Skip to content
The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors.

Deploy custom certificate

Enterprise customers who do not wish to install a Cloudflare certificate have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required a Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the block page.

You can upload up to five custom root certificates. If your organization requires more than five certificates, contact your account team.

Generate a custom root CA

Before you generate a custom root CA, make sure you have OpenSSL installed.

  1. Open a terminal.

  2. Create a directory for the root CA and change into it.

    Terminal window
    mkdir -p /root/customca
    cd /root/customca
  3. Generate a private key for the root CA.

    Terminal window
    openssl genrsa -out <CUSTOM-ROOT-PRIVATE-KEY>.pem 2048
  4. Generate a self-signed root certificate.

    Terminal window
    openssl req -x509 -sha256 -new -nodes -key <CUSTOM-ROOT-PRIVATE-KEY>.pem -days 365 -out <CUSTOM-ROOT-CERT>.pem

When preparing your certificate and private key for upload, be sure to remove any unwanted characters, such as mismatching subdomains in the certificate's common name. To review the private key, run the following command:

Terminal window
openssl rsa -in <CUSTOM-ROOT-PRIVATE-KEY>.pem -text

To review the certificate, run the following command:

Terminal window
openssl x509 -in <CUSTOM-ROOT-CERT>.pem -text

Deploy a custom root certificate

  1. In Zero Trust, go to Settings > Resources.
  2. In Certificates, select Manage.
  3. Select Upload certificate.
  4. Enter the private key and SSL certificate you generated or select Paste certificate from file to upload them from a file.
  5. Select Generate certificate.

You can now use the generated custom root certificate for inspection.

Use a custom root certificate

To use a custom root certificate you generated and uploaded to Cloudflare, refer to Activate a root certificate.

Troubleshoot HTTP errors

If Gateway returns an HTTP Response Code: 526 after deploying a custom certificate, you can troubleshoot errors with our FAQ.