Deploy custom certificate

Enterprise customers who do not wish to install a Cloudflare certificate have the option to upload their own root certificate to Cloudflare. This feature is sometimes referred to as Bring Your Own Public Key Infrastructure (BYOPKI). Gateway will use your uploaded certificate to encrypt all sessions between the end user and Gateway, enabling all HTTPS inspection features that previously required a Cloudflare certificate. You can upload multiple certificates to your account, but only one can be active at any given time. You also need to upload a private key to intercept domains with JIT certificates and to enable the block page.

You can upload either a root certificate or a full certificate chain (root certificate plus intermediate certificates). Uploading a certificate chain allows end-user devices to only install the root certificate, which can simplify certificate management for larger enterprises.

You can upload up to five custom root certificates. If your organization requires more than five certificates, contact your account team.

Generate a custom root CA

Before you generate a custom root CA, make sure you have OpenSSL ↗ installed.

Open a terminal.
Create a directory for the root CA and change into it.
Terminal window
```
mkdir -p /root/customca
cd /root/customca
```

Generate a private key for the root CA.

openssl genrsa -out <CUSTOM-ROOT-PRIVATE-KEY>.pem 2048

Generate a self-signed root certificate.

openssl req -x509 -sha256 -new -nodes -key <CUSTOM-ROOT-PRIVATE-KEY>.pem -days 365 -out <CUSTOM-ROOT-CERT>.pem

When preparing your certificate and private key for upload, be sure to remove any unwanted characters, such as mismatching subdomains in the certificate's common name. To review the private key, run the following command:

openssl rsa -in <CUSTOM-ROOT-PRIVATE-KEY>.pem -text

To review the certificate, run the following command:

openssl x509 -in <CUSTOM-ROOT-CERT>.pem -text

Deploy a custom root certificate

You can upload a single root certificate or a full certificate chain. When uploading a certificate chain via the dashboard, API, or Terraform, concatenate the root certificate and any intermediate certificates in PEM format, with the root certificate first.

Dashboard
API

In Cloudflare One ↗, go to Traffic policies > Traffic settings > Certificates.
Select Upload certificate.
Enter the private key and SSL certificate you generated or select Paste certificate from file to upload them from a file. If uploading a certificate chain, paste all certificates (root and intermediates) in PEM format with the root certificate first.
Select Upload custom certificate.

You can now use the generated custom root certificate for inspection.

Use the Upload mTLS certificate endpoint to upload the certificate and private key to Cloudflare. The certificate must be a root CA or certificate chain, formatted as a single string with \n replacing the line breaks.

Required API token permissions

At least one of the following token permissions is required:

Account: SSL and Certificates Write

curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/mtls_certificates" \
  --request POST \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \
  --json '{
    "name": "example_ca_cert",
    "certificates": "-----BEGIN CERTIFICATE-----\nXXXXX\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN PRIVATE KEY-----\nXXXXX\n-----END PRIVATE KEY-----",
    "ca": true
  }'

The response will return a UUID for the certificate. For example:

{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "2458ce5a-0c35-4c7f-82c7-8e9487d3ff60",
    "name": "example_ca_cert",
    "issuer": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "signature": "SHA256WithRSA",
    ...
  }
}

When uploading a certificate chain, the certificates field should contain all certificates in PEM format. To format this field, order the root certificate first, then concatenate any intermediate certificates.

Set the certificate as available for use in inspection with the Activate a Zero Trust certificate endpoint. This will deploy the certificate across the Cloudflare global network.

curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID/activate" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

The response will return the certificate and a pending_deployment binding status. For example:

{
  "errors": [],
  "messages": [],
  "success": true,
  "result": {
    "in_use": false,
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "certificate": "-----BEGIN CERTIFICATE-----\\n ... \\n-----END CERTIFICATE-----\\n",
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "binding_status": "pending_deployment",
    "type": "custom",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z"
  }
}

Use the Get Zero Trust certificate details endpoint to verify the certificate's binding status is set to available.

curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

{
  "errors": [],
  "messages": [],
  "success": true,
  "result": {
    "in_use": false,
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "certificate": "-----BEGIN CERTIFICATE-----\\n ... \\n-----END CERTIFICATE-----\\n",
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "binding_status": "available",
    "type": "custom",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z"
  }
}

(Optional) Verify the certificate is installed on your user's devices either with WARP or manually.
Use the Patch Zero Trust account configuration endpoint to turn on the certificate for use in inspection. For example:

curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "settings": {
        "certificate": {
            "id": "{certificate_id}",
            "in_use": true
        }
    }
  }'

Once in-use is set to true, Gateway will sign your traffic using the custom root certificate and private key. If you turn off or deactivate the custom certificate, Gateway will revert to the next available Cloudflare certificate generated for your Zero Trust account.

Use a custom root certificate

To use a custom root certificate you generated and uploaded to Cloudflare, refer to Activate a root certificate.

Troubleshoot HTTP errors

If Gateway returns an HTTP Response Code: 526 after deploying a custom certificate, you can troubleshoot errors with our FAQ.

Was this helpful?

Community
X
Discord
YouTube
GitHub