Portal Community

ssl/getCert

Retrieve full details for a specific SSL certificate by its certificate ID.

When to Use

Configuration

Connection

FieldTypeRequiredDescription
ApiTokenstringrequiredScoped Cloudflare API Token with SSL and Certificates.Read permission. Store in BizFirst Credentials Manager.

Operation Fields

FieldTypeRequiredDescription
ZoneIdstringrequired32-character hexadecimal Zone ID.
CertIdstringrequiredCertificate ID. Obtain from ssl/listCerts or ssl/orderCert output.

Sample Configuration

{
  "resource": "ssl",
  "operation": "getCert",
  "connection": {
    "ApiToken": "{{ $credentials.cloudflare_ssl_read }}"
  },
  "ZoneId": "023e105f4ecef8ad9ca31a8372d0c353",
  "CertId": "7b163b7107b945958b4f7c9028872741"
}

Validation Errors

CodeConditionResolution
MISSING_API_TOKENApiToken is emptySet the ApiToken credential with SSL and Certificates.Read permission
MISSING_ZONE_IDZoneId is emptyProvide the Zone ID
UNKNOWN_ERRORCertificate not found or access deniedVerify both Zone ID and Cert ID are correct

Output

Success Port

FieldTypeDescription
idstringCertificate ID
hostsarrayHostnames covered by the certificate
issuerstringCertificate issuer
signaturestringSignature algorithm
statusstringactive, expired, pending, or revoked
expiresOnstringISO 8601 expiry timestamp
uploadedOnstringISO 8601 upload timestamp
csrstringCertificate Signing Request (PEM format) if available

Error Port

On failure, the error port receives an object with code and message.

Sample Output

{
  "id": "7b163b7107b945958b4f7c9028872741",
  "hosts": ["example.com", "*.example.com"],
  "issuer": "Cloudflare",
  "signature": "SHA256WithRSA",
  "status": "active",
  "expiresOn": "2027-01-15T00:00:00Z",
  "uploadedOn": "2024-01-15T10:00:00Z",
  "csr": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----"
}

Expression Reference

ExpressionReturns
{{ $node.GetCert.output.status }}Certificate status string
{{ $node.GetCert.output.expiresOn }}Expiry timestamp
{{ $node.GetCert.output.hosts }}Array of covered hostnames
{{ $node.GetCert.output.issuer }}Certificate issuer string

Node Policies & GuardRails

PolicyDetail
Use read-only tokenSSL and Certificates.Read is sufficient for this operation
Store ApiToken in Credentials ManagerNever hardcode the token in configuration JSON
Resolve Cert ID from ssl/listCertsNever hard-code a certificate ID — always resolve it dynamically from ssl/listCerts
Poll with backoff during orderingIf polling after ssl/orderCert, use a Delay node between retries to avoid hammering the API
Verify before deletionAlways call ssl/getCert before ssl/deleteCert to confirm the correct certificate is targeted

Examples

Example 1: Post-Order Status Polling

After ssl/orderCert, store the returned CertId in a variable. In a Loop node, call ssl/getCert every 30 seconds (using a Delay node). When status === "active", exit the loop and proceed to ssl/setMode with Mode: "strict".

Example 2: Expiry Check for Specific Certificate

Retrieve a specific certificate from the database record (where CertId is stored). Call ssl/getCert and calculate days until expiry from expiresOn. If less than 30 days, trigger a renewal workflow and send a PagerDuty alert.

Example 3: Audit Detail Extraction

Monthly compliance workflow: for each active certificate returned by ssl/listCerts, call ssl/getCert to retrieve the full CSR and issuer details. Compile the results into a JSON structure and upload to the compliance document store in S3.