# Client Certificates ## List Client Certificates `client.clientCertificates.list(ClientCertificateListParamsparams, RequestOptionsoptions?): V4PagePaginationArray` **get** `/zones/{zone_id}/client_certificates` List all of your Zone's API Shield mTLS Client Certificates by Status and/or using Pagination ### Parameters - `params: ClientCertificateListParams` - `zone_id: string` Path param: Identifier. - `limit?: number` Query param: Limit to the number of records returned. - `offset?: number` Query param: Offset the results - `page?: number` Query param: Page number of paginated results. - `per_page?: number` Query param: Number of records per page. - `status?: "all" | "active" | "pending_reactivation" | 2 more` Query param: Client Certitifcate Status to filter results by. - `"all"` - `"active"` - `"pending_reactivation"` - `"pending_revocation"` - `"revoked"` ### Returns - `ClientCertificate` - `id?: string` Identifier. - `certificate?: string` The Client Certificate PEM - `certificate_authority?: CertificateAuthority` Certificate Authority used to issue the Client Certificate - `id?: string` - `name?: string` - `common_name?: string` Common Name of the Client Certificate - `country?: string` Country, provided by the CSR - `csr?: string` The Certificate Signing Request (CSR). Must be newline-encoded. - `expires_on?: string` Date that the Client Certificate expires - `fingerprint_sha256?: string` Unique identifier of the Client Certificate - `issued_on?: string` Date that the Client Certificate was issued by the Certificate Authority - `location?: string` Location, provided by the CSR - `organization?: string` Organization, provided by the CSR - `organizational_unit?: string` Organizational Unit, provided by the CSR - `serial_number?: string` The serial number on the created Client Certificate. - `signature?: string` The type of hash used for the Client Certificate.. - `ski?: string` Subject Key Identifier - `state?: string` State, provided by the CSR - `status?: Status` Client Certificates may be active or revoked, and the pending_reactivation or pending_revocation represent in-progress asynchronous transitions - `"active"` - `"pending_reactivation"` - `"pending_revocation"` - `"revoked"` - `validity_days?: number` The number of days the Client Certificate will be valid after the issued_on date ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); // Automatically fetches more pages as needed. for await (const clientCertificate of client.clientCertificates.list({ zone_id: '023e105f4ecef8ad9ca31a8372d0c353', })) { console.log(clientCertificate.id); } ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "023e105f4ecef8ad9ca31a8372d0c353", "certificate": "-----BEGIN CERTIFICATE-----\nMIIDmDCCAoC...dhDDE\n-----END CERTIFICATE-----", "certificate_authority": { "id": "568b6b74-7b0c-4755-8840-4e3b8c24adeb", "name": "Cloudflare Managed CA for account" }, "common_name": "Cloudflare", "country": "US", "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICY....\n-----END CERTIFICATE REQUEST-----", "expires_on": "2033-02-20T23:18:00Z", "fingerprint_sha256": "256c24690243359fb8cf139a125bd05ebf1d968b71e4caf330718e9f5c8a89ea", "issued_on": "2023-02-23T23:18:00Z", "location": "Somewhere", "organization": "Organization", "organizational_unit": "Organizational Unit", "serial_number": "3bb94ff144ac567b9f75ad664b6c55f8d5e48182", "signature": "SHA256WithRSA", "ski": "8e375af1389a069a0f921f8cc8e1eb12d784b949", "state": "CA", "status": "active", "validity_days": 3650 } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Client Certificate Details `client.clientCertificates.get(stringclientCertificateId, ClientCertificateGetParamsparams, RequestOptionsoptions?): ClientCertificate` **get** `/zones/{zone_id}/client_certificates/{client_certificate_id}` Get Details for a single mTLS API Shield Client Certificate ### Parameters - `clientCertificateId: string` Identifier. - `params: ClientCertificateGetParams` - `zone_id: string` Identifier. ### Returns - `ClientCertificate` - `id?: string` Identifier. - `certificate?: string` The Client Certificate PEM - `certificate_authority?: CertificateAuthority` Certificate Authority used to issue the Client Certificate - `id?: string` - `name?: string` - `common_name?: string` Common Name of the Client Certificate - `country?: string` Country, provided by the CSR - `csr?: string` The Certificate Signing Request (CSR). Must be newline-encoded. - `expires_on?: string` Date that the Client Certificate expires - `fingerprint_sha256?: string` Unique identifier of the Client Certificate - `issued_on?: string` Date that the Client Certificate was issued by the Certificate Authority - `location?: string` Location, provided by the CSR - `organization?: string` Organization, provided by the CSR - `organizational_unit?: string` Organizational Unit, provided by the CSR - `serial_number?: string` The serial number on the created Client Certificate. - `signature?: string` The type of hash used for the Client Certificate.. - `ski?: string` Subject Key Identifier - `state?: string` State, provided by the CSR - `status?: Status` Client Certificates may be active or revoked, and the pending_reactivation or pending_revocation represent in-progress asynchronous transitions - `"active"` - `"pending_reactivation"` - `"pending_revocation"` - `"revoked"` - `validity_days?: number` The number of days the Client Certificate will be valid after the issued_on date ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const clientCertificate = await client.clientCertificates.get('023e105f4ecef8ad9ca31a8372d0c353', { zone_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(clientCertificate.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "023e105f4ecef8ad9ca31a8372d0c353", "certificate": "-----BEGIN CERTIFICATE-----\nMIIDmDCCAoC...dhDDE\n-----END CERTIFICATE-----", "certificate_authority": { "id": "568b6b74-7b0c-4755-8840-4e3b8c24adeb", "name": "Cloudflare Managed CA for account" }, "common_name": "Cloudflare", "country": "US", "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICY....\n-----END CERTIFICATE REQUEST-----", "expires_on": "2033-02-20T23:18:00Z", "fingerprint_sha256": "256c24690243359fb8cf139a125bd05ebf1d968b71e4caf330718e9f5c8a89ea", "issued_on": "2023-02-23T23:18:00Z", "location": "Somewhere", "organization": "Organization", "organizational_unit": "Organizational Unit", "serial_number": "3bb94ff144ac567b9f75ad664b6c55f8d5e48182", "signature": "SHA256WithRSA", "ski": "8e375af1389a069a0f921f8cc8e1eb12d784b949", "state": "CA", "status": "active", "validity_days": 3650 } } ``` ## Create Client Certificate `client.clientCertificates.create(ClientCertificateCreateParamsparams, RequestOptionsoptions?): ClientCertificate` **post** `/zones/{zone_id}/client_certificates` Create a new API Shield mTLS Client Certificate ### Parameters - `params: ClientCertificateCreateParams` - `zone_id: string` Path param: Identifier. - `csr: string` Body param: The Certificate Signing Request (CSR). Must be newline-encoded. - `validity_days: number` Body param: The number of days the Client Certificate will be valid after the issued_on date ### Returns - `ClientCertificate` - `id?: string` Identifier. - `certificate?: string` The Client Certificate PEM - `certificate_authority?: CertificateAuthority` Certificate Authority used to issue the Client Certificate - `id?: string` - `name?: string` - `common_name?: string` Common Name of the Client Certificate - `country?: string` Country, provided by the CSR - `csr?: string` The Certificate Signing Request (CSR). Must be newline-encoded. - `expires_on?: string` Date that the Client Certificate expires - `fingerprint_sha256?: string` Unique identifier of the Client Certificate - `issued_on?: string` Date that the Client Certificate was issued by the Certificate Authority - `location?: string` Location, provided by the CSR - `organization?: string` Organization, provided by the CSR - `organizational_unit?: string` Organizational Unit, provided by the CSR - `serial_number?: string` The serial number on the created Client Certificate. - `signature?: string` The type of hash used for the Client Certificate.. - `ski?: string` Subject Key Identifier - `state?: string` State, provided by the CSR - `status?: Status` Client Certificates may be active or revoked, and the pending_reactivation or pending_revocation represent in-progress asynchronous transitions - `"active"` - `"pending_reactivation"` - `"pending_revocation"` - `"revoked"` - `validity_days?: number` The number of days the Client Certificate will be valid after the issued_on date ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const clientCertificate = await client.clientCertificates.create({ zone_id: '023e105f4ecef8ad9ca31a8372d0c353', csr: '-----BEGIN CERTIFICATE REQUEST-----\nMIICY....\n-----END CERTIFICATE REQUEST-----', validity_days: 3650, }); console.log(clientCertificate.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "023e105f4ecef8ad9ca31a8372d0c353", "certificate": "-----BEGIN CERTIFICATE-----\nMIIDmDCCAoC...dhDDE\n-----END CERTIFICATE-----", "certificate_authority": { "id": "568b6b74-7b0c-4755-8840-4e3b8c24adeb", "name": "Cloudflare Managed CA for account" }, "common_name": "Cloudflare", "country": "US", "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICY....\n-----END CERTIFICATE REQUEST-----", "expires_on": "2033-02-20T23:18:00Z", "fingerprint_sha256": "256c24690243359fb8cf139a125bd05ebf1d968b71e4caf330718e9f5c8a89ea", "issued_on": "2023-02-23T23:18:00Z", "location": "Somewhere", "organization": "Organization", "organizational_unit": "Organizational Unit", "serial_number": "3bb94ff144ac567b9f75ad664b6c55f8d5e48182", "signature": "SHA256WithRSA", "ski": "8e375af1389a069a0f921f8cc8e1eb12d784b949", "state": "CA", "status": "active", "validity_days": 3650 } } ``` ## Reactivate Client Certificate `client.clientCertificates.edit(stringclientCertificateId, ClientCertificateEditParamsparams, RequestOptionsoptions?): ClientCertificate` **patch** `/zones/{zone_id}/client_certificates/{client_certificate_id}` If a API Shield mTLS Client Certificate is in a pending_revocation state, you may reactivate it with this endpoint. ### Parameters - `clientCertificateId: string` Identifier. - `params: ClientCertificateEditParams` - `zone_id: string` Path param: Identifier. - `reactivate?: boolean` Body param ### Returns - `ClientCertificate` - `id?: string` Identifier. - `certificate?: string` The Client Certificate PEM - `certificate_authority?: CertificateAuthority` Certificate Authority used to issue the Client Certificate - `id?: string` - `name?: string` - `common_name?: string` Common Name of the Client Certificate - `country?: string` Country, provided by the CSR - `csr?: string` The Certificate Signing Request (CSR). Must be newline-encoded. - `expires_on?: string` Date that the Client Certificate expires - `fingerprint_sha256?: string` Unique identifier of the Client Certificate - `issued_on?: string` Date that the Client Certificate was issued by the Certificate Authority - `location?: string` Location, provided by the CSR - `organization?: string` Organization, provided by the CSR - `organizational_unit?: string` Organizational Unit, provided by the CSR - `serial_number?: string` The serial number on the created Client Certificate. - `signature?: string` The type of hash used for the Client Certificate.. - `ski?: string` Subject Key Identifier - `state?: string` State, provided by the CSR - `status?: Status` Client Certificates may be active or revoked, and the pending_reactivation or pending_revocation represent in-progress asynchronous transitions - `"active"` - `"pending_reactivation"` - `"pending_revocation"` - `"revoked"` - `validity_days?: number` The number of days the Client Certificate will be valid after the issued_on date ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const clientCertificate = await client.clientCertificates.edit('023e105f4ecef8ad9ca31a8372d0c353', { zone_id: '023e105f4ecef8ad9ca31a8372d0c353', }); console.log(clientCertificate.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "023e105f4ecef8ad9ca31a8372d0c353", "certificate": "-----BEGIN CERTIFICATE-----\nMIIDmDCCAoC...dhDDE\n-----END CERTIFICATE-----", "certificate_authority": { "id": "568b6b74-7b0c-4755-8840-4e3b8c24adeb", "name": "Cloudflare Managed CA for account" }, "common_name": "Cloudflare", "country": "US", "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICY....\n-----END CERTIFICATE REQUEST-----", "expires_on": "2033-02-20T23:18:00Z", "fingerprint_sha256": "256c24690243359fb8cf139a125bd05ebf1d968b71e4caf330718e9f5c8a89ea", "issued_on": "2023-02-23T23:18:00Z", "location": "Somewhere", "organization": "Organization", "organizational_unit": "Organizational Unit", "serial_number": "3bb94ff144ac567b9f75ad664b6c55f8d5e48182", "signature": "SHA256WithRSA", "ski": "8e375af1389a069a0f921f8cc8e1eb12d784b949", "state": "CA", "status": "active", "validity_days": 3650 } } ``` ## Revoke Client Certificate `client.clientCertificates.delete(stringclientCertificateId, ClientCertificateDeleteParamsparams, RequestOptionsoptions?): ClientCertificate` **delete** `/zones/{zone_id}/client_certificates/{client_certificate_id}` Set a API Shield mTLS Client Certificate to pending_revocation status for processing to revoked status. ### Parameters - `clientCertificateId: string` Identifier. - `params: ClientCertificateDeleteParams` - `zone_id: string` Identifier. ### Returns - `ClientCertificate` - `id?: string` Identifier. - `certificate?: string` The Client Certificate PEM - `certificate_authority?: CertificateAuthority` Certificate Authority used to issue the Client Certificate - `id?: string` - `name?: string` - `common_name?: string` Common Name of the Client Certificate - `country?: string` Country, provided by the CSR - `csr?: string` The Certificate Signing Request (CSR). Must be newline-encoded. - `expires_on?: string` Date that the Client Certificate expires - `fingerprint_sha256?: string` Unique identifier of the Client Certificate - `issued_on?: string` Date that the Client Certificate was issued by the Certificate Authority - `location?: string` Location, provided by the CSR - `organization?: string` Organization, provided by the CSR - `organizational_unit?: string` Organizational Unit, provided by the CSR - `serial_number?: string` The serial number on the created Client Certificate. - `signature?: string` The type of hash used for the Client Certificate.. - `ski?: string` Subject Key Identifier - `state?: string` State, provided by the CSR - `status?: Status` Client Certificates may be active or revoked, and the pending_reactivation or pending_revocation represent in-progress asynchronous transitions - `"active"` - `"pending_reactivation"` - `"pending_revocation"` - `"revoked"` - `validity_days?: number` The number of days the Client Certificate will be valid after the issued_on date ### Example ```node import Cloudflare from 'cloudflare'; const client = new Cloudflare({ apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted }); const clientCertificate = await client.clientCertificates.delete( '023e105f4ecef8ad9ca31a8372d0c353', { zone_id: '023e105f4ecef8ad9ca31a8372d0c353' }, ); console.log(clientCertificate.id); ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "023e105f4ecef8ad9ca31a8372d0c353", "certificate": "-----BEGIN CERTIFICATE-----\nMIIDmDCCAoC...dhDDE\n-----END CERTIFICATE-----", "certificate_authority": { "id": "568b6b74-7b0c-4755-8840-4e3b8c24adeb", "name": "Cloudflare Managed CA for account" }, "common_name": "Cloudflare", "country": "US", "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICY....\n-----END CERTIFICATE REQUEST-----", "expires_on": "2033-02-20T23:18:00Z", "fingerprint_sha256": "256c24690243359fb8cf139a125bd05ebf1d968b71e4caf330718e9f5c8a89ea", "issued_on": "2023-02-23T23:18:00Z", "location": "Somewhere", "organization": "Organization", "organizational_unit": "Organizational Unit", "serial_number": "3bb94ff144ac567b9f75ad664b6c55f8d5e48182", "signature": "SHA256WithRSA", "ski": "8e375af1389a069a0f921f8cc8e1eb12d784b949", "state": "CA", "status": "active", "validity_days": 3650 } } ``` ## Domain Types ### Client Certificate - `ClientCertificate` - `id?: string` Identifier. - `certificate?: string` The Client Certificate PEM - `certificate_authority?: CertificateAuthority` Certificate Authority used to issue the Client Certificate - `id?: string` - `name?: string` - `common_name?: string` Common Name of the Client Certificate - `country?: string` Country, provided by the CSR - `csr?: string` The Certificate Signing Request (CSR). Must be newline-encoded. - `expires_on?: string` Date that the Client Certificate expires - `fingerprint_sha256?: string` Unique identifier of the Client Certificate - `issued_on?: string` Date that the Client Certificate was issued by the Certificate Authority - `location?: string` Location, provided by the CSR - `organization?: string` Organization, provided by the CSR - `organizational_unit?: string` Organizational Unit, provided by the CSR - `serial_number?: string` The serial number on the created Client Certificate. - `signature?: string` The type of hash used for the Client Certificate.. - `ski?: string` Subject Key Identifier - `state?: string` State, provided by the CSR - `status?: Status` Client Certificates may be active or revoked, and the pending_reactivation or pending_revocation represent in-progress asynchronous transitions - `"active"` - `"pending_reactivation"` - `"pending_revocation"` - `"revoked"` - `validity_days?: number` The number of days the Client Certificate will be valid after the issued_on date