Issue certificates

For each custom hostname certificate you request, Cloudflare issues two certificates that are bundled in chains that maximize browser compatibility (unless you upload custom certificates). The primary certificate uses a P-256 key, is SHA-2/ECDSA signed, and will be presented to browsers that support elliptic curve cryptography (ECC). The secondary or fallback certificate uses an RSA 2048-bit key, is SHA-2/RSA signed, and will be presented to browsers that do not support ECC.

Once issued, certificates are valid for one year. Renewals depend on your chosen method for Domain Control Validation.

​​ Via the dashboard

1. Log in to the Cloudflare dashboard Open external link and select your account.
2. Select your Cloudflare for SaaS application.
3. Navigate to SSL/TLS > Custom Hostnames.
4. Click Add Custom Hostname.
5. Add your customer’s hostname app.customer.com and set the relevant options, including:
   • Choosing the Validation method.
   • Whether you want to Enable wildcard, which adds a *.<custom-hostname> SAN to the custom hostname certificate. For more details, refer to Hostname priority.
   • Choosing a value for Custom origin server.
6. Click Add Custom Hostname.

​​ Via the API

To create a custom hostname using the API, use a POST command on the /zone/:zone_id/custom_hostnames endpoint.

The response contains the complete definition of the new custom hostname.