Create custom hostnames
There are several required steps before a custom hostname can become active. For more details, refer to our Get started guide.
To create a custom hostname:
- Log in to the Cloudflare dashboard ↗ and select your account.
- Select your Cloudflare for SaaS application.
- Navigate to SSL/TLS > Custom Hostnames.
- Click Add Custom Hostname.
- Add your customer's hostname
app.customer.comand set the relevant options, including:- Choosing the Validation method.
- Whether you want to Enable wildcard, which adds a
*.<custom-hostname>SAN to the custom hostname certificate. For more details, refer to Hostname priority. - Choosing a value for Custom origin server.
- Click Add Custom Hostname.
Default behavior
When you create a custom hostname:
- If you issue a custom hostname certificate with wildcards enabled, you cannot customize TLS settings for these wildcard hostnames.
- If you do not specify the Minimum TLS Version, it defaults to 1.0, not the zone's Minimum TLS Version. You can still edit this setting after creation.
-
To create a custom hostname using the API, use the Create Custom Hostname endpoint.
- You can leave the
certificate_authorityparameter empty to set it to "default CA". With this option, Cloudflare checks the CAA records before requesting the certificates, which helps ensure the certificates can be issued from the CA.
- You can leave the
-
For the newly created custom hostname, the
POSTresponse may not return the DCV validation tokenvalidation_records. It is recommended to make a secondGETcommand (with a delay) to retrieve these details.
The response contains the complete definition of the new custom hostname.
Default behavior
When you create a custom hostname:
- If you issue a custom hostname certificate with wildcards enabled, you cannot customize TLS settings for these wildcard hostnames.
- If you do not specify the Minimum TLS Version, it defaults to 1.0, not the zone's Minimum TLS Version. You can still edit this setting after creation.
For each custom hostname, Cloudflare issues two certificates bundled in chains that maximize browser compatibility (unless you upload custom certificates).
The primary certificate uses a P-256 key, is SHA-2/ECDSA signed, and will be presented to browsers that support elliptic curve cryptography (ECC). The secondary or fallback certificate uses an RSA 2048-bit key, is SHA-2/RSA signed, and will be presented to browsers that do not support ECC.
The Common Name (CN) restriction establishes a limit of 64 characters (RFC 5280 ↗). If you have a hostname that exceeds this length, you can set cloudflare_branding to true when creating your custom hostnames via API.
"ssl": { "cloudflare_branding": true }Cloudflare branding means that sni.cloudflaressl.com will be added as the certificate Common Name (CN) and the long hostname will be included as a part of the Subject Alternative Name (SAN).
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark