What termination means
TLS termination is where the encrypted connection is decrypted. When the CDN terminates TLS at the edge, the user's handshake completes at the nearby PoP rather than at a distant origin, cutting round trips on connection setup.
Why the edge is a good place
- Shorter handshakes because the costly TLS setup happens over a short hop.
- Session resumption lets returning users skip a full handshake.
- Certificate management is centralized at the CDN, which can automate issuance and rotation.
The trust hop to origin
After terminating at the edge, the CDN opens a separate connection to the origin. This second leg should also be encrypted, often with a check that the origin presents a valid certificate, so traffic is never in the clear between edge and origin.
Security considerations
Terminating at the edge means the CDN sees plaintext, so you are trusting the provider with that content. Mitigations include strong origin authentication, modern protocol versions and, for the strictest cases, keeping private keys under your own control while the edge still terminates.
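As an added example (not code from the original page), this is how the edge-to-origin leg from the two sections above can be set up and checked with Python's standard ssl module: a client context that verifies the origin's certificate chain and hostname and refuses anything older than TLS 1.2, beside the weak "encrypt but do not authenticate" setting, with a small audit function that flags the weak one. The origin hostname and port are constructed placeholders.

```python
import socket
import ssl

# Constructed placeholder; a real edge takes the origin name from its config.
ORIGIN_HOST = "origin.example.internal"
ORIGIN_PORT = 443


def origin_context(cafile=None):
    """Client context for the edge-to-origin leg: the origin's chain is
    validated against the system trust store (or the CA bundle in cafile),
    its certificate must match ORIGIN_HOST, and TLS < 1.2 is refused."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_origin_context():
    """The 'encrypted but unauthenticated' leg: any certificate is accepted,
    so a host sitting between edge and origin could pose as the origin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before switching to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_origin_context(ctx):
    """Return the findings that make a context unfit for the origin leg."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("origin certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("origin hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


def connect_to_origin(ctx, host=ORIGIN_HOST, port=ORIGIN_PORT):
    """Open the origin leg. With origin_context(), an untrusted or mismatched
    certificate raises ssl.SSLCertVerificationError before any request is sent."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


if __name__ == "__main__":
    for name, ctx in (("strict", origin_context()), ("weak", weak_origin_context())):
        print(name, audit_origin_context(ctx) or ["ok"])
```

The audit runs offline; connect_to_origin needs a reachable origin and is only there to show where the verification error surfaces.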
Key idea
Terminating TLS at the edge shortens handshakes and centralizes certificates, but the edge sees plaintext, so the edge to origin leg must stay encrypted and authenticated.