Cloudflare Docs
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Custom certificates

Custom certificates are meant for Business and Enterprise clients who want to utilize their own SSL certificates.

Custom certificates require that you upload the certificate, manually renew these certificates, and upload these certificates in advance of expiration (otherwise your visitors will be unable to browse your site).

If you have first-level hostnames not covered by your custom SSL certificate, they will be covered by your Universal SSL certificate, if enabled.

​​ Certificate Signing Requests (CSRs)

As part of this custom certificate process, you may also want to generate a Certificate Signing Request (CSR) so you can maintain control of your private key on Cloudflare.

​​ Keyless SSL

Typically, customers will upload both the SSL certificate and the private key. Those that wish to retain their private keys on their own infrastructure may wish to use Keyless SSL.

​​ Geo Key Manager (private key restriction)

By default, private keys will be encrypted and securely distributed to each data center, where they can be utilized for local SSL/TLS termination. Customers who wish to restrict where these keys may be used can elect to specify a Private Key Restriction during upload.

​​ Certificate packs

Custom certificates uploaded to Cloudflare will be automatically grouped together into a Certificate Pack before being deployed to the global edge.

A Certificate Pack is a group of certificates that share the same set of hostnames — for example, and * — but use different signature algorithms. Each pack can include up to three certificates, with one from each of the following signature algorithms: SHA-2/RSA, SHA-2/ECDSA, and SHA-1/RSA.

Each pack only counts as one SSL certificate against your custom certificate quota.

​​ Availability




Certificates included

0011 (can purchase more)