Managing Custom Hostnames (SSL for SaaS)

Learn how the Custom Hostnames feature extends the security and performance benefits of Cloudflare to your customers. Understand how to manage Custom Hostnames.


Overview

Custom Hostnames (also known as SSL for SaaS) allow you to extend the security and performance benefits of Cloudflare to your customers. Cloudflare manages the entire SSL certificate lifecycle including initial issuance and automated renewal.

Custom Hostnames are available for Enterprise customers. If you are not an Enterprise customer, fill out the Enterprise contact form to request the Custom Hostnames feature. If you are an Enterprise customer, contact your Cloudflare Account Team to enable Custom Hostnames.

Custom Hostnames extend several benefits to the end customers of SaaS companies:

  • Branded visitor experience
  • Improved trust and SEO rankings
  • Improved speed via HTTP/2
  • Efficient management of the entire SSL lifecycle

If your end customers already use Cloudflare, they cannot control their own custom settings for certain Cloudflare features for any hostnames managed by your Custom Hostnames configuration; for example:

  • Page Rules
  • Firewall Settings
  • Web Application Firewall (WAF)
  • SSL settings

To understand how to control Page Rules, Rate Limiting, SSL, or other features for your end customers, review the Cloudflare developers documentation on customizing hostname specific behavior.

Once your Cloudflare Account Team has entitled your Enterprise domain to the Custom Hostname feature, you are ready to add a Custom Hostname.

Your account team establishes an initial quota of Custom Hostname certificates. You cannot issue additional certificates if you exceed your Custom Hostname quota. Contact your Cloudflare Account Team to increase the quota.

If clients require SNI support:

  • Use Cloudflare’s generated Custom Hostname certificate (SSL for SaaS), or
  • Upload your site’s Custom Hostname (SSL for SaaS) SNI certificate through the Cloudflare API.

If your clients do not require SNI support:


Add a Custom Hostname

Perform the following steps to add a Custom Hostname via the UI. Alternatively, refer to our Custom Hostnames API documentation.

  1. Log in to the Cloudflare dashboard.
  2. Click the appropriate Cloudflare account for the domain that manages Custom Hostnames.
  3. Select the domain.
  4. Click the SSL/TLS app.
  5. Click the Custom Hostnames tab.
  6. Within Custom Hostnames, click Add Custom Hostname. The Add a Custom Hostname window appears.
  7. Enter the hostname to add (i.e., the one that has a CNAME to your domain) for Custom Hostname.
  8. Select a validation method (HTTP validation recommended).
  9. Click Add Custom Hostname.

After adding the Custom Hostname, view the provisioning status under Certificate Status in the Custom Hostnames section of the Custom Hostnames tab within the SSL/TLS app. To request an immediate revalidation of the Custom Hostname Certificate Status, click the circular arrow icon under Actions. To learn more about Certificate Status, visit the Cloudflare developer documentation.
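The same add-and-check flow through the API, as an added example that is not Cloudflare's own code. The endpoint path, Bearer token header, JSON field names, and the method and status strings are assumptions drawn from Cloudflare's public API rather than from this page; the zone ID, token, hostname and response body are constructed placeholders.

```python
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"
# Assumed API strings for the three validation methods this page names.
METHODS = {"http", "email", "cname"}


def build_add_request(zone_id, token, hostname, method="http"):
    """Build (without sending) the API equivalent of 'Add Custom Hostname'."""
    if method not in METHODS:
        raise ValueError(f"unknown validation method: {method!r}")
    # Normalise what customers tend to paste: mixed case, trailing dot.
    hostname = hostname.strip().rstrip(".").lower()
    if not hostname or any(c in hostname for c in "/: \t"):
        raise ValueError("expected a bare hostname, not a URL")
    body = {"hostname": hostname, "ssl": {"method": method, "type": "dv"}}
    return urllib.request.Request(
        f"{API}/zones/{zone_id}/custom_hostnames",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )


def certificate_status(response_text):
    """Return (hostname, certificate status) or raise on an API error."""
    doc = json.loads(response_text)
    if not doc.get("success"):
        msgs = "; ".join(e.get("message", "?") for e in doc.get("errors") or [])
        raise RuntimeError(f"API error: {msgs or 'unspecified'}")
    result = doc["result"]
    return result["hostname"], result["ssl"]["status"]


# Constructed response body, shaped like the API's success envelope.
SAMPLE_RESPONSE = json.dumps({
    "success": True, "errors": [],
    "result": {"id": "EXAMPLE-ID", "hostname": "app.customer-example.com",
               "ssl": {"method": "http", "type": "dv",
                       "status": "pending_validation"}},
})

if __name__ == "__main__":
    req = build_add_request("ZONE_ID_PLACEHOLDER", "API_TOKEN_PLACEHOLDER",
                            "App.Customer-Example.com.")
    print(req.get_method(), req.full_url, req.data.decode())
    # urllib.request.urlopen(req) would submit it; here we parse a sample.
    print(certificate_status(SAMPLE_RESPONSE))
```

Scope the API token to the zone that manages Custom Hostnames and read it from a secret store rather than embedding it in the script.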

For guidance on issues with SSL certificate issuance or understanding the Custom Hostnames API rate limits, visit the troubleshooting section of the Cloudflare developer documentation.

Once issued, certificates are valid for one (1) year, and renew automatically 30 days before expiration. Renewals require no action from you or your customer.


Understand Custom Hostname validation methods

Validation is required to provision an SSL certificate for your end customer’s domain.  The validation and deployment process completes in approximately 90 seconds.  There are three validation methods:

  • HTTP (Recommended): Requires proxying your end customer’s HTTP traffic through Cloudflare (via a CNAME record) before the SSL certificate is issued. Point the customer’s DNS CNAME record to your domain that manages the Custom Hostnames.
  • Email: Cloudflare emails the WHOIS contacts on file at the registrar for the domain as well as the following addresses at the domain: admin, administrator, hostmaster, postmaster, and webmaster.
  • CNAME: Requires the end customer to set an additional DNS CNAME record at their authoritative DNS provider for the Certificate Authority to approve provisioning of an SSL certificate.

Email and CNAME validation are useful if your end customer’s hostname previously had HTTPS support (to avoid a few minutes of downtime during certificate issuance).

Cloudflare defaults to automatically renewing the SSL certificate via HTTP even if you select the CNAME or Email validation methods. If there are issues with automated renewal over HTTP, Cloudflare emails the CNAME validation records to all administrators, super administrators, and members with SSL/TLS privileges for the account of the domain that manages Custom Hostnames. Configure the CNAME validation records at your customer’s authoritative DNS in order to renew the Custom Hostname SSL certificate.

Instead of Email and CNAME validation, your end customer can also manually serve the HTTP validation records from their origin web server before being migrated to the Custom Hostname configuration. See manual HTTP-Based validation instructions for further details.


Manage customized Custom Hostname certificates

The Custom Hostnames feature supports uploading a custom SSL certificate. The typical use case for a custom SSL certificate is serving Extended Validation (EV) certificates, or meeting a customer information security policy that does not permit third parties to generate private keys on your customer’s behalf. The challenge with providing your own certificates is that they must be manually renewed and re-uploaded prior to expiration. Refer to the developer documentation on uploading a custom certificate.

Uploading custom certificates is only allowed via the API.

For customers that prefer to acquire their own SSL certificate from a Certificate Authority (CA), Cloudflare can generate the Certificate Signing Request (CSR) with the customer’s organization name, location, etc.  The associated private key is generated by Cloudflare and never leaves our network, avoiding the risk of unsafe handling. Refer to the Cloudflare developer documentation on certificate signing requests.


Configure custom behaviors per Customer Hostname

There are two ways to set custom behaviors for your end customer:

  • Page Rules
  • Custom Metadata

Page Rules

Use the Page Rules app to set custom behavior per customer hostname or per URL path using a wildcard for customer requests. For examples of modifying Rate Limiting, purging cache, or setting Page Rules to alter cache behavior and security settings for customer hostnames, visit the Cloudflare developer documentation.

Page Rules are limited to 100 rules. If you must set additional customer behaviors beyond this limitation, use the Custom Metadata option.

Rate Limiting is also limited to 100 rules.

Custom Metadata

To set custom behavior per customer hostname beyond the maximum 100 allowed Page Rules or Rate Limits, reach out to your Cloudflare Account Team to enable the Cloudflare Workers and Custom Metadata features. See our developer documentation for examples and to understand the limitations of using Custom Metadata. Reach out to your Cloudflare Account Team for further assistance using these features.

