Certificate statuses
Certificates statuses show which stage of the issuance process each certificate is in.
When you order a new certificate, either an edge certificate or a certificate used for a custom hostname, its status will move through various stages as it progresses to Cloudflare’s global network:
- Initializing
- Pending Validation
- Pending Issuance
- Pending Deployment
- Active
Once you issue a certificate, it should be in Pending Validation, but change to Active after the validation is completed. If you see any errors, you or your customer may need to take additional actions to validate the certificate.
If you deactivate a certificate, it will become a Deactivating and then an Inactive status.
If you are using a custom certificate and your zone status is Pending or Moved, your certificate may have a status of Holding Deployment.
When your zone becomes active, your custom certificate will deploy automatically (also moving to an Active status).
If your zone is already active when you upload a custom certificate, you will not see this status.
When you create certificates in your staging environment, those staging certificates have their own set of statuses:
- Staging deployment: Similar to Pending Deployment, but for staging certificates.
- Staging active: Similar to Active, but for staging certificates.
- Deactivating: Your staging certificate is in the process of becoming Inactive.
- Inactive: Your staging certificate is not at the edge, but you can deploy it if needed.
When you use client certificates, those client certificates have their own set of statuses:
- Active: The client certificate is active.
- Revoked: The client certificate is revoked.
- Pending Reactivation: The client certificate was revoked, but it is being restored.
- Pending Revocation: The client certificate was active, but it is being revoked.
Monitor a certificate's status in the dashboard at SSL/TLS > Edge Certificates or by using the Get Certificate Pack endpoint.
For more details on certificate validation, refer to Domain Control Validation.
Monitor a certificate's status in the dashboard at SSL/TLS > Custom Hostnames or by using the Custom Hostname Details endpoint.
For more details on certificate validation, refer to Issue and validate certificates.
To view certificates, use openssl or your browser. The command below can be used in advance of your customer pointing the app.example.com hostname to the edge (provided validation was completed).
openssl s_client -servername app.example.com -connect $CNAME_TARGET:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep app.example.com