Cloudflare’s SSL for SaaS allows you to extend the security and performance benefits of Cloudflare’s network to your customers—on their own custom or “vanity” domains. Issuing certificates requires no interaction on your customer’s part, other than them initially adding the CNAME from their custom hostname to your domain.cus
As soon as the custom hostname is pointed, a single API call to the endpoint documented below will initiate i) the validation of the domain with one of Cloudflare’s certificate authority (CA) partners and ii) the issuance of two SSL certificates, SHA-2/ECDSA signed version that’s presented to modern browsers and a SHA-2/RSA that’s served to legacy browsers to maximize compatibility.
The certificate lifecycle is managed entirely by Cloudflare including initial issuance, automated renewal, and other reissuance as needed. Additionally, support for uploading certificates acquired elsewhere is provided. This document details the initial setup process and then walks through the API calls for issuing certificates, using alternative validation methods, optionally uploading custom certificates, and customizing behavior on a customer-by-customer basis.