Create custom hostnames
There are several required steps before a custom hostname can become active. For more details, refer to our Get started guide.
To create a custom hostname:
- Log in to the Cloudflare dashboard and select your account.
- Select your Cloudflare for SaaS application.
- Navigate to SSL/TLS > Custom Hostnames.
- Click Add Custom Hostname.
- Add your customer's hostname app.customer.com and set the relevant options, including:
  - Choosing the Validation method.
  - Whether you want to Enable wildcard, which adds a *.<custom-hostname> SAN to the custom hostname certificate. For more details, refer to Hostname priority.
  - Choosing a value for Custom origin server.
- Click Add Custom Hostname.
- To create a custom hostname using the API, use the Create Custom Hostname endpoint.
  - You can leave the certificate_authority parameter empty to set it to "default CA". With this option, Cloudflare checks the CAA records before requesting the certificates, which helps ensure the certificates can be issued from the CA.
- For the newly created custom hostname, the POST response may not return the DCV validation token validation_records. It is recommended to make a second GET command (with a delay) to retrieve these details.
The response contains the complete definition of the new custom hostname.
For each custom hostname, Cloudflare issues two certificates bundled in chains that maximize browser compatibility (unless you upload custom certificates).
The primary certificate uses a P-256 key, is SHA-2/ECDSA signed, and will be presented to browsers that support elliptic curve cryptography (ECC). The secondary or fallback certificate uses an RSA 2048-bit key, is SHA-2/RSA signed, and will be presented to browsers that do not support ECC.
The Common Name (CN) restriction establishes a limit of 64 characters (RFC 5280). If you have a hostname that exceeds this length, you can set cloudflare_branding to true when creating your custom hostnames via API.
Cloudflare branding means that sni.cloudflaressl.com will be added as the certificate Common Name (CN) and the long hostname will be included as a part of the Subject Alternative Name (SAN).
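The API steps above (POST, then a delayed GET for validation_records) together with the 64-character CN rule, as an added Python example that is not Cloudflare's own code. The zone ID, API token, retry count, delay and the send hook are assumptions; field placement follows the Create Custom Hostname request schema.

```python
import json
import time
import urllib.request

API = "https://api.cloudflare.com/client/v4"
CN_LIMIT = 64  # Common Name length limit cited on this page (RFC 5280)

def build_payload(hostname, method="http", wildcard=False, origin=None):
    """Request body for the Create Custom Hostname endpoint."""
    # certificate_authority is deliberately omitted so the default CA applies
    # and Cloudflare checks CAA records before requesting the certificates.
    ssl = {"method": method, "type": "dv", "wildcard": wildcard}
    if len(hostname) > CN_LIMIT:
        # Too long for the CN: sni.cloudflaressl.com becomes the CN and the
        # long hostname is carried in the SAN instead.
        ssl["cloudflare_branding"] = True
    body = {"hostname": hostname, "ssl": ssl}
    if origin:
        body["custom_origin_server"] = origin
    return body

def http_send(method, url, token, body=None):
    """Default transport; the token is a scoped API token (assumption)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def create_and_fetch_dcv(zone_id, token, hostname, send=http_send,
                         attempts=5, delay=5.0, **opts):
    """Create the hostname, then poll until validation_records appear."""
    base = f"{API}/zones/{zone_id}/custom_hostnames"
    created = send("POST", base, token, build_payload(hostname, **opts))["result"]
    records = created.get("ssl", {}).get("validation_records")
    for _ in range(attempts):
        if records:
            break
        # The POST response may lack the DCV token: wait, then re-read.
        time.sleep(delay)
        current = send("GET", f"{base}/{created['id']}", token)["result"]
        records = current.get("ssl", {}).get("validation_records")
    return created["id"], records or []
```

An empty list returned after all attempts means the DCV records were still not available, so the caller should retry later rather than treat the hostname as validated.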