Cloudflare Docs
Ssl
SSL
Visit SSL on GitHub
Set theme to dark (⇧+D)

Get started with SSL for SaaS


Prerequisites

Before you can start creating custom hostnames, you need to have access to SSL for SaaS .

If you have not used the Cloudflare API previously, review our API Quickstart .


Step 1 — Create fallback origin and CNAME target

The fallback origin is where Cloudflare will route traffic sent to your custom hostnames (must be proxied).

The CNAME target — optional, but highly encouraged — provides a friendly and more flexible place for customers to route their traffic .

  1. Create a new application and select the Free plan.

  2. Navigate to DNS.

  3. Create two DNS records:

  • A proxied A or AAAA record pointing to the IP address of your fallback origin (where Cloudflare will send custom hostname traffic).
  • A CNAME record that points your CNAME target to your fallback origin (can be a wildcard such as *.customers.saasprovider.com).
RecordTypeNameContent
Fallback originAproxy-fallback.saasprovider.com192.0.2.1
CNAME targetCNAME*.customers.saasprovider.comproxy-fallback.saasprovider.com
  1. Enable Custom Hostnames for your zone:

    • If you are an Enterprise customer, upgrade your zone to an Enterprise plan and contact your Customer Success Manager to enable SSL for SaaS Certificates.
    • If you are not an Enterprise customer, go to SSL/TLS > Custom Hostnames to enable Cloudflare for SaaS.
  2. Set the Fallback Origin via either the dashboard or API.


Step 2 — Review validation and verification options

Each Custom Hostname requires successful Certificate Validation and Hostname Verification.

Depending on which method you select for each of these options, additional steps might be required for you and your customers.


Step 3 — Issue certificate

Once your account has been provisioned, you are ready to issue certificates.

For each custom hostname certificate you request, Cloudflare issues two certificates that are bundled in chains that maximize browser compatibility (unless you upload custom certificates ). The primary certificate uses a P-256 key, is SHA-2/ECDSA signed, and will be presented to browsers that support elliptic curve cryptography (ECC). The secondary or fallback certificate uses an RSA 2048-bit key, is SHA-2/RSA signed, and will be presented to browsers that do not support ECC.

Once issued, certificates are valid for one year. Renewals depend on your chosen method for Domain Control Validation .

Using the dashboard
  1. Log in to the Cloudflare dashboard and select your account.
  2. Select your SSL for SaaS application.
  3. Navigate to SSL/TLS > Custom Hostnames.
  4. Click Add Custom Hostname.
  5. Add your customer’s hostname app.customer.com and set the relevant options, including:
  6. Click Add Custom Hostname.
Using the API

To create a custom hostname using the API, use a POST command on the /zone/:zone_id/custom_hostnames endpoint.

The response contains the complete definition of the new custom hostname.


Step 4 — Monitor and view certificates

Once you issue certificates, Cloudflare will initiate the domain validation process using the method you specified.

With a CNAME in place, the entire process — from validation to issuance to edge deployment — completes in approximately 90 seconds.

Monitor certificate status

For help tracking a certificate’s status, refer to Monitor certificates .

View certificates

Once domain validation has been completed, the certificates will be issued and distributed to Cloudflare’s edge.

To view these certificates, use openssl or your browser. The command below can be used in advance of your customer pointing the app.example.com hostname to the edge ( provided validation was completed ).

$ openssl s_client -servername app.example.com -connect $CNAME_TARGET:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep app.example.com

Step 5 — Have customer create a CNAME record

Your customer needs to set up a CNAME record at their DNS provider that points to your CNAME target .

For example:

app CNAME john.customers.saasprovider.com

This routes traffic from app.customer.com to your origin.