Rotate ACM certificate packs

Advanced Certificate Manager (ACM) certificate packs cannot be updated in place. To replace an existing pack - for example, to change the certificate authority, add hostnames, or change validation method - you create a new pack, wait for it to reach Active status, and then delete the old one.

The key principle is to ensure the new certificate pack reaches Active before removing the old one. This avoids any gap in coverage and means there is no downtime for your users.


1. Create the new certificate pack

  1. In the Cloudflare dashboard, go to the Edge Certificates page.

  2. Select Order Advanced Certificate.

  3. Configure the new certificate pack with the desired hostnames, certificate authority, and validation method.

  4. Select Save.

2. Wait for Active status

After ordering, the new certificate pack moves through several intermediate states before it is ready to serve traffic:

  1. Initializing
  2. Pending Validation
  3. Pending Issuance
  4. Pending Deployment
  5. Active

Do not delete the old certificate pack until the new one reaches Active. Refer to Certificate statuses for a description of each stage.

Monitor progress on the Edge Certificates page in the dashboard, or poll the Get Certificate Pack API endpoint.

For zones using Cloudflare as authoritative DNS (full setup), most validations complete within minutes. For partial (CNAME) setups, you will need to place DCV tokens manually - refer to DCV methods for details. DCV tokens expire if not satisfied within their validity window (7 days for Let's Encrypt, 14 days for Google Trust Services and SSL.com).

3. Delete the old certificate pack

Once the new pack is Active, it is safe to delete the old one.

  1. In the Cloudflare dashboard, go to the Edge Certificates page.

  2. Select the old certificate pack.

  3. Select Delete Certificate.

4. Expect a brief Pending Deployment state

After the old pack is deleted, the remaining certificate may briefly show Pending Deployment before returning to Active. This reflects a normal edge re-evaluation cycle as the global network reconciles the change, and typically resolves within a few minutes with no traffic impact.

If the certificate remains in Pending Deployment for longer than expected, refer to Certificate statuses and contact Cloudflare Support.


Terraform

Certificate packs cannot be updated in place - every attribute of the cloudflare_certificate_pack resource forces a new resource on change. Plan your rotation around this constraint.

Wait for Active automatically

Set wait_for_active_status = true on the new resource to have Terraform block the apply until the certificate pack reaches Active. This removes the need to manually poll the dashboard or API between steps 1 and 3.

  1. Add the new cloudflare_certificate_pack resource with wait_for_active_status = true and run terraform apply. The apply will not complete until the pack is Active.
  2. Remove the old resource from your configuration and run terraform apply to delete it.

For zero-downtime rotation of a single resource (where you cannot have both old and new in state simultaneously), use Terraform's create_before_destroy lifecycle meta-argument.
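As an added example (this is not configuration from the Cloudflare documentation or from the provider itself), the following single cloudflare_certificate_pack resource combines the two approaches above: wait_for_active_status holds the apply until the replacement pack is Active, and create_before_destroy makes Terraform order the replacement before it destroys the pack being replaced. It assumes the v4 Cloudflare provider argument names (type, hosts, validation_method, validity_days, certificate_authority), a zone_id variable supplied by the caller, and placeholder hostnames.

```hcl
# Added example, not Cloudflare's own code. Assumes the v4 Cloudflare
# Terraform provider schema for cloudflare_certificate_pack.

variable "zone_id" {
  description = "Zone that the certificate pack belongs to (assumed to be supplied by the caller)"
  type        = string
}

resource "cloudflare_certificate_pack" "edge" {
  zone_id = var.zone_id
  type    = "advanced"

  # Placeholder hostnames. Changing this list (for example, adding a
  # hostname) forces a new pack, as does changing any other argument.
  hosts = ["example.com", "*.example.com"]

  # Assumed v4 argument values: "txt" DCV, 90-day validity, Google Trust
  # Services as the CA. Switching the CA here also forces a new pack.
  validation_method     = "txt"
  validity_days         = 90
  certificate_authority = "google"

  # Block `terraform apply` until the new pack reaches Active, so the
  # destroy step below never runs while the replacement is still pending.
  wait_for_active_status = true

  lifecycle {
    # Order the replacement as create-then-destroy. Without this, Terraform
    # destroys the old pack first and the zone has no pack until the new
    # one is issued and deployed.
    create_before_destroy = true
  }
}
```

To rotate, edit the argument that needs to change (for example, add a hostname to hosts or change certificate_authority) and run terraform apply. The plan shows the resource as replaced; Terraform orders the new pack, waits for it to become Active, and only then deletes the old one, so the zone briefly holds two packs with the same hostnames, which is exactly the overlap the steps above require. Expect the remaining pack to show Pending Deployment briefly after the delete, as described in step 4, and keep the Let's Encrypt per-hostname-set rate limit in mind if you apply this repeatedly in a test loop.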

Refer to the cloudflare_certificate_pack provider documentation for the full resource schema.


Common rotation issues

Let's Encrypt rate limit

Let's Encrypt limits new certificates to five per seven-day window for the exact same set of hostnames. Repeated rotations (for example, during testing or automation loops) can exhaust this limit and block further issuance for up to a week.

If you hit this limit, switch the certificate authority to Google Trust Services or SSL.com or wait for the rate limit window to expire. Refer to Let's Encrypt rate limits for details.

Pack stuck in Pending Validation

If a new pack remains in Pending Validation for more than 15 minutes, check that your DCV method is set up correctly. Refer to Domain Control Validation and Troubleshoot domain control validation.


Distinction from custom certificate replacement

This page covers ACM certificate packs (Cloudflare-managed Domain Validated certificates ordered via Advanced Certificate Manager).

If you are using a custom certificate (a certificate you supplied), Cloudflare provides an in-place Replace SSL certificate and key flow that handles the rotation without requiring you to manage two packs. Refer to Manage custom certificates.