Renewal and expiration
Since Cloudflare cannot renew uploaded certificates, you should ensure that you replace or update an expiring custom certificate before it expires, otherwise your visitors may not be able to connect.
Cloudflare automatically sends email notifications 30 and 14 days before your custom certificate expires. The email is sent to users who have the SSL/TLS, Administrator, or Super Administrator roles.
If a valid replacement - covering some or all of the SANs in the expiring custom certificate - is already available, Cloudflare will remove the expiring custom certificate in the 24 hours before expiration. There is no expected downtime due to certificate transition.
If no valid replacement is available, Cloudflare will remove the custom certificate after it expires.
Affected domains and subdomains will fall back to any other active certificate covering the hostnames on the expiring certificate.
If you no longer want to use your custom certificate but still want your website or application to be covered with SSL/TLS, you can do the following:
- Go to SSL/TLS > Edge Certificates.
- Make sure there is already an active universal or advanced certificate covering the same hostnames.
- Delete your custom certificate.