Portal / Nodes / Cloudflare / ssl/deleteCert
ssl/deleteCert
Delete an SSL certificate from a Cloudflare zone by its certificate ID.
HTTPS disruption risk: Deleting an active certificate removes HTTPS for all hostnames covered by that certificate. Always verify a replacement certificate is active before deleting the current one. This action is immediate and irreversible.
When to Use
- Post-renewal cleanup: After a new certificate has been ordered and confirmed active via ssl/getCert, delete the old (expired or superseded) certificate.
- Expired certificate removal: Remove certificates with
status: "expired" from zones where expired certs are causing confusion or audit issues.
- Test certificate cleanup: Delete certificates ordered during testing or development that are no longer needed.
Configuration
Connection
| Field | Type | Required | Description |
ApiToken | string | required | Scoped Cloudflare API Token with SSL and Certificates.Edit permission. Store in BizFirst Credentials Manager. |
Operation Fields
| Field | Type | Required | Description |
ZoneId | string | required | 32-character hexadecimal Zone ID. |
CertId | string | required | Certificate ID to delete. Resolve via ssl/listCerts — never guess. |
Sample Configuration
{
"resource": "ssl",
"operation": "deleteCert",
"connection": {
"ApiToken": "{{ $credentials.cloudflare_ssl_edit }}"
},
"ZoneId": "023e105f4ecef8ad9ca31a8372d0c353",
"CertId": "7b163b7107b945958b4f7c9028872741"
}
Validation Errors
| Code | Condition | Resolution |
MISSING_API_TOKEN | ApiToken is empty | Set the ApiToken credential with SSL and Certificates.Edit permission |
MISSING_ZONE_ID | ZoneId is empty | Provide the Zone ID |
UNKNOWN_ERROR | Certificate not found or access denied | Verify both Zone ID and Cert ID; confirm token has SSL.Edit scope |
Output
Success Port
| Field | Type | Description |
status | string | deleted on successful deletion |
Error Port
On failure, the error port receives an object with code and message.
Sample Output
{
"status": "deleted"
}
Expression Reference
| Expression | Returns |
{{ $node.DeleteCert.output.status }} | "deleted" on success |
Node Policies & GuardRails
| Policy | Detail |
| Verify replacement is active before deleting | Call ssl/getCert on the replacement certificate and confirm status === "active" before deleting the old one |
| Always call ssl/getCert before deletion | Confirm the cert status and hosts of the target certificate to avoid deleting the wrong cert |
| Use SSL and Certificates.Edit token | Deletion requires write permission — a read-only token will fail |
| Store ApiToken in Credentials Manager | Never hardcode the token in configuration JSON |
| Log deletion for audit | Record the deleted CertId, zone, timestamp, and initiating workflow to the audit log before calling deleteCert |
Examples
Example 1: Renewal Cleanup After New Cert is Active
After ssl/orderCert returns a new certificate and polling confirms it is active: (1) Log the old CertId. (2) Call ssl/deleteCert with the old certificate ID. (3) Update the certificate registry with the new CertId and the deletion timestamp.
Example 2: Expired Certificate Cleanup
Scheduled monthly workflow: (1) Call ssl/listCerts for each zone. (2) Filter certificates with status === "expired". (3) For each expired cert, confirm it is not the only certificate for the zone by checking that at least one active cert covers the same hosts. (4) Call ssl/deleteCert. (5) Log the cleanup.
Example 3: Test Environment Certificate Cleanup
After a test environment is decommissioned: retrieve all certificate IDs stored in the test environment's metadata. For each, confirm status !== "active" (or that no live traffic depends on it). Call ssl/deleteCert and log the result to the environment teardown audit trail.