Skip to content
Cloudflare API
Start here
API Reference
Custom Certificates

SSL Configuration Details

client.CustomCertificates.Get(ctx, customCertificateID, query) (*CustomCertificate, error)
GET/zones/{zone_id}/custom_certificates/{custom_certificate_id}

Retrieves details for a specific custom SSL certificate, including certificate metadata, bundle method, geographic restrictions, and associated keyless server configuration.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Access: Mutual TLS Certificates WriteAccess: Mutual TLS Certificates ReadSSL and Certificates WriteSSL and Certificates Read
ParametersExpand Collapse
customCertificateID string

Identifier.

maxLength32
query CustomCertificateGetParams
ZoneID param.Field[string]

Identifier.

maxLength32
ReturnsExpand Collapse
type CustomCertificate struct{…}
ID string

Identifier.

maxLength32
ZoneID string

Identifier.

maxLength32
BundleMethod BundleMethodoptional

A ubiquitous bundle has the highest probability of being verified everywhere, even by clients using outdated or unusual trust stores. An optimal bundle uses the shortest chain and newest intermediates. And the force bundle verifies the chain, but does not otherwise modify it.

One of the following:
const BundleMethodUbiquitous BundleMethod = "ubiquitous"
const BundleMethodOptimal BundleMethod = "optimal"
const BundleMethodForce BundleMethod = "force"
CustomCsrID stringoptional

The identifier for the Custom CSR that was used.

ExpiresOn Timeoptional

When the certificate from the authority expires.

formatdate-time
GeoRestrictions GeoRestrictionsoptional

Specify the region where your private key can be held locally for optimal TLS performance. HTTPS connections to any excluded data center will still be fully encrypted, but will incur some latency while Keyless SSL is used to complete the handshake with the nearest allowed data center. Options allow distribution to only to U.S. data centers, only to E.U. data centers, or only to highest security data centers. Default distribution is to all Cloudflare datacenters, for optimal performance.

Label GeoRestrictionsLabeloptional
One of the following:
const GeoRestrictionsLabelUs GeoRestrictionsLabel = "us"
const GeoRestrictionsLabelEu GeoRestrictionsLabel = "eu"
const GeoRestrictionsLabelHighestSecurity GeoRestrictionsLabel = "highest_security"
Hosts []stringoptional
Issuer stringoptional

The certificate authority that issued the certificate.

KeylessServer KeylessCertificateoptional
ID string

Keyless certificate identifier tag.

maxLength32
CreatedOn Time

When the Keyless SSL was created.

formatdate-time
Enabled bool

Whether or not the Keyless SSL is on or off.

Host string

The keyless SSL name.

formathostname
maxLength253
ModifiedOn Time

When the Keyless SSL was last modified.

formatdate-time
Name string

The keyless SSL name.

maxLength180
Permissions []string

Available permissions for the Keyless SSL for the current user requesting the item.

Port float64

The keyless SSL port used to communicate between Cloudflare and the client's Keyless SSL server.

maxLength65535
Status KeylessCertificateStatus

Status of the Keyless SSL.

One of the following:
const KeylessCertificateStatusActive KeylessCertificateStatus = "active"
const KeylessCertificateStatusDeleted KeylessCertificateStatus = "deleted"
Tunnel Tunneloptional

Configuration for using Keyless SSL through a Cloudflare Tunnel

PrivateIP string

Private IP of the Key Server Host

VnetID string

Cloudflare Tunnel Virtual Network ID

ModifiedOn Timeoptional

When the certificate was last modified.

formatdate-time
PolicyRestrictions stringoptional

The policy restrictions returned by the API. This field is returned in responses when a policy has been set. The API accepts the "policy" field in requests but returns this field as "policy_restrictions" in responses.

Specifies the region(s) where your private key can be held locally for optimal TLS performance. Format is a boolean expression, for example: "(country: US) or (region: EU)"

Priority float64optional

The order/priority in which the certificate will be used in a request. The higher priority will break ties across overlapping 'legacy_custom' certificates, but 'legacy_custom' certificates will always supercede 'sni_custom' certificates.

Signature stringoptional

The type of hash used for the certificate.

Status CustomCertificateStatusoptional

Status of the zone's custom SSL.

One of the following:
const CustomCertificateStatusActive CustomCertificateStatus = "active"
const CustomCertificateStatusExpired CustomCertificateStatus = "expired"
const CustomCertificateStatusDeleted CustomCertificateStatus = "deleted"
const CustomCertificateStatusPending CustomCertificateStatus = "pending"
const CustomCertificateStatusInitializing CustomCertificateStatus = "initializing"
UploadedOn Timeoptional

When the certificate was uploaded to Cloudflare.

formatdate-time

SSL Configuration Details

package main

import (
  "context"
  "fmt"

  "github.com/cloudflare/cloudflare-go"
  "github.com/cloudflare/cloudflare-go/custom_certificates"
  "github.com/cloudflare/cloudflare-go/option"
)

func main() {
  client := cloudflare.NewClient(
    option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
  )
  customCertificate, err := client.CustomCertificates.Get(
    context.TODO(),
    "023e105f4ecef8ad9ca31a8372d0c353",
    custom_certificates.CustomCertificateGetParams{
      ZoneID: cloudflare.F("023e105f4ecef8ad9ca31a8372d0c353"),
    },
  )
  if err != nil {
    panic(err.Error())
  }
  fmt.Printf("%+v\n", customCertificate.ID)
}

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "023e105f4ecef8ad9ca31a8372d0c353",
    "zone_id": "023e105f4ecef8ad9ca31a8372d0c353",
    "bundle_method": "ubiquitous",
    "custom_csr_id": "7b163417-1d2b-4c84-a38a-2fb7a0cd7752",
    "expires_on": "2016-01-01T05:20:00Z",
    "geo_restrictions": {
      "label": "us"
    },
    "hosts": [
      "example.com"
    ],
    "issuer": "GlobalSign",
    "keyless_server": {
      "id": "4d2844d2ce78891c34d0b6c0535a291e",
      "created_on": "2014-01-01T05:20:00Z",
      "enabled": false,
      "host": "example.com",
      "modified_on": "2014-01-01T05:20:00Z",
      "name": "example.com Keyless SSL",
      "permissions": [
        "#ssl:read",
        "#ssl:edit"
      ],
      "port": 24008,
      "status": "active",
      "tunnel": {
        "private_ip": "10.0.0.1",
        "vnet_id": "7365377a-85a4-4390-9480-531ef7dc7a3c"
      }
    },
    "modified_on": "2014-01-01T05:20:00Z",
    "policy_restrictions": "(country: US) or (region: EU)",
    "priority": 1,
    "signature": "SHA256WithRSA",
    "status": "active",
    "uploaded_on": "2014-01-01T05:20:00Z"
  }
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "023e105f4ecef8ad9ca31a8372d0c353",
    "zone_id": "023e105f4ecef8ad9ca31a8372d0c353",
    "bundle_method": "ubiquitous",
    "custom_csr_id": "7b163417-1d2b-4c84-a38a-2fb7a0cd7752",
    "expires_on": "2016-01-01T05:20:00Z",
    "geo_restrictions": {
      "label": "us"
    },
    "hosts": [
      "example.com"
    ],
    "issuer": "GlobalSign",
    "keyless_server": {
      "id": "4d2844d2ce78891c34d0b6c0535a291e",
      "created_on": "2014-01-01T05:20:00Z",
      "enabled": false,
      "host": "example.com",
      "modified_on": "2014-01-01T05:20:00Z",
      "name": "example.com Keyless SSL",
      "permissions": [
        "#ssl:read",
        "#ssl:edit"
      ],
      "port": 24008,
      "status": "active",
      "tunnel": {
        "private_ip": "10.0.0.1",
        "vnet_id": "7365377a-85a4-4390-9480-531ef7dc7a3c"
      }
    },
    "modified_on": "2014-01-01T05:20:00Z",
    "policy_restrictions": "(country: US) or (region: EU)",
    "priority": 1,
    "signature": "SHA256WithRSA",
    "status": "active",
    "uploaded_on": "2014-01-01T05:20:00Z"
  }
}