English (US) Deutsch Español (España) Français (France) 日本語 한국어 Português do Brasil 简体中文

Cloudflare Help Center

Detailed system status >

Articles in this section

Connect with the Cloudflare Community

Get answers

Managing Custom SSL certificates

  • Updated

Learn to add and edit Custom SSL certificates as well as remove passwords on private key files

Overview

Custom SSL certificates provide several benefits:

  • They are not shared by multiple customer domains.
  • Customers can serve valid, existing origin SSL certificates from Cloudflare's network.

Domains on Business and Enterprise plans are allowed Custom SSL certificates once the domains are active on Cloudflare. Only one Custom SSL certificate is allowed per Business domain.  By default, Enterprise customers are allowed one Custom SSL certificate per Enterprise domain but can request additional Custom SSL certificates from their Cloudflare Account Team.  Any first-level hostnames not covered by your Custom SSL certificate are covered by Cloudflare's Universal SSL certificate, if enabled.

Cloudflare allows uploading several SSL certificate types:

  • Unified Communications Certificates (UCC)
  • Extended Validation (EV)
  • Domain Validated (DV)
  • Organization Validated (OV)

Cloudflare does not permit certificates that expire within 14 days.
Before uploading a Custom SSL certificate to Cloudflare, ensure the private key file is not password protected.

Prerequisites

There are two prerequisites before uploading your Custom SSL certificate to Cloudflare:

  • Remove the key file password
  • Convert the private key and certificate to PEM format

Remove the key file password

If an uploaded key file is password protected, the Cloudflare SSL/TLS app generates the following error:

The key is password protected. Please strip the password and re-submit.

To remove a key file password, the solution depends on the Operating System used. For example, if mydomain.com.key is the private key file, the password protection can be removed via one of the following methods:

  1. Open a command console.
  2. Navigate to the directory containing the mydomain.com.key file.
  3. Copy the original key:

cpmydomain.com.key temp.key

4. Run the following command:

openssl rsa -in temp.key -out mydomain.com.key

If using an ECDSA certificate, use the ec option with openssl instead of the rsa option in the previous example.

5. When prompted in the console window, enter the original key password.

6. Upload the contents of the mydomain.com.key file to Cloudflare.

  1.  Browse to http://indy.fulgan.com/SSL/.
  2. Download the latest version of OpenSSL for your x86 or x86_64 Operating System.
  3. Open the .zip file and extract it.
  4. Click openssl.exe.
  5. In the command window that appears, run:

rsa -in C:\Path\To\mydomain.com.key -out key.pem

6. Enter the original key password when prompted by the openssl.exe command window.

7. Upload the contents of the key.pem file, not the mydomain.com.key to Cloudflare.

Convert the private key and certificate to PEM format

Ensure the private key and certificate are converted to a standard PEM format like PFX. Cloudflare accepts the following formats:

  • PEM encoded keys and certificates are contained in a plain text file, usually ending with .pem file extension, that contains the unencrypted certificate and/or private key.
  • PKCS#7 files usually end with an .p7b or .p7c file extension and are encoded in "signedData" format (data, envelopedData, signedAndEnvelopedData, digestedData, and encryptedData are not supported).
  • PKCS#12 files usually end in .pfx or .p12 and are encrypted with a blank password.

See documentation on Converting Using OpenSSL for conversion examples.  Ignoring this prerequisite causes an error upon SSL certificate upload: The key could not be parsed.

Upload a Custom SSL certificate

Perform the following steps to upload a Custom SSL certificate:

1. Log in to the Cloudflare dashboard.

2. Click the appropriate Cloudflare account and select the appropriate domain.

3. Click the SSL/TLS app.

4. Click Upload Custom SSL Certificate within the Edge Certificates section. The Upload custom SSL certificate and key window appears.

Cloudflare requires separate, pem-encoded files for the SSL private key and certificate. Contact your Certificate Authority (CA) to confirm whether your current certificate meets this requirement or request your CA to assist with certificate format conversion.
5. Open the SSL certificate file.
Alternatively, click the Paste from file link at the top right of the SSL Certificate and Private key text areas to browse to the appropriate SSL files.

6. Copy and paste the SSL certificate file contents into the SSL Certificate text area.

Include the BEGIN CERTIFICATE and END CERTIFICATE lines surrounding the SSL certificate and private key data as demonstrated in the example content of the SSL Certificate and Private key text areas.
7. Choose the appropriate Bundle Method (see instructions below).

8. Open the SSL certificate private key file.

9. Copy and paste the private key file contents into the Private key text area.

10. Choose the Private Key Restriction (see instructions below).

11. Choose Legacy Client Support (see instructions below).

An error message appears when adding a key value that does not match the Custom SSL certificate: *The key you provided does not match the certificate. *Contact your Certificate Authority to ensure the private key matches the certificate.
You are also able to use the Cloudflare v4 API to upload certificates.

The instructions to update a Custom SSL certificate are very similar to the process for originally uploading the certificate.

Choose the Bundle Method

Bundle Method determines how the SSL certificate is bundled with intermediary certificates to complete the certificate chain. The Bundle Method allows customers to choose their preferred SSL certificate chain:

  • Compatible allows the greatest compatibility with older browsers and clients.
  • Modern optimizes the certificate chain for efficiency by using newer and fewer intermediary certificates that neglect some older browsers.
  • User Defined allows customers to provide their own certificate chain.

Choose the Private Key Restriction

Private Key Restriction limits which Cloudflare data centers store the SSL private key.  Geographic distance between the data center region that holds the private keys and the location of a visitor's HTTPS request can cause latency for initial requests.  Visit the Cloudflare blog post introducing the Geo Key Manager to learn more.

Delete and re-add a Custom SSL certificate in order to update the Private Key Restriction setting.

Enable Legacy Client Support

Legacy Client Support toggles Server Name Indication (SNI) support.  The options are: 

  • Modern: SNI only
  • Legacy: supports non-SNI

Modern is the default behavior and is recommended by Cloudflare.  Use Legacy when a specific client requires non-SNI support.  Currently, the Cloudflare API treats all Custom SSL certificates as Legacy.  

Update a Custom SSL certificate

Every SSL certificate has an expiration date. Custom SSL certificates are not automatically renewed by Cloudflare. Therefore, you should monitor your Custom SSL expiration dates and acquire updated SSL certificates from the certificate vendor.

For Modern Custom certificates, we remove expired certificates at expiration and will fallback to the Universal SSL certificate if enabled.
For the Legacy Custom certificates, we remove expired certificates every day at 0245UTC and then fallback to Universal SSL if enabled.
Update a previously uploaded Custom SSL certificate via the following steps:

  1. Log in to the Cloudflare dashboard.
  2. Click the appropriate Cloudflare account for the domain and select the proper domain.
  3. Click the SSL/TLS app.
  4. Under Edge Certificates, click Manage for the Custom SSL certificate where Type is Uploaded.
  5. Click on the wrench icon and the Replace SSL certificate and key window appears.
  6. Follow the original instructions starting in step 5 within the Upload a Custom SSL certificate section of this guide.

Cloudflare automatically checks the validity of the certificate and private key to prevent overwriting an existing valid certificate.

Related resources

Not finding what you need?

Searching can help answer 95% of support questions. This is the quickest way to get answers.

Ask the Community Submit a request

Related articles

Not finding what you need?

Searching can help answer 95% of support questions. This is the quickest way to get answers.

Ask the Community Submit a request