Learn to add and edit Custom SSL certificates as well as remove passwords on private key files
Custom SSL certificates let you serve valid, existing origin SSL certificates from Cloudflare's network.
Domains on Business and Enterprise plans are allowed Custom SSL certificates once the domains are active on Cloudflare. Only one Custom SSL certificate is allowed per Business domain. By default, Enterprise customers are allowed one Custom SSL certificate per Enterprise domain but can request additional Custom SSL certificates from their Cloudflare Account Team. Any first-level hostnames not covered by your Custom SSL certificate are covered by Cloudflare's Universal SSL certificate, if enabled.
Cloudflare allows uploading several SSL certificate types:
- Unified Communications Certificates (UCC)
- Extended Validation (EV)
- Domain Validated (DV)
- Organization Validated (OV)
There are two prerequisites before uploading your Custom SSL certificate to Cloudflare:
- Remove the key file password
- Convert the private key and certificate to PEM format
Remove the key file password
If an uploaded key file is password protected, the Cloudflare SSL/TLS app generates the following error:
The key is password protected. Please strip the password and re-submit.
To remove a key file password, the solution depends on the Operating System used. For example, if mydomain.com.key is the private key file, the password protection can be removed via one of the following methods:
- Open a command console.
- Navigate to the directory containing the mydomain.com.key file.
- Copy the original key:
4. Run the following command:
openssl rsa -in temp.key -out mydomain.com.key
5. When prompted in the console window, enter the original key password.
6. Upload the contents of the mydomain.com.key file to Cloudflare.
- Browse to http://indy.fulgan.com/SSL/.
- Download the latest version of OpenSSL for your x86 or x86_64 Operating System.
- Open the .zip file and extract it.
- Click openssl.exe.
- In the command window that appears, run:
rsa -in C:\Path\To\mydomain.com.key -out key.pem
7. Upload the contents of the key.pem file, not the mydomain.com.key to Cloudflare.
Convert the private key and certificate to PEM format
Ensure the private key and certificate are converted to a standard PEM format like PFX. Cloudflare accepts the following formats:
- PEM encoded keys and certificates are contained in a plain text file, usually ending with .pem file extension, that contains the unencrypted certificate and/or private key.
- PKCS#7 files usually end with an .p7b or .p7c file extension and are encoded in "signedData" format (data, envelopedData, signedAndEnvelopedData, digestedData, and encryptedData are not supported).
- PKCS#12 files usually end in .pfx or .p12 and are encrypted with a blank password.
See documentation on Converting Using OpenSSL for conversion examples. Ignoring this prerequisite causes an error upon SSL certificate upload: The key could not be parsed.
Upload a Custom SSL certificate
Perform the following steps to upload a Custom SSL certificate:
1. Log in to the Cloudflare dashboard.
2. Click the appropriate Cloudflare account and select the appropriate domain.
3. Click the SSL/TLS app.
4. Click Upload Custom SSL Certificate within the Edge Certificates section. The Upload custom SSL certificate and key window appears.5. Open the SSL certificate file.
6. Copy and paste the SSL certificate file contents into the SSL Certificate text area.7. Choose the appropriate Bundle Method (see instructions below).
8. Open the SSL certificate private key file.
9. Copy and paste the private key file contents into the Private key text area.
10. Choose the Private Key Restriction (see instructions below).
11. Choose Legacy Client Support (see instructions below).
The instructions to update a Custom SSL certificate are very similar to the process for originally uploading the certificate.
Choose the Bundle Method
Bundle Method determines how the SSL certificate is bundled with intermediary certificates to complete the certificate chain. The Bundle Method allows customers to choose their preferred SSL certificate chain:
- Compatible allows the greatest compatibility with older browsers and clients.
- Modern optimizes the certificate chain for efficiency by using newer and fewer intermediary certificates that neglect some older browsers.
- User Defined allows customers to provide their own certificate chain.
Choose the Private Key Restriction
Private Key Restriction limits which Cloudflare data centers store the SSL private key. Geographic distance between the data center region that holds the private keys and the location of a visitor's HTTPS request can cause latency for initial requests. Visit the Cloudflare blog post introducing the Geo Key Manager to learn more.
Enable Legacy Client Support
Legacy Client Support toggles Server Name Indication (SNI) support. The options are:
- Modern: SNI only
- Legacy: supports non-SNI
Modern is the default behavior and is recommended by Cloudflare. Use Legacy when a specific client requires non-SNI support. Currently, the Cloudflare API treats all Custom SSL certificates as Legacy.
Update a Custom SSL certificate
Every SSL certificate has an expiration date. Custom SSL certificates are not automatically renewed by Cloudflare. Therefore, you should monitor your Custom SSL expiration dates and acquire updated SSL certificates from the certificate vendor.Update a previously uploaded Custom SSL certificate via the following steps:
- Log in to the Cloudflare dashboard.
- Click the appropriate Cloudflare account for the domain and select the proper domain.
- Click the SSL/TLS app.
- Under Edge Certificates, click Manage for the Custom SSL certificate where Type is Uploaded.
- Click on the wrench icon and the Replace SSL certificate and key window appears.
- Follow the original instructions starting in step 5 within the Upload a Custom SSL certificate section of this guide.