
Custom Certificates

resource cloudflare_custom_ssl

required
zone_id: String

Identifier.

certificate: String

The zone's SSL certificate or certificate and the intermediate(s).

private_key: String

The zone's private key.

optional
type?: String

The type 'legacy_custom' enables support for legacy clients which do not include SNI in the TLS handshake.

custom_csr_id?: String

The identifier for the Custom CSR that was used.

policy?: String

Specify the policy that determines the region where your private key will be held locally. HTTPS connections to any excluded data center will still be fully encrypted, but will incur some latency while Keyless SSL is used to complete the handshake with the nearest allowed data center. Any combination of countries, specified by their two-letter country code (https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements), can be chosen, such as 'country: IN', as well as 'region: EU', which refers to the EU region. If too few data centers satisfy the policy, it will be rejected. Note: the API accepts this field as either "policy" or "policy_restrictions" in requests. Responses return this field as "policy_restrictions".

geo_restrictions?: Attributes

Specify the region where your private key can be held locally for optimal TLS performance. HTTPS connections to any excluded data center will still be fully encrypted, but will incur some latency while Keyless SSL is used to complete the handshake with the nearest allowed data center. Options allow distribution only to U.S. data centers, only to E.U. data centers, or only to highest-security data centers. Default distribution is to all Cloudflare data centers, for optimal performance.

label?: String
bundle_method?: String

A ubiquitous bundle has the highest probability of being verified everywhere, even by clients using outdated or unusual trust stores. An optimal bundle uses the shortest chain and newest intermediates. The force bundle verifies the chain but does not otherwise modify it.

deploy?: String

The environment to deploy the certificate to; defaults to production.

computed
id: String

Identifier.

expires_on: Time

When the certificate from the authority expires.

issuer: String

The certificate authority that issued the certificate.

modified_on: Time

When the certificate was last modified.

policy_restrictions: String

The policy restrictions returned by the API. This field is returned in responses when a policy has been set. The API accepts the "policy" field in requests but returns this field as "policy_restrictions" in responses.

Specifies the region(s) where your private key can be held locally for optimal TLS performance. The format is a boolean expression, for example: "(country: US) or (region: EU)".

priority: Float64

The order/priority in which the certificate will be used in a request. The higher priority will break ties across overlapping 'legacy_custom' certificates, but 'legacy_custom' certificates will always supersede 'sni_custom' certificates.

signature: String

The type of hash used for the certificate.

status: String

Status of the zone's custom SSL.

uploaded_on: Time

When the certificate was uploaded to Cloudflare.

hosts: List[String]
keyless_server: Attributes
id: String

Keyless certificate identifier tag.

created_on: Time

When the Keyless SSL was created.

enabled: Bool

Whether the Keyless SSL is on or off.

host: String

The keyless SSL name.

modified_on: Time

When the Keyless SSL was last modified.

name: String

The keyless SSL name.

permissions: List[String]

Available permissions for the Keyless SSL for the current user requesting the item.

port: Float64

The keyless SSL port used to communicate between Cloudflare and the client's Keyless SSL server.

status: String

Status of the Keyless SSL.

tunnel: Attributes

Configuration for using Keyless SSL through a Cloudflare Tunnel.

private_ip: String

Private IP of the Key Server Host.

vnet_id: String

Cloudflare Tunnel Virtual Network ID.

cloudflare_custom_ssl

resource "cloudflare_custom_ssl" "example_custom_ssl" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  certificate = <<EOT
  -----BEGIN CERTIFICATE-----
  MIIDtTCCAp2gAwIBAgIJAMHAwfXZ5/PWMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
  BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
  aWRnaXRzIFB0eSBMdGQwHhcNMTYwODI0MTY0MzAxWhcNMTYxMTIyMTY0MzAxWjBF
  MQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50
  ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
  CgKCAQEAwQHoetcl9+5ikGzV6cMzWtWPJHqXT3wpbEkRU9Yz7lgvddmGdtcGbg/1
  CGZu0jJGkMoppoUo4c3dts3iwqRYmBikUP77wwY2QGmDZw2FvkJCJlKnabIRuGvB
  KwzESIXgKk2016aTP6/dAjEHyo6SeoK8lkIySUvK0fyOVlsiEsCmOpidtnKX/a+5
  0GjB79CJH4ER2lLVZnhePFR/zUOyPxZQQ4naHf7yu/b5jhO0f8fwt+pyFxIXjbEI
  dZliWRkRMtzrHOJIhrmJ2A1J7iOrirbbwillwjjNVUWPf3IJ3M12S9pEewooaeO2
  izNTERcG9HzAacbVRn2Y2SWIyT/18QIDAQABo4GnMIGkMB0GA1UdDgQWBBT/LbE4
  9rWf288N6sJA5BRb6FJIGDB1BgNVHSMEbjBsgBT/LbE49rWf288N6sJA5BRb6FJI
  GKFJpEcwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNV
  BAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZIIJAMHAwfXZ5/PWMAwGA1UdEwQF
  MAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHHFwl0tH0quUYZYO0dZYt4R7SJ0pCm2
  2satiyzHl4OnXcHDpekAo7/a09c6Lz6AU83cKy/+x3/djYHXWba7HpEu0dR3ugQP
  Mlr4zrhd9xKZ0KZKiYmtJH+ak4OM4L3FbT0owUZPyjLSlhMtJVcoRp5CJsjAMBUG
  SvD8RX+T01wzox/Qb+lnnNnOlaWpqu8eoOenybxKp1a9ULzIVvN/LAcc+14vioFq
  2swRWtmocBAs8QR9n4uvbpiYvS8eYueDCWMM4fvFfBhaDZ3N9IbtySh3SpFdQDhw
  YbjM2rxXiyLGxB4Bol7QTv4zHif7Zt89FReT/NBy4rzaskDJY5L6xmY=
  -----END CERTIFICATE-----

  EOT
  private_key = <<EOT
  -----BEGIN RSA PRIVATE KEY-----
  MIIEowIBAAKCAQEAwQHoetcl9+5ikGzV6cMzWtWPJHqXT3wpbEkRU9Yz7lgvddmG
  dtcGbg/1CGZu0jJGkMoppoUo4c3dts3iwqRYmBikUP77wwY2QGmDZw2FvkJCJlKn
  abIRuGvBKwzESIXgKk2016aTP6/dAjEHyo6SeoK8lkIySUvK0fyOVlsiEsCmOpid
  tnKX/a+50GjB79CJH4ER2lLVZnhePFR/zUOyPxZQQ4naHf7yu/b5jhO0f8fwt+py
  FxIXjbEIdZliWRkRMtzrHOJIhrmJ2A1J7iOrirbbwillwjjNVUWPf3IJ3M12S9pE
  ewooaeO2izNTERcG9HzAacbVRn2Y2SWIyT/18QIDAQABAoIBACbhTYXBZYKmYPCb
  HBR1IBlCQA2nLGf0qRuJNJZg5iEzXows/6tc8YymZkQE7nolapWsQ+upk2y5Xdp/
  axiuprIs9JzkYK8Ox0r+dlwCG1kSW+UAbX0bQ/qUqlsTvU6muVuMP8vZYHxJ3wmb
  +ufRBKztPTQ/rYWaYQcgC0RWI20HTFBMxlTAyNxYNWzX7RKFkGVVyB9RsAtmcc8g
  +j4OdosbfNoJPS0HeIfNpAznDfHKdxDk2Yc1tV6RHBrC1ynyLE9+TaflIAdo2MVv
  KLMLq51GqYKtgJFIlBRPQqKoyXdz3fGvXrTkf/WY9QNq0J1Vk5ERePZ54mN8iZB7
  9lwy/AkCgYEA6FXzosxswaJ2wQLeoYc7ceaweX/SwTvxHgXzRyJIIT0eJWgx13Wo
  /WA3Iziimsjf6qE+SI/8laxPp2A86VMaIt3Z3mJN/CqSVGw8LK2AQst+OwdPyDMu
  iacE8lj/IFGC8mwNUAb9CzGU3JpU4PxxGFjS/eMtGeRXCWkK4NE+G08CgYEA1Kp9
  N2JrVlqUz+gAX+LPmE9OEMAS9WQSQsfCHGogIFDGGcNf7+uwBM7GAaSJIP01zcoe
  VAgWdzXCv3FLhsaZoJ6RyLOLay5phbu1iaTr4UNYm5WtYTzMzqh8l1+MFFDl9xDB
  vULuCIIrglM5MeS/qnSg1uMoH2oVPj9TVst/ir8CgYEAxrI7Ws9Zc4Bt70N1As+U
  lySjaEVZCMkqvHJ6TCuVZFfQoE0r0whdLdRLU2PsLFP+q7qaeZQqgBaNSKeVcDYR
  9B+nY/jOmQoPewPVsp/vQTCnE/R81spu0mp0YI6cIheT1Z9zAy322svcc43JaWB7
  mEbeqyLOP4Z4qSOcmghZBSECgYACvR9Xs0DGn+wCsW4vze/2ei77MD4OQvepPIFX
  dFZtlBy5ADcgE9z0cuVB6CiL8DbdK5kwY9pGNr8HUCI03iHkW6Zs+0L0YmihfEVe
  PG19PSzK9CaDdhD9KFZSbLyVFmWfxOt50H7YRTTiPMgjyFpfi5j2q348yVT0tEQS
  fhRqaQKBgAcWPokmJ7EbYQGeMbS7HC8eWO/RyamlnSffdCdSc7ue3zdVJxpAkQ8W
  qu80pEIF6raIQfAf8MXiiZ7auFOSnHQTXUbhCpvDLKi0Mwq3G8Pl07l+2s6dQG6T
  lv6XTQaMyf6n1yjzL+fzDrH3qXMxHMO/b13EePXpDMpY7HQpoLDi
  -----END RSA PRIVATE KEY-----

  EOT
  bundle_method = "ubiquitous"
  custom_csr_id = "7b163417-1d2b-4c84-a38a-2fb7a0cd7752"
  deploy = "staging"
  geo_restrictions = {
    label = "us"
  }
  policy = "(country: US) or (region: EU)"
  type = "sni_custom"
}
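The same resource with the key material kept out of the configuration file. This is an added example, not taken from the provider documentation; the certificate path, the variable name and the lifecycle check are assumptions.

```hcl
# Supply the key out of band, e.g. via TF_VAR_custom_ssl_private_key, so it
# never lands in version control. "sensitive" redacts it from plan/apply output
# (it is still written to Terraform state, so protect the state backend).
variable "custom_ssl_private_key" {
  type      = string
  sensitive = true
}

locals {
  # Assumed path: leaf certificate followed by its intermediate(s), PEM-encoded.
  custom_ssl_chain = file("${path.module}/certs/example.fullchain.pem")
}

resource "cloudflare_custom_ssl" "example_custom_ssl" {
  zone_id       = "023e105f4ecef8ad9ca31a8372d0c353"
  certificate   = local.custom_ssl_chain
  private_key   = var.custom_ssl_private_key
  bundle_method = "ubiquitous"
  type          = "sni_custom"
  # Keep the private key within US or EU data centers; elsewhere the handshake
  # falls back to Keyless SSL against the nearest allowed data center.
  policy        = "(country: US) or (region: EU)"

  lifecycle {
    # Fail the plan early if the chain file is not a PEM certificate block,
    # instead of discovering it when the API rejects the upload.
    precondition {
      condition     = startswith(trimspace(local.custom_ssl_chain), "-----BEGIN CERTIFICATE-----")
      error_message = "certs/example.fullchain.pem must be a PEM-encoded certificate chain."
    }
    precondition {
      condition     = !startswith(trimspace(var.custom_ssl_private_key), "-----BEGIN CERTIFICATE-----")
      error_message = "custom_ssl_private_key contains a certificate, not a private key."
    }
  }
}
```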

data cloudflare_custom_ssl

required
zone_id: String

Identifier.

optional
custom_certificate_id?: String

Identifier.

filter?: Attributes
match?: String

Whether to match all search requirements or at least one (any).

status?: String

Status of the zone's custom SSL.

computed
id: String

Identifier.

bundle_method: String

A ubiquitous bundle has the highest probability of being verified everywhere, even by clients using outdated or unusual trust stores. An optimal bundle uses the shortest chain and newest intermediates. The force bundle verifies the chain but does not otherwise modify it.

custom_csr_id: String

The identifier for the Custom CSR that was used.

expires_on: Time

When the certificate from the authority expires.

issuer: String

The certificate authority that issued the certificate.

modified_on: Time

When the certificate was last modified.

policy_restrictions: String

The policy restrictions returned by the API. This field is returned in responses when a policy has been set. The API accepts the "policy" field in requests but returns this field as "policy_restrictions" in responses.

Specifies the region(s) where your private key can be held locally for optimal TLS performance. The format is a boolean expression, for example: "(country: US) or (region: EU)".

priority: Float64

The order/priority in which the certificate will be used in a request. The higher priority will break ties across overlapping 'legacy_custom' certificates, but 'legacy_custom' certificates will always supersede 'sni_custom' certificates.

signature: String

The type of hash used for the certificate.

status: String

Status of the zone's custom SSL.

uploaded_on: Time

When the certificate was uploaded to Cloudflare.

hosts: List[String]
geo_restrictions: Attributes

Specify the region where your private key can be held locally for optimal TLS performance. HTTPS connections to any excluded data center will still be fully encrypted, but will incur some latency while Keyless SSL is used to complete the handshake with the nearest allowed data center. Options allow distribution only to U.S. data centers, only to E.U. data centers, or only to highest-security data centers. Default distribution is to all Cloudflare data centers, for optimal performance.

label: String
keyless_server: Attributes
id: String

Keyless certificate identifier tag.

created_on: Time

When the Keyless SSL was created.

enabled: Bool

Whether the Keyless SSL is on or off.

host: String

The keyless SSL name.

modified_on: Time

When the Keyless SSL was last modified.

name: String

The keyless SSL name.

permissions: List[String]

Available permissions for the Keyless SSL for the current user requesting the item.

port: Float64

The keyless SSL port used to communicate between Cloudflare and the client's Keyless SSL server.

status: String

Status of the Keyless SSL.

tunnel: Attributes

Configuration for using Keyless SSL through a Cloudflare Tunnel.

private_ip: String

Private IP of the Key Server Host.

vnet_id: String

Cloudflare Tunnel Virtual Network ID.

cloudflare_custom_ssl

data "cloudflare_custom_ssl" "example_custom_ssl" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  custom_certificate_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

data cloudflare_custom_ssls

required
zone_id: String

Identifier.

optional
status?: String

Status of the zone's custom SSL.

match?: String

Whether to match all search requirements or at least one (any).

max_items?: Int64

Maximum number of items to fetch; default: 1000.

computed
result: List[Attributes]

The items returned by the data source.

id: String

Identifier.

zone_id: String

Identifier.

bundle_method: String

A ubiquitous bundle has the highest probability of being verified everywhere, even by clients using outdated or unusual trust stores. An optimal bundle uses the shortest chain and newest intermediates. The force bundle verifies the chain but does not otherwise modify it.

custom_csr_id: String

The identifier for the Custom CSR that was used.

expires_on: Time

When the certificate from the authority expires.

geo_restrictions: Attributes

Specify the region where your private key can be held locally for optimal TLS performance. HTTPS connections to any excluded data center will still be fully encrypted, but will incur some latency while Keyless SSL is used to complete the handshake with the nearest allowed data center. Options allow distribution only to U.S. data centers, only to E.U. data centers, or only to highest-security data centers. Default distribution is to all Cloudflare data centers, for optimal performance.

label: String
hosts: List[String]
issuer: String

The certificate authority that issued the certificate.

keyless_server: Attributes
id: String

Keyless certificate identifier tag.

created_on: Time

When the Keyless SSL was created.

enabled: Bool

Whether the Keyless SSL is on or off.

host: String

The keyless SSL name.

modified_on: Time

When the Keyless SSL was last modified.

name: String

The keyless SSL name.

permissions: List[String]

Available permissions for the Keyless SSL for the current user requesting the item.

port: Float64

The keyless SSL port used to communicate between Cloudflare and the client's Keyless SSL server.

status: String

Status of the Keyless SSL.

tunnel: Attributes

Configuration for using Keyless SSL through a Cloudflare Tunnel.

private_ip: String

Private IP of the Key Server Host.

vnet_id: String

Cloudflare Tunnel Virtual Network ID.

modified_on: Time

When the certificate was last modified.

policy_restrictions: String

The policy restrictions returned by the API. This field is returned in responses when a policy has been set. The API accepts the "policy" field in requests but returns this field as "policy_restrictions" in responses.

Specifies the region(s) where your private key can be held locally for optimal TLS performance. The format is a boolean expression, for example: "(country: US) or (region: EU)".

priority: Float64

The order/priority in which the certificate will be used in a request. The higher priority will break ties across overlapping 'legacy_custom' certificates, but 'legacy_custom' certificates will always supersede 'sni_custom' certificates.

signature: String

The type of hash used for the certificate.

status: String

Status of the zone's custom SSL.

uploaded_on: Time

When the certificate was uploaded to Cloudflare.

cloudflare_custom_ssls

data "cloudflare_custom_ssls" "example_custom_ssls" {
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
  status = "active"
}