Custom certificates
Custom certificates are meant for Business and Enterprise customers who want to use their own SSL certificates.
Unlike Universal SSL or advanced certificates, Cloudflare does not manage issuance and renewal for custom certificates. When you use custom certificates, the following actions should be considered and accomplished by you:
- Upload the certificate.
- Update the certificate.
- Observe the certificate expiration date to avoid downtime.
Before deploying custom certificates to Cloudflare's global network, Cloudflare automatically groups the certificates into certificate packs.
A certificate pack is a group of certificates that share the same set of hostnames — for example, example.com
and *.example.com
— but use different signature algorithms.
Each pack can include up to three certificates, one from each of the following signature algorithms:
SHA-2/RSA
SHA-2/ECDSA
SHA-1/RSA
Each pack only counts as one SSL certificate against your custom certificate quota.
Free | Pro | Business | Enterprise | |
---|---|---|---|---|
Availability | No | No | Yes | Yes |
Certificates included | 0 | 0 | 1 (Modern) 1 (Legacy) | 1 (Modern) (can purchase more) 1 (Legacy) (can purchase more) |
As part of the custom certificate process, you can leverage Cloudflare to generate your Certificate Signing Request (CSR). This additional option means that Cloudflare will safely generate and store the private key associated with the CSR.
By default, Cloudflare encrypts and securely distributes private keys to all Cloudflare data centers, where they can be used for local SSL/TLS termination. If you want to restrict where your private keys may be used, use Geo Key Manager.
If you want to upload a custom certificate but retain your private key on your own infrastructure, consider using Keyless SSL.