Setup
Geo Key Manager v2
Geo Key Manager v2 gives customers flexibility when choosing the geographical boundaries of where their keys are stored.
Using the policy field, customers can define policies containing allow and block lists of countries or regions where the private key should be stored.
To use Geo Key Manager v2 with the API, generally, follow the steps to upload a custom certificate.
When sending the POST request, include the policy parameter to define policies containing allow and block lists of countries or regions where the private key should be stored.
Examples
Store private keys in the E.U. and the U.S.

```bash
curl -X POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/custom_certificates" \
  -H "X-Auth-Email: <EMAIL>" \
  -H "X-Auth-Key: <AUTH_KEY>" \
  -H "Content-Type: application/json" \
  --data '{
    "certificate": "<CERTIFICATE>",
    "private_key": "<PRIVATE_KEY>",
    "policy": "(country: US) or (region: EU)",
    "type": "sni_custom"
  }'
```
Store private keys in the E.U., but not in France

```bash
curl -X POST "https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/custom_certificates" \
  -H "X-Auth-Email: <EMAIL>" \
  -H "X-Auth-Key: <AUTH_KEY>" \
  -H "Content-Type: application/json" \
  --data '{
    "certificate": "<CERTIFICATE>",
    "private_key": "<PRIVATE_KEY>",
    "policy": "(region: EU) and (not country: FR)",
    "type": "sni_custom"
  }'
```
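The curl examples above place the private key inline in `--data`, where it ends up in shell history and in the process list. As an added example (not Cloudflare's code), the functions below build the same request body from PEM files and pipe it to curl on stdin; the function names, the file arguments and the character check on the policy string are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Cloudflare's code. Function names are hypothetical.
# ZONE_ID, EMAIL and AUTH_KEY are read from the environment.

# Print a PEM file as one JSON string with newlines written as \n.
# Assumes plain PEM text (no quotes or backslashes), so nothing else is escaped.
pem_to_json_string() {
  awk 'BEGIN { printf "\"" }
       { sub(/\r$/, ""); printf "%s%s", $0, "\\n" }
       END { printf "\"" }' "$1"
}

# build_payload CERT_FILE KEY_FILE POLICY: print the request body on stdout.
build_payload() {
  # Assumed character set: only what the page's policy examples use.
  # Rejecting quotes and backslashes keeps the policy inside its JSON string.
  case $3 in
    ''|*[!A-Za-z0-9\ \(\):_-]*)
      echo "policy is empty or has unexpected characters" >&2; return 1 ;;
  esac
  # Catch swapped arguments before a key is sent in the certificate field.
  if grep -q 'PRIVATE KEY-----' "$1"; then
    echo "certificate file contains a private key" >&2; return 1
  fi
  if ! grep -q 'BEGIN .*PRIVATE KEY-----' "$2"; then
    echo "key file has no PEM private key header" >&2; return 1
  fi
  printf '{"certificate":%s,"private_key":%s,"policy":"%s","type":"sni_custom"}\n' \
    "$(pem_to_json_string "$1")" "$(pem_to_json_string "$2")" "$3"
}

# upload_certificate CERT_FILE KEY_FILE POLICY
# curl reads the body from stdin (--data @-), so the key is never an argument.
# Auth headers are passed the same way as in the page's examples.
upload_certificate() {
  body=$(build_payload "$1" "$2" "$3") || return 1
  printf '%s' "$body" |
    curl -sS -X POST \
      "https://api.cloudflare.com/client/v4/zones/${ZONE_ID:?}/custom_certificates" \
      -H "X-Auth-Email: ${EMAIL:?}" -H "X-Auth-Key: ${AUTH_KEY:?}" \
      -H "Content-Type: application/json" --data @-
}
```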
Geo Key Manager v1
The first version of Geo Key Manager supports 3 regions: U.S., E.U., and a set of High Security Data Centers. If you would like to restrict your private key to another country or region, apply for the closed beta of the new version.
To use Geo Key Manager in the dashboard:
- Follow the steps to upload a custom certificate.
- For Private Key Restriction, choose one of the following options:
  - Distribute to all Cloudflare data centers (optimal performance)
  - Distribute only to U.S. data centers
  - Distribute only to E.U. data centers
  - Distribute only to highest security data centers (more details)
- Select Upload Custom Certificate.
To use Geo Key Manager with the API, generally, follow the steps to upload a custom certificate.
When sending the POST request, include the geo_restrictions parameter set to one of the following options:
- us
- eu
- highest_security (more details)