Cloudflare Docs
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Set up Authenticated Origin Pulls

To set up Authenticated Origin Pulls - which help ensure requests to your origin server come from the Cloudflare network - choose whether to enable them on all hostnames in your zone or on a per-hostname basis.

​​ Other situations

​​ Use specialized certificates

To apply different client certificates simultaneously at both the zone and hostname level, you can combine zone-level and per-hostname custom certificates.

First set up zone-level pulls using a certificate. Then, upload multiple, specialized certificates for individual hostnames.

​​ Delete a certificate

Client certificates are not deleted from Cloudflare upon expiration unless a delete or replace request is sent to the Cloudflare API.

However, requests are dropped at your origin if your origin only accepts a valid client certificate.

​​ Replace a client cert (without downtime)

For hostname:

  1. Upload the new certificate.

  2. Enable Authenticated Origin Pulls for that specific hostname.

For global:

  1. Upload the new certificate.

  2. Check whether new certificate is Active.

  3. Once certificate is active, delete the previous certificate.