Learn how the Custom Hostnames feature extends the security and performance benefits of Cloudflare to your customers. Understand how to manage Custom Hostnames.
Custom Hostnames (also known as SSL for SaaS) allow you to extend the security and performance benefits of Cloudflare to your customers. Cloudflare manages the entire SSL certificate lifecycle including initial issuance and automated renewal.
Custom Hostnames extend several benefits to the end customers of SaaS companies:
- Branded visitor experience
- Improved trust and SEO rankings
- Improved speed via HTTP/2
- Efficient management of the entire SSL lifecycle
If your end customers already use Cloudflare, they cannot control their own custom settings for certain Cloudflare features for any hostnames managed by your Custom Hostnames configuration; for example:
- Page Rules
- Firewall Settings
- Web Application Firewall (WAF)
- SSL settings
To understand how to control Page Rules, Rate Limiting, SSL, or other features for your end customers, review the Cloudflare developers documentation on customizing hostname specific behavior.
Once your Cloudflare Account Team has entitled your Enterprise domain to the Custom Hostname feature, you are ready to add a Custom Hostname.
Add a Custom Hostname
Perform the following steps to add a Custom Hostname via the UI. Alternatively, refer to our Custom Hostnames API documentation.
- Log in to the Cloudflare dashboard.
- Click the appropriate Cloudflare account for the domain that manages Custom Hostnames.
- Select the domain.
- Click the SSL/TLS app.
- Within Custom Hostnames, click Add Custom Hostname. The Add a Custom Hostname window appears.
- Enter the hostname to add (i.e., the one that has a CNAME to your domain) for Custom Hostname.
- Select a validation method (HTTP validation recommended).
- Click Add Custom Hostname.
After adding the Custom Hostname, view the provisioning status under Certificate Status in the Custom Hostnames section of the SSL/TLS app. To request an immediate revalidation of the Custom Hostname Certificate Status, click the circular arrow icon under Actions. To learn more about Certificate Status, visit the Cloudflare developer documentation.
Once issued, certificates are valid for one (1) year, and renew automatically 30 days before expiration. Renewals require no action from you or your customer.
Understand Custom Hostname validation methods
Validation is required to provision an SSL certificate for your end customer’s domain. The validation and deployment process completes in approximately 90 seconds. There are three validation methods:
- HTTP (recommended): Requires proxying your end customer’s HTTP traffic through Cloudflare (via a CNAME record) before the SSL certificate is issued. Point the customer’s DNS CNAME record to your domain that manages the Custom Hostnames.
- Email: Cloudflare emails the WHOIS contacts on file at the registrar for the domain as well as the following addresses at the domain: admin, administrator, hostmaster, postmaster, and webmaster.
- CNAME: Requires the end customer to set an additional DNS CNAME record at their authoritative DNS provider for the Certificate Authority to approve provisioning of an SSL certificate.
Cloudflare defaults to automatically renew the SSL certificate via HTTP even if you select the CNAME or Email validation methods. If there are issues with automated renewal over HTTP, Cloudflare emails the CNAME validation records to all administrators, super administrators, and members with SSL/TLS privileges for the account of the domain that manages Custom Hostnames. Configure the CNAME validation records at your customer’s authoritative DNS in order to renew the Custom Hostname SSL certificate.
Manage customized Custom Hostname certificates
The Custom Hostnames feature supports uploading a custom SSL certificate. The typical use case for a custom SSL certificate is serving Extended Validation (EV) certificates, or when your customer’s information security policy dictates that third parties are not permitted to generate private keys on your customer’s behalf. The challenges with providing your own certificates include manual renewal and re-upload prior to expiration. Refer to the developer documentation on uploading a custom certificate.
For customers that prefer to acquire their own SSL certificate from a Certificate Authority (CA), Cloudflare can generate the Certificate Signing Request (CSR) with the customer’s organization name, location, etc. The associated private key is generated by Cloudflare and never leaves our network, avoiding the risk of unsafe handling. Refer to the Cloudflare developer documentation on certificate signing requests.
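A monitoring check for the renewal behavior described above (automatic renewal 30 days before expiration for Cloudflare-managed certificates, manual renewal and re-upload for custom certificates). This is an added example, not Cloudflare's code; the 7-day grace period, the state names, and the sample hostnames and dates are assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW = timedelta(days=30)  # from the page: renewal starts 30 days before expiry
GRACE = timedelta(days=7)            # assumption: slack before a pending renewal is alarming

def fetch_not_after(hostname, port=443, timeout=5.0):
    """Read notAfter from the certificate a live hostname serves (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]

def classify(not_after, custom_cert, now):
    """Map one certificate to a renewal state; not_after uses getpeercert() format."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    remaining = expiry - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining > RENEWAL_WINDOW:
        return "ok"
    if custom_cert:
        return "reupload_due"        # uploaded certs are renewed and re-uploaded manually
    if remaining > RENEWAL_WINDOW - GRACE:
        return "renewal_pending"     # automated renewal may still be in progress
    return "renewal_overdue"         # HTTP renewal likely failed; look for emailed CNAME records

def audit(inventory, now):
    """inventory: iterable of (hostname, not_after, custom_cert) tuples."""
    return {host: classify(not_after, custom, now) for host, not_after, custom in inventory}

# Constructed sample data (hypothetical hostnames and dates), evaluated at a fixed clock.
NOW = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    ("app.customer-a.example", "Dec  1 12:00:00 2025 GMT", False),
    ("shop.customer-b.example", "Jun 25 12:00:00 2025 GMT", False),
    ("api.customer-c.example", "Jun 11 12:00:00 2025 GMT", False),
    ("portal.customer-d.example", "Jun 20 12:00:00 2025 GMT", True),
    ("old.customer-e.example", "May 20 12:00:00 2025 GMT", True),
]

if __name__ == "__main__":
    for host, state in audit(SAMPLE, NOW).items():
        print(f"{host:28} {state}")
```

In production, build the inventory by calling `fetch_not_after` for each customer hostname and pass the current UTC time as `now`.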
Configure custom behaviors per Customer Hostname
There are two ways to set custom behaviors for your end customer:
- Page Rules
- Custom Metadata
Use the Page Rules app to set custom behavior per customer hostname or per URL path using a wildcard for customer requests. For examples of modifying Rate Limiting, purging cache, or setting Page Rules to alter cache behavior and security settings for customer hostnames, visit the Cloudflare developer documentation.
Page Rules are limited to 100 rules. If you must set additional customer behaviors beyond this limitation, use the Custom Metadata option.
To set custom behavior per customer hostname beyond the maximum 100 allowed Page Rules or Rate Limits, reach out to your Cloudflare Account Team to enable the Cloudflare Workers and Custom Metadata features. See our developer documentation for examples and to understand the limitations of using Custom Metadata. Reach out to your Cloudflare Account Team for further assistance using these features.