Skip to content
Alchemy
GitHubXDiscord

CertificatePack

Certificate Pack

Section titled “Certificate Pack”

The Certificate Pack resource lets you create and manage Cloudflare Advanced Certificate Packs for flexible SSL/TLS certificates with multiple Certificate Authority options.

Important Requirements:

  • Advanced Certificate Manager (ACM) must be activated: Before using Certificate Packs, you must activate ACM in your Cloudflare dashboard. Navigate to your domain > SSL/TLS > Edge Certificates and click Activate for Advanced Certificate Manager. This requires a $10/month subscription per domain.
  • Requires a paid Cloudflare plan (not available on Free plans)
  • Certificate provisioning can take up to 10 minutes
  • Most properties are immutable after creation (only cloudflareBranding can be updated)

Basic Example

Section titled “Basic Example”

Create a basic certificate pack with Let’s Encrypt for your domain.

import { Zone, CertificatePack } from "alchemy/cloudflare";


const zone = await Zone("my-zone", {
  name: "example.com",
});


const basicCert = await CertificatePack("my-cert", {
  zone: zone,
  certificateAuthority: "lets_encrypt",
  hosts: ["example.com", "www.example.com"],
  validationMethod: "txt",
  validityDays: 90,
});

Enterprise Certificate with Google Trust Services

Section titled “Enterprise Certificate with Google Trust Services”

Create an enterprise-grade certificate with Google Trust Services and Cloudflare branding.

const enterpriseCert = await CertificatePack("enterprise-cert", {
  zone: "example.com", // Can use zone ID string or Zone resource
  certificateAuthority: "google",
  hosts: ["example.com", "*.example.com", "api.example.com"],
  validationMethod: "txt",
  validityDays: 365,
  cloudflareBranding: true,
});

Wildcard Certificate with SSL.com

Section titled “Wildcard Certificate with SSL.com”

Create a wildcard certificate using SSL.com with email validation.

const wildcardCert = await CertificatePack("wildcard-cert", {
  zone: myZone,
  certificateAuthority: "ssl_com",
  hosts: ["example.com", "*.example.com"],
  validationMethod: "email",
  validityDays: 365,
});

Multi-Domain Certificate

Section titled “Multi-Domain Certificate”

Create a certificate covering multiple subdomains with Let’s Encrypt.

const multiDomainCert = await CertificatePack("multi-cert", {
  zone: "example.com",
  certificateAuthority: "lets_encrypt",
  hosts: [
    "example.com",
    "www.example.com",
    "api.example.com",
    "admin.example.com",
    "blog.example.com"
  ],
  validationMethod: "http",
  validityDays: 90,
});

Properties

Section titled “Properties”
PropertyTypeRequiredDescription
zonestring | ZoneYesZone resource or zone ID where the certificate will be created
certificateAuthority"google" | "lets_encrypt" | "ssl_com"YesCertificate Authority to use for issuing the certificate
hostsstring[]YesList of hostnames (max 50, must include zone apex)
validationMethod"txt" | "http" | "email"YesDomain ownership validation method
validityDays14 | 30 | 90 | 365YesCertificate validity period in days
cloudflareBrandingbooleanNoAdd Cloudflare branding subdomain as Common Name (default: false)
type"advanced"NoCertificate type (only “advanced” supported, default: “advanced”)
deletebooleanNoWhether to delete the certificate pack on destroy (default: true)

Certificate Authorities

Section titled “Certificate Authorities”

Let’s Encrypt (lets_encrypt)

Section titled “Let’s Encrypt (lets_encrypt)”
  • Cost: Free
  • Best for: Basic SSL needs, development environments
  • Validity: Shorter periods (14, 30, 90 days)
  • Features: Standard domain validation

Google Trust Services (google)

Section titled “Google Trust Services (google)”
  • Cost: Paid
  • Best for: Enterprise applications, production environments
  • Validity: Up to 365 days
  • Features: Enhanced validation, enterprise support

SSL.com (ssl_com)

Section titled “SSL.com (ssl_com)”
  • Cost: Commercial
  • Best for: Commercial applications requiring extended validation
  • Validity: Up to 365 days
  • Features: Extended validation options, commercial support

Validation Methods

Section titled “Validation Methods”

TXT Record (txt)

Section titled “TXT Record (txt)”
  • Add DNS TXT record to prove domain ownership
  • Most reliable method for automation
  • Works with all domain configurations

HTTP File (http)

Section titled “HTTP File (http)”
  • Upload verification file to domain’s web server
  • Requires web server access
  • Good for domains with existing websites

Email (email)

Section titled “Email (email)”
  • Receive validation email at admin addresses
  • Requires access to domain admin email
  • Manual validation process

Important Notes

Section titled “Important Notes”

Immutable Properties

Section titled “Immutable Properties”

Most certificate pack properties cannot be changed after creation. To modify these properties, you must delete and recreate the certificate pack:

  • Certificate Authority (certificateAuthority)
  • Hostnames (hosts)
  • Validation Method (validationMethod)
  • Validity Period (validityDays)
  • Type (type)

Updateable Properties

Section titled “Updateable Properties”

Only cloudflareBranding can be updated after creation:

// Update to enable Cloudflare branding
const updatedCert = await CertificatePack("my-cert", {
  zone: zone,
  certificateAuthority: "lets_encrypt", // Must match original
  hosts: ["example.com", "www.example.com"], // Must match original
  validationMethod: "txt", // Must match original
  validityDays: 90, // Must match original
  cloudflareBranding: true, // Only this can change
});

Host Requirements

Section titled “Host Requirements”
  • Maximum 50 hostnames per certificate pack
  • Must include the zone apex (root domain)
  • Supports wildcards (e.g., *.example.com)
  • Cannot be empty

Provisioning Time

Section titled “Provisioning Time”
  • Certificate packs take time to provision and become active
  • Full deployment can take up to 10 minutes
  • Monitor the status property to track progress

Subscription Requirements

Section titled “Subscription Requirements”

Advanced Certificate Packs require a paid Cloudflare plan. Free plans cannot create certificate packs and will receive subscription-related errors.

Status Values

Section titled “Status Values”

Certificate packs progress through various status values during their lifecycle:

  • initializing - Certificate pack creation in progress
  • pending_validation - Waiting for domain validation
  • pending_issuance - Certificate being issued by CA
  • pending_deployment - Certificate being deployed to edge
  • active - Certificate is live and serving traffic
  • expired - Certificate has expired
  • deleted - Certificate pack has been deleted

Error states include *_timed_out variants when operations exceed time limits.

Helper Functions

Section titled “Helper Functions”

Wait for Certificate to Become Active

Section titled “Wait for Certificate to Become Active”
import { waitForCertificatePackActive } from "alchemy/cloudflare/certificate-pack";


// Wait for certificate to become active (up to 10 minutes)
const finalStatus = await waitForCertificatePackActive(
  api,
  zone.id,
  certificatePack.id,
  10 * 60 * 1000 // 10 minutes timeout
);


console.log(`Certificate pack is now: ${finalStatus}`);