---
title: User-side certificates
description: Set up User-side certificates for Zero Trust.
image: https://developers.cloudflare.com/zt-preview.png
---

# User-side certificates

Advanced security features such as [HTTPS traffic inspection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/), [Data Loss Prevention](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/), [anti-virus scanning](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/antivirus-scanning/), [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/), and [Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/) require users to install and trust a root certificate on their device. You can either install the certificate provided by Cloudflare (default option), or generate your own custom certificate and upload it to Cloudflare.

Zero Trust [generates a unique root CA](#generate-a-cloudflare-root-certificate) for each account and deploys it across the Cloudflare global network. Alternatively, Enterprise users can upload and deploy their own [custom certificate](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/).

Default certificate expired on 2025-02-02

The default Cloudflare certificate expired on 2025-02-02 at 16:05 UTC.

Review how this change impacts certificate propagation to your end-user devices and how to address browser issues in [Troubleshooting](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/troubleshooting/common-issues/#browser-and-certificate-issues).

## Certificate status

Zero Trust will indicate if a certificate is ready for use in inspection based on its deployment status:

| Deployment status    | Description                                                                                                                                                                |
| -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Inactive             | The certificate has been generated by or uploaded to Cloudflare but is not deployed across the global network.                                                             |
| Pending              | The certificate is being activated or deactivated for use.                                                                                                                 |
| Available            | The certificate is deployed across the Cloudflare global network and ready to be turned on. The Cloudflare One Client will install the certificate on your users' devices. |
| Available and In-Use | The certificate is turned on. Gateway will use the certificate for inspection.                                                                                             |

## Generate a Cloudflare root certificate

To generate a new Cloudflare root certificate for your Zero Trust organization:

Dashboard:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. Select **Certificates**.
3. Select **Generate certificate**.
4. Choose a duration of time before the certificate expires. Cloudflare recommends expiration after five years. Alternatively, choose _Custom_ and enter a custom amount in days.
5. Select **Generate certificate**.

API:

Send a `POST` request to the [Create Zero Trust certificate](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/certificates/methods/create/) endpoint.

Create Zero Trust certificate

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

The API will respond with the ID and contents of the new certificate.

The certificate will appear in your list of certificates as **Inactive**. To download a generated certificate, select it, then choose **Download .pem** and/or **Download .crt**. To deploy your certificate and turn it on for inspection, you need to [activate the certificate](#activate-a-root-certificate).

Each Zero Trust account can generate a new root certificate a maximum of three times per day.

## Activate a root certificate

Note

Zero Trust accounts using the default Cloudflare certificate prior to 2024-10-17 will need to redeploy and activate the newly generated certificate. Zero Trust accounts created during or after 2024-10-17 will use an available certificate by default.

Once a certificate is generated in or uploaded to Zero Trust, you need to activate it. Activating a certificate deploys it across the Cloudflare network and sets its status to **Available**. You can have up to 10 available certificates at once.

To activate your root certificate:

Dashboard:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. Select **Certificates**.
3. Select the certificate you want to activate.
4. Select **Activate**.

API:

Send a `POST` request to the [Activate a Zero Trust certificate](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/certificates/methods/activate/) endpoint.

Activate a Zero Trust certificate

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID/activate" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

The status of the certificate will change to **Pending** while it deploys. Once the status of your certificate is **Available**, you can install it on your users' devices either [with the Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/automated-deployment/) or [manually](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/manual-deployment/).

Once you deploy and install your certificate, you can turn it on for use in inspection:

Dashboard:

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Traffic policies** \> **Traffic settings**.
2. Select **Certificates**.
3. Select the certificate you want to turn on.
4. In **Basic information**, select **Confirm and turn on certificate**.

API:

Send a `PUT` request to the [Update Zero Trust account configuration](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/gateway/subresources/configurations/methods/update/) endpoint. For example:

Update Zero Trust account configuration

```
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "settings": {
        "certificate": {
            "id": "{certificate_id}",
            "in_use": true
        }
    }
  }'
```

You can set multiple certificates to **Available**, but you can only turn on one certificate for use in inspection at a time. Setting a certificate as **In-Use** will set any other in-use certificates as **Available** only and prevent them from being used for inspection until turned on again.
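The activate, wait, and turn-on sequence from this section as one script, so the certificate is only set **In-Use** after it has finished deploying. This is an added example, not Cloudflare's code: the `GET` certificate-details call and its `result.binding_status` field with the value `available` are assumptions not shown on this page, and `cf_request` and `activate_and_turn_on` are hypothetical names.

```python
import json
import os
import time
import urllib.request

API = "https://api.cloudflare.com/client/v4"


def cf_request(method, path, token, body=None):
    """Send one authenticated API call and return the decoded JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        API + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def activate_and_turn_on(account_id, cert_id, token, call=cf_request,
                         polls=30, delay=10, sleep=time.sleep):
    """Activate a certificate, wait for Available, then set it In-Use."""
    base = f"/accounts/{account_id}/gateway"
    call("POST", f"{base}/certificates/{cert_id}/activate", token)
    for _ in range(polls):
        # Assumption: certificate details expose the deployment status as
        # result.binding_status, with "available" once deployment finishes.
        reply = call("GET", f"{base}/certificates/{cert_id}", token)
        if reply["result"]["binding_status"] == "available":
            break
        sleep(delay)  # still Pending: keep waiting
    else:
        # Never turn on a certificate that has not finished deploying.
        raise TimeoutError(f"certificate {cert_id} is not Available yet")
    body = {"settings": {"certificate": {"id": cert_id, "in_use": True}}}
    return call("PUT", f"{base}/configuration", token, body)


if __name__ == "__main__":
    env = os.environ
    print(activate_and_turn_on(env["ACCOUNT_ID"], env["CERTIFICATE_ID"],
                               env["CLOUDFLARE_API_TOKEN"]))
```

Run it with `ACCOUNT_ID`, `CERTIFICATE_ID` and `CLOUDFLARE_API_TOKEN` set in the environment, the same variables the curl commands above use.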

