Portal / Nodes / Cloudflare / ssl/getCert
ssl/getCert
Retrieve full details for a specific SSL certificate by its certificate ID.
When to Use
- Status polling after ordering: After ssl/orderCert, poll ssl/getCert to check when status changes from
pending to active before proceeding.
- Expiry check for a known cert: Retrieve a specific certificate to confirm its
expiresOn date as part of a renewal workflow.
- Audit report detail: Retrieve a certificate to include full issuer, hostname, and CSR data in an infrastructure audit report.
- Pre-delete verification: Confirm a certificate's status and hosts before calling ssl/deleteCert to ensure you are deleting the correct cert.
Configuration
Connection
| Field | Type | Required | Description |
ApiToken | string | required | Scoped Cloudflare API Token with SSL and Certificates.Read permission. Store in BizFirst Credentials Manager. |
Operation Fields
| Field | Type | Required | Description |
ZoneId | string | required | 32-character hexadecimal Zone ID. |
CertId | string | required | Certificate ID. Obtain from ssl/listCerts or ssl/orderCert output. |
Sample Configuration
{
"resource": "ssl",
"operation": "getCert",
"connection": {
"ApiToken": "{{ $credentials.cloudflare_ssl_read }}"
},
"ZoneId": "023e105f4ecef8ad9ca31a8372d0c353",
"CertId": "7b163b7107b945958b4f7c9028872741"
}
Validation Errors
| Code | Condition | Resolution |
MISSING_API_TOKEN | ApiToken is empty | Set the ApiToken credential with SSL and Certificates.Read permission |
MISSING_ZONE_ID | ZoneId is empty | Provide the Zone ID |
UNKNOWN_ERROR | Certificate not found or access denied | Verify both Zone ID and Cert ID are correct |
Output
Success Port
| Field | Type | Description |
id | string | Certificate ID |
hosts | array | Hostnames covered by the certificate |
issuer | string | Certificate issuer |
signature | string | Signature algorithm |
status | string | active, expired, pending, or revoked |
expiresOn | string | ISO 8601 expiry timestamp |
uploadedOn | string | ISO 8601 upload timestamp |
csr | string | Certificate Signing Request (PEM format) if available |
Error Port
On failure, the error port receives an object with code and message.
Sample Output
{
"id": "7b163b7107b945958b4f7c9028872741",
"hosts": ["example.com", "*.example.com"],
"issuer": "Cloudflare",
"signature": "SHA256WithRSA",
"status": "active",
"expiresOn": "2027-01-15T00:00:00Z",
"uploadedOn": "2024-01-15T10:00:00Z",
"csr": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----"
}
Expression Reference
| Expression | Returns |
{{ $node.GetCert.output.status }} | Certificate status string |
{{ $node.GetCert.output.expiresOn }} | Expiry timestamp |
{{ $node.GetCert.output.hosts }} | Array of covered hostnames |
{{ $node.GetCert.output.issuer }} | Certificate issuer string |
Node Policies & GuardRails
| Policy | Detail |
| Use read-only token | SSL and Certificates.Read is sufficient for this operation |
| Store ApiToken in Credentials Manager | Never hardcode the token in configuration JSON |
| Resolve Cert ID from ssl/listCerts | Never hard-code a certificate ID — always resolve it dynamically from ssl/listCerts |
| Poll with backoff during ordering | If polling after ssl/orderCert, use a Delay node between retries to avoid hammering the API |
| Verify before deletion | Always call ssl/getCert before ssl/deleteCert to confirm the correct certificate is targeted |
Examples
Example 1: Post-Order Status Polling
After ssl/orderCert, store the returned CertId in a variable. In a Loop node, call ssl/getCert every 30 seconds (using a Delay node). When status === "active", exit the loop and proceed to ssl/setMode with Mode: "strict".
Example 2: Expiry Check for Specific Certificate
Retrieve a specific certificate from the database record (where CertId is stored). Call ssl/getCert and calculate days until expiry from expiresOn. If less than 30 days, trigger a renewal workflow and send a PagerDuty alert.
Example 3: Audit Detail Extraction
Monthly compliance workflow: for each active certificate returned by ssl/listCerts, call ssl/getCert to retrieve the full CSR and issuer details. Compile the results into a JSON structure and upload to the compliance document store in S3.