Portal / Nodes / Cloudflare / ssl/orderCert
ssl/orderCert
Order a new Cloudflare-managed SSL certificate for a zone.
Async operation: Certificate ordering is asynchronous. The initial response returns a certificateId and status: "pending". Poll ssl/getCert until status === "active" before proceeding with ssl/setMode changes.
When to Use
- New subdomain certificate: When onboarding a new subdomain that requires its own certificate rather than relying on Universal SSL.
- Wildcard certificate provisioning: Order a wildcard certificate covering
*.example.com for a multi-tenant deployment where subdomains are created dynamically.
- Certificate renewal workflow: As part of an automated renewal pipeline, order a new certificate before the current one expires, then delete the old one after the new one is active.
Configuration
Connection
| Field | Type | Required | Description |
ApiToken | string | required | Scoped Cloudflare API Token with SSL and Certificates.Edit permission. Store in BizFirst Credentials Manager. |
Operation Fields
| Field | Type | Required | Description |
ZoneId | string | required | 32-character hexadecimal Zone ID. |
Hosts | array | required | Array of hostnames the certificate should cover. Example: ["example.com", "*.example.com"]. |
RequestType | string | optional | Certificate type: origin-rsa (default), origin-ecc, or keyless-certificate. |
Sample Configuration
{
"resource": "ssl",
"operation": "orderCert",
"connection": {
"ApiToken": "{{ $credentials.cloudflare_ssl_edit }}"
},
"ZoneId": "023e105f4ecef8ad9ca31a8372d0c353",
"Hosts": ["example.com", "*.example.com"],
"RequestType": "origin-rsa"
}
Validation Errors
| Code | Condition | Resolution |
MISSING_API_TOKEN | ApiToken is empty | Set the ApiToken credential with SSL and Certificates.Edit permission |
MISSING_ZONE_ID | ZoneId is empty | Provide the Zone ID |
UNKNOWN_ERROR | Invalid hosts array, plan restriction, or API error | Verify hosts are valid FQDNs covered by the zone; check plan supports the cert type |
Output
Success Port
| Field | Type | Description |
certificateId | string | ID of the ordered certificate — store this for polling via ssl/getCert |
status | string | Initial status: pending (certificate is being issued) |
csr | string | Certificate Signing Request in PEM format |
expiresOn | string | Expected expiry timestamp (ISO 8601) |
Error Port
On failure, the error port receives an object with code and message.
Sample Output
{
"certificateId": "7b163b7107b945958b4f7c9028872741",
"status": "pending",
"csr": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----",
"expiresOn": "2029-05-26T00:00:00Z"
}
Expression Reference
| Expression | Returns |
{{ $node.OrderCert.output.certificateId }} | New certificate ID — persist for polling and future operations |
{{ $node.OrderCert.output.status }} | Initial status (always "pending" on creation) |
{{ $node.OrderCert.output.expiresOn }} | Expected expiry timestamp |
Node Policies & GuardRails
| Policy | Detail |
| Always poll for active status before using the cert | Do not set SSL mode to strict until ssl/getCert returns status === "active" |
| Persist the certificate ID | Store the returned certificateId in a workflow variable or database for the full lifecycle of the certificate |
| Use SSL and Certificates.Edit token | Ordering requires write permission — a read-only token will fail |
| Store ApiToken in Credentials Manager | Never hardcode the token in configuration JSON |
| Do not delete the old cert until new is active | In renewal workflows, keep the old certificate active until the new one is confirmed active |
Examples
Example 1: Full Certificate Lifecycle for New Domain
(1) Call ssl/orderCert with the new domain hosts. (2) Store returned certificateId in a VariableAssignment node. (3) Loop with ssl/getCert (30s Delay between polls) until status is active. (4) Call ssl/setMode with Mode: "strict". (5) Send a Slack notification confirming HTTPS is active.
Example 2: Wildcard Certificate for Multi-Tenant Deployment
During tenant provisioning, check if a wildcard cert for *.tenants.example.com already exists via ssl/listCerts. If not, call ssl/orderCert with Hosts: ["*.tenants.example.com"]. Poll for activation and store the cert ID in the tenant configuration.
Example 3: Automated Certificate Renewal
Scheduled 30-day-before-expiry workflow: (1) Call ssl/orderCert for the same hosts as the expiring cert. (2) Poll until active. (3) Call ssl/deleteCert on the old cert. (4) Log the rotation event with old cert ID, new cert ID, and timestamp.