Skip to content
Cloudflare API
Start here
API Reference
Zero Trust
Gateway

Certificates

List Zero Trust certificates
GET/accounts/{account_id}/gateway/certificates
Get Zero Trust certificate details
GET/accounts/{account_id}/gateway/certificates/{certificate_id}
Create Zero Trust certificate
POST/accounts/{account_id}/gateway/certificates
Delete Zero Trust certificate
DELETE/accounts/{account_id}/gateway/certificates/{certificate_id}
Activate a Zero Trust certificate
POST/accounts/{account_id}/gateway/certificates/{certificate_id}/activate
Deactivate a Zero Trust certificate
POST/accounts/{account_id}/gateway/certificates/{certificate_id}/deactivate
ModelsExpand Collapse
CertificateListResponse { id, binding_status, certificate, 9 more }
id: optional string

Identify the certificate with a UUID.

maxLength36
binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"

Indicate the read-only deployment status of the certificate on Cloudflare’s edge. Gateway TLS interception can use certificates in the ‘available’ (previously called ‘active’) state.

One of the following:
"pending_deployment"
"available"
"pending_deletion"
"inactive"
certificate: optional string

Provide the CA certificate (read-only).

created_at: optional string
formatdate-time
expires_on: optional string
formatdate-time
fingerprint: optional string

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: optional boolean

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: optional string

Indicate the organization that issued the certificate (read-only).

issuer_raw: optional string

Provide the entire issuer field of the certificate (read-only).

type: optional "custom" or "gateway_managed"

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

One of the following:
"custom"
"gateway_managed"
updated_at: optional string
formatdate-time
uploaded_on: optional string
formatdate-time
CertificateGetResponse { id, binding_status, certificate, 9 more }
id: optional string

Identify the certificate with a UUID.

maxLength36
binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"

Indicate the read-only deployment status of the certificate on Cloudflare’s edge. Gateway TLS interception can use certificates in the ‘available’ (previously called ‘active’) state.

One of the following:
"pending_deployment"
"available"
"pending_deletion"
"inactive"
certificate: optional string

Provide the CA certificate (read-only).

created_at: optional string
formatdate-time
expires_on: optional string
formatdate-time
fingerprint: optional string

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: optional boolean

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: optional string

Indicate the organization that issued the certificate (read-only).

issuer_raw: optional string

Provide the entire issuer field of the certificate (read-only).

type: optional "custom" or "gateway_managed"

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

One of the following:
"custom"
"gateway_managed"
updated_at: optional string
formatdate-time
uploaded_on: optional string
formatdate-time
CertificateCreateResponse { id, binding_status, certificate, 9 more }
id: optional string

Identify the certificate with a UUID.

maxLength36
binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"

Indicate the read-only deployment status of the certificate on Cloudflare’s edge. Gateway TLS interception can use certificates in the ‘available’ (previously called ‘active’) state.

One of the following:
"pending_deployment"
"available"
"pending_deletion"
"inactive"
certificate: optional string

Provide the CA certificate (read-only).

created_at: optional string
formatdate-time
expires_on: optional string
formatdate-time
fingerprint: optional string

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: optional boolean

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: optional string

Indicate the organization that issued the certificate (read-only).

issuer_raw: optional string

Provide the entire issuer field of the certificate (read-only).

type: optional "custom" or "gateway_managed"

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

One of the following:
"custom"
"gateway_managed"
updated_at: optional string
formatdate-time
uploaded_on: optional string
formatdate-time
CertificateDeleteResponse { id, binding_status, certificate, 9 more }
id: optional string

Identify the certificate with a UUID.

maxLength36
binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"

Indicate the read-only deployment status of the certificate on Cloudflare’s edge. Gateway TLS interception can use certificates in the ‘available’ (previously called ‘active’) state.

One of the following:
"pending_deployment"
"available"
"pending_deletion"
"inactive"
certificate: optional string

Provide the CA certificate (read-only).

created_at: optional string
formatdate-time
expires_on: optional string
formatdate-time
fingerprint: optional string

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: optional boolean

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: optional string

Indicate the organization that issued the certificate (read-only).

issuer_raw: optional string

Provide the entire issuer field of the certificate (read-only).

type: optional "custom" or "gateway_managed"

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

One of the following:
"custom"
"gateway_managed"
updated_at: optional string
formatdate-time
uploaded_on: optional string
formatdate-time
CertificateActivateResponse { id, binding_status, certificate, 9 more }
id: optional string

Identify the certificate with a UUID.

maxLength36
binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"

Indicate the read-only deployment status of the certificate on Cloudflare’s edge. Gateway TLS interception can use certificates in the ‘available’ (previously called ‘active’) state.

One of the following:
"pending_deployment"
"available"
"pending_deletion"
"inactive"
certificate: optional string

Provide the CA certificate (read-only).

created_at: optional string
formatdate-time
expires_on: optional string
formatdate-time
fingerprint: optional string

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: optional boolean

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: optional string

Indicate the organization that issued the certificate (read-only).

issuer_raw: optional string

Provide the entire issuer field of the certificate (read-only).

type: optional "custom" or "gateway_managed"

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

One of the following:
"custom"
"gateway_managed"
updated_at: optional string
formatdate-time
uploaded_on: optional string
formatdate-time
CertificateDeactivateResponse { id, binding_status, certificate, 9 more }
id: optional string

Identify the certificate with a UUID.

maxLength36
binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"

Indicate the read-only deployment status of the certificate on Cloudflare’s edge. Gateway TLS interception can use certificates in the ‘available’ (previously called ‘active’) state.

One of the following:
"pending_deployment"
"available"
"pending_deletion"
"inactive"
certificate: optional string

Provide the CA certificate (read-only).

created_at: optional string
formatdate-time
expires_on: optional string
formatdate-time
fingerprint: optional string

Provide the SHA256 fingerprint of the certificate (read-only).

in_use: optional boolean

Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate (read-only).

issuer_org: optional string

Indicate the organization that issued the certificate (read-only).

issuer_raw: optional string

Provide the entire issuer field of the certificate (read-only).

type: optional "custom" or "gateway_managed"

Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.

One of the following:
"custom"
"gateway_managed"
updated_at: optional string
formatdate-time
uploaded_on: optional string
formatdate-time