Cloudflare Custom Certificate

Prerequisites:

Create a Cloudflare Connection

Custom Certificate Quota: Cloudflare has a default quota of one custom certificate per zone on most plans. Enterprise plans may have higher quotas. If you attempt to sync more certificates than your quota allows, only one certificate will be successfully uploaded. Check your Cloudflare plan’s certificate quota before configuring the sync, or contact Cloudflare to increase your quota.

Infisical UI
API

Navigate to Project > Integrations > Certificate Syncs and press Add Sync.
Select the Cloudflare Custom Certificate option.
Configure the Destination to where certificates should be deployed, then click Next.

Cloudflare Connection: The Cloudflare Connection to authenticate with.
Zone: The Cloudflare zone (domain) where certificates should be uploaded.

Configure the Sync Options to specify how certificates should be synced, then click Next.

Enable Removal of Expired/Revoked Certificates: If enabled, Infisical will remove certificates from the destination if they are no longer active in Infisical.
Certificate Name Schema (Optional): Customize how certificate names are generated. Must include {{certificateId}} as a placeholder. If not specified, defaults to Infisical-{{certificateId}}.
Auto-Sync Enabled: If enabled, certificates will automatically be synced when changes occur. Disable to enforce manual syncing only.

Configure the Details of your Cloudflare Custom Certificate Sync, then click Next.
- Name: The name of your sync. Must be slug-friendly.
- Description: An optional description for your sync.
Select which certificates should be synced to Cloudflare.
Review your Cloudflare Custom Certificate Sync configuration, then click Create Sync.
If enabled, your Cloudflare Custom Certificate Sync will begin syncing your certificates to the destination endpoint.

To create a Cloudflare Custom Certificate Sync, make an API request to the Create Cloudflare Custom Certificate Sync API endpoint.

Sample request

You can optionally specify certificateIds during sync creation to immediately add certificates to the sync. If not provided, you can add certificates later using the certificate management endpoints.

Request

curl --request POST \
--url https://app.infisical.com/api/v1/cert-manager/syncs/cloudflare-custom-certificate \
--header 'Authorization: Bearer <access-token>' \
--header 'Content-Type: application/json' \
--data '{
    "name": "my-cloudflare-cert-sync",
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "an example certificate sync",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "destination": "cloudflare-custom-certificate",
    "isAutoSyncEnabled": true,
    "certificateIds": [
        "550e8400-e29b-41d4-a716-446655440000",
        "660f1234-e29b-41d4-a716-446655440001"
    ],
    "syncOptions": {
        "canRemoveCertificates": true,
        "certificateNameSchema": "myapp-{{certificateId}}"
    },
    "destinationConfig": {
        "zoneId": "023e105f4ecef8ad9ca31a8372d0c353"
    }
}'

Sample response

Response

{
    "pkiSync": {
        "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "name": "my-cloudflare-cert-sync",
        "description": "an example certificate sync",
        "destination": "cloudflare-custom-certificate",
        "isAutoSyncEnabled": true,
        "destinationConfig": {
            "zoneId": "023e105f4ecef8ad9ca31a8372d0c353"
        },
        "syncOptions": {
            "canRemoveCertificates": true,
            "certificateNameSchema": "myapp-{{certificateId}}"
        },
        "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "createdAt": "2023-01-01T00:00:00.000Z",
        "updatedAt": "2023-01-01T00:00:00.000Z"
    }
}

Certificate Management

The Cloudflare Custom Certificate Sync provides:

Automatic Deployment: Deploy certificates in Infisical to Cloudflare as Custom certificates.
Certificate Updates: Update certificates in Cloudflare when renewals occur.
Expiration Handling: Optionally remove expired certificates from Cloudflare (if enabled).
Chain Management: Properly bundle certificate chains for optimal browser compatibility.

Cloudflare Custom Certificate Syncs support both automatic and manual synchronization modes. When auto-sync is enabled, certificates are automatically deployed as they are issued or renewed.

Manual Certificate Sync

You can manually trigger certificate synchronization to Cloudflare using the sync certificates functionality. This is useful for:

Initial setup when you have existing certificates to deploy
One-time sync of specific certificates
Testing certificate sync configurations
Force sync after making changes

To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Infisical UI.

FAQ

Can I import certificates from Cloudflare back into Infisical?

Cloudflare does not support importing certificates back into Infisical due to security limitations where private keys cannot be extracted from Cloudflare.

Certificate Management

Product Reference

Infrastructure Integrations

Certificate Syncs

External CA Integrations

Cloudflare Custom Certificate

Sample request

Sample response

Certificate Management

Manual Certificate Sync

FAQ

Certificate Management

Product Reference

Infrastructure Integrations

Certificate Syncs

External CA Integrations

​Sample request

​Sample response

​Certificate Management

​Manual Certificate Sync

​FAQ

Sample request

Sample response

Certificate Management

Manual Certificate Sync

FAQ