Portal Community

ssl/listCerts

List all SSL certificates associated with a Cloudflare zone.

When to Use

Configuration

Connection

FieldTypeRequiredDescription
ApiTokenstringrequiredScoped Cloudflare API Token with SSL and Certificates.Read permission. Store in BizFirst Credentials Manager.

Operation Fields

FieldTypeRequiredDescription
ZoneIdstringrequired32-character hexadecimal Zone ID.

Sample Configuration

{
  "resource": "ssl",
  "operation": "listCerts",
  "connection": {
    "ApiToken": "{{ $credentials.cloudflare_ssl_read }}"
  },
  "ZoneId": "023e105f4ecef8ad9ca31a8372d0c353"
}

Validation Errors

CodeConditionResolution
MISSING_API_TOKENApiToken is emptySet the ApiToken credential with SSL and Certificates.Read permission
MISSING_ZONE_IDZoneId is emptyProvide the Zone ID
UNKNOWN_ERRORCloudflare API errorVerify Zone ID and token permissions

Output

Success Port

FieldTypeDescription
certificatesarrayArray of certificate objects for the zone
certificates[].idstringCertificate ID — used in ssl/getCert and ssl/deleteCert
certificates[].hostsarrayHostnames covered by the certificate
certificates[].issuerstringCertificate issuer (e.g., Cloudflare, Let's Encrypt)
certificates[].signaturestringSignature algorithm (e.g., SHA256WithRSA)
certificates[].statusstringCertificate status: active, expired, pending, revoked
certificates[].expiresOnstringISO 8601 expiry timestamp
certificates[].uploadedOnstringISO 8601 upload timestamp

Error Port

On failure, the error port receives an object with code and message.

Sample Output

{
  "certificates": [
    {
      "id": "7b163b7107b945958b4f7c9028872741",
      "hosts": ["example.com", "*.example.com"],
      "issuer": "Cloudflare",
      "signature": "SHA256WithRSA",
      "status": "active",
      "expiresOn": "2027-01-15T00:00:00Z",
      "uploadedOn": "2024-01-15T10:00:00Z"
    }
  ]
}

Expression Reference

ExpressionReturns
{{ $node.ListCerts.output.certificates }}Full array of certificate objects
{{ $node.ListCerts.output.certificates[0].id }}Certificate ID of the first cert
{{ $node.ListCerts.output.certificates[0].expiresOn }}Expiry timestamp of the first cert
{{ $node.ListCerts.output.certificates[0].status }}Status of the first cert

Node Policies & GuardRails

PolicyDetail
Use read-only tokenSSL and Certificates.Read is sufficient — do not over-scope
Store ApiToken in Credentials ManagerNever hardcode the token in configuration JSON
Alert on expiring certificatesAdd a Filter node downstream to find certs where expiresOn is within 30 days; route to an alert node
Check coverage before strict modeVerify the active certificate hosts include all subdomains before calling ssl/setMode with strict
Do not delete active certsBefore calling ssl/deleteCert, confirm the cert has status !== "active" or a replacement is already active

Examples

Example 1: 30-Day Certificate Expiry Alert

Scheduled weekly workflow: (1) Call ssl/listCerts for each production zone. (2) In a Function node, filter certs where expiresOn is within 30 days. (3) For each expiring cert, create a Jira ticket assigned to the platform team. (4) Send a Slack summary of all upcoming expirations.

Example 2: Pre-Strict-Mode Hostname Verification

Before calling ssl/setMode with Mode: "strict": (1) Call ssl/listCerts. (2) Find the active cert with the longest validity. (3) Check that hosts includes all required subdomains. (4) Only proceed with strict mode if all expected hostnames are covered.

Example 3: Certificate Inventory Report

Monthly workflow: loop all zones, call ssl/listCerts for each, and build a consolidated inventory with zone name, cert ID, issuer, expiry, and status. Write the result to a Google Sheet or email it to the security team for compliance records.