Experimenting with Self-Managed TLS (BYOC) and PQC / self-signed certs – does this incur any cost?

Hi all,

I’m experimenting with Fastly’s TLS options and I’d like to clarify the cost and support boundaries around Self-Managed TLS (custom certificates / BYOC).

My current setup:

  • Domain is registered and hosted elsewhere (Hostinger: DNS + origin).

  • I’ve added the same domain as a TLS domain in Fastly.

  • I’ve successfully requested a Fastly-managed TLS certificate (Certainly).

  • Next I want to try uploading my own certificate and key using Self-Managed TLS, mainly for learning and lab usage.

Questions about cost

  1. Does enabling Self-Managed TLS for a domain incur any extra cost compared to using Fastly-managed TLS (Certainly/Let’s Encrypt), as long as I stay within:

    • the included/free TLS domain allowance, and

    • normal free-tier bandwidth / request limits?

  2. Is there any per-certificate, per-key, or per-TLS-subscription fee when I upload my own cert, or is pricing purely based on:

    • number of TLS domains, and

    • regular traffic usage?

  3. Are there any lab/test “gotchas” (for example switching a domain between managed TLS and Self-Managed TLS, or creating multiple test certs for the same domain) that could unexpectedly generate charges?

PQC / self-signed experiments

I’m also interested in post-quantum cryptography (PQC) experiments:

  • I understand from the docs that self-signed certificates are not supported for public edge TLS, and that certificates must be issued by a trusted public CA.

  • However, for lab-only experiments, I’d like to play with self-signed or PQC / hybrid certificates (for example, just to see how Fastly’s APIs and configuration behave, even if this isn’t supported for production traffic).

So a few more questions:

  1. Is it allowed/supported to upload self-signed certificates via Self-Managed TLS purely for experimentation, or will Fastly/Certainly reject those at upload/activation time?

  2. If self-signed or experimental PQC/hybrid certificates are rejected at the product level, is there any recommended way to experiment with PQC on Fastly today (for example, restricted to origin TLS only rather than edge TLS)?

  3. Do any of these PQC / self-signed experiments have billing implications, or is it still just governed by the usual domain and traffic pricing?

I’m basically trying to confirm that I can safely:

  • experiment with Self-Managed TLS, and

  • explore PQC-style certificates in a small lab setup,

without running into unexpected costs or relying on an unsupported configuration.

Any clarification or links to the most up-to-date docs would be greatly appreciated. 🙏

Thanks!

In general we do not have much in the way of public documentation related to pricing and costs for specific resources, so unfortunately most of these questions will need to be directed to our sales team.

For some of the features you are asking about, the API will not allow you to use them at all unless your account has a feature entitlement added to it, and the process for getting entitlements also involves the sales team.

Thank you for the clarification.