Cloudflare Docs
SSL/TLS
SSL/TLS
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Manage custom certificates

This page lists Cloudflare requirements for custom certificates and explains how to upload and update these certificates using Cloudflare dashboard or API.

​​ Certificate requirements

Before accepting custom certificates, Cloudflare parses them and checks for validity according to a list of requirements.

Full list of requirements

Each custom certificate you upload must:

  • Be encoded in PEM format (PEM, PKCS#7, or PKCS#12). See Converting Using OpenSSL for conversion examples.

  • Not have a key file password.

  • Not be expiring in less than 14 days from time of upload.

  • Have a subject alternative name (SAN) matching at least one hostname in the zone where it is being uploaded.

  • Use a private key greater than or equal to a minimum length. Currently, 2048 bit for RSA and 225 bit for ECDSA.

  • Be publicly trusted by a major browser. This does not apply for certificates that specify User Defined as their bundling methodology.

  • Be one of the following certificate types:

    • Unified Communications Certificates (UCC)
    • Extended Validation (EV)
    • Domain Validated (DV)
    • Organization Validated (OV)

​​ Upload a custom certificate

To upload a custom SSL certificate in the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.

  2. Select your application.

  3. Go to SSL/TLS.

  4. In Edge Certificates, select Upload Custom SSL Certificate.

  5. Copy and paste relevant values into SSL Certificate and Private key text areas (or select Paste from file).

  1. Choose the appropriate Bundle Method.

  2. Select a value for Private Key Restriction.

  3. Select a value for Legacy Client Support, which specifies Server Name Indication (SNI) support:

    • Modern (recommended): SNI only
    • Legacy: Supports non-SNI
  1. Select Upload Custom Certificate. If you see an error for The key you provided does not match the certificate, contact your Certificate Authority to ensure the private key matches the certificate.

  2. (optional) Add a CAA DNS record.

The following call will upload a certificate for use with app.example.com. Cloudflare will automatically bundle the certificate with a certificate chain optimized for maximum compatibility with browsers.

  1. Update the file and build the payload
$ cat app_example_com.pem
-----BEGIN CERTIFICATE-----
MIIFJDCCBAygAwIBAgIQD0ifmj/Yi5NP/2gdUySbfzANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
...
SzSHfXp5lnu/3V08I72q1QNzOCgY1XeL4GKVcj4or6cT6tX6oJH7ePPmfrBfqI/O
OeH8gMJ+FuwtXYEPa4hBf38M5eU5xWG7
-----END CERTIFICATE-----
$ MYCERT="$(cat app_example_com.pem|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"
$ MYKEY="$(cat app_example_com.key|perl -pe 's/\r?\n/\\n/'|sed -e's/..$//')"

With the certificate and key saved to environment variables (using escaped newlines), build the payload:

request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method": "ubiquitous"
}
EOF
))

You can optionally add geographic restrictions that specify where your private key can physically be decrypted:

request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method": "ubiquitous",
"geo_restrictions": {"label": "us"}'
}
EOF
))

You can also enable support for legacy clients which do not include SNI in the TLS handshake.

request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method": "ubiquitous",
"geo_restrictions": {"label": "us"}',
"type":"sni_custom"
}
EOF
))

sni_custom is recommended by Cloudflare. Use legacy_custom when a specific client requires non-SNI support. The Cloudflare API treats all Custom SSL certificates as Legacy by default.

  1. Upload your certificate and key

Use the POST endpoint to upload your certificate and key.

curl https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data "$request_body"
  1. (Optional) Add a CAA record.

A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.

For more guidance, refer to Create a CAA record.


​​ Update an existing custom certificate

Before you update an existing custom certificate, you might want to consider having active universal or advanced certificates as fallback options. Go to SSL/TLS > Edge Certificates to check a list of hostnames and status of the edge certificates in your zone.

If you are on an Enterprise plan and want to update a custom (modern) certificate, also consider requesting access to Staging environment (Beta).

Replacing a custom certificate following these steps does not lead to any downtime. No connections will be terminated and new connections will use the new certificate. The old certificate will only actually be deleted when the new certificate is uploaded and active.

To update a certificate in the dashboard:

  1. Log in to the Cloudflare dashboard and select your account.
  2. Select your application.
  3. Go to SSL/TLS.
  4. In Edge Certificates, locate a custom certificate.
  5. Select the wrench icon and select Replace SSL certificate and key.
  6. Follow the same steps as upload a new certificate.
To update a certificate using the API, send a PATCH command.