Cloudflare Docs
SSL/TLS
SSL/TLS
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Certificate Signing Requests (CSRs)

Generate a Certificate Signing Request (CSR) to get a custom certificate from the Certificate Authority (CA) of your choice while maintaining control of the private key on Cloudflare. The private key associated with the CSR will be generated by Cloudflare and will never leave our network.

A CSR contains information about your domain: your organization name and address, the common name (domain name), and Subject Alternative Names (SANs).

​​ Availability

FreeProBusinessEnterprise

Availability

NoNoNoIncluded with Advanced Certificate Manager

​​ Types of CSRs

You can create two types of CSRs:

  • Zone-level: Meant only for sign certificates associated with the current zone.
  • Account-level: Meant for organizations that issue certificates across multiple domains.

​​ Create and use a CSR

To create a CSR:

  1. Log in to the Cloudflare dashboard and select your account and an application.
  2. Go to SSL/TLS > Edge Certificates.
  3. On Certificate Signing Request (CSR), select Generate.
  4. Choose a Scope (only certain customers can choose Account).
  5. Enter relevant information on the form and select Create.

To use a CSR:

  1. Go to SSL/TLS > Edge Certificates.

  2. On Certificate Signing Request (CSR), select the record you just created.

  3. Copy (or select Click to copy) the value for Certificate Signing Request.

  4. Obtain a certificate from the Certificate Authority (CA) of your choice using your CSR.

  5. When you upload the custom certificate to Cloudflare, select an Encoding mode of Certificate Signing Request (CSR) and enter the associated value.

​​ Renew a certificate

When you renew a custom certificate, you can reuse a previously generated CSR.