Skip to content

Custom certificates

Custom certificates are meant for Business and Enterprise customers who want to use their own SSL certificates.


Unlike Universal SSL or advanced certificates, Cloudflare does not manage issuance and renewal for custom certificates. When you use custom certificates, the following actions should be considered and accomplished by you:

Certificate packs

Before deploying custom certificates to Cloudflare’s global network, Cloudflare automatically groups the certificates into certificate packs.

A certificate pack is a group of certificates that share the same set of hostnames — for example, example.com and *.example.com — but use different signature algorithms.

Each pack can include up to three certificates, one from each of the following signature algorithms:

  • SHA-2/RSA
  • SHA-2/ECDSA
  • SHA-1/RSA

Each pack only counts as one SSL certificate against your custom certificate quota.

Availability

Free Pro Business Enterprise

Availability

No

No

Yes

Yes

Certificates included

0 0

1 (Modern) 1 (Legacy)

1 (Modern) (can purchase more) 1 (Legacy) (can purchase more)

Certificate Signing Requests (CSRs)

As part of the custom certificate process, you can leverage Cloudflare to generate your Certificate Signing Request (CSR). This additional option means that Cloudflare will safely generate and store the private key associated with the CSR.

Geo Key Manager (private key restriction)

By default, Cloudflare encrypts and securely distributes private keys to all Cloudflare data centers, where they can be used for local SSL/TLS termination. If you want to restrict where your private keys may be used, use Geo Key Manager.

Keyless SSL

If you want to upload a custom certificate but retain your private key on your own infrastructure, consider using Keyless SSL.