Cloudflare Docs
Cloudflare for Platforms
Cloudflare for Platforms
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Manage custom certificates — Cloudflare for SaaS

For use cases and limitations, refer to custom certificates.

​​ Upload certificates

​​ With the dashboard

To upload a custom certificate in the dashboard, follow the steps for issuing new certificates, but change the Certificate type to Custom certificate.

For more details on bundle method, refer to Bundle Methodologies

​​ With the API

The call below will upload a certificate for use with

Note that if you are using an ECC key generated by OpenSSL, you will need to first remove the -----BEGIN EC PARAMETERS-----...-----END EC PARAMETERS----- section of the file.

​​ Step 1 — Update the file and build the payload

$ cat app_example_com.pem
$ MYCERT="$(cat app_example_com.pem|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"
$ MYKEY="$(cat app_example_com.key|perl -pe 's/\r?\n/\\n/'|sed -e's/..$//')"

With the certificate and key saved to environment variables (using escaped newlines), build the payload:

$ echo $MYCERT
$ request_body=$(< <(cat <<EOF
"hostname": "",
"ssl": {
"custom_certificate": "$MYCERT",
"custom_key": "$MYKEY"

​​ Step 2 — Upload your certificate and key

Use a POST request to upload your certificate and key.

The serial number returned is unique to the issuer, but not globally unique. Additionally, it is returned as a string, not an integer.

​​ Move to a Cloudflare certificate

If you want to switch from maintaining a custom certificate to using one issued by Cloudflare, you can migrate that certificate with zero downtime.

Send a PATCH request to your custom hostname with a value for the DCV method. As soon as the certificate is validated and the hostname is validated, Cloudflare will remove the old custom certificate and begin serving the new one.