[CF4SaaS] Add RSA and ECDSA cert bundling on custom hostnames (#19796)

mia303 · RebeccaTamachiro · web-flow · commit c03904074df4 · 2025-02-07T17:10:08.000Z
* Updated to reflect RSA and ECDSA cert bundling on custom hostnames

* Update uploading-certificates.mdx

* Remove remaining warning at the top of uploading-certificates

* Updated to clarify POST/PATCH calls, "custom key" versus "private key", and certificate packs rather than "bundling"

* Text and formatting adjustments

* Take the chance to review previous content

* Make headings shorter and add specific text to API hyperlinks

* Add missing monospace and call out API-only

* Add page description and mention bundle_method should be force

---------

Co-authored-by: Rebecca Tamachiro &lt;rtamachiro@cloudflare.com&gt;
diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/index.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/index.mdx
@@ -28,6 +28,4 @@ Cloudflare also only accepts publicly trusted certificates of these types:
 * `SHA1WithRSA`
 * `ECDSAWithSHA256`
 
-You can only use one of the different supported types. For example, you cannot upload an `SHA256WithRSA` + `ECDSAWithSHA256` certificate.
-
 If you attempt to upload another type of certificate or a certificate that has been self-signed, it will be rejected.
diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/uploading-certificates.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/uploading-certificates.mdx
@@ -1,38 +1,40 @@
 ---
 title: Manage custom certificates
 pcx_content_type: how-to
+description: Learn how to manage custom certificates for your Cloudflare for SaaS custom hostnames.
 sidebar:
   order: 6
 head:
   - tag: title
-    content: Manage custom certificates — Cloudflare for SaaS
+    content: Manage custom certificates
 
 ---
 
-import { Render } from "~/components"
+import { Render, TabItem, Tabs } from "~/components"
 
-For use cases and limitations, refer to [custom certificates](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/).
+Learn how to manage custom certificates for your Cloudflare for SaaS custom hostnames. For use cases and limitations, refer to [custom certificates](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/).
 
-:::caution
+## Upload certificates
 
-You can only use one of the different [supported types](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/#limitations). For example, you cannot upload an `SHA256WithRSA` + `ECDSAWithSHA256` certificate.
-:::
+This section describes the general process for uploading a custom certificate corresponding to one of the [supported types](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/#limitations).
 
-## Upload certificates
+:::note
+If you must support both RSA and ECDSA refer to [certificate packs](#use-certificate-packs-rsa-and-ecdsa) below.
+:::
 
-### With the dashboard
+<Tabs syncKey="dashPlusAPI"> <TabItem label="Dashboard">
 
-To upload a custom certificate in the dashboard, follow the steps for [issuing new certificates](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/issue-certificates/), but change the **Certificate type** to **Custom certificate**.
+To upload a custom certificate in the dashboard, select **Custom certificate** while [creating your custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/create-custom-hostnames/).
 
-For more details on bundle method, refer to [Bundle Methodologies](/ssl/edge-certificates/custom-certificates/bundling-methodologies/)
+For information about the **bundle method** options, refer to the [Cloudflare SSL/TLS documentation](/ssl/edge-certificates/custom-certificates/bundling-methodologies/).
 
-### With the API
+</TabItem> <TabItem label="API">
 
 The call below will upload a certificate for use with `app.example.com`.
 
 Note that if you are using an ECC key generated by OpenSSL, you will need to first remove the `-----BEGIN EC PARAMETERS-----...-----END EC PARAMETERS-----` section of the file.
 
-#### 1. Update the file and build the payload
+1. Update the file and build the payload
 
 <Render file="custom-cert-file-example" product="ssl" />
 
@@ -52,16 +54,38 @@ EOF
 ))
 ```
 
-#### 2. Upload your certificate and key
-
-Use a [POST request](/api/resources/custom_hostnames/methods/create/) to upload your certificate and key.
+2. Use a [`POST` request](/api/resources/custom_hostnames/methods/create/) to upload your certificate and key.
 
+:::note
 The serial number returned is unique to the issuer, but not globally unique. Additionally, it is returned as a string, not an integer.
+:::
+
+</TabItem> </Tabs>
+
+## Use certificate packs: RSA and ECDSA
+
+A certificate pack allows you to upload up to one RSA and one ECDSA custom certificates to a custom hostname. This process is currently only supported via API.
+
+To upload an RSA and ECDSA certificate to a custom hostname, set the `bundle_method` to `force` and define the `custom_cert_bundle` property when [creating a custom hostname via API](/api/resources/custom_hostnames/methods/create/).
+
+You can also use `"bundle_method": "force"` and `custom_cert_bundle` with a `PATCH` request to the [Edit Custom Hostname](/api/resources/custom_hostnames/methods/edit/) endpoint.
+
+### Delete a custom certificate and private key
+
+Use the [Delete Single Certificate And Key For Custom Hostname](/api/resources/custom_hostnames/subresources/certificate_pack/subresources/certificates/methods/delete/) endpoint to remove one of the custom certificates and corresponding key from a certificate pack.
+
+You cannot delete a certificate if it is the only remaining certificate in the pack.
+
+### Replace a custom certificate and private key
+
+To replace a single custom certificate within a certificate pack that contains two bundled certificates, use the [Replace Custom Certificate And Custom Key In Custom Hostname](/api/resources/custom_hostnames/subresources/certificate_pack/subresources/certificates/methods/update/) endpoint.
+
+You can only replace an RSA certificate with another RSA certificate, or an ECDSA certificate with another ECDSA certificate.
 
 ***
 
 ## Move to a Cloudflare certificate
 
 If you want to switch from maintaining a custom certificate to using one issued by Cloudflare, you can migrate that certificate with zero downtime.
 
-Send a [PATCH request](/api/resources/custom_hostnames/methods/edit/) to your custom hostname with a value for the DCV `method`. As soon as the [certificate is validated](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) and the [hostname is validated](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/), Cloudflare will remove the old custom certificate and begin serving the new one.
+Send a [`PATCH` request](/api/resources/custom_hostnames/methods/edit/) to your custom hostname with a value for the DCV `method`. As soon as the [certificate is validated](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) and the [hostname is validated](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/), Cloudflare will remove the old custom certificate and begin serving the new one.
