Cloudflare Docs
SSL/TLS
SSL/TLS
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Custom origin trust store

By default, Cloudflare’s edge network maintains a list of publicly trusted certificate authorities. This means that when using Full (strict) encryption mode, Cloudflare will only trust origin server certificates issued by a CA in this trust store.

Custom Origin Trust Store allows you to upload certificate authorities (CAs) that Cloudflare will use to authenticate connections to your origin server. Use this feature to override the default trust store with your preferred CA or CAs.

When a CA has been uploaded to Custom Origin Server Trust Store, Cloudflare will ignore all default publicly trusted CAs and exclusively use the CA or CAs that have been uploaded to authenticate the origin server.

​​ Availability

To get access to custom origin trust store, you need to have Advanced Certificate Manager enabled on your zone.

​​ How to

To manage custom origin trust stores in the dashboard, go to SSL/TLS > Origin Server and use the Custom Origin Trust Store card.

To manage using the API, refer to the API commands.

​​ Limitations

If your uploaded CA expires and no alternative CAs are valid within the trust store, Cloudflare will not be able to properly authenticate connections to the origin server with Full (strict) encryption mode enabled.

​​ API commands

CommandMethodEndpoint
Create custom origin trust storePOST/zones/<ZONE_ID>/acm/custom_trust_store
List custom origin trust storesGET/zones/<ZONE_ID>/acm/custom_trust_store
Get custom origin trust storeGET/zones/<ZONE_ID>/acm/custom_trust_store/<ID>
Delete custom origin trust storeDELETE/zones/<ZONE_ID>/acm/custom_trust_store/<ID>