Portal / Nodes / Cloudflare / ssl/listCerts
ssl/listCerts
List all SSL certificates associated with a Cloudflare zone.
When to Use
- Certificate inventory audit: Enumerate all certificates for a zone to understand what is deployed, who issued it, and when it expires.
- Expiry monitoring: Find certificates expiring within 30 days and feed them into a renewal workflow or alert pipeline.
- Hostname coverage verification: Verify that issued certificates cover all expected hostnames before setting SSL mode to strict.
- Compliance reporting: Produce a certificate inventory report for security audits, listing issuers, status, and expiry dates.
Configuration
Connection
| Field | Type | Required | Description |
ApiToken | string | required | Scoped Cloudflare API Token with SSL and Certificates.Read permission. Store in BizFirst Credentials Manager. |
Operation Fields
| Field | Type | Required | Description |
ZoneId | string | required | 32-character hexadecimal Zone ID. |
Sample Configuration
{
"resource": "ssl",
"operation": "listCerts",
"connection": {
"ApiToken": "{{ $credentials.cloudflare_ssl_read }}"
},
"ZoneId": "023e105f4ecef8ad9ca31a8372d0c353"
}
Validation Errors
| Code | Condition | Resolution |
MISSING_API_TOKEN | ApiToken is empty | Set the ApiToken credential with SSL and Certificates.Read permission |
MISSING_ZONE_ID | ZoneId is empty | Provide the Zone ID |
UNKNOWN_ERROR | Cloudflare API error | Verify Zone ID and token permissions |
Output
Success Port
| Field | Type | Description |
certificates | array | Array of certificate objects for the zone |
certificates[].id | string | Certificate ID — used in ssl/getCert and ssl/deleteCert |
certificates[].hosts | array | Hostnames covered by the certificate |
certificates[].issuer | string | Certificate issuer (e.g., Cloudflare, Let's Encrypt) |
certificates[].signature | string | Signature algorithm (e.g., SHA256WithRSA) |
certificates[].status | string | Certificate status: active, expired, pending, revoked |
certificates[].expiresOn | string | ISO 8601 expiry timestamp |
certificates[].uploadedOn | string | ISO 8601 upload timestamp |
Error Port
On failure, the error port receives an object with code and message.
Sample Output
{
"certificates": [
{
"id": "7b163b7107b945958b4f7c9028872741",
"hosts": ["example.com", "*.example.com"],
"issuer": "Cloudflare",
"signature": "SHA256WithRSA",
"status": "active",
"expiresOn": "2027-01-15T00:00:00Z",
"uploadedOn": "2024-01-15T10:00:00Z"
}
]
}
Expression Reference
| Expression | Returns |
{{ $node.ListCerts.output.certificates }} | Full array of certificate objects |
{{ $node.ListCerts.output.certificates[0].id }} | Certificate ID of the first cert |
{{ $node.ListCerts.output.certificates[0].expiresOn }} | Expiry timestamp of the first cert |
{{ $node.ListCerts.output.certificates[0].status }} | Status of the first cert |
Node Policies & GuardRails
| Policy | Detail |
| Use read-only token | SSL and Certificates.Read is sufficient — do not over-scope |
| Store ApiToken in Credentials Manager | Never hardcode the token in configuration JSON |
| Alert on expiring certificates | Add a Filter node downstream to find certs where expiresOn is within 30 days; route to an alert node |
| Check coverage before strict mode | Verify the active certificate hosts include all subdomains before calling ssl/setMode with strict |
| Do not delete active certs | Before calling ssl/deleteCert, confirm the cert has status !== "active" or a replacement is already active |
Examples
Example 1: 30-Day Certificate Expiry Alert
Scheduled weekly workflow: (1) Call ssl/listCerts for each production zone. (2) In a Function node, filter certs where expiresOn is within 30 days. (3) For each expiring cert, create a Jira ticket assigned to the platform team. (4) Send a Slack summary of all upcoming expirations.
Example 2: Pre-Strict-Mode Hostname Verification
Before calling ssl/setMode with Mode: "strict": (1) Call ssl/listCerts. (2) Find the active cert with the longest validity. (3) Check that hosts includes all required subdomains. (4) Only proceed with strict mode if all expected hostnames are covered.
Example 3: Certificate Inventory Report
Monthly workflow: loop all zones, call ssl/listCerts for each, and build a consolidated inventory with zone name, cert ID, issuer, expiry, and status. Write the result to a Google Sheet or email it to the security team for compliance records.