Skip to content
Visit SSL on GitHub
Set theme to dark (⇧+D)

Issue new certificates

Once you have set up your SSL for SaaS application, you can start issuing new certificates for your customers.

For each custom hostname certificate you request, Cloudflare issues two certificates that are bundled in chains that maximize browser compatibility (unless you upload custom certificates). The primary certificate uses a P-256 key, is SHA-2/ECDSA signed, and will be presented to browsers that support elliptic curve cryptography (ECC). The secondary or fallback certificate uses an RSA 2048-bit key, is SHA-2/RSA signed, and will be presented to browsers that do not support ECC.

Once issued, certificates are valid for 1 year and renew automatically 30 days before expiration. Renewals require no action from you or your customer.

Via the dashboard

  1. Log into the Cloudflare dashboard and select your account.
  2. Select your SSL for SaaS application.
  3. Navigate to SSL/TLS > Custom Hostnames.
  4. Click Add Custom Hostname.
  5. Add your customer's hostname and set the relevant options, including:
  6. Click Add Custom Hostname.

Via the API

To create a custom hostname using the API, use a POST command on the /zone/:zone_id/custom_hostnames endpoint.

The response contains the complete definition of the new custom hostname.

Monitor certificates

Certificates move through the following stages as they progress to Cloudflare’s edge:

  1. Initializing
  2. Pending Validation
  3. Pending Issuance
  4. Pending Deployment
  5. Active

Once you issue a certificate, it should be in Pending Validation, but change to Active within five minutes. If you see any errors, you or your customer may need to take additional actions to validate the certificate.

You can monitor a certificate's status in the dashboard (at SSL/TLS > Custom Hostnames) or by using the API.