API Reference

Custom Certificates

Prioritize

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Re-prioritize SSL Certificates

client.customCertificates.prioritize.update(PrioritizeUpdateParams { zone_id, certificates } params, RequestOptionsoptions?): SinglePage<CustomCertificate { id, zone_id, bundle_method, 12 more } >

PUT/zones/{zone_id}/custom_certificates/prioritize

If a zone has multiple SSL certificates, you can set the order in which they should be used during a request. The higher priority will break ties across overlapping 'legacy_custom' certificates.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Accepted Permissions (at least one required)

Access: Mutual TLS Certificates WriteSSL and Certificates Write

ParametersExpand Collapse

params: PrioritizeUpdateParams { zone_id, certificates }

zone_id: string

Path param: Identifier.

maxLength32

certificates: Array<Certificate>

Body param: Array of ordered certificates.

id?: string

Identifier.

maxLength32

priority?: number

The order/priority in which the certificate will be used in a request. The higher priority will break ties across overlapping 'legacy_custom' certificates, but 'legacy_custom' certificates will always supercede 'sni_custom' certificates.

ReturnsExpand Collapse

CustomCertificate { id, zone_id, bundle_method, 12 more }

id: string

Identifier.

maxLength32

zone_id: string

Identifier.

maxLength32

bundle_method?: BundleMethod

A ubiquitous bundle has the highest probability of being verified everywhere, even by clients using outdated or unusual trust stores. An optimal bundle uses the shortest chain and newest intermediates. And the force bundle verifies the chain, but does not otherwise modify it.

One of the following:

"ubiquitous"

"optimal"

"force"

custom_csr_id?: string

The identifier for the Custom CSR that was used.

expires_on?: string

When the certificate from the authority expires.

formatdate-time

geo_restrictions?: GeoRestrictions { label }

Specify the region where your private key can be held locally for optimal TLS performance. HTTPS connections to any excluded data center will still be fully encrypted, but will incur some latency while Keyless SSL is used to complete the handshake with the nearest allowed data center. Options allow distribution to only to U.S. data centers, only to E.U. data centers, or only to highest security data centers. Default distribution is to all Cloudflare datacenters, for optimal performance.

label?: "us" | "eu" | "highest_security"

One of the following:

"us"

"eu"

"highest_security"

hosts?: Array<string>

issuer?: string

The certificate authority that issued the certificate.

keyless_server?: KeylessCertificate { id, created_on, enabled, 7 more }

id: string

Keyless certificate identifier tag.

maxLength32

created_on: string

When the Keyless SSL was created.

formatdate-time

enabled: boolean

Whether or not the Keyless SSL is on or off.

host: string

The keyless SSL name.

formathostname

maxLength253

modified_on: string

When the Keyless SSL was last modified.

formatdate-time

name: string

The keyless SSL name.

maxLength180

permissions: Array<string>

Available permissions for the Keyless SSL for the current user requesting the item.

port: number

The keyless SSL port used to communicate between Cloudflare and the client's Keyless SSL server.

maxLength65535

status: "active" | "deleted"

Status of the Keyless SSL.

One of the following:

"active"

"deleted"

tunnel?: Tunnel { private_ip, vnet_id }

Configuration for using Keyless SSL through a Cloudflare Tunnel

private_ip: string

Private IP of the Key Server Host

vnet_id: string

Cloudflare Tunnel Virtual Network ID

modified_on?: string

When the certificate was last modified.

formatdate-time

policy_restrictions?: string

The policy restrictions returned by the API. This field is returned in responses when a policy has been set. The API accepts the "policy" field in requests but returns this field as "policy_restrictions" in responses.

Specifies the region(s) where your private key can be held locally for optimal TLS performance. Format is a boolean expression, for example: "(country: US) or (region: EU)"

priority?: number

The order/priority in which the certificate will be used in a request. The higher priority will break ties across overlapping 'legacy_custom' certificates, but 'legacy_custom' certificates will always supercede 'sni_custom' certificates.

signature?: string

The type of hash used for the certificate.

status?: "active" | "expired" | "deleted" | 2 more

Status of the zone's custom SSL.

One of the following:

"active"

"expired"

"deleted"

"pending"

"initializing"

uploaded_on?: string

When the certificate was uploaded to Cloudflare.

formatdate-time

Re-prioritize SSL Certificates

TypeScript

HTTP

TypeScript

Python

Go

Terraform

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

// Automatically fetches more pages as needed.
for await (const customCertificate of client.customCertificates.prioritize.update({
  zone_id: '023e105f4ecef8ad9ca31a8372d0c353',
  certificates: [{}, {}],
})) {
  console.log(customCertificate.id);
}

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "023e105f4ecef8ad9ca31a8372d0c353",
      "zone_id": "023e105f4ecef8ad9ca31a8372d0c353",
      "bundle_method": "ubiquitous",
      "custom_csr_id": "7b163417-1d2b-4c84-a38a-2fb7a0cd7752",
      "expires_on": "2016-01-01T05:20:00Z",
      "geo_restrictions": {
        "label": "us"
      },
      "hosts": [
        "example.com"
      ],
      "issuer": "GlobalSign",
      "keyless_server": {
        "id": "4d2844d2ce78891c34d0b6c0535a291e",
        "created_on": "2014-01-01T05:20:00Z",
        "enabled": false,
        "host": "example.com",
        "modified_on": "2014-01-01T05:20:00Z",
        "name": "example.com Keyless SSL",
        "permissions": [
          "#ssl:read",
          "#ssl:edit"
        ],
        "port": 24008,
        "status": "active",
        "tunnel": {
          "private_ip": "10.0.0.1",
          "vnet_id": "7365377a-85a4-4390-9480-531ef7dc7a3c"
        }
      },
      "modified_on": "2014-01-01T05:20:00Z",
      "policy_restrictions": "(country: US) or (region: EU)",
      "priority": 1,
      "signature": "SHA256WithRSA",
      "status": "active",
      "uploaded_on": "2014-01-01T05:20:00Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}

Returns Examples

200 example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "023e105f4ecef8ad9ca31a8372d0c353",
      "zone_id": "023e105f4ecef8ad9ca31a8372d0c353",
      "bundle_method": "ubiquitous",
      "custom_csr_id": "7b163417-1d2b-4c84-a38a-2fb7a0cd7752",
      "expires_on": "2016-01-01T05:20:00Z",
      "geo_restrictions": {
        "label": "us"
      },
      "hosts": [
        "example.com"
      ],
      "issuer": "GlobalSign",
      "keyless_server": {
        "id": "4d2844d2ce78891c34d0b6c0535a291e",
        "created_on": "2014-01-01T05:20:00Z",
        "enabled": false,
        "host": "example.com",
        "modified_on": "2014-01-01T05:20:00Z",
        "name": "example.com Keyless SSL",
        "permissions": [
          "#ssl:read",
          "#ssl:edit"
        ],
        "port": 24008,
        "status": "active",
        "tunnel": {
          "private_ip": "10.0.0.1",
          "vnet_id": "7365377a-85a4-4390-9480-531ef7dc7a3c"
        }
      },
      "modified_on": "2014-01-01T05:20:00Z",
      "policy_restrictions": "(country: US) or (region: EU)",
      "priority": 1,
      "signature": "SHA256WithRSA",
      "status": "active",
      "uploaded_on": "2014-01-01T05:20:00Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}