diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/index.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/index.mdx index cf916b9211c587..eee83d5cc1e432 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/index.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/index.mdx @@ -28,6 +28,4 @@ Cloudflare also only accepts publicly trusted certificates of these types: * `SHA1WithRSA` * `ECDSAWithSHA256` -You can only use one of the different supported types. For example, you cannot upload an `SHA256WithRSA` + `ECDSAWithSHA256` certificate. - If you attempt to upload another type of certificate or a certificate that has been self-signed, it will be rejected. diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/uploading-certificates.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/uploading-certificates.mdx index 47c6174f7ef44e..4855eb89234ddb 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/uploading-certificates.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/uploading-certificates.mdx 
@@ -1,38 +1,40 @@ --- title: Manage custom certificates pcx_content_type: how-to +description: Learn how to manage custom certificates for your Cloudflare for SaaS custom hostnames. sidebar: order: 6 head: - tag: title - content: Manage custom certificates — Cloudflare for SaaS + content: Manage custom certificates --- -import { Render } from "~/components" +import { Render, TabItem, Tabs } from "~/components" -For use cases and limitations, refer to [custom certificates](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/). +Learn how to manage custom certificates for your Cloudflare for SaaS custom hostnames. For use cases and limitations, refer to [custom certificates](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/). -:::caution +## Upload certificates -You can only use one of the different [supported types](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/#limitations). For example, you cannot upload an `SHA256WithRSA` + `ECDSAWithSHA256` certificate. -::: +This section describes the general process for uploading a custom certificate corresponding to one of the [supported types](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/#limitations). -## Upload certificates +:::note +If you must support both RSA and ECDSA refer to [certificate packs](#use-certificate-packs-rsa-and-ecdsa) below. +::: -### With the dashboard + -To upload a custom certificate in the dashboard, follow the steps for [issuing new certificates](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/issue-certificates/), but change the **Certificate type** to **Custom certificate**. 
+To upload a custom certificate in the dashboard, select **Custom certificate** while [creating your custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/create-custom-hostnames/). -For more details on bundle method, refer to [Bundle Methodologies](/ssl/edge-certificates/custom-certificates/bundling-methodologies/) +For information about the **bundle method** options, refer to the [Cloudflare SSL/TLS documentation](/ssl/edge-certificates/custom-certificates/bundling-methodologies/). -### With the API + The call below will upload a certificate for use with `app.example.com`. Note that if you are using an ECC key generated by OpenSSL, you will need to first remove the `-----BEGIN EC PARAMETERS-----...-----END EC PARAMETERS-----` section of the file. -#### 1. Update the file and build the payload +1. Update the file and build the payload 
@@ -52,11 +54,33 @@ EOF )) ``` -#### 2. Upload your certificate and key - -Use a [POST request](/api/resources/custom_hostnames/methods/create/) to upload your certificate and key. +2. Use a [`POST` request](/api/resources/custom_hostnames/methods/create/) to upload your certificate and key. +:::note The serial number returned is unique to the issuer, but not globally unique. Additionally, it is returned as a string, not an integer. +::: + + + +## Use certificate packs: RSA and ECDSA + +A certificate pack allows you to upload up to one RSA and one ECDSA custom certificates to a custom hostname. This process is currently only supported via API. + +To upload an RSA and ECDSA certificate to a custom hostname, set the `bundle_method` to `force` and define the `custom_cert_bundle` property when [creating a custom hostname via API](/api/resources/custom_hostnames/methods/create/). + +You can also use `"bundle_method": "force"` and `custom_cert_bundle` with a `PATCH` request to the [Edit Custom Hostname](/api/resources/custom_hostnames/methods/edit/) endpoint. + +### Delete a custom certificate and private key + +Use the [Delete Single Certificate And Key For Custom Hostname](/api/resources/custom_hostnames/subresources/certificate_pack/subresources/certificates/methods/delete/) endpoint to remove one of the custom certificates and corresponding key from a certificate pack. + +You cannot delete a certificate if it is the only remaining certificate in the pack. + +### Replace a custom certificate and private key + +To replace a single custom certificate within a certificate pack that contains two bundled certificates, use the [Replace Custom Certificate And Custom Key In Custom Hostname](/api/resources/custom_hostnames/subresources/certificate_pack/subresources/certificates/methods/update/) endpoint. + +You can only replace an RSA certificate with another RSA certificate, or an ECDSA certificate with another ECDSA certificate. *** 
@@ -64,4 +88,4 @@ The serial number returned is unique to the issuer, but not globally unique. Add If you want to switch from maintaining a custom certificate to using one issued by Cloudflare, you can migrate that certificate with zero downtime. -Send a [PATCH request](/api/resources/custom_hostnames/methods/edit/) to your custom hostname with a value for the DCV `method`. As soon as the [certificate is validated](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) and the [hostname is validated](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/), Cloudflare will remove the old custom certificate and begin serving the new one. +Send a [`PATCH` request](/api/resources/custom_hostnames/methods/edit/) to your custom hostname with a value for the DCV `method`. As soon as the [certificate is validated](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) and the [hostname is validated](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/), Cloudflare will remove the old custom certificate and begin serving the new one.
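Review bot: In the `custom-certificates/index.mdx` hunk, deleting the sentence "You can only use one of the different supported types" leaves the limitations list with no mention of how RSA and ECDSA can be combined. A reader on that page sees the list of signature types and the rejection sentence, with no route to the new "Use certificate packs: RSA and ECDSA" section added in `uploading-certificates.mdx`. Suggest replacing the removed sentence with a one-line pointer to that section instead of removing it outright.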
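Review bot: In the first `uploading-certificates.mdx` hunk (`@@ -1,38 +1,40 @@`), the new `description:` frontmatter value and the new opening body sentence are the same string, "Learn how to manage custom certificates for your Cloudflare for SaaS custom hostnames.", so the page states it twice wherever the description is rendered. Suggest dropping the body copy and keeping only the "For use cases and limitations" sentence. Two smaller points in the same hunk: the note "If you must support both RSA and ECDSA refer to" needs a comma after "ECDSA", and now that "1. Update the file and build the payload" is a list item instead of a heading, check that the payload code block that follows it is indented under the item so that the "2." added in the next hunk continues the numbering.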
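Review bot: The new "Use certificate packs: RSA and ECDSA" section in the `@@ -52,11 +54,33 @@` hunk names `bundle_method` and `custom_cert_bundle` but shows no request body, so a reader cannot tell from this page what shape `custom_cert_bundle` takes or where each certificate's private key belongs. Suggest adding a sample request with placeholder PEM values next to the existing single-certificate steps, plus one sentence on why `force` is required, linking the bundle method documentation already referenced in the upload section. Grammar: "up to one RSA and one ECDSA custom certificates" should read "custom certificate". The Replace subsection states the like-for-like rule (RSA for RSA, ECDSA for ECDSA) but not how the API responds when the key types differ; worth adding so a failed rotation is recognisable.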
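Review bot: In the last hunk (`@@ -64,4 +88,4 @@`), the migration paragraph still says Cloudflare "will remove the old custom certificate" in the singular, while this patch introduces packs that hold one RSA and one ECDSA certificate. Suggest stating whether the `PATCH` request with a DCV `method` removes both certificates in a pack, because operators planning key retirement need to know when each uploaded private key stops being served.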