Custom certificates

Custom certificates are meant for Business and Enterprise customers who want to use their own SSL certificates.

Use custom certificates when you need control over the certificate authority (CA) or require Organization Validated (OV) or Extended Validation (EV) certificates that Cloudflare-managed options do not support.

Unlike Universal SSL or advanced certificates, Cloudflare does not manage issuance and renewal for custom certificates. You are responsible for the following:

• Upload the certificate.
• Update the certificate before it expires.
• Monitor the certificate expiration date to avoid downtime.

Note

If your custom certificate does not cover all of your first-level hostnames, you can enable Universal SSL certificate to cover them.

If your custom certificate is from a certificate authority that Cloudflare partners with, consider switching to a Cloudflare-managed certificate to benefit from automatic issuance and renewal.

Certificate packs

Before deploying custom certificates to Cloudflare's global network, Cloudflare automatically groups the certificates into certificate packs.

A certificate pack is a group of certificates that share the same set of hostnames — for example, example.com and *.example.com — but use different signature algorithms.

Each pack can include up to three certificates, one from each of the following signature algorithms:

• SHA-2/RSA
• SHA-2/ECDSA
• SHA-1/RSA

Each pack only counts as one SSL certificate against your custom certificate quota.

Note

You cannot delete the primary certificate if secondary certificates are present in the pack.

Availability

	Free	Pro	Business	Enterprise
Availability	No	No	Yes	Yes
Certificates included	0	0	1 Modern and 1 Legacy	1 Modern (can purchase more) and 1 Legacy (can purchase more)

Related features

Certificate Signing Requests (CSRs)

You can use Cloudflare to generate a Certificate Signing Request (CSR) for your custom certificate. When you do, Cloudflare generates and securely stores the private key associated with the CSR.

Geo Key Manager (private key restriction)

By default, Cloudflare encrypts and securely distributes private keys to all Cloudflare data centers, where they can be used for local SSL/TLS termination. If you want to restrict where your private keys may be used, use Geo Key Manager.

Keyless SSL

If you want to upload a custom certificate but retain your private key on your own infrastructure, consider using Keyless SSL.

Certificate pinning

Custom certificates are the only certificate type where certificate pinning can work on Cloudflare. For guidance on pinning and its risks, refer to Certificate pinning.