Cloudflare Docs

Setup

Geo Key Manager v2

Beta

Geo Key Manager v2 gives customers flexibility when choosing the geographical boundaries of where their keys are stored.

Using the policy field, customers can define policies containing allow and block lists of countries or regions where the private key should be stored.

To use Geo Key Manager v2 with the API, follow the general steps to upload a custom certificate.

When sending the POST request, include the policy parameter to define policies containing allow and block lists of countries or regions where the private key should be stored.

Examples

Store private keys in the E.U. and the U.S.

curl -X POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/custom_certificates" \
  -H "X-Auth-Email: <EMAIL>" \
  -H "X-Auth-Key: <AUTH_KEY>" \
  -H "Content-Type: application/json" \
  --data '
{
  "certificate": "<CERTIFICATE>",
  "private_key": "<PRIVATE_KEY>",
  "policy": "(country: US) or (region: EU)",
  "type": "sni_custom"
}'

Store private keys in the E.U., but not in France

curl -X POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/custom_certificates" \
  -H "X-Auth-Email: <EMAIL>" \
  -H "X-Auth-Key: <AUTH_KEY>" \
  -H "Content-Type: application/json" \
  --data '
{
  "certificate": "<CERTIFICATE>",
  "private_key": "<PRIVATE_KEY>",
  "policy": "(region: EU) and (not country: FR)",
  "type": "sni_custom"
}'
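
The requests above carry a PEM private key inside a JSON string, so its newlines must be escaped, and a key or API credential typed into the curl command line ends up in shell history and the process list. The script below is an added example, not part of the Cloudflare documentation: it builds the same request body from files and sends it without putting secrets in argv. The function names, file names and the CF_EMAIL / CF_AUTH_KEY variables are assumptions.

```sh
#!/bin/sh
# Added example, not from the Cloudflare docs. Function names, file names and
# the CF_EMAIL / CF_AUTH_KEY variables are assumptions.

# Emit a PEM file as the inside of a JSON string (newlines become \n).
# PEM is base64, dashes and spaces; any other byte (a CR included) is refused.
json_pem() {
    if LC_ALL=C grep -q '[^A-Za-z0-9+/= -]' "$1"; then
        echo "json_pem: unexpected character in $1" >&2
        return 1
    fi
    awk '{ printf "%s\\n", $0 }' "$1"
}

# build_payload CERT_FILE KEY_FILE POLICY: print the one-line request body.
build_payload() {
    case $3 in
        ''|*\"*|*\\*) echo "build_payload: empty or unsafe policy" >&2; return 1 ;;
    esac
    cert=$(json_pem "$1") || return 1
    key=$(json_pem "$2") || return 1
    printf '{"certificate":"%s","private_key":"%s","policy":"%s","type":"sni_custom"}\n' \
        "$cert" "$key" "$3"
}

# upload_cert ZONE_ID CERT_FILE KEY_FILE POLICY
# Body goes through a 0600 temp file and headers through curl's config on
# stdin, so neither the key nor the API credentials land in argv.
upload_cert() (
    umask 077
    body=$(mktemp) || exit 1
    trap 'rm -f "$body"' EXIT
    build_payload "$2" "$3" "$4" > "$body" || exit 1
    curl -sS -X POST --config - --data "@$body" \
        "https://api.cloudflare.com/client/v4/zones/$1/custom_certificates" <<EOF
header = "X-Auth-Email: $CF_EMAIL"
header = "X-Auth-Key: $CF_AUTH_KEY"
header = "Content-Type: application/json"
EOF
)

# Offline dry run on constructed, PEM-shaped files (not real key material).
demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJD' '-----END CERTIFICATE-----' > "$d/cert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'REVG' '-----END PRIVATE KEY-----' > "$d/key.pem"
    build_payload "$d/cert.pem" "$d/key.pem" '(region: EU) and (not country: FR)'
)
```

Run `demo` to inspect the generated body offline; `upload_cert <ZONE_ID> cert.pem key.pem '<policy>'` sends it with CF_EMAIL and CF_AUTH_KEY taken from the environment.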

Geo Key Manager v1

The first version of Geo Key Manager supports 3 regions: U.S., E.U., and a set of High Security Data Centers. If you would like to restrict your private key to another country or region, apply for the closed beta of the new version.

To use Geo Key Manager in the dashboard:

  1. Follow the steps to upload a custom certificate.
  2. For Private Key Restriction, choose one of the following options:
    • Distribute to all Cloudflare data centers (optimal performance)
    • Distribute only to U.S. data centers
    • Distribute only to E.U. data centers
    • Distribute only to highest security data centers (more details)
  3. Select Upload Custom Certificate.

To use Geo Key Manager with the API, follow the general steps to upload a custom certificate.

When sending the POST request, include the geo_restrictions parameter set to one of the following options: