Skip to content
Cloudflare API
Start here
API Reference
Client Certificates

Create Client Certificate

client.ClientCertificates.New(ctx, params) (*ClientCertificate, error)
POST/zones/{zone_id}/client_certificates

Create a new API Shield mTLS Client Certificate

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
SSL and Certificates Write
ParametersExpand Collapse
params ClientCertificateNewParams
ZoneID param.Field[string]

Path param: Identifier.

maxLength32
Csr param.Field[string]

Body param: The Certificate Signing Request (CSR). Must be newline-encoded.

ValidityDays param.Field[int64]

Body param: The number of days the Client Certificate will be valid after the issued_on date

ReturnsExpand Collapse
type ClientCertificate struct{…}
ID stringoptional

Identifier.

maxLength32
Certificate stringoptional

The Client Certificate PEM

CertificateAuthority ClientCertificateCertificateAuthorityoptional

Certificate Authority used to issue the Client Certificate

ID stringoptional
Name stringoptional
CommonName stringoptional

Common Name of the Client Certificate

Country stringoptional

Country, provided by the CSR

Csr stringoptional

The Certificate Signing Request (CSR). Must be newline-encoded.

ExpiresOn stringoptional

Date that the Client Certificate expires

FingerprintSha256 stringoptional

Unique identifier of the Client Certificate

IssuedOn stringoptional

Date that the Client Certificate was issued by the Certificate Authority

Location stringoptional

Location, provided by the CSR

Organization stringoptional

Organization, provided by the CSR

OrganizationalUnit stringoptional

Organizational Unit, provided by the CSR

SerialNumber stringoptional

The serial number on the created Client Certificate.

Signature stringoptional

The type of hash used for the Client Certificate..

Ski stringoptional

Subject Key Identifier

State stringoptional

State, provided by the CSR

Status Statusoptional

Client Certificates may be active or revoked, and the pending_reactivation or pending_revocation represent in-progress asynchronous transitions

One of the following:
const StatusActive Status = "active"
const StatusPendingReactivation Status = "pending_reactivation"
const StatusPendingRevocation Status = "pending_revocation"
const StatusRevoked Status = "revoked"
ValidityDays int64optional

The number of days the Client Certificate will be valid after the issued_on date

Create Client Certificate

package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/client_certificates"
  "github.com/cloudflare/cloudflare-go/option"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  clientCertificate, err := client.ClientCertificates.New(context.TODO(), client_certificates.ClientCertificateNewParams{
    ZoneID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    Csr: cloudflare.F("-----BEGIN CERTIFICATE REQUEST-----\nMIICY....\n-----END CERTIFICATE REQUEST-----"),
    ValidityDays: cloudflare.F(int64(3650)),
  })
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", clientCertificate.ID)
}

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "023e105f4ecef8ad9ca31a8372d0c353",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDmDCCAoC...dhDDE\n-----END CERTIFICATE-----",
    "certificate_authority": {
      "id": "568b6b74-7b0c-4755-8840-4e3b8c24adeb",
      "name": "Cloudflare Managed CA for account"
    },
    "common_name": "Cloudflare",
    "country": "US",
    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICY....\n-----END CERTIFICATE REQUEST-----",
    "expires_on": "2033-02-20T23:18:00Z",
    "fingerprint_sha256": "256c24690243359fb8cf139a125bd05ebf1d968b71e4caf330718e9f5c8a89ea",
    "issued_on": "2023-02-23T23:18:00Z",
    "location": "Somewhere",
    "organization": "Organization",
    "organizational_unit": "Organizational Unit",
    "serial_number": "3bb94ff144ac567b9f75ad664b6c55f8d5e48182",
    "signature": "SHA256WithRSA",
    "ski": "8e375af1389a069a0f921f8cc8e1eb12d784b949",
    "state": "CA",
    "status": "active",
    "validity_days": 3650
  }
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "023e105f4ecef8ad9ca31a8372d0c353",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDmDCCAoC...dhDDE\n-----END CERTIFICATE-----",
    "certificate_authority": {
      "id": "568b6b74-7b0c-4755-8840-4e3b8c24adeb",
      "name": "Cloudflare Managed CA for account"
    },
    "common_name": "Cloudflare",
    "country": "US",
    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICY....\n-----END CERTIFICATE REQUEST-----",
    "expires_on": "2033-02-20T23:18:00Z",
    "fingerprint_sha256": "256c24690243359fb8cf139a125bd05ebf1d968b71e4caf330718e9f5c8a89ea",
    "issued_on": "2023-02-23T23:18:00Z",
    "location": "Somewhere",
    "organization": "Organization",
    "organizational_unit": "Organizational Unit",
    "serial_number": "3bb94ff144ac567b9f75ad664b6c55f8d5e48182",
    "signature": "SHA256WithRSA",
    "ski": "8e375af1389a069a0f921f8cc8e1eb12d784b949",
    "state": "CA",
    "status": "active",
    "validity_days": 3650
  }
}