| pcx_content_type | title | weight | meta | ||
|---|---|---|---|---|---|
reference |
Renewal and expiration |
3 |
|
Since Cloudflare cannot renew uploaded certificates, you should ensure that you replace or update an expiring custom certificate before it expires, otherwise your visitors may not be able to connect.
Cloudflare automatically sends email notifications 30 and 14 days before your custom certificate expires. The email is sent to users who have the SSL/TLS, Administrator, or Super Administrator roles.
{{
}} When renewing a custom certificate, you can reuse a previously generated CSR.If you are on an Enterprise plan and want to renew a custom (modern) certificate, consider requesting access to Staging environment (Beta). {{
}}If a valid replacement - covering some or all of the {{}}SANs{{}} in the expiring custom certificate - is already available, Cloudflare will remove the expiring custom certificate in the 24 hours before expiration. There is no expected downtime due to certificate transition.
If no valid replacement is available, Cloudflare will remove the custom certificate after it expires.
Affected domains and subdomains will fall back to any other active certificate covering the hostnames on the expiring certificate.
{{
}} All certificates in a certificate pack are treated as one object. The expiration date of a certificate pack is equivalent to the soonestNot After date among the certificates in the pack.
For example if you have a custom certificate made of an ECSDA and a RSA certificate, if one of them expires the whole pack will be removed. {{
}}If you no longer want to use your custom certificate but still want your website or application to be covered with SSL/TLS, you can do the following:
- Go to SSL/TLS > Edge Certificates.
- Make sure there is already an active universal or advanced certificate covering the same hostnames.
- Delete your custom certificate.