OriginTlsClientAuthHostnameCertificate

Source: src/Cloudflare/OriginTlsClientAuth/HostnameCertificate.ts

A per-hostname Authenticated Origin Pulls (AOP) client certificate (/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates).

Uploads a client certificate that Cloudflare presents to your origin for specific hostnames. Hostnames opt in by referencing the certificate from an OriginTlsClientAuthHostnameAssociation, which pins the certificate and enables hostname-level AOP.

Certificates are immutable: there is no update API, so changing any property triggers a replacement. Deployment is asynchronous — the certificate starts in pending_deployment and becomes active within a few minutes; deletion likewise passes through pending_deletion.

const cert = yield* Cloudflare.OriginTlsClientAuthHostnameCertificate("AopHostCert", {
  zoneId: zone.zoneId,
  certificate: clientCertPem,
  privateKey: alchemy.secret.env.AOP_CLIENT_KEY,
});

const cert = yield* Cloudflare.OriginTlsClientAuthHostnameCertificate("AopHostCert", {
  zoneId: zone.zoneId,
  certificate: clientCertPem,
  privateKey: alchemy.secret.env.AOP_CLIENT_KEY,
});
yield* Cloudflare.OriginTlsClientAuthHostnameAssociation("AopHost", {
  zoneId: zone.zoneId,
  hostname: "api.example.com",
  certId: cert.certificateId,
  enabled: true,
});
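
Because deployment is asynchronous, a step that depends on the certificate being live should gate on the active status and fail closed on anything else. The sketch below is an added example, not code from this project or from Cloudflare: decide, waitUntilActive, getStatus and sleep are hypothetical names, and how the status is read is left to the caller.

```typescript
// Added example. All names here are hypothetical helpers, not a real API.
type Decision =
  | { action: "proceed" }
  | { action: "wait"; retryInMs: number }
  | { action: "abort"; reason: string };

interface PollOptions { timeoutMs: number; baseDelayMs: number; maxDelayMs: number }

// Pure decision step: maps one observed certificate status to the next action.
// Only the three statuses named on this page are recognised; any other value
// is treated as unexpected and aborts (fail closed).
function decide(status: string, attempt: number, elapsedMs: number, o: PollOptions): Decision {
  if (status === "active") return { action: "proceed" };
  if (status === "pending_deletion")
    return { action: "abort", reason: "certificate is being deleted" };
  if (status !== "pending_deployment")
    return { action: "abort", reason: "unexpected status: " + status };
  // Exponential backoff, capped, and never sleeping past the deadline.
  const delay = Math.min(o.baseDelayMs * Math.pow(2, attempt), o.maxDelayMs);
  if (elapsedMs + delay > o.timeoutMs)
    return { action: "abort", reason: "timed out waiting for deployment" };
  return { action: "wait", retryInMs: delay };
}

// Polls until the certificate is active and returns the number of status reads.
// Throws on abort. Elapsed time is the sum of sleeps, so request latency is
// not counted against the timeout.
async function waitUntilActive(
  getStatus: () => Promise<string>,
  sleep: (ms: number) => Promise<void>,
  o: PollOptions,
): Promise<number> {
  let elapsedMs = 0;
  for (let attempt = 0; ; attempt++) {
    const d = decide(await getStatus(), attempt, elapsedMs, o);
    if (d.action === "proceed") return attempt + 1;
    if (d.action === "abort") throw new Error(d.reason);
    await sleep(d.retryInMs);
    elapsedMs += d.retryInMs;
  }
}
```
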