Cloudflare Custom Certificate
Learn how to configure a Cloudflare Custom Certificate Sync for KMS PKI.
Prerequisites:
- Create a Cloudflare Connection
Custom Certificate Quota: Cloudflare has a default quota of one custom certificate per zone on most plans. Enterprise plans may have higher quotas. If you attempt to sync more certificates than your quota allows, only one certificate will be successfully uploaded. Check your Cloudflare plan's certificate quota before configuring the sync, or contact Cloudflare to increase your quota.
- Navigate to Project > Integrations > Certificate Syncs and press Add Sync.
- Select the Cloudflare Custom Certificate option.
- Configure the Destination to where certificates should be deployed, then click Next.
  - Cloudflare Connection: The Cloudflare Connection to authenticate with.
  - Zone: The Cloudflare zone (domain) where certificates should be uploaded.
- Configure the Sync Options to specify how certificates should be synced, then click Next.
  - Enable Removal of Expired/Revoked Certificates: If enabled, Hanzo KMS will remove certificates from the destination when they are no longer active in Hanzo KMS.
  - Certificate Name Schema (Optional): Customize how certificate names are generated. Must include {{certificateId}} as a placeholder. If not specified, defaults to Hanzo KMS-{{certificateId}}.
  - Auto-Sync Enabled: If enabled, certificates will automatically be synced when changes occur. Disable to enforce manual syncing only.
- Configure the Details of your Cloudflare Custom Certificate Sync, then click Next.
  - Name: The name of your sync. Must be slug-friendly.
  - Description: An optional description for your sync.
- Select which certificates should be synced to Cloudflare.
- Review your Cloudflare Custom Certificate Sync configuration, then click Create Sync.
- If auto-sync is enabled, your Cloudflare Custom Certificate Sync will begin syncing your certificates to the destination endpoint.

To create a Cloudflare Custom Certificate Sync, make an API request to the Create Cloudflare Custom Certificate Sync API endpoint.
Sample request
You can optionally specify certificateIds during sync creation to immediately add certificates to the sync.
If not provided, you can add certificates later using the certificate management endpoints.
```bash
curl --request POST \
  --url https://app.kms.hanzo.ai/api/v1/cert-manager/syncs/cloudflare-custom-certificate \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "my-cloudflare-cert-sync",
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "description": "an example certificate sync",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "destination": "cloudflare-custom-certificate",
    "isAutoSyncEnabled": true,
    "certificateIds": [
      "550e8400-e29b-41d4-a716-446655440000",
      "660f1234-e29b-41d4-a716-446655440001"
    ],
    "syncOptions": {
      "canRemoveCertificates": true,
      "certificateNameSchema": "myapp-{{certificateId}}"
    },
    "destinationConfig": {
      "zoneId": "023e105f4ecef8ad9ca31a8372d0c353"
    }
  }'
```
Sample response
```json
{
  "pkiSync": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "my-cloudflare-cert-sync",
    "description": "an example certificate sync",
    "destination": "cloudflare-custom-certificate",
    "isAutoSyncEnabled": true,
    "destinationConfig": {
      "zoneId": "023e105f4ecef8ad9ca31a8372d0c353"
    },
    "syncOptions": {
      "canRemoveCertificates": true,
      "certificateNameSchema": "myapp-{{certificateId}}"
    },
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "connectionId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "createdAt": "2023-01-01T00:00:00.000Z",
    "updatedAt": "2023-01-01T00:00:00.000Z"
  }
}
```

Certificate Management
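The following Python helper is an added example, not code from the Hanzo KMS docs or project. It builds the same create-sync request body as the curl sample above, enforces the constraints stated on this page (a slug-friendly sync name, a `{{certificateId}}` placeholder in the name schema, the default of one custom certificate per zone) before anything is sent, and submits it with a bearer token; the exact slug regex, the helper names and the `over_quota` pre-flight check are assumptions.

```python
import json
import re
import urllib.request

# Endpoint, field names and defaults come from the page; the slug rule is assumed.
API_URL = "https://app.kms.hanzo.ai/api/v1/cert-manager/syncs/cloudflare-custom-certificate"
PLACEHOLDER = "{{certificateId}}"
DEFAULT_NAME_SCHEMA = "Hanzo KMS-" + PLACEHOLDER
DEFAULT_ZONE_QUOTA = 1  # custom certificates per zone on most Cloudflare plans
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")  # assumed "slug-friendly" rule


def build_sync_payload(name, project_id, connection_id, zone_id, certificate_ids=(),
                       description="", auto_sync=True, remove_inactive=True,
                       name_schema=None):
    """Return the JSON body for the create-sync endpoint, or raise ValueError."""
    if not SLUG_RE.fullmatch(name):
        raise ValueError(f"sync name must be slug-friendly, got {name!r}")
    schema = DEFAULT_NAME_SCHEMA if name_schema is None else name_schema
    if PLACEHOLDER not in schema:
        raise ValueError(f"certificateNameSchema must include {PLACEHOLDER}")
    payload = {
        "name": name, "projectId": project_id, "description": description,
        "connectionId": connection_id, "destination": "cloudflare-custom-certificate",
        "isAutoSyncEnabled": auto_sync,
        "syncOptions": {"canRemoveCertificates": remove_inactive,
                        "certificateNameSchema": schema},
        "destinationConfig": {"zoneId": zone_id},
    }
    if certificate_ids:  # optional; certificates can also be added after creation
        payload["certificateIds"] = list(certificate_ids)
    return payload


def render_certificate_name(schema, certificate_id):
    """Name the certificate will carry in Cloudflare under the given schema."""
    return schema.replace(PLACEHOLDER, certificate_id)


def over_quota(certificate_ids, quota=DEFAULT_ZONE_QUOTA):
    """Ids beyond the zone's custom-certificate quota (uploads past it will fail)."""
    return list(certificate_ids)[quota:]


def create_sync(payload, access_token, api_url=API_URL):
    """POST the payload with a bearer token; returns the parsed JSON response."""
    req = urllib.request.Request(
        api_url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `over_quota` on the certificate list before `create_sync` when the zone is on a default-quota plan; anything it returns will not be uploaded.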
The Cloudflare Custom Certificate Sync provides:
- Automatic Deployment: Deploy certificates in Hanzo KMS to Cloudflare as Custom certificates.
- Certificate Updates: Update certificates in Cloudflare when renewals occur.
- Expiration Handling: Remove expired or revoked certificates from Cloudflare when removal is enabled in the sync options.
- Chain Management: Properly bundle certificate chains for optimal browser compatibility.
Cloudflare Custom Certificate Syncs support both automatic and manual synchronization modes. When auto-sync is enabled, certificates are automatically deployed as they are issued or renewed.
Manual Certificate Sync
You can manually trigger certificate synchronization to Cloudflare using the sync certificates functionality. This is useful for:
- Initial setup when you have existing certificates to deploy
- One-time sync of specific certificates
- Testing certificate sync configurations
- Forcing a sync after making changes
To manually sync certificates, use the Sync Certificates API endpoint or the manual sync option in the Hanzo KMS UI.
FAQ
Cloudflare does not support importing certificates back into Hanzo KMS due to security limitations where private keys cannot be extracted from Cloudflare.