Trust and Safety Write Trust and Safety Read Zero Trust: PII Read Zaraz Edit Zaraz Read Zaraz Admin Access: Apps and Policies Revoke Access: Apps and Policies Write Access: Apps and Policies Read Access: Apps and Policies Revoke Access: Mutual TLS Certificates Write Access: Organizations, Identity Providers, and Groups Write Zone Settings Write Zone Settings Read Zone Read DNS Read Workers Scripts Write Workers Scripts Read Zone Write Workers Routes Write Workers Routes Read Stream Write Stream Read SSL and Certificates Write SSL and Certificates Read Logs Write Logs Read Cache Purge Page Rules Write Page Rules Read Load Balancers Write Load Balancers Read Firewall Services Write Firewall Services Read DNS Write Apps Write Analytics Read Access: Apps and Policies Write Access: Apps and Policies Read

path Parameters

zone_id: string

(maxLength: 32)

Identifier.

keyless_certificate_id: string

(maxLength: 32)

Identifier.

Response fields

errors: Array<{ code, message, documentation_url, 1 more... }>

messages: Array<{ code, message, documentation_url, 1 more... }>

success: true

Whether the API call was successful.

result:

KeylessCertificate

Optional

Request example

curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/keyless_certificates/$KEYLESS_CERTIFICATE_ID \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

200Example

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "4d2844d2ce78891c34d0b6c0535a291e",
    "created_on": "2014-01-01T05:20:00Z",
    "enabled": false,
    "host": "example.com",
    "modified_on": "2014-01-01T05:20:00Z",
    "name": "example.com Keyless SSL",
    "permissions": [
      "#ssl:read",
      "#ssl:edit"
    ],
    "port": 24008,
    "status": "active",
    "tunnel": {
      "private_ip": "10.0.0.1",
      "vnet_id": "7365377a-85a4-4390-9480-531ef7dc7a3c"
    }
  }
}

Create Keyless SSL Configuration -> Envelope<

KeylessCertificate

post/zones/{zone_id}/keyless_certificates

Creates a Keyless SSL configuration that allows SSL/TLS termination without exposing private keys to Cloudflare. Keys remain on your infrastructure.

Edit Keyless SSL Configuration -> Envelope<

KeylessCertificate

patch/zones/{zone_id}/keyless_certificates/{keyless_certificate_id}

This will update attributes of a Keyless SSL. Consists of one or more of the following: host,name,port.

Delete Keyless SSL Configuration -> Envelope<{ id }>

delete/zones/{zone_id}/keyless_certificates/{keyless_certificate_id}

Removes a Keyless SSL configuration. SSL connections will no longer use the keyless server for cryptographic operations.

Domain types

KeylessCertificate = { id, created_on, enabled, 7 more... }

Tunnel = { private_ip, vnet_id }

Configuration for using Keyless SSL through a Cloudflare Tunnel