Advanced Certificate Manager

Advanced Certificate Manager is a flexible and customizable way to issue and manage certificates in Cloudflare. Advanced Certificate Manager defines several certificate options:

  • Add up to 100 edge certificates per zone.
  • Include the zone apex and less than 50 hosts as covered hostnames.
  • Select the preferred validation method (HTTP, TXT or Email).
  • Choose the certificate validity period (14, 30, 90, or 365 days).
  • Choose the Certificate Authority to issue the certificate (Let’s Encrypt or Digicert).
  • Select a custom trust store for origin authentication.
  • Control cipher suites used for TLS.

Use the Advanced Certificate Manager when the Universal certificate does not meet your business requirements but you still want Cloudflare to manage the SSL certificate issuance and renewal. For example, use the Advanced Certificate Manager to cover more than one level of subdomain, remove Cloudflare branding from the Universal certificate, or adjust the shortest certificate lifespan.

Selecting Let's Encrypt as a CA limits a certificate to txt validation_method, 90 validity_days, omission of cloudflare_branding, and 2 host entries (one for the zone name and one for the subdomain wildcard of the zone name, e.g. example.com, *.example.com).

Order an Advanced Certificate Manager certificate pack

Order an Advanced Certificate via API:

curl -X POST "https://api.cloudflare.com/client/v4/zones/:zoneid/ssl/certificate_packs/order" \
-H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
-H "Content-Type: application/json" \
--data'{"Type":"advanced","hosts":["example.com","*.example.com","www.example.com"],"Validation_method":"txt","Validity_days":365,"Certificate_authority":"digicert","Cloudflare_branding":false}'

{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "3822ff90-ea29-44df-9e55-21300bb9419b",
    "type": "advanced",
    "hosts": [
      "example.com",
      "*.example.com",
      "www.example.com"
    ],
    "status": "initializing",
    "validation_method": "txt",
    "validity_days": 365,
    "certificate_authority": "digicert",
    "cloudflare_branding": false
  }
}

Restart validation for an Advanced Certificate Manager certificate pack

Restart the validation period of an Advanced certificate via API:

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/:zoneid/ssl/certificate_packs/3822ff90-ea29-44df-9e55-21300bb9419b" \
-H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
-H "Content-Type: application/json"

{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "3822ff90-ea29-44df-9e55-21300bb9419b",
    "type": "advanced",
    "hosts": [
      "example.com",
      "*.example.com",
      "www.example.com"
    ],
    "status": "initializing",
    "validation_method": "txt",
    "validity_days": 365,
    "certificate_authority": "digicert",
    "cloudflare_branding": false
  }
}

Delete Advanced Certificate Manager Certificate Pack

Delete an Advanced Certificate via the API:

curl -X DELETE "https://api.cloudflare.com/client/v4/zones/:zoneid/ssl/certificate_packs/3822ff90-ea29-44df-9e55-21300bb9419b" \
-H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
-H "Content-Type: application/json"

{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "3822ff90-ea29-44df-9e55-21300bb9419b"
  }
}

List Advanced Certificate Manager Certificate Pack

This API call returns all certificate packs for the zone including Universal, Custom, and Advanced certificates.

To list all Advanced Certificates on the zone via API:

curl -X GET "https://api.cloudflare.com/client/v4/zones/:zoneid/ssl/certificate_packs?status=all" \
-H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}"\
-H "Content-Type: application/json"

Change Ciphers Suite settings

To change the Cipher Suite Settings on the zone via the API:

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/:zoneid/settings/ciphers" \
-H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}"\
-H "Content-Type: application/json" \
--data '{"value":["ECDHE-RSA-AES128-GCM-SHA256","AES128-SHA"]}'

List Ciphers Suite settings

To list the Cipher Suite Settings on the zone via the API:

curl -X GET "https://api.cloudflare.com/client/v4/zones/:zoneid/settings/ciphers" \
-H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
-H "Content-Type: application/json"

Restore Default Ciphers Suite settings

To change the Cipher Suite Settings on the zone via the API:

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/:zoneid/settings/ciphers" \
-H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
-H "Content-Type: application/json" \
--data '{"value":[]}'