Managing Custom SSL certificates

Learn to add and edit Custom SSL certificates as well as remove passwords on private key files.


Custom SSL certificates provide several benefits:

  • They are not shared by multiple customer domains.
  • Customers can serve valid, existing origin SSL certificates from Cloudflare's network.

Domains on Business and Enterprise plans are allowed Custom SSL certificates once the domains are active on Cloudflare. Only one Custom SSL certificate is allowed per Business domain. By default, Enterprise customers are allowed one Custom SSL certificate per Enterprise domain but can request additional Custom SSL certificates from their Cloudflare Account Team. Any first-level hostnames not covered by your Custom SSL certificate are covered by Cloudflare's Universal SSL certificate, if enabled.

Cloudflare allows uploading several SSL certificate types:

  • Unified Communications Certificates (UCC)
  • Extended Validation (EV)
  • Domain Validated (DV)
  • Organization Validated (OV)

Cloudflare does not permit uploading self-signed SSL certificates or certificates that expire within 14 days.

Before uploading a Custom SSL certificate to Cloudflare, ensure the private key file is not password protected.


There are two prerequisites before uploading your Custom SSL certificate to Cloudflare:

Remove the key file password

If an uploaded key file is password protected, the Cloudflare SSL/TLS app generates the following error:

The key is password protected. Please strip the password and re-submit.

To remove a key file password, the solution depends on the Operating System used. For example, if is the private key file, the password protection can be removed via one of the following methods:
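The upload requirements stated above (key not password protected, certificate not self-signed, certificate not expiring within 14 days) can be checked locally before uploading. The script below is an added example, not part of the original article or Cloudflare's tooling; it assumes a PEM-encoded certificate and key and the OpenSSL command-line tool, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example: local pre-upload checks for a certificate and its private key.
# Cert/key paths are supplied by the caller; nothing here is Cloudflare tooling.

# Succeeds (exit 0) if the PEM key file is password protected.
key_is_encrypted() {
    # Encrypted PKCS#8 keys use their own PEM label; encrypted traditional
    # (RSA/EC) keys keep the normal label and add a Proc-Type header.
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' -- "$1"
}

# Writes an unencrypted copy of key $1 to $2; openssl prompts for the password.
strip_key_password() {
    # Subshell keeps the restrictive umask local: the copy is owner-only.
    ( umask 077 && openssl pkey -in "$1" -out "$2" )
}

# Succeeds if the certificate is still valid 14 days from now.
cert_outlives_14_days() {
    openssl x509 -in "$1" -noout -checkend $((14 * 24 * 3600)) >/dev/null
}

# Succeeds if subject and issuer match, the usual sign of a self-signed cert.
cert_is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Usage: preupload_check CERT KEY ; prints each problem, returns 1 if any.
preupload_check() {
    rc=0
    if key_is_encrypted "$2"; then
        echo "key is password protected: strip the password first"; rc=1
    fi
    if ! cert_outlives_14_days "$1"; then
        echo "certificate expires within 14 days"; rc=1
    fi
    if cert_is_self_issued "$1"; then
        echo "certificate appears to be self-signed"; rc=1
    fi
    return "$rc"
}
```

The unencrypted copy written by `strip_key_password` is readable by anyone with access to the file, so keep it on a trusted machine and delete it once the upload succeeds.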
