Skip to content
SSL
Visit SSL on GitHub
Set theme to dark (⇧+D)

Manage custom certificates

Certificate requirements

Certificates are parsed and checked for validity before being accepted. Each certificate uploaded must:

  • Be encoded in PEM format (PEM, PKCS#7, or PKCS#12), see Converting Using OpenSSL for conversion examples.

  • Not have a key file password.

  • Not be expiring in less than 14 days from time of upload.

  • Have a subject alternative name (SAN) matching at least one hostname in the zone where it’s being uploaded.

  • Use a private key greater than or equal to a minimum length (currently 2048 bit for RSA and 225 bit for ECDSA).

  • Be publicly trusted by a major browser, unless the User Defined bundling method is used.

  • Be one of the following certificate types:

    • Unified Communications Certificates (UCC)
    • Extended Validation (EV)
    • Domain Validated (DV)
    • Organization Validated (OV)

Upload a custom certificate

Using the dashboard

To upload a custom SSL certificate in the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.

  2. Select your application.

  3. Navigate to SSL/TLS.

  4. In Edge Certificates, click Upload Custom SSL Certificate.

  5. Copy and paste relevant values into SSL Certificate and Private key text areas (or click Paste from file).

  6. Choose the appropriate Bundle Method.

  7. Select a value for Private Key Restriction.

  8. Select a value for Legacy Client Support, which toggles Server Name Indication (SNI) support:

    • Modern (recommended): SNI only
    • Legacy: Supports non-SNI
  9. Click Upload Custom Certificate. If you see an error for The key you provided does not match the certificate, contact your Certificate Authority to ensure the private key matches the certificate.

  10. (optional) Add a CAA DNS record.


Using the API

The call below will upload a certificate for use with app.example.com. Cloudflare will automatically bundle the certificate with a certificate chain optimized for maximum compatibility with browsers.

Note that if you are using an ECC key generated by OpenSSL, you will need to first remove the -----BEGIN EC PARAMETERS-----...-----END EC PARAMETERS----- section of the file.

Step 1 — Update the file and build the payload

$ cat app_example_com.pem
-----BEGIN CERTIFICATE-----
MIIFJDCCBAygAwIBAgIQD0ifmj/Yi5NP/2gdUySbfzANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
...
SzSHfXp5lnu/3V08I72q1QNzOCgY1XeL4GKVcj4or6cT6tX6oJH7ePPmfrBfqI/O
OeH8gMJ+FuwtXYEPa4hBf38M5eU5xWG7
-----END CERTIFICATE-----
$ MYCERT="$(cat app_example_com.pem|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"
$ MYKEY="$(cat app_example_com.key|perl -pe 's/\r?\n/\\n/'|sed -e's/..$//')"

With the certificate and key saved to environment variables (using escaped newlines), build the payload:

$ request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method":"ubiquitous"
}
EOF
))

You can optionally add geographic restrictions that specify where your private key can physically be decrypted:

$ request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method":"ubiquitous",
"geo_restrictions":{"label":"us"}'
}
))

You can also enable support for legacy clients which do not include SNI in the TLS handshake.

$ request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method":"ubiquitous",
"geo_restrictions":{"label":"us"}',
"type":"sni_custom"
}
))

sni_custom is recommended by Cloudflare. Use legacy_custom when a specific client requires non-SNI support. The Cloudflare API treats all Custom SSL certificates as Legacy by default.

Step 2 — Upload your certificate and key

Use the POST endpoint to upload your certificate and key.

$ curl -sX POST https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates \
-H "X-Auth-Email: {email}" -H "X-Auth-Key: {key}" \
-H "Content-Type: application/json" -d "$request_body"

Step 3 (optional) — Add a CAA record

A Certificate Authority Authorization (CAA) DNS record specifies which Certificate Authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.

For more guidance, refer to Create a CAA record.

Update a certificate

Using the dashboard

To update a certificate:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Select your application.
  3. Navigate to SSL/TLS.
  4. In Edge Certificates, locate a custom certificate.
  5. Click the wrench icon and click Replace SSL certificate and key.
  6. Follow the same steps as create a new certificate.

Using the API

Use a PATCH command.