Manage custom certificates · Cloudflare SSL/TLS docs (2024)

This page lists Cloudflare's requirements for custom certificates and explains how to upload and update these certificates using the Cloudflare dashboard or API.

Certificate requirements

Before accepting custom certificates, Cloudflare parses them and checks for validity according to a list of requirements.

Full list of requirements

Each custom certificate you upload must:

  • Be PEM-encoded. Certificates held in another container (PKCS#7 or PKCS#12) must be converted to PEM first; see Converting Using OpenSSL for conversion examples.

  • Use a private key that is not protected by a passphrase.

  • Not expire within 14 days of the time of upload.

  • Have a subject alternative name (SAN) matching at least one hostname in the zone where it is being uploaded.

  • Use a private key of at least the minimum length: currently 2048 bits for RSA and 225 bits for ECDSA (so keys on the common P-256 and P-384 curves qualify).

  • Be publicly trusted by a major browser. This does not apply to certificates that specify User Defined as their bundling methodology, because you supply the chain yourself.

  • Be one of the following certificate types:

    • Unified Communications Certificates (UCC)
    • Extended Validation (EV)
    • Domain Validated (DV)
    • Organization Validated (OV)
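Most of these requirements can be verified locally before you upload, which avoids a rejected API call or the dashboard key-mismatch error. The script below is an added example, not Cloudflare tooling: it checks a PEM certificate and key with openssl(1) for parseable PEM, an unencrypted key, more than 14 days of remaining validity, the key-size floor, a DNS SAN covering the hostname (with single-label wildcard semantics) and a private key that actually matches the certificate. Public trust is reported as a warning rather than a failure because it is waived for User Defined bundling. The file names, hostname and function name are assumptions; it needs OpenSSL 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Pre-upload check of a certificate/key pair against the requirements listed
# above. Added example, not Cloudflare tooling. Assumes openssl(1) 1.1.1+ on
# PATH and PEM input files.
# Usage: check_custom_cert CERT.pem KEY.pem HOSTNAME

MIN_RSA_BITS=2048
MIN_EC_BITS=225
MIN_DAYS_LEFT=14

check_custom_cert() {
  local cert="$1" key="$2" host="$3" fail=0

  # PEM must parse, and the key must load without a passphrase. A bogus -passin
  # makes openssl fail instead of prompting when the key is encrypted.
  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo "FAIL: certificate is not a parseable PEM X.509 certificate"; return 1
  fi
  if ! openssl pkey -in "$key" -passin pass:__not_the_passphrase__ -noout >/dev/null 2>&1; then
    echo "FAIL: private key is unreadable or passphrase-protected"; return 1
  fi

  # Must still be valid MIN_DAYS_LEFT days from now (-checkend succeeds when the
  # certificate outlives the window).
  if ! openssl x509 -in "$cert" -noout -checkend $((MIN_DAYS_LEFT * 86400)) >/dev/null; then
    echo "FAIL: certificate expires within $MIN_DAYS_LEFT days"; fail=1
  fi

  # Key-size floor, read from the certificate's own public key. OpenSSL 1.1.1
  # prints "RSA Public-Key: (2048 bit)", 3.x prints "Public-Key: (2048 bit)".
  local text alg bits
  text=$(openssl x509 -in "$cert" -noout -text)
  alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: //p' | head -n 1)
  bits=$(printf '%s\n' "$text" | sed -n 's/^ *\(RSA \)\{0,1\}Public-Key: (\([0-9]*\) bit.*/\2/p' | head -n 1)
  case "$alg" in
    rsaEncryption)
      [ "${bits:-0}" -ge "$MIN_RSA_BITS" ] || { echo "FAIL: RSA key is $bits bit, minimum $MIN_RSA_BITS"; fail=1; } ;;
    id-ecPublicKey)
      [ "${bits:-0}" -ge "$MIN_EC_BITS" ] || { echo "FAIL: ECDSA key is $bits bit, minimum $MIN_EC_BITS"; fail=1; } ;;
    *)
      echo "FAIL: key algorithm '$alg' is neither RSA nor ECDSA"; fail=1 ;;
  esac

  # The private key must belong to the certificate: compare the SHA-256 of the
  # DER SubjectPublicKeyInfo derived from each side. This is the check behind
  # the dashboard error "The key you provided does not match the certificate".
  local cert_spki key_spki
  cert_spki=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_spki=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  if [ "$cert_spki" != "$key_spki" ]; then
    echo "FAIL: the private key does not match the certificate"; fail=1
  fi

  # At least one DNS SAN must cover the hostname. A wildcard covers exactly one
  # label: *.example.com matches www.example.com, not example.com or a.b.example.com.
  local sans san matched=0
  sans=$(printf '%s\n' "$text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' || true)
  set -f   # no pathname expansion of "*.example.com" during word splitting
  for san in $sans; do
    if [ "$san" = "$host" ]; then
      matched=1
    elif [ "${san#\*.}" != "$san" ] && [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${san#\*.}" ]; then
      matched=1
    fi
  done
  set +f
  if [ "$matched" -ne 1 ]; then
    echo "FAIL: no DNS SAN covers $host (SANs: ${sans:-none})"; fail=1
  fi

  # Public trust is required unless you upload with the User Defined bundle
  # method, so a chain failure is a warning here, not a failure.
  if ! openssl verify -untrusted "$cert" "$cert" >/dev/null 2>&1; then
    echo "WARN: certificate does not chain to the local CA store; acceptable only with the User Defined bundle method"
  fi

  [ "$fail" -eq 0 ] && echo "OK: $cert passes the pre-upload checks for $host"
  return "$fail"
}

# Run directly: ./check_custom_cert.sh app_example_com.pem app_example_com.key app.example.com
if [ "$#" -eq 3 ]; then
  check_custom_cert "$1" "$2" "$3"
fi
```

The trust check uses the local CA store, so run it on a machine whose store tracks the major browser roots; a certificate that fails there will be rejected by Cloudflare unless you bundle the chain yourself.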

Upload a custom certificate

To upload a custom SSL certificate in the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.

  2. Select your application.

  3. Go to SSL/TLS.

  4. In Edge Certificates, select Upload Custom SSL Certificate.

  5. Copy and paste relevant values into SSL Certificate and Private key text areas (or select Paste from file).

  6. Choose the appropriate Bundle Method.

  7. Select a value for Private Key Restriction.

  8. Select a value for Legacy Client Support, which toggles Server Name Indication (SNI) support:

    • Modern (recommended): SNI only
    • Legacy: Supports non-SNI

  9. Select Upload Custom Certificate. If you see the error The key you provided does not match the certificate, the private key you pasted is not the one the certificate was issued for: check the pair locally (the public key derived from the private key must equal the public key in the certificate) or contact your Certificate Authority.

  10. (Optional) Add a CAA DNS record.

The following API call uploads a certificate for use with app.example.com. With bundle_method set to ubiquitous, Cloudflare automatically bundles the certificate with a certificate chain optimized for maximum compatibility with browsers.

  1. Update the file and build the payload

$ cat app_example_com.pem
-----BEGIN CERTIFICATE-----
MIIFJDCCBAygAwIBAgIQD0ifmj/Yi5NP/2gdUySbfzANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
...
SzSHfXp5lnu/3V08I72q1QNzOCgY1XeL4GKVcj4or6cT6tX6oJH7ePPmfrBfqI/O
OeH8gMJ+FuwtXYEPa4hBf38M5eU5xWG7
-----END CERTIFICATE-----

$ MYCERT="$(cat app_example_com.pem|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"
$ MYKEY="$(cat app_example_com.key|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"

With the certificate and key saved to shell variables (the perl substitution turns each line ending into a literal \n, and the sed command removes the trailing \n left after the last line), build the payload:

$ request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method":"ubiquitous"
}
EOF
))

You can optionally add geographic restrictions that specify where your private key can physically be decrypted:

$ request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method":"ubiquitous",
"geo_restrictions":{"label":"us"}
}
EOF
))

The type field controls whether the certificate is also served to legacy clients that omit SNI from the TLS handshake. Set it explicitly:

$ request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method":"ubiquitous",
"geo_restrictions":{"label":"us"},
"type":"sni_custom"
}
EOF
))

sni_custom (SNI only) is recommended by Cloudflare. Use legacy_custom only when a specific client requires non-SNI support. The Cloudflare API treats a custom certificate as legacy when type is omitted, so always set it if you want SNI-only behaviour.

  2. Upload your certificate and key

Use the POST endpoint to upload your certificate and key, replacing {zone_id}, {email} and {key} with your zone ID, account email address and API key:

$ curl -sX POST https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates \
  -H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
  -H "Content-Type: application/json" -d "$request_body"

  3. (Optional) Add a CAA record.

A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.

For more guidance, refer to Create a CAA record.

Update an existing custom certificate
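The perl/sed pipeline and heredoc above work, but they are easy to get subtly wrong: a stray quote or comma turns the payload into invalid JSON, a key file with CRLF line endings leaves \r characters inside the string, and omitting type silently selects legacy behaviour. The script below is an added example, not Cloudflare's code, that builds the same payload for app.example.com in a single awk pass, always sends type, optionally adds geo_restrictions, and posts it with curl. CLOUDFLARE_API_TOKEN (sent as Authorization: Bearer, which the API accepts alongside the X-Auth-Email/X-Auth-Key headers shown above), the function names and the constructed PEM inputs in the comments are assumptions.

```shell
#!/usr/bin/env bash
# Build the custom_certificates payload and send it. Added example, not
# Cloudflare's own tooling. Assumes PEM input files, awk and curl on PATH, and
# an API token exported as CLOUDFLARE_API_TOKEN.

# Emit a PEM file as a JSON string value: drop CRs, join lines with a literal
# "\n", no trailing "\n". PEM headers and base64 contain neither quotes nor
# backslashes, so no further JSON escaping is needed.
pem_to_json_string() {
  awk '{ sub(/\r$/, ""); if (NR > 1) printf "%s", "\\n"; printf "%s", $0 }' "$1"
}

# build_payload CERT.pem KEY.pem [BUNDLE_METHOD] [TYPE] [GEO_LABEL]
#   BUNDLE_METHOD defaults to ubiquitous, the choice used on this page.
#   TYPE is sni_custom (recommended) or legacy_custom and is always sent,
#   because the API treats an omitted type as legacy.
#   GEO_LABEL, when given, adds geo_restrictions (the page shows "us").
build_payload() {
  local cert="$1" key="$2" bundle="${3:-ubiquitous}" type="${4:-sni_custom}" geo="${5:-}"
  case "$type" in
    sni_custom|legacy_custom) ;;
    *) echo "build_payload: type must be sni_custom or legacy_custom, got '$type'" >&2; return 1 ;;
  esac
  local geo_field=""
  if [ -n "$geo" ]; then
    geo_field=",\"geo_restrictions\":{\"label\":\"$geo\"}"
  fi
  # printf does not interpret escapes in %s arguments, so the literal "\n"
  # sequences produced above survive into the JSON unchanged.
  printf '{"certificate":"%s","private_key":"%s","bundle_method":"%s","type":"%s"%s}\n' \
    "$(pem_to_json_string "$cert")" "$(pem_to_json_string "$key")" "$bundle" "$type" "$geo_field"
}

# upload_custom_cert ZONE_ID PAYLOAD_JSON  (network call; not exercised offline)
# The payload is fed over stdin so the private key never appears in the
# process list the way a -d "$request_body" argument does.
upload_custom_cert() {
  local zone_id="$1" payload="$2"
  printf '%s' "$payload" | curl -sS -X POST \
    "https://api.cloudflare.com/client/v4/zones/$zone_id/custom_certificates" \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data-binary @-
}

# Example invocation (ZONE_ID and CLOUDFLARE_API_TOKEN exported beforehand):
# upload_custom_cert "$ZONE_ID" "$(build_payload app_example_com.pem app_example_com.key ubiquitous sni_custom us)"
```

Feeding the body through stdin rather than as a -d argument matters on shared hosts: a command-line argument containing the private key is visible to every local user via ps for the lifetime of the curl process.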

Before you update an existing custom certificate, you might want to consider having active universal or advanced certificates as fallback options. Go to SSL/TLS > Edge Certificates to check the list of hostnames and the status of the edge certificates in your zone.

If you are on an Enterprise plan and want to update a custom (modern) certificate, also consider requesting access to Staging environment (Beta).

To update a certificate in the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Select your application.
  3. Go to SSL/TLS.
  4. In Edge Certificates, locate the custom certificate.
  5. Select the wrench icon and select Replace SSL certificate and key.
  6. Follow the same steps as for uploading a new certificate.

To update a certificate using the API, send a PATCH request to the custom certificate's endpoint with the same payload fields used for upload.
