Portal Community

ssl/orderCert

Order a new Cloudflare-managed SSL certificate for a zone.

Async operation: Certificate ordering is asynchronous. The initial response returns a certificateId and status: "pending". Poll ssl/getCert until status === "active" before proceeding with ssl/setMode changes.

When to Use

Configuration

Connection

FieldTypeRequiredDescription
ApiTokenstringrequiredScoped Cloudflare API Token with SSL and Certificates.Edit permission. Store in BizFirst Credentials Manager.

Operation Fields

FieldTypeRequiredDescription
ZoneIdstringrequired32-character hexadecimal Zone ID.
HostsarrayrequiredArray of hostnames the certificate should cover. Example: ["example.com", "*.example.com"].
RequestTypestringoptionalCertificate type: origin-rsa (default), origin-ecc, or keyless-certificate.

Sample Configuration

{
  "resource": "ssl",
  "operation": "orderCert",
  "connection": {
    "ApiToken": "{{ $credentials.cloudflare_ssl_edit }}"
  },
  "ZoneId": "023e105f4ecef8ad9ca31a8372d0c353",
  "Hosts": ["example.com", "*.example.com"],
  "RequestType": "origin-rsa"
}

Validation Errors

CodeConditionResolution
MISSING_API_TOKENApiToken is emptySet the ApiToken credential with SSL and Certificates.Edit permission
MISSING_ZONE_IDZoneId is emptyProvide the Zone ID
UNKNOWN_ERRORInvalid hosts array, plan restriction, or API errorVerify hosts are valid FQDNs covered by the zone; check plan supports the cert type

Output

Success Port

FieldTypeDescription
certificateIdstringID of the ordered certificate — store this for polling via ssl/getCert
statusstringInitial status: pending (certificate is being issued)
csrstringCertificate Signing Request in PEM format
expiresOnstringExpected expiry timestamp (ISO 8601)

Error Port

On failure, the error port receives an object with code and message.

Sample Output

{
  "certificateId": "7b163b7107b945958b4f7c9028872741",
  "status": "pending",
  "csr": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----",
  "expiresOn": "2029-05-26T00:00:00Z"
}

Expression Reference

ExpressionReturns
{{ $node.OrderCert.output.certificateId }}New certificate ID — persist for polling and future operations
{{ $node.OrderCert.output.status }}Initial status (always "pending" on creation)
{{ $node.OrderCert.output.expiresOn }}Expected expiry timestamp

Node Policies & GuardRails

PolicyDetail
Always poll for active status before using the certDo not set SSL mode to strict until ssl/getCert returns status === "active"
Persist the certificate IDStore the returned certificateId in a workflow variable or database for the full lifecycle of the certificate
Use SSL and Certificates.Edit tokenOrdering requires write permission — a read-only token will fail
Store ApiToken in Credentials ManagerNever hardcode the token in configuration JSON
Do not delete the old cert until new is activeIn renewal workflows, keep the old certificate active until the new one is confirmed active

Examples

Example 1: Full Certificate Lifecycle for New Domain

(1) Call ssl/orderCert with the new domain hosts. (2) Store returned certificateId in a VariableAssignment node. (3) Loop with ssl/getCert (30s Delay between polls) until status is active. (4) Call ssl/setMode with Mode: "strict". (5) Send a Slack notification confirming HTTPS is active.

Example 2: Wildcard Certificate for Multi-Tenant Deployment

During tenant provisioning, check if a wildcard cert for *.tenants.example.com already exists via ssl/listCerts. If not, call ssl/orderCert with Hosts: ["*.tenants.example.com"]. Poll for activation and store the cert ID in the tenant configuration.

Example 3: Automated Certificate Renewal

Scheduled 30-day-before-expiry workflow: (1) Call ssl/orderCert for the same hosts as the expiring cert. (2) Poll until active. (3) Call ssl/deleteCert on the old cert. (4) Log the rotation event with old cert ID, new cert ID, and timestamp.