Manage custom certificates · Cloudflare SSL/TLS docs (2024)

This page lists the Cloudflare requirements for custom certificates and explains how to upload and update these certificates using the Cloudflare dashboard or API.

Certificate requirements

Before accepting custom certificates, Cloudflare parses them and checks for validity according to a list of requirements.

Full list of requirements

Each custom certificate you upload must:

  • Be PEM-encoded. A certificate you hold in PKCS#7 or PKCS#12 form must be converted to PEM first; see Converting Using OpenSSL for conversion examples.

  • Use a private key that is not protected by a passphrase (an encrypted PEM key cannot be parsed without it).

  • Not expire within 14 days of the time of upload.

  • Carry a subject alternative name (SAN) that matches at least one hostname in the zone where it is being uploaded.

  • Use a private key of at least the minimum length: currently 2048 bits for RSA and 225 bits for ECDSA. In practice that means an RSA key of 2048 bits or more, or an ECDSA key on P-256 or a larger curve, since no common curve falls between 224 and 256 bits.

  • Be publicly trusted by a major browser. This does not apply to certificates uploaded with User Defined as their bundle method, where you supply the chain yourself.

  • Be one of the following certificate types:

    • Unified Communications Certificates (UCC)
    • Extended Validation (EV)
    • Domain Validated (DV)
    • Organization Validated (OV)
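Most of these requirements can be checked locally before anything is uploaded. The script below is an added example, not Cloudflare's code: it uses only the openssl command line (1.1.1 or later) to test a leaf certificate and its key for parseability, a missing passphrase, the 14-day expiry window, a matching DNS SAN, the minimum key size, and whether the key actually belongs to the certificate. Public trust and the DV/OV/EV/UCC type are not checked, because they depend on the issuing CA and chain rather than on the leaf alone. The file names and hostname in the usage line are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not Cloudflare's code): check a certificate and key against the
# upload requirements listed above using only the openssl CLI (1.1.1 or later).
# Public trust and DV/OV/EV type are not checked; they depend on the issuing
# chain, not on the leaf alone.
#
# Usage: preflight_check CERT.pem KEY.pem HOSTNAME
# Exit status 0 when every check passes, 1 otherwise; failures go to stderr.
preflight_check() {
  local cert="$1" key="$2" host="$3" rc=0

  # PEM-encoded X.509: openssl must be able to parse the certificate at all.
  if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
    echo "FAIL: $cert is not a PEM-encoded X.509 certificate" >&2
    return 1
  fi
  local text
  text=$(openssl x509 -in "$cert" -noout -text)

  # No key passphrase: encrypted PEM keys carry an ENCRYPTED marker (PKCS#8)
  # or a DEK-Info header (legacy format), and parsing without a passphrase fails.
  if grep -qE 'ENCRYPTED|DEK-Info' "$key" \
     || ! openssl pkey -in "$key" -noout -passin pass: 2>/dev/null; then
    echo "FAIL: $key is missing, encrypted, or not a PEM private key" >&2
    rc=1
  fi

  # Not expiring within 14 days: -checkend exits non-zero if the certificate
  # expires within the given number of seconds.
  if ! openssl x509 -in "$cert" -noout -checkend $((14 * 24 * 3600)) >/dev/null; then
    echo "FAIL: certificate expires within 14 days" >&2
    rc=1
  fi

  # A DNS SAN must match the hostname, exactly or via a wildcard for its parent.
  local sans parent="*.${host#*.}"
  sans=$(printf '%s\n' "$text" \
         | awk '/Subject Alternative Name/ { getline; print }' \
         | tr ',' '\n' \
         | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
  if ! printf '%s\n' "$sans" | grep -qxF -e "$host" -e "$parent"; then
    echo "FAIL: no SAN matches $host (SANs: $(printf '%s' "$sans" | tr '\n' ' '))" >&2
    rc=1
  fi

  # Minimum key size: 2048-bit RSA, or ECDSA on P-256 or larger.
  local bits
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    if [ "${bits:-0}" -lt 2048 ]; then
      echo "FAIL: RSA key is ${bits:-?} bits, need at least 2048" >&2; rc=1
    fi
  elif printf '%s\n' "$text" | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
    if [ "${bits:-0}" -lt 256 ]; then
      echo "FAIL: ECDSA key is ${bits:-?} bits, need P-256 or larger" >&2; rc=1
    fi
  else
    echo "FAIL: unsupported public key algorithm" >&2; rc=1
  fi

  # Key matches certificate: the SubjectPublicKeyInfo derived from the private
  # key must equal the one embedded in the certificate. A mismatch here is what
  # the dashboard reports as "The key you provided does not match the certificate".
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null || true)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match the certificate" >&2
    rc=1
  fi

  return "$rc"
}
```

Run it as `preflight_check app_example_com.pem app_example_com.key app.example.com`; a non-zero exit means at least one requirement failed and the reasons are on stderr. The last check reproduces locally the key-mismatch error the dashboard reports, without involving the CA.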

Upload a custom certificate

To upload a custom SSL certificate in the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.

  2. Select your application.

  3. Go to SSL/TLS.

  4. In Edge Certificates, select Upload Custom SSL Certificate.

  5. Copy and paste the relevant values into the SSL Certificate and Private key text areas (or select Paste from file).

  6. Choose the appropriate Bundle Method.

  7. Select a value for Private Key Restriction.

  8. Select a value for Legacy Client Support, which toggles Server Name Indication (SNI) support:

    • Modern (recommended): SNI only
    • Legacy: Supports non-SNI

  9. Select Upload Custom Certificate. If you see the error The key you provided does not match the certificate, the private key you pasted is not the one the certificate was issued for: check that the key and certificate files belong together (openssl can compare the public key in each) or contact your Certificate Authority.

  10. (optional) Add a CAA DNS record.

To upload a custom certificate using the API, build a JSON request body containing the certificate and key and POST it to the custom_certificates endpoint. The following call uploads a certificate for use with app.example.com. Cloudflare will automatically bundle the certificate with a certificate chain optimized for maximum compatibility with browsers.

  1. Read the certificate and key files and build the payload

```sh
$ cat app_example_com.pem
-----BEGIN CERTIFICATE-----
MIIFJDCCBAygAwIBAgIQD0ifmj/Yi5NP/2gdUySbfzANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
...
SzSHfXp5lnu/3V08I72q1QNzOCgY1XeL4GKVcj4or6cT6tX6oJH7ePPmfrBfqI/O
OeH8gMJ+FuwtXYEPa4hBf38M5eU5xWG7
-----END CERTIFICATE-----

# Turn each line break into the two characters \n (a JSON string escape),
# then drop the trailing \n left by the final line.
$ MYCERT="$(cat app_example_com.pem|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"
$ MYKEY="$(cat app_example_com.key|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"
```

With the certificate and key saved to shell variables (using escaped newlines), build the payload:

```sh
$ request_body=$(< <(cat <<EOF
{
  "certificate": "$MYCERT",
  "private_key": "$MYKEY",
  "bundle_method": "ubiquitous"
}
EOF
))
```

You can optionally add geographic restrictions that specify where your private key can physically be decrypted (label values: us, eu, or highest_security):

```sh
$ request_body=$(< <(cat <<EOF
{
  "certificate": "$MYCERT",
  "private_key": "$MYKEY",
  "bundle_method": "ubiquitous",
  "geo_restrictions": {"label": "us"}
}
EOF
))
```

The type field selects between SNI-only and legacy support for clients that do not include SNI in the TLS handshake. The example pins the recommended SNI-only value:

```sh
$ request_body=$(< <(cat <<EOF
{
  "certificate": "$MYCERT",
  "private_key": "$MYKEY",
  "bundle_method": "ubiquitous",
  "geo_restrictions": {"label": "us"},
  "type": "sni_custom"
}
EOF
))
```

sni_custom is recommended by Cloudflare. Use legacy_custom only when a specific client requires non-SNI support. If type is omitted, the Cloudflare API treats the custom certificate as legacy_custom.

  2. Upload your certificate and key

Use the POST custom_certificates endpoint to upload your certificate and key:

```sh
$ curl -sX POST https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates \
-H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
-H "Content-Type: application/json" -d "$request_body"
```

Two cautions for this call. X-Auth-Key is the Global API Key, which grants access to every resource in the account; an API token scoped to the zone and sent as an Authorization: Bearer header is the safer credential. And passing the body with -d "$request_body" places the private key in curl's argument list, where it is visible in process listings on a shared host; writing the body to a file readable only by you and sending it with -d @file avoids that.
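The perl/sed transformation above works for a clean PEM file but is fragile: it assumes a trailing newline, escapes nothing but line breaks, and the resulting body ends up in curl's argv. The following bash script is an added example, not Cloudflare's code. It builds the same request body with an explicit JSON string escape, validates the inputs and field values before anything leaves the machine, and sends the body from a file with a scoped API token. The zone ID argument and the CLOUDFLARE_API_TOKEN variable are placeholders; the token is assumed to carry the SSL and Certificates edit permission for the zone.

```bash
#!/usr/bin/env bash
# Added example (not Cloudflare's code): build and send the custom_certificates
# request body with an explicit JSON string escape instead of perl/sed.
# Placeholders: the ZONE_ID argument and the CLOUDFLARE_API_TOKEN variable.

# Print a file's contents as a JSON string body (without surrounding quotes):
# CR is dropped, backslash and double quote are escaped, and every line break
# becomes the two characters \n, which is what the API expects in the
# "certificate" and "private_key" fields.
json_escape_file() {
  tr -d '\r' < "$1" \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# Usage: build_payload CERT.pem KEY.pem [BUNDLE_METHOD] [TYPE] [GEO_LABEL]
#   BUNDLE_METHOD  ubiquitous (default), optimal or force
#   TYPE           sni_custom (default, recommended) or legacy_custom
#   GEO_LABEL      optional geo_restrictions label: us, eu or highest_security
build_payload() {
  local cert="$1" key="$2" bundle="${3:-ubiquitous}" type="${4:-sni_custom}" geo="${5:-}"

  # Reject inputs that cannot be right before anything leaves the machine:
  # a non-PEM certificate, or a key that is encrypted or not PEM at all.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
    || { echo "not a PEM certificate: $cert" >&2; return 1; }
  grep -qE -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$key" \
    || { echo "not an unencrypted PEM private key: $key" >&2; return 1; }
  case "$bundle" in ubiquitous|optimal|force) ;; *) echo "bad bundle_method: $bundle" >&2; return 1 ;; esac
  case "$type" in sni_custom|legacy_custom) ;; *) echo "bad type: $type" >&2; return 1 ;; esac
  case "$geo" in ''|us|eu|highest_security) ;; *) echo "bad geo label: $geo" >&2; return 1 ;; esac

  # printf %s never interprets backslashes in its arguments, so the escaped
  # \n sequences from json_escape_file reach the output unchanged.
  printf '{"certificate":"%s","private_key":"%s","bundle_method":"%s","type":"%s"' \
    "$(json_escape_file "$cert")" "$(json_escape_file "$key")" "$bundle" "$type"
  if [ -n "$geo" ]; then
    printf ',"geo_restrictions":{"label":"%s"}' "$geo"
  fi
  printf '}\n'
}

# Usage: upload_custom_certificate ZONE_ID BODY_FILE
# The body is sent from a file so the private key never appears in the curl
# argument list, and a scoped API token is used instead of the Global API Key.
upload_custom_certificate() {
  local zone_id="$1" body_file="$2"
  curl -sS -X POST "https://api.cloudflare.com/client/v4/zones/${zone_id}/custom_certificates" \
    -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN:?set CLOUDFLARE_API_TOKEN}" \
    -H "Content-Type: application/json" \
    --data-binary "@${body_file}"
}

# Typical run (left commented so the functions can be sourced without side effects):
#   umask 077
#   build_payload app_example_com.pem app_example_com.key ubiquitous sni_custom > body.json
#   upload_custom_certificate "$ZONE_ID" body.json
#   rm -f body.json
```

The body file holds the private key in plain text, so create it under a restrictive umask and delete it as soon as the upload returns; the same shape, sent with PATCH to the certificate's own endpoint, serves for the update described later on this page.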

  3. (Optional) Add a CAA record.

A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.

For more guidance, refer to Create a CAA record.

Update an existing custom certificate

Before you update an existing custom certificate, consider keeping active universal or advanced certificates as fallback options. Go to SSL/TLS > Edge Certificates to check the list of hostnames and the status of the edge certificates in your zone.

If you are on an Enterprise plan and want to update a custom (modern) certificate, also consider requesting access to the Staging environment (Beta), so the replacement can be tested before it reaches production traffic.

To update a certificate in the dashboard:

  1. Log in to the Cloudflare dashboardOpen external link and select your account.
  2. Select your application.
  3. Go to SSL/TLS.
  4. In Edge Certificates, locate a custom certificate.
  5. Select the wrench icon and select Replace SSL certificate and key.
  6. Follow the same steps as upload a new certificate.

To update a certificate using the API, send a PATCH request to the certificate's own endpoint (zones/{zone_id}/custom_certificates/{custom_certificate_id}) with a body of the same shape as the upload payload, carrying the new certificate and private_key.
