Manage certificates
Refer to the following sections to learn how to manage certificates used with the different Authenticated Origin Pulls setups.
Cloudflare does not delete client certificates upon expiration unless you send a delete request to the Cloudflare API for the relevant certificate (Delete a zone-level certificate or Delete a hostname-level certificate). If your origin only accepts a valid client certificate, it will drop requests when the certificate expires.
Make sure you have notifications set up to get alerts 30 days and 14 days before an AOP certificate expires.
To apply different client certificates simultaneously at both the zone and hostname level, you can combine zone-level and per-hostname custom certificates.
First, set up zone-level pulls using a certificate. Then, upload multiple, specialized certificates for individual hostnames. Since per-hostname certificates are more specific, they take precedence over zone certificates.
- Upload the new certificate.
- List your certificates and note the ID for the certificate you uploaded.
- Enable Authenticated Origin Pulls for the specific hostname, using the ID obtained in step 2 to specify the certificate you want to use:
Required API token permissions
At least one of the following token permissions
is required:
SSL and Certificates Write
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames" \ --request PUT \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "config": [ { "enabled": true, "hostname": "<HOSTNAME>", "cert_id": "<CERT_ID>" } ] }'- Upload the new certificate.
- Check whether new certificate is Active.
- Once certificate is active, delete the previous certificate.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2026 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-
