Manage certificates

Refer to the following sections to learn how to manage certificates used with the different Authenticated Origin Pulls setups.

Use specialized certificates

To apply different client certificates simultaneously at both the zone and hostname level, you can combine zone-level and per-hostname custom certificates.

First set up zone-level pulls using a certificate. Then, upload multiple, specialized certificates for individual hostnames.

Note

Since per-hostname certificates are more specific, they take precedence over zone certificates.

Delete a certificate

Client certificates are not deleted from Cloudflare upon expiration unless a delete or replace request is sent to the Cloudflare API.

However, requests are dropped at your origin if your origin only accepts a valid client certificate.

Replace a client cert (without downtime)

For hostname:

1. Upload the new certificate.

2. Enable Authenticated Origin Pulls for that specific hostname.

For global:

1. Upload the new certificate.

2. Check whether new certificate is Active.

3. Once certificate is active, delete the previous certificate.