Skip to content
Cloudflare API
Start here
API Reference

SSL

SSLAnalyze

Analyze Certificate
client.ssl.analyze.create(AnalyzeCreateParams { zone_id, bundle_method, certificate } params, RequestOptionsoptions?): AnalyzeCreateResponse
POST/zones/{zone_id}/ssl/analyze
ModelsExpand Collapse
AnalyzeCreateResponse = unknown

SSLCertificate Packs

List Certificate Packs
client.ssl.certificatePacks.list(CertificatePackListParams { zone_id, deploy, page, 2 more } params, RequestOptionsoptions?): V4PagePaginationArray<CertificatePackListResponse { id, certificates, hosts, 10 more } >
GET/zones/{zone_id}/ssl/certificate_packs
Get Certificate Pack
client.ssl.certificatePacks.get(stringcertificatePackId, CertificatePackGetParams { zone_id } params, RequestOptionsoptions?): CertificatePackGetResponse { id, certificates, hosts, 10 more }
GET/zones/{zone_id}/ssl/certificate_packs/{certificate_pack_id}
Order Advanced Certificate Manager Certificate Pack
client.ssl.certificatePacks.create(CertificatePackCreateParams { zone_id, certificate_authority, hosts, 4 more } params, RequestOptionsoptions?): CertificatePackCreateResponse { id, certificates, hosts, 10 more }
POST/zones/{zone_id}/ssl/certificate_packs/order
Restart Validation or Update Advanced Certificate Manager Certificate Pack
client.ssl.certificatePacks.edit(stringcertificatePackId, CertificatePackEditParams { zone_id, cloudflare_branding } params, RequestOptionsoptions?): CertificatePackEditResponse { id, certificates, hosts, 10 more }
PATCH/zones/{zone_id}/ssl/certificate_packs/{certificate_pack_id}
Delete Advanced Certificate Manager Certificate Pack
client.ssl.certificatePacks.delete(stringcertificatePackId, CertificatePackDeleteParams { zone_id } params, RequestOptionsoptions?): CertificatePackDeleteResponse { id }
DELETE/zones/{zone_id}/ssl/certificate_packs/{certificate_pack_id}
ModelsExpand Collapse
Host = string
RequestValidity = 7 | 30 | 90 | 4 more

The number of days for which the certificate should be valid.

One of the following:
7
30
90
365
730
1095
5475
Status = "initializing" | "pending_validation" | "deleted" | 18 more

Status of certificate pack.

One of the following:
"initializing"
"pending_validation"
"deleted"
"pending_issuance"
"pending_deployment"
"pending_deletion"
"pending_expiration"
"expired"
"active"
"initializing_timed_out"
"validation_timed_out"
"issuance_timed_out"
"deployment_timed_out"
"deletion_timed_out"
"pending_cleanup"
"staging_deployment"
"staging_active"
"deactivating"
"inactive"
"backup_issued"
"holding_deployment"
ValidationMethod = "http" | "cname" | "txt"

Validation method in use for a certificate pack order.

One of the following:
"http"
"cname"
"txt"
CertificatePackListResponse { id, certificates, hosts, 10 more }

A certificate pack with all its properties.

id: string

Identifier.

maxLength32
certificates: Array<Certificate>

Array of certificates in this pack.

id: string

Certificate identifier.

hosts: Array<string>

Hostnames covered by this certificate.

status: string

Certificate status.

bundle_method?: string

Certificate bundle method.

expires_on?: string

When the certificate from the authority expires.

formatdate-time
geo_restrictions?: GeoRestrictions { label }

Specify the region where your private key can be held locally.

label?: "us" | "eu" | "highest_security"
One of the following:
"us"
"eu"
"highest_security"
issuer?: string

The certificate authority that issued the certificate.

modified_on?: string

When the certificate was last modified.

formatdate-time
priority?: number

The order/priority in which the certificate will be used.

signature?: string

The type of hash used for the certificate.

uploaded_on?: string

When the certificate was uploaded to Cloudflare.

formatdate-time
zone_id?: string

Identifier.

maxLength32
hosts: Array<Host>

Comma separated list of valid host names for the certificate packs. Must contain the zone apex, may not contain more than 50 hosts, and may not be empty.

status: Status

Status of certificate pack.

type: "mh_custom" | "managed_hostname" | "sni_custom" | 5 more

Type of certificate pack.

One of the following:
"mh_custom"
"managed_hostname"
"sni_custom"
"universal"
"advanced"
"total_tls"
"keyless"
"legacy_custom"
certificate_authority?: "google" | "lets_encrypt" | "ssl_com"

Certificate Authority selected for the order. For information on any certificate authority specific details or restrictions see this page for more details.

One of the following:
"google"
"lets_encrypt"
"ssl_com"
cloudflare_branding?: boolean

Whether or not to add Cloudflare Branding for the order. This will add a subdomain of sni.cloudflaressl.com as the Common Name if set to true.

dcv_delegation_records?: Array<DCVDelegationRecord>

DCV Delegation records for domain validation.

cname?: string

The CNAME record hostname for DCV delegation.

cname_target?: string

The CNAME record target value for DCV delegation.

emails?: Array<string>

The set of email addresses that the certificate authority (CA) will use to complete domain validation.

http_body?: string

The content that the certificate authority (CA) will expect to find at the http_url during the domain validation.

http_url?: string

The url that will be checked during domain validation.

status?: string

Status of the validation record.

txt_name?: string

The hostname that the certificate authority (CA) will check for a TXT record during domain validation .

txt_value?: string

The TXT record that the certificate authority (CA) will check during domain validation.

primary_certificate?: string

Identifier of the primary certificate in a pack.

validation_errors?: Array<ValidationError>

Domain validation errors that have been received by the certificate authority (CA).

message?: string

A domain validation error.

validation_method?: "txt" | "http" | "email"

Validation Method selected for the order.

One of the following:
"txt"
"http"
"email"
validation_records?: Array<ValidationRecord>

Certificates’ validation records.

cname?: string

The CNAME record hostname for DCV delegation.

cname_target?: string

The CNAME record target value for DCV delegation.

emails?: Array<string>

The set of email addresses that the certificate authority (CA) will use to complete domain validation.

http_body?: string

The content that the certificate authority (CA) will expect to find at the http_url during the domain validation.

http_url?: string

The url that will be checked during domain validation.

status?: string

Status of the validation record.

txt_name?: string

The hostname that the certificate authority (CA) will check for a TXT record during domain validation .

txt_value?: string

The TXT record that the certificate authority (CA) will check during domain validation.

validity_days?: 14 | 30 | 90 | 365

Validity Days selected for the order.

One of the following:
14
30
90
365
CertificatePackGetResponse { id, certificates, hosts, 10 more }

A certificate pack with all its properties.

id: string

Identifier.

maxLength32
certificates: Array<Certificate>

Array of certificates in this pack.

id: string

Certificate identifier.

hosts: Array<string>

Hostnames covered by this certificate.

status: string

Certificate status.

bundle_method?: string

Certificate bundle method.

expires_on?: string

When the certificate from the authority expires.

formatdate-time
geo_restrictions?: GeoRestrictions { label }

Specify the region where your private key can be held locally.

label?: "us" | "eu" | "highest_security"
One of the following:
"us"
"eu"
"highest_security"
issuer?: string

The certificate authority that issued the certificate.

modified_on?: string

When the certificate was last modified.

formatdate-time
priority?: number

The order/priority in which the certificate will be used.

signature?: string

The type of hash used for the certificate.

uploaded_on?: string

When the certificate was uploaded to Cloudflare.

formatdate-time
zone_id?: string

Identifier.

maxLength32
hosts: Array<Host>

Comma separated list of valid host names for the certificate packs. Must contain the zone apex, may not contain more than 50 hosts, and may not be empty.

status: Status

Status of certificate pack.

type: "mh_custom" | "managed_hostname" | "sni_custom" | 5 more

Type of certificate pack.

One of the following:
"mh_custom"
"managed_hostname"
"sni_custom"
"universal"
"advanced"
"total_tls"
"keyless"
"legacy_custom"
certificate_authority?: "google" | "lets_encrypt" | "ssl_com"

Certificate Authority selected for the order. For information on any certificate authority specific details or restrictions see this page for more details.

One of the following:
"google"
"lets_encrypt"
"ssl_com"
cloudflare_branding?: boolean

Whether or not to add Cloudflare Branding for the order. This will add a subdomain of sni.cloudflaressl.com as the Common Name if set to true.

dcv_delegation_records?: Array<DCVDelegationRecord>

DCV Delegation records for domain validation.

cname?: string

The CNAME record hostname for DCV delegation.

cname_target?: string

The CNAME record target value for DCV delegation.

emails?: Array<string>

The set of email addresses that the certificate authority (CA) will use to complete domain validation.

http_body?: string

The content that the certificate authority (CA) will expect to find at the http_url during the domain validation.

http_url?: string

The url that will be checked during domain validation.

status?: string

Status of the validation record.

txt_name?: string

The hostname that the certificate authority (CA) will check for a TXT record during domain validation .

txt_value?: string

The TXT record that the certificate authority (CA) will check during domain validation.

primary_certificate?: string

Identifier of the primary certificate in a pack.

validation_errors?: Array<ValidationError>

Domain validation errors that have been received by the certificate authority (CA).

message?: string

A domain validation error.

validation_method?: "txt" | "http" | "email"

Validation Method selected for the order.

One of the following:
"txt"
"http"
"email"
validation_records?: Array<ValidationRecord>

Certificates’ validation records.

cname?: string

The CNAME record hostname for DCV delegation.

cname_target?: string

The CNAME record target value for DCV delegation.

emails?: Array<string>

The set of email addresses that the certificate authority (CA) will use to complete domain validation.

http_body?: string

The content that the certificate authority (CA) will expect to find at the http_url during the domain validation.

http_url?: string

The url that will be checked during domain validation.

status?: string

Status of the validation record.

txt_name?: string

The hostname that the certificate authority (CA) will check for a TXT record during domain validation .

txt_value?: string

The TXT record that the certificate authority (CA) will check during domain validation.

validity_days?: 14 | 30 | 90 | 365

Validity Days selected for the order.

One of the following:
14
30
90
365
CertificatePackCreateResponse { id, certificates, hosts, 10 more }

A certificate pack with all its properties.

id: string

Identifier.

maxLength32
certificates: Array<Certificate>

Array of certificates in this pack.

id: string

Certificate identifier.

hosts: Array<string>

Hostnames covered by this certificate.

status: string

Certificate status.

bundle_method?: string

Certificate bundle method.

expires_on?: string

When the certificate from the authority expires.

formatdate-time
geo_restrictions?: GeoRestrictions { label }

Specify the region where your private key can be held locally.

label?: "us" | "eu" | "highest_security"
One of the following:
"us"
"eu"
"highest_security"
issuer?: string

The certificate authority that issued the certificate.

modified_on?: string

When the certificate was last modified.

formatdate-time
priority?: number

The order/priority in which the certificate will be used.

signature?: string

The type of hash used for the certificate.

uploaded_on?: string

When the certificate was uploaded to Cloudflare.

formatdate-time
zone_id?: string

Identifier.

maxLength32
hosts: Array<Host>

Comma separated list of valid host names for the certificate packs. Must contain the zone apex, may not contain more than 50 hosts, and may not be empty.

status: Status

Status of certificate pack.

type: "mh_custom" | "managed_hostname" | "sni_custom" | 5 more

Type of certificate pack.

One of the following:
"mh_custom"
"managed_hostname"
"sni_custom"
"universal"
"advanced"
"total_tls"
"keyless"
"legacy_custom"
certificate_authority?: "google" | "lets_encrypt" | "ssl_com"

Certificate Authority selected for the order. For information on any certificate authority specific details or restrictions see this page for more details.

One of the following:
"google"
"lets_encrypt"
"ssl_com"
cloudflare_branding?: boolean

Whether or not to add Cloudflare Branding for the order. This will add a subdomain of sni.cloudflaressl.com as the Common Name if set to true.

dcv_delegation_records?: Array<DCVDelegationRecord>

DCV Delegation records for domain validation.

cname?: string

The CNAME record hostname for DCV delegation.

cname_target?: string

The CNAME record target value for DCV delegation.

emails?: Array<string>

The set of email addresses that the certificate authority (CA) will use to complete domain validation.

http_body?: string

The content that the certificate authority (CA) will expect to find at the http_url during the domain validation.

http_url?: string

The url that will be checked during domain validation.

status?: string

Status of the validation record.

txt_name?: string

The hostname that the certificate authority (CA) will check for a TXT record during domain validation .

txt_value?: string

The TXT record that the certificate authority (CA) will check during domain validation.

primary_certificate?: string

Identifier of the primary certificate in a pack.

validation_errors?: Array<ValidationError>

Domain validation errors that have been received by the certificate authority (CA).

message?: string

A domain validation error.

validation_method?: "txt" | "http" | "email"

Validation Method selected for the order.

One of the following:
"txt"
"http"
"email"
validation_records?: Array<ValidationRecord>

Certificates’ validation records.

cname?: string

The CNAME record hostname for DCV delegation.

cname_target?: string

The CNAME record target value for DCV delegation.

emails?: Array<string>

The set of email addresses that the certificate authority (CA) will use to complete domain validation.

http_body?: string

The content that the certificate authority (CA) will expect to find at the http_url during the domain validation.

http_url?: string

The url that will be checked during domain validation.

status?: string

Status of the validation record.

txt_name?: string

The hostname that the certificate authority (CA) will check for a TXT record during domain validation .

txt_value?: string

The TXT record that the certificate authority (CA) will check during domain validation.

validity_days?: 14 | 30 | 90 | 365

Validity Days selected for the order.

One of the following:
14
30
90
365
CertificatePackEditResponse { id, certificates, hosts, 10 more }

A certificate pack with all its properties.

id: string

Identifier.

maxLength32
certificates: Array<Certificate>

Array of certificates in this pack.

id: string

Certificate identifier.

hosts: Array<string>

Hostnames covered by this certificate.

status: string

Certificate status.

bundle_method?: string

Certificate bundle method.

expires_on?: string

When the certificate from the authority expires.

formatdate-time
geo_restrictions?: GeoRestrictions { label }

Specify the region where your private key can be held locally.

label?: "us" | "eu" | "highest_security"
One of the following:
"us"
"eu"
"highest_security"
issuer?: string

The certificate authority that issued the certificate.

modified_on?: string

When the certificate was last modified.

formatdate-time
priority?: number

The order/priority in which the certificate will be used.

signature?: string

The type of hash used for the certificate.

uploaded_on?: string

When the certificate was uploaded to Cloudflare.

formatdate-time
zone_id?: string

Identifier.

maxLength32
hosts: Array<Host>

Comma separated list of valid host names for the certificate packs. Must contain the zone apex, may not contain more than 50 hosts, and may not be empty.

status: Status

Status of certificate pack.

type: "mh_custom" | "managed_hostname" | "sni_custom" | 5 more

Type of certificate pack.

One of the following:
"mh_custom"
"managed_hostname"
"sni_custom"
"universal"
"advanced"
"total_tls"
"keyless"
"legacy_custom"
certificate_authority?: "google" | "lets_encrypt" | "ssl_com"

Certificate Authority selected for the order. For information on any certificate authority specific details or restrictions see this page for more details.

One of the following:
"google"
"lets_encrypt"
"ssl_com"
cloudflare_branding?: boolean

Whether or not to add Cloudflare Branding for the order. This will add a subdomain of sni.cloudflaressl.com as the Common Name if set to true.

dcv_delegation_records?: Array<DCVDelegationRecord>

DCV Delegation records for domain validation.

cname?: string

The CNAME record hostname for DCV delegation.

cname_target?: string

The CNAME record target value for DCV delegation.

emails?: Array<string>

The set of email addresses that the certificate authority (CA) will use to complete domain validation.

http_body?: string

The content that the certificate authority (CA) will expect to find at the http_url during the domain validation.

http_url?: string

The url that will be checked during domain validation.

status?: string

Status of the validation record.

txt_name?: string

The hostname that the certificate authority (CA) will check for a TXT record during domain validation .

txt_value?: string

The TXT record that the certificate authority (CA) will check during domain validation.

primary_certificate?: string

Identifier of the primary certificate in a pack.

validation_errors?: Array<ValidationError>

Domain validation errors that have been received by the certificate authority (CA).

message?: string

A domain validation error.

validation_method?: "txt" | "http" | "email"

Validation Method selected for the order.

One of the following:
"txt"
"http"
"email"
validation_records?: Array<ValidationRecord>

Certificates’ validation records.

cname?: string

The CNAME record hostname for DCV delegation.

cname_target?: string

The CNAME record target value for DCV delegation.

emails?: Array<string>

The set of email addresses that the certificate authority (CA) will use to complete domain validation.

http_body?: string

The content that the certificate authority (CA) will expect to find at the http_url during the domain validation.

http_url?: string

The url that will be checked during domain validation.

status?: string

Status of the validation record.

txt_name?: string

The hostname that the certificate authority (CA) will check for a TXT record during domain validation .

txt_value?: string

The TXT record that the certificate authority (CA) will check during domain validation.

validity_days?: 14 | 30 | 90 | 365

Validity Days selected for the order.

One of the following:
14
30
90
365
CertificatePackDeleteResponse { id }
id?: string

Identifier.

maxLength32

SSLCertificate PacksQuota

Get Certificate Pack Quotas
client.ssl.certificatePacks.quota.get(QuotaGetParams { zone_id } params, RequestOptionsoptions?): QuotaGetResponse { advanced }
GET/zones/{zone_id}/ssl/certificate_packs/quota
ModelsExpand Collapse
QuotaGetResponse { advanced }
advanced?: Advanced { allocated, used }
allocated?: number

Quantity Allocated.

used?: number

Quantity Used.

SSLRecommendations

SSLAutomatic Upgrader

SSLAuto Origin TLS Kex

Get Auto-Origin TLS KEX enrollment status for the given zone
client.ssl.autoOriginTLSKex.get(AutoOriginTLSKexGetParams { zone_id } params, RequestOptionsoptions?): AutoOriginTLSKexGetResponse { id, enabled, modified_on }
GET/zones/{zone_id}/settings/auto_origin_tls_kex
Patch Auto-Origin TLS KEX enrollment status for the given zone
client.ssl.autoOriginTLSKex.edit(AutoOriginTLSKexEditParams { zone_id, enabled } params, RequestOptionsoptions?): AutoOriginTLSKexEditResponse { id, enabled, modified_on }
PATCH/zones/{zone_id}/settings/auto_origin_tls_kex
ModelsExpand Collapse
AutoOriginTLSKexGetResponse { id, enabled, modified_on }
id: string
enabled: boolean

Whether Auto-Origin TLS KEX selection is enabled for the zone.

modified_on: string

Last time this setting was modified.

formatdate-time
AutoOriginTLSKexEditResponse { id, enabled, modified_on }
id: string
enabled: boolean

Whether Auto-Origin TLS KEX selection is enabled for the zone.

modified_on: string

Last time this setting was modified.

formatdate-time

SSLUniversal

SSLUniversalSettings

Universal SSL Settings Details
client.ssl.universal.settings.get(SettingGetParams { zone_id } params, RequestOptionsoptions?): UniversalSSLSettings { enabled }
GET/zones/{zone_id}/ssl/universal/settings
Edit Universal SSL Settings
client.ssl.universal.settings.edit(SettingEditParams { zone_id, enabled } params, RequestOptionsoptions?): UniversalSSLSettings { enabled }
PATCH/zones/{zone_id}/ssl/universal/settings
ModelsExpand Collapse
UniversalSSLSettings { enabled }
enabled?: boolean

Disabling Universal SSL removes any currently active Universal SSL certificates for your zone from the edge and prevents any future Universal SSL certificates from being ordered. If there are no advanced certificates or custom certificates uploaded for the domain, visitors will be unable to access the domain over HTTPS.

By disabling Universal SSL, you understand that the following Cloudflare settings and preferences will result in visitors being unable to visit your domain unless you have uploaded a custom certificate or purchased an advanced certificate.

  • HSTS
  • Always Use HTTPS
  • Opportunistic Encryption
  • Onion Routing
  • Any Page Rules redirecting traffic to HTTPS

Similarly, any HTTP redirect to HTTPS at the origin while the Cloudflare proxy is enabled will result in users being unable to visit your site without a valid certificate at Cloudflare’s edge.

If you do not have a valid custom or advanced certificate at Cloudflare’s edge and are unsure if any of the above Cloudflare settings are enabled, or if any HTTP redirects exist at your origin, we advise leaving Universal SSL enabled for your domain.

SSLVerification

SSL Verification Details
client.ssl.verification.get(VerificationGetParams { zone_id, retry } params, RequestOptionsoptions?): VerificationGetResponse { certificate_status, brand_check, cert_pack_uuid, 5 more }
GET/zones/{zone_id}/ssl/verification
Edit SSL Certificate Pack Validation Method
client.ssl.verification.edit(stringcertificatePackId, VerificationEditParams { zone_id, validation_method } params, RequestOptionsoptions?): VerificationEditResponse { status, validation_method }
PATCH/zones/{zone_id}/ssl/verification/{certificate_pack_id}
ModelsExpand Collapse
Verification { certificate_status, brand_check, cert_pack_uuid, 5 more }
certificate_status: "initializing" | "authorizing" | "active" | 4 more

Current status of certificate.

One of the following:
"initializing"
"authorizing"
"active"
"expired"
"issuing"
"timing_out"
"pending_deployment"
brand_check?: boolean

Certificate Authority is manually reviewing the order.

cert_pack_uuid?: string

Certificate Pack UUID.

signature?: "ECDSAWithSHA256" | "SHA1WithRSA" | "SHA256WithRSA"

Certificate’s signature algorithm.

One of the following:
"ECDSAWithSHA256"
"SHA1WithRSA"
"SHA256WithRSA"
validation_method?: ValidationMethod

Validation method in use for a certificate pack order.

verification_info?: VerificationInfo { record_name, record_target }

Certificate’s required verification information.

record_name?: "record_name" | "http_url" | "cname" | "txt_name"

Name of CNAME record.

formathostname
One of the following:
"record_name"
"http_url"
"cname"
"txt_name"
record_target?: "record_value" | "http_body" | "cname_target" | "txt_value"

Target of CNAME record.

formathostname
One of the following:
"record_value"
"http_body"
"cname_target"
"txt_value"
verification_status?: boolean

Status of the required verification information, omitted if verification status is unknown.

verification_type?: "cname" | "meta tag"

Method of verification.

One of the following:
"cname"
"meta tag"
VerificationGetResponse = Array<Verification { certificate_status, brand_check, cert_pack_uuid, 5 more } >
certificate_status: "initializing" | "authorizing" | "active" | 4 more

Current status of certificate.

One of the following:
"initializing"
"authorizing"
"active"
"expired"
"issuing"
"timing_out"
"pending_deployment"
brand_check?: boolean

Certificate Authority is manually reviewing the order.

cert_pack_uuid?: string

Certificate Pack UUID.

signature?: "ECDSAWithSHA256" | "SHA1WithRSA" | "SHA256WithRSA"

Certificate’s signature algorithm.

One of the following:
"ECDSAWithSHA256"
"SHA1WithRSA"
"SHA256WithRSA"
validation_method?: ValidationMethod

Validation method in use for a certificate pack order.

verification_info?: VerificationInfo { record_name, record_target }

Certificate’s required verification information.

record_name?: "record_name" | "http_url" | "cname" | "txt_name"

Name of CNAME record.

formathostname
One of the following:
"record_name"
"http_url"
"cname"
"txt_name"
record_target?: "record_value" | "http_body" | "cname_target" | "txt_value"

Target of CNAME record.

formathostname
One of the following:
"record_value"
"http_body"
"cname_target"
"txt_value"
verification_status?: boolean

Status of the required verification information, omitted if verification status is unknown.

verification_type?: "cname" | "meta tag"

Method of verification.

One of the following:
"cname"
"meta tag"
VerificationEditResponse { status, validation_method }
status?: string

Result status.

validation_method?: "http" | "cname" | "txt" | "email"

Desired validation method.

One of the following:
"http"
"cname"
"txt"
"email"