The default global Cloudflare root certificate will expire on 2025-02-02. If you installed the default Cloudflare certificate before 2024-10-17, you must generate a new certificate and activate it for your Zero Trust organization to avoid inspection errors.
Deploy custom certificate
Enterprise customers who do not wish to install a Cloudflare certificate have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway uses your uploaded root CA to sign the just-in-time (JIT) leaf certificates it presents to the end user for every inspected HTTPS session, enabling all HTTPS inspection features that previously required a Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. The private key must be uploaded as well: Gateway needs it to mint JIT certificates for intercepted domains and to serve the block page. Treat that key as you would any root CA key, since anyone holding it can issue certificates that your devices trust for any site.
You can upload up to five custom root certificates. If your organization requires more than five certificates, contact your account team.
Generate a custom root CA
Before you generate a custom root CA, make sure you have OpenSSL installed.
Open a terminal.
Create a directory for the root CA and change into it.
Generate a private key for the root CA.
Generate a self-signed root certificate.
Before uploading, inspect both the certificate and the private key and remove anything that does not belong there, such as stray characters or a common name that does not match your organization. To review the private key, run the following command:
To review the certificate, run the following command:
Verify that the certificate is installed on your devices.
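The generation and review steps above, worked through as an added shell example (not code from the original page or from Cloudflare). It creates the working directory, an unencrypted RSA private key and a self-signed root certificate using an explicit OpenSSL config instead of whatever the system openssl.cnf defaults to, then runs the review commands and checks that the key is consistent, that it matches the certificate, and that the certificate is actually marked as a CA. The directory layout, file names, subject fields, key size and validity period are assumptions; adjust them for your organization.

```shell
#!/bin/sh
# Added example: generate and sanity-check a root CA for Gateway BYOPKI.
# File names, subject fields, key size and validity are assumptions.
set -eu

# generate_root_ca <dir> <common-name> <organization> <days> [rsa-bits]
generate_root_ca() {
    dir="$1"; cn="$2"; org="$3"; days="$4"; bits="${5:-4096}"
    mkdir -p "$dir"

    # 1. Private key. Gateway needs the plaintext key, so it is written
    #    unencrypted; umask 077 makes the file 0600 from the moment it exists.
    (umask 077 && openssl genpkey -algorithm RSA \
        -pkeyopt "rsa_keygen_bits:$bits" -out "$dir/rootCA.key")

    # 2. Explicit CA profile. basicConstraints CA:TRUE and keyCertSign are
    #    what make this a usable root rather than a leaf certificate.
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
x509_extensions    = v3_ca

[ dn ]
CN = $cn
O  = $org

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # 3. Self-signed root certificate.
    openssl req -x509 -new -key "$dir/rootCA.key" -sha256 -days "$days" \
        -config "$dir/ca.cnf" -out "$dir/rootCA.pem"
}

# verify_root_ca <cert.pem> <key.pem>: the review step, made into a pass/fail check.
verify_root_ca() {
    cert="$1"; key="$2"
    # Key parses and passes OpenSSL's internal consistency check.
    openssl rsa -in "$key" -check -noout >/dev/null 2>&1 || return 1
    # Certificate parses and carries the CA flag (a leaf cert would be useless here).
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || return 1
    # The key really belongs to this certificate: compare public-key digests.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 1
    # A self-signed root must verify against itself.
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1
}

# Run only when an output directory is given, so the functions can be sourced.
# Usage: sh make-root-ca.sh ./custom-ca "Example Corp Gateway Root CA" "Example Corp"
if [ "$#" -ge 1 ]; then
    generate_root_ca "$1" "${2:-Example Corp Gateway Root CA}" "${3:-Example Corp}" 3650
    verify_root_ca "$1/rootCA.pem" "$1/rootCA.key" && echo "root CA OK: $1/rootCA.pem"
    # Human review, as in the steps above:
    openssl rsa -in "$1/rootCA.key" -check -noout
    openssl x509 -in "$1/rootCA.pem" -noout -text
fi
```

The config file is deliberate: relying on the system openssl.cnf for the v3_ca section works on most distributions, but an explicit profile means the CA flag and key usage do not depend on which OpenSSL build happens to be on the machine that generates a key your whole organization will trust.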
Use the Upload mTLS certificate endpoint to upload the certificate and private key to Cloudflare. The certificate must be a root CA, formatted as a single string with \n replacing the line breaks.
The response will return a UUID for the certificate. For example:
Deploy the certificate in Gateway using the certificate’s UUID with the Patch Zero Trust account configuration endpoint.
The response will return the pending status of the certificate. For example:
Activate the certificate for use in inspection with the Activate a Zero Trust certificate endpoint.
The response will return the certificate and its current deployment status. For example:
Once binding_status changes to active, Gateway will sign the JIT certificates for inspected traffic using the custom root certificate and private key. If you disable the custom certificate, Gateway will revert to the default Cloudflare certificate generated for your Zero Trust account.
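The upload, configuration and activation steps above as an added shell example (not code from the original page or from Cloudflare). It flattens the PEM files into the single-line form the upload endpoint requires, builds the request body, then drives the three endpoints named above with curl and polls until binding_status reports active. The endpoint paths, the JSON field names (ca, certificates, private_key, settings.certificate.id, binding_status), the certificate-details GET used for polling, the environment variable names and the sample responses in the test are assumptions from my reading of the Cloudflare API, not from this page; confirm them against the current API reference before use.

```shell
#!/bin/sh
# Added example: prepare a root CA + key and push it through upload,
# configuration and activation. Endpoint paths and JSON field names are
# assumptions; check them against the Cloudflare API reference.
set -eu

API="https://api.cloudflare.com/client/v4"

# Flatten a PEM file into the single-line form the upload endpoint expects:
# each real line break becomes the two characters "\n" inside the JSON string.
pem_as_json_string() {
    awk '{ printf "%s\\n", $0 }' "$1"
}

# Build the upload body. "ca": true tells Cloudflare this is a root CA, not a
# leaf mTLS certificate. The name is assumed to contain no JSON-special characters.
build_upload_payload() {
    name="$1"; cert_file="$2"; key_file="$3"
    printf '{"name":"%s","ca":true,"certificates":"%s","private_key":"%s"}' \
        "$name" "$(pem_as_json_string "$cert_file")" "$(pem_as_json_string "$key_file")"
}

# Pull a string-valued field out of a compact JSON response without jq.
# Good enough for the two fields we need (id, binding_status); use jq for more.
json_field() {
    sed -n "s/.*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# cf_api <METHOD> <path> [json-body]
cf_api() {
    method="$1"; path="$2"; body="${3:-}"
    if [ -n "$body" ]; then
        curl -sS -X "$method" "$API$path" \
            -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
            -H "Content-Type: application/json" --data "$body"
    else
        curl -sS -X "$method" "$API$path" \
            -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
    fi
}

# deploy_custom_ca <cert.pem> <key.pem>
deploy_custom_ca() {
    cert_file="$1"; key_file="$2"; account="$CLOUDFLARE_ACCOUNT_ID"

    # 1. Upload: the response carries the new certificate UUID in result.id.
    upload=$(cf_api POST "/accounts/$account/mtls_certificates" \
        "$(build_upload_payload "gateway-root-ca" "$cert_file" "$key_file")")
    cert_id=$(printf '%s' "$upload" | json_field id)
    [ -n "$cert_id" ] || { echo "upload failed: $upload" >&2; return 1; }
    echo "uploaded certificate $cert_id"

    # 2. Select it in the Gateway configuration (status comes back as pending).
    cf_api PATCH "/accounts/$account/gateway/configuration" \
        "{\"settings\":{\"certificate\":{\"id\":\"$cert_id\"}}}" >/dev/null

    # 3. Activate, then poll the certificate details until binding_status is active.
    cf_api POST "/accounts/$account/gateway/certificates/$cert_id/activate" >/dev/null
    for _ in 1 2 3 4 5 6 7 8 9 10 11 12; do
        status=$(cf_api GET "/accounts/$account/gateway/certificates/$cert_id" \
            | json_field binding_status)
        echo "binding_status=$status"
        [ "$status" = "active" ] && return 0
        sleep 10
    done
    echo "certificate $cert_id did not become active in time" >&2
    return 1
}

# Usage: CLOUDFLARE_API_TOKEN=... CLOUDFLARE_ACCOUNT_ID=... sh deploy-ca.sh rootCA.pem rootCA.key
if [ "$#" -eq 2 ] && [ -n "${CLOUDFLARE_API_TOKEN:-}" ] && [ -n "${CLOUDFLARE_ACCOUNT_ID:-}" ]; then
    deploy_custom_ca "$1" "$2"
fi
```

The API token is read from the environment rather than a command-line argument so it does not land in shell history or `ps` output, and the private key is only ever read from a file by the script itself. Until Cloudflare reports active, inspection is still signed by whichever certificate was active before, so do not remove the old root from devices until the poll succeeds.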
Use a custom root certificate
To use a custom root certificate you generated and uploaded to Cloudflare, refer to Activate a root certificate.