Portal Community

ssl/deleteCert

Delete an SSL certificate from a Cloudflare zone by its certificate ID.

HTTPS disruption risk: Deleting an active certificate removes HTTPS for all hostnames covered by that certificate. Always verify a replacement certificate is active before deleting the current one. This action is immediate and irreversible.

When to Use

Configuration

Connection

FieldTypeRequiredDescription
ApiTokenstringrequiredScoped Cloudflare API Token with SSL and Certificates.Edit permission. Store in BizFirst Credentials Manager.

Operation Fields

FieldTypeRequiredDescription
ZoneIdstringrequired32-character hexadecimal Zone ID.
CertIdstringrequiredCertificate ID to delete. Resolve via ssl/listCerts — never guess.

Sample Configuration

{
  "resource": "ssl",
  "operation": "deleteCert",
  "connection": {
    "ApiToken": "{{ $credentials.cloudflare_ssl_edit }}"
  },
  "ZoneId": "023e105f4ecef8ad9ca31a8372d0c353",
  "CertId": "7b163b7107b945958b4f7c9028872741"
}

Validation Errors

CodeConditionResolution
MISSING_API_TOKENApiToken is emptySet the ApiToken credential with SSL and Certificates.Edit permission
MISSING_ZONE_IDZoneId is emptyProvide the Zone ID
UNKNOWN_ERRORCertificate not found or access deniedVerify both Zone ID and Cert ID; confirm token has SSL.Edit scope

Output

Success Port

FieldTypeDescription
statusstringdeleted on successful deletion

Error Port

On failure, the error port receives an object with code and message.

Sample Output

{
  "status": "deleted"
}

Expression Reference

ExpressionReturns
{{ $node.DeleteCert.output.status }}"deleted" on success

Node Policies & GuardRails

PolicyDetail
Verify replacement is active before deletingCall ssl/getCert on the replacement certificate and confirm status === "active" before deleting the old one
Always call ssl/getCert before deletionConfirm the cert status and hosts of the target certificate to avoid deleting the wrong cert
Use SSL and Certificates.Edit tokenDeletion requires write permission — a read-only token will fail
Store ApiToken in Credentials ManagerNever hardcode the token in configuration JSON
Log deletion for auditRecord the deleted CertId, zone, timestamp, and initiating workflow to the audit log before calling deleteCert

Examples

Example 1: Renewal Cleanup After New Cert is Active

After ssl/orderCert returns a new certificate and polling confirms it is active: (1) Log the old CertId. (2) Call ssl/deleteCert with the old certificate ID. (3) Update the certificate registry with the new CertId and the deletion timestamp.

Example 2: Expired Certificate Cleanup

Scheduled monthly workflow: (1) Call ssl/listCerts for each zone. (2) Filter certificates with status === "expired". (3) For each expired cert, confirm it is not the only certificate for the zone by checking that at least one active cert covers the same hosts. (4) Call ssl/deleteCert. (5) Log the cleanup.

Example 3: Test Environment Certificate Cleanup

After a test environment is decommissioned: retrieve all certificate IDs stored in the test environment's metadata. For each, confirm status !== "active" (or that no live traffic depends on it). Call ssl/deleteCert and log the result to the environment teardown audit trail.