Manage custom certificates
Certificate requirements
Certificates are parsed and checked for validity before being accepted. Each certificate uploaded must:
- Be encoded in PEM format (PEM, PKCS#7, or PKCS#12); see Converting Using OpenSSL for conversion examples.
- Not have a key file password.
- Not be expiring in less than 14 days from time of upload.
- Have a subject alternative name (SAN) matching at least one hostname in the zone where it's being uploaded.
- Use a private key greater than or equal to a minimum length (currently 2048 bit for RSA and 225 bit for ECDSA).
- Be publicly trusted by a major browser, unless the User Defined bundling method is used.
- Be one of the following certificate types:
  - Unified Communications Certificates (UCC)
  - Extended Validation (EV)
  - Domain Validated (DV)
  - Organization Validated (OV)
Upload a custom certificate
Using the dashboard
To upload a custom SSL certificate in the dashboard:
- Log in to the Cloudflare dashboard and select your account.
- Select your application.
- Navigate to SSL/TLS.
- In Edge Certificates, click Upload Custom SSL Certificate.
- Copy and paste the relevant values into the SSL Certificate and Private key text areas (or click Paste from file).
- Choose the appropriate Bundle Method.
- Select a value for Private Key Restriction.
- Select a value for Legacy Client Support, which toggles Server Name Indication (SNI) support:
  - Modern (recommended): SNI only
  - Legacy: Supports non-SNI
- Click Upload Custom Certificate. If you see the error "The key you provided does not match the certificate", contact your Certificate Authority to ensure the private key matches the certificate.
- (optional) Add a CAA DNS record.
Using the API
The call below will upload a certificate for use with app.example.com. Cloudflare will automatically bundle the certificate with a certificate chain optimized for maximum compatibility with browsers.
Note that if you are using an ECC key generated by OpenSSL, you will need to first remove the -----BEGIN EC PARAMETERS-----...-----END EC PARAMETERS----- section of the file.
Step 1 — Update the file and build the payload
$ cat app_example_com.pem
-----BEGIN CERTIFICATE-----
MIIFJDCCBAygAwIBAgIQD0ifmj/Yi5NP/2gdUySbfzANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
...
SzSHfXp5lnu/3V08I72q1QNzOCgY1XeL4GKVcj4or6cT6tX6oJH7ePPmfrBfqI/O
OeH8gMJ+FuwtXYEPa4hBf38M5eU5xWG7
-----END CERTIFICATE-----
$ MYCERT="$(cat app_example_com.pem|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"
$ MYKEY="$(cat app_example_com.key|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"
With the certificate and key saved to environment variables (using escaped newlines), build the payload:
$ request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method":"ubiquitous"
}
EOF
))
You can optionally add geographic restrictions that specify where your private key can physically be decrypted:
$ request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method":"ubiquitous",
"geo_restrictions":{"label":"us"}
}
))
You can also set the type field, which controls support for legacy clients that do not include SNI in the TLS handshake:
$ request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method":"ubiquitous",
"geo_restrictions":{"label":"us"},
"type":"sni_custom"
}
))
sni_custom is recommended by Cloudflare. Use legacy_custom when a specific client requires non-SNI support. The Cloudflare API treats all Custom SSL certificates as Legacy by default.
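The perl/sed escaping above is fragile: a single lost backslash turns the literal \n into a real newline and produces invalid JSON. As an added example that is not part of the Cloudflare documentation, the Python below builds the same request body with json.dumps (which escapes newlines correctly), normalizes CRLF line endings, strips the EC PARAMETERS block mentioned above, rejects password-protected keys, and restricts type to the two values this page names; the PEM blocks are constructed placeholders, not real key material.

```python
import json
import re

# Constructed placeholder PEM blocks (not real key material). The certificate
# uses CRLF line endings, as a file saved on Windows would; the key carries the
# EC PARAMETERS block that OpenSSL writes ahead of an ECC private key.
SAMPLE_CERT = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIFJDCCBAygAwIBAgIQD0ifmj/PLACEHOLDER\r\n"
    "-----END CERTIFICATE-----\r\n"
)
SAMPLE_EC_KEY = (
    "-----BEGIN EC PARAMETERS-----\n"
    "BggqhkjOPQMBBw==\n"
    "-----END EC PARAMETERS-----\n"
    "-----BEGIN EC PRIVATE KEY-----\n"
    "PLACEHOLDERPLACEHOLDERPLACEHOLDER\n"
    "-----END EC PRIVATE KEY-----\n"
)

EC_PARAMS_RE = re.compile(
    r"-----BEGIN EC PARAMETERS-----.*?-----END EC PARAMETERS-----\s*", re.S
)
VALID_TYPES = {"sni_custom", "legacy_custom"}  # the two values named on this page


def normalize_pem(text):
    """Normalize line endings to LF, drop any EC PARAMETERS block, end with one newline."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    text = EC_PARAMS_RE.sub("", text)
    return text.strip() + "\n"


def key_is_encrypted(key_pem):
    """True if the key looks password-protected (PKCS#8 encrypted or legacy Proc-Type header)."""
    return "BEGIN ENCRYPTED PRIVATE KEY" in key_pem or "Proc-Type: 4,ENCRYPTED" in key_pem


def build_payload(cert_pem, key_pem, bundle_method="ubiquitous", geo_label=None, cert_type=None):
    """Build the body for POST /zones/{zone_id}/custom_certificates as a dict."""
    if key_is_encrypted(key_pem):
        raise ValueError("private key must not be password-protected")
    if cert_type is not None and cert_type not in VALID_TYPES:
        raise ValueError("type must be one of %s" % sorted(VALID_TYPES))
    payload = {"certificate": normalize_pem(cert_pem),
               "private_key": normalize_pem(key_pem),
               "bundle_method": bundle_method}
    if geo_label is not None:
        payload["geo_restrictions"] = {"label": geo_label}
    if cert_type is not None:
        payload["type"] = cert_type
    return payload


if __name__ == "__main__":
    # json.dumps escapes the embedded newlines, so no perl/sed post-processing is needed.
    print(json.dumps(build_payload(SAMPLE_CERT, SAMPLE_EC_KEY, geo_label="us", cert_type="sni_custom")))
```

Pipe the printed body into the curl call in Step 2 in place of "$request_body".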
Step 2 — Upload your certificate and key
Use the POST endpoint to upload your certificate and key.
$ curl -sX POST https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates \
-H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
-H "Content-Type: application/json" -d "$request_body"
Step 3 (optional) — Add a CAA record
A Certificate Authority Authorization (CAA) DNS record specifies which Certificate Authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization. For more guidance, refer to Create a CAA record.
Update a certificate
Using the dashboard
To update a certificate:
- Log in to the Cloudflare dashboard and select your account.
- Select your application.
- Navigate to SSL/TLS.
- In Edge Certificates, locate a custom certificate.
- Click the wrench icon and click Replace SSL certificate and key.
- Follow the same steps as when you create a new certificate.
Using the API
Use a PATCH command.