Manage certificates
Refer to the following sections to learn how to manage certificates used with the different Authenticated Origin Pulls setups.
Client certificates are not deleted from Cloudflare upon expiration unless a delete request is sent to the Cloudflare API. However, requests are dropped at your origin if your origin only accepts a valid client certificate.
Make sure you have notifications set up to get alerts 30 days and 14 days before an AOP certificate expires.
To apply different client certificates simultaneously at both the zone and hostname level, you can combine zone-level and per-hostname custom certificates.
First, set up zone-level pulls using a certificate. Then, upload multiple, specialized certificates for individual hostnames. Since per-hostname certificates are more specific, they take precedence over zone certificates.
- Upload the new certificate.
- List your certificates and note the ID for the certificate you uploaded.
- Enable Authenticated Origin Pulls for the specific hostname, using the ID obtained in step 2 to specify the certificate you want to use:
Required API token permissions
At least one of the following token permissions
is required:
SSL and Certificates Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames" \ --request PUT \ --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \ --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \ --json '{ "config": [ { "enabled": true, "hostname": "<HOSTNAME>", "cert_id": "<CERT_ID>" } ] }'- Upload the new certificate.
- Check whether new certificate is Active.
- Once certificate is active, delete the previous certificate.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
