CustomTrustStore

Source: src/Cloudflare/Acm/CustomTrustStore.ts

A root CA certificate in a zone’s custom origin trust store (/zones/{zone_id}/acm/custom_trust_store). Cloudflare uses the trust store to validate your origin server’s certificate when connecting to the origin (e.g. with Full (strict) SSL and a private CA at the origin).

Requires the Advanced Certificate Manager entitlement on the zone — without it every call fails with the typed AdvancedCertificateManagerRequired (code 1450) error.

The certificate is immutable: there is no update API, so changing the PEM (or the zone) replaces the resource. Trust store certificates carry no ownership markers, so a cold read scans the zone for a certificate with the same PEM body and reports it as Unowned — the engine refuses to take it over unless --adopt (or adopt(true)) is set.

Trust a private root CA for origin pulls

const trustStore = yield* Cloudflare.CustomTrustStore("OriginRootCa", {
  zoneId: zone.zoneId,
  certificate: rootCaPem, // "-----BEGIN CERTIFICATE-----\n..."
});

Load the PEM from a file

const fs = yield* FileSystem.FileSystem;
const pem = yield* fs.readFileString("./certs/root-ca.pem");
yield* Cloudflare.CustomTrustStore("OriginRootCa", {
  zoneId: zone.zoneId,
  certificate: pem,
});
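
Because changing the PEM replaces the resource and existing certificates are matched by PEM body, it helps to tell a whitespace-only edit of the file apart from a real CA change before deploying. The following is an added example, not code from this library: `trustStoreKey` and `planChange` are hypothetical helpers, the sample PEMs are constructed placeholders, and comparing whitespace-stripped base64 bodies is an assumption about what "same PEM body" means.

```typescript
// Added example: hypothetical helpers, not part of the library on this page.
type Plan = "create" | "already-present";

const BLOCK = /-----BEGIN ([A-Z ]+)-----([\s\S]*?)-----END \1-----/g;

// Canonical key for a PEM string: the base64 body of each CERTIFICATE block
// with all whitespace removed, so CRLF/LF and trailing-newline differences
// do not look like a different certificate.
function trustStoreKey(pem: string): string {
  const bodies: string[] = [];
  BLOCK.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = BLOCK.exec(pem)) !== null) {
    // A trust store entry is public material; a key here is a handling mistake.
    if (m[1].indexOf("PRIVATE KEY") !== -1) {
      throw new Error("PEM contains a private key block");
    }
    if (m[1] !== "CERTIFICATE") continue;
    const body = m[2].replace(/\s+/g, "");
    if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(body)) {
      throw new Error("certificate body is not base64");
    }
    bodies.push(body);
  }
  if (bodies.length === 0) throw new Error("no CERTIFICATE block found");
  return bodies.join("\n");
}

// Compare the PEM about to be deployed with PEMs already listed for the zone.
function planChange(desiredPem: string, existingPems: string[]): Plan {
  const want = trustStoreKey(desiredPem);
  for (const pem of existingPems) {
    if (trustStoreKey(pem) === want) return "already-present";
  }
  return "create";
}

// Constructed sample data: placeholder base64, not real certificates.
const rootA =
  "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURURST09U\nQ0FPTkVfXw==\n-----END CERTIFICATE-----\n";
const rootB =
  "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURURST09U\nQ0FUV09fXw==\n-----END CERTIFICATE-----\n";
const rootACrlf = rootA.replace(/\n/g, "\r\n"); // same certificate, Windows line endings
```

An `already-present` result is the situation in which the Unowned and `--adopt` rule described above would come into play; `create` means the deploy adds a new trusted root and deserves review as a trust change.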