Cloudflare Docs
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Certificate Signing Requests (CSRs)

Generate a Certificate Signing Request (CSR) to get a custom certificate from the Certificate Authority (CA) of your choice while maintaining control of the private key on Cloudflare. The private key associated with the CSR will be generated by Cloudflare and will never leave our network.

A CSR contains information about your domain: your organization name and address, the common name (domain name), and Subject Alternative Names (SANs).

​​ Availability



NoNoNoIncluded with Advanced Certificate Manager

​​ Types of CSRs

You can create two types of CSRs:

  • Zone-level: Meant only for sign certificates associated with the current zone.
  • Account-level: Meant for organizations that issue certificates across multiple domains.

​​ Create and use a CSR

To create a CSR:

  1. Log in to the Cloudflare dashboard and select your account and an application.
  2. Navigate to SSL/TLS > Edge Certificates.
  3. On Certificate Signing Request (CSR), click Generate.
  4. Choose a Scope (only certain customers can choose Account.
  5. Enter relevant information on the form and click Create.

To use a CSR:

  1. Navigate to SSL/TLS > Edge Certificates.

  2. On Certificate Signing Request (CSR), select the record you just created.

  3. Copy (or click Click to copy) the value for Certificate Signing Request.

  4. Obtain a certificate from the Certificate Authority (CA) of your choice using your CSR.

  5. When you upload the custom certificate to Cloudflare, select an Encoding mode of Certificate Signing Request (CSR) and enter the associated value.

​​ Renew a certificate

When you renew a custom certificate, you can reuse a previously generated CSR.