pcx_content_type | title | weight |
---|---|---|
concept | Custom certificates | 3 |
Unlike Universal SSL or advanced certificates, Cloudflare does not manage issuance and renewal for custom certificates. When you use custom certificates, you are responsible for the following actions:
- Upload the certificate.
- Update the certificate.
- Observe the certificate expiration date to avoid downtime.
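Since expiry tracking is left to you, the check below is an added example (not Cloudflare's own code) that classifies custom certificates by time remaining. It assumes the input is the JSON body of the Cloudflare API's custom certificate list response, with `result`, `id`, `hosts`, `status` and `expires_on` fields; the sample data and the 30-day warning window are constructed for illustration, and fetching the response is not shown.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like the Cloudflare API custom certificate list
# response (assumed field names). IDs, hosts and dates are made up.
SAMPLE_RESPONSE = json.dumps({"success": True, "result": [
    {"id": "cert-a-placeholder", "hosts": ["example.com", "www.example.com"],
     "status": "active", "expires_on": "2025-07-10T12:00:00Z"},
    {"id": "cert-b-placeholder", "hosts": ["shop.example.com"],
     "status": "active", "expires_on": "2026-03-01T00:00:00Z"},
    {"id": "cert-c-placeholder", "hosts": ["old.example.com"],
     "status": "expired", "expires_on": "2025-05-20T00:00:00Z"},
]})


def parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2025-07-10T12:00:00Z as aware UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def expiry_report(response_text, now, warn_days=30):
    """Return (severity, days_left, id, hosts) tuples, most urgent first."""
    body = json.loads(response_text)
    if not body.get("success"):
        raise ValueError("API response did not report success")
    rows = []
    for cert in body["result"]:
        remaining = parse_ts(cert["expires_on"]) - now
        days_left = remaining // timedelta(days=1)  # floor; negative once expired
        if remaining <= timedelta(0):
            severity = "EXPIRED"
        elif remaining <= timedelta(days=warn_days):
            severity = "RENEW"  # inside the warning window: upload a replacement
        else:
            severity = "OK"
        rows.append((severity, days_left, cert["id"], cert["hosts"]))
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    fixed_now = datetime(2025, 6, 20, tzinfo=timezone.utc)  # fixed for repeatable output
    for severity, days_left, cert_id, hosts in expiry_report(SAMPLE_RESPONSE, fixed_now):
        print(f"{severity:8} {days_left:>5}d  {cert_id}  {', '.join(hosts)}")
```

Run it on a schedule and alert on any `RENEW` or `EXPIRED` row, with a window long enough to cover your CA's issuance time.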
If your custom certificate does not cover all of your first-level hostnames, you can enable a Universal SSL certificate to cover them.
Each pack only counts as one SSL certificate against your custom certificate quota.
You cannot delete the primary certificate if secondary certificates are present in the pack.
As part of the custom certificate process, you can leverage Cloudflare to generate your Certificate Signing Request (CSR). This additional option means that Cloudflare will safely generate and store the private key associated with the CSR.
By default, Cloudflare encrypts and securely distributes private keys to all Cloudflare data centers, where they can be used for local SSL/TLS termination. If you want to restrict where your private keys may be used, use Geo Key Manager.
If you want to upload a custom certificate but retain your private key on your own infrastructure, consider using Keyless SSL.