Setup

Geo Key Manager v2 Beta

Note

Geo Key Manager v2 is only available through the Cloudflare API.

Geo Key Manager v2 gives customers flexibility when choosing the geographical boundaries of where their keys are stored.

Using the policy field, customers can define policies containing allow and block lists of countries or regions where the private key should be stored.

To use Geo Key Manager v2 with the API, generally, follow the steps to upload a custom certificate.

When sending the POST request, include the policy parameter to define policies containing allow and block lists of countries or regions where the private key should be stored.

Note

You also have access to the geo_restrictions parameter, which is mutually exclusive with the policy parameter and is part of Geo Key Manager v1.

Examples

Store private keys in the E.U. and the U.S.

curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "certificate":"certificate",
  "private_key":"<PRIVATE_KEY>",
  "policy":"(country: US) and (region: EU)",
  "type": "sni_custom"
}'

Store private keys in the E.U., but not in France

curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates" \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data '{
  "certificate":"certificate",
  "private_key":"<PRIVATE_KEY>",
  "policy":"(region: EU) and (not country: FR)",
  "type": "sni_custom"
}'

Note

For more information on the policy field, refer to Supported options.

Geo Key Manager v1

The first version of Geo Key Manager supports 3 regions: U.S., E.U., and a set of High Security Data Centers. If you would like to restrict your private key to another country or region, apply for the closed beta ↗ of the new version.

Dashboard

To use Geo Key Manager in the dashboard:

1. Follow the steps to upload a custom certificate.
2. For Private Key Restriction, choose one of the following options:
   • Distribute to all Cloudflare data centers (optimal performance)
   • Distribute only to U.S. data centers
   • Distribute only to E.U. data centers
   • Distribute only to highest security data centers (more details)
3. Select Upload Custom Certificate.

API

To use Geo Key Manager with the API, generally, follow the steps to upload a custom certificate.

When sending the POST request, include the geo_restrictions parameter set to one of the following options:

• us
• eu
• highest_security(more details)