the API when [creating](../operations/resources/create-resource.md) or [updating](../operations/resources/configure-basics.md) a CDN resource. For more information, see [Configuring a TLS profile for a CDN resource](../operations/resources/configure-tls-profile.md).
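
After applying a profile, you can confirm from the client side that the endpoint behaves as the profile list above describes. The following check is an added example, not code from Yandex Cloud: it offers one TLS version at a time and flags anything negotiated below the profile's minimum or, for `PROFILE_SECURE`, without PFS and AEAD. The helper names, the classification by OpenSSL cipher name, and the `cdn.example.com` placeholder are assumptions; the "no known critical vulnerabilities" criterion is not checked.

```python
import socket
import ssl

# Minimum protocol per profile, as stated in the profile list above.
PROFILE_MIN_VERSION = {
    "PROFILE_STRICT": ssl.TLSVersion.TLSv1_3,
    "PROFILE_SECURE": ssl.TLSVersion.TLSv1_2,
    "PROFILE_COMPATIBLE": ssl.TLSVersion.TLSv1_2,
    "PROFILE_LEGACY": ssl.TLSVersion.TLSv1,
}
ALL_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)

def has_pfs_and_aead(version, cipher):
    """Assumption: classify by OpenSSL cipher name, as returned by SSLSocket.cipher()."""
    aead = any(mark in cipher for mark in ("GCM", "CCM", "CHACHA20"))
    if version == "TLSv1.3":  # TLS 1.3 key exchange is always ephemeral
        return aead
    return aead and cipher.startswith(("ECDHE-", "DHE-"))

def violations(profile, version, cipher):
    """Check one negotiated (version, cipher) pair against a profile."""
    found = []
    if ssl.TLSVersion[version.replace(".", "_")] < PROFILE_MIN_VERSION[profile]:
        found.append(f"{version} accepted, below the {profile} minimum")
    if profile == "PROFILE_SECURE" and not has_pfs_and_aead(version, cipher):
        found.append(f"{cipher} lacks PFS or AEAD")
    return found

def probe(host, version, port=443, timeout=5.0):
    """Offer exactly one TLS version; return (version, cipher) or None if refused.
    None for TLS 1.0/1.1 can also mean the local OpenSSL build refuses them."""
    try:
        ctx = ssl.create_default_context()
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (OSError, ValueError):  # handshake refused, no route, or version unsupported locally
        return None

def audit(host, profile):
    """Probe every protocol version and collect profile violations."""
    results = (probe(host, v) for v in ALL_VERSIONS)
    return [msg for r in results if r for msg in violations(profile, *r)]

if __name__ == "__main__":
    # cdn.example.com is a placeholder for your own CDN resource domain name.
    print(audit("cdn.example.com", "PROFILE_SECURE") or "no violations found")
```

Each probe sees only the cipher the server selects for this client's offer, so an empty result shows that the observed handshakes comply, not that every cipher the server would accept does.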


## Domain rights check {#domain-name-challenge}

If you [issued a Let's Encrypt certificate in Certificate Manager](../../certificate-manager/concepts/managed-certificate.md) and use it in a CDN resource, you need to pass the [domain rights check](../../certificate-manager/concepts/challenges.md). Cloud CDN only supports the `DNS` type domain rights check using a `TXT` or `CNAME` DNS record. The CDN load balancer will return the `404` status code in response to file requests over paths formatted as `/.well-known/acme-challenge/<file_name>` that are used for `HTTP` domain rights checks.

If you use a certificate of your own uploaded to Certificate Manager in a CDN resource, no domain rights check is required.


## Use cases {#examples}

* [Migrating to Yandex Cloud CDN from a third-party CDN provider](../tutorials/migrate-to-yc-cdn.md)
* [Providing secure access to content in Cloud CDN](../tutorials/protected-access-to-content/index.md)