Cloudflare DevelopersCD
Cloudflare Developers3mo ago
Rubenator

Create Origin Cert via API -- do I need a CSR? Seems like I shouldn't.

I've tried both using an API key and with an Origin CA service key...
But in both instances, it is coming back saying CSR parsed as empty, despite it being an optional field?
Is there not a way to do this without generating a CSR manually in my script?

https://developers.cloudflare.com/api/resources/origin_ca_certificates/

Here's one using Origin CA key
CF_API_BASE = "https://api.cloudflare.com/client/v4"

load_dotenv()
ORIGIN_CA_KEY = os.getenv("ORIGIN_CA_KEY")

def get_headers(origin_ca_key):
    return {
        "X-Auth-User-Service-Key": origin_ca_key,
        "Content-Type": "application/json",
    }

def issue_origin_ca_cert(origin_ca_key, domains):
    url = f"{CF_API_BASE}/certificates"
    payload = {
        "hostnames": domains,
        "requested_validity": 5475,
        "request_type": "origin-rsa"
    }
    resp = requests.post(url, json=payload, headers=get_headers(origin_ca_key))
    if resp.status_code != 200:
        print(f"[ERROR] Cloudflare API error (issue origin ca cert): {resp.text}")
        return None, None, None
    result = resp.json()["result"]
    return result["certificate"], result["private_key"], result.get("id", "new")


[INFO] Starting process for 1 domain(s).
[ACTION] Issuing new origin ca cert for redacated.com and *.redacated.com...
[ERROR] Cloudflare API error (issue origin ca cert): {"success":false,"messages":[],"errors":[{"code":1007,"message":"CSR parsed as empty"}],"result":{},"result_info":{"count":0,"total_count":0}}
[ERROR] Could not create or save new origin ca cert for redacated.com.
[INFO] Done.
Was this page helpful?