---
title: TLS Certificates
summary: A TLS certificate is used to terminate TLS traffic for one or more of your <a href="https://www.fastly.com/documentation/reference/api/tls/custom-certs/domains/">TLS domains</a>.
url: https://www.fastly.com/documentation/reference/api/tls/custom-certs/certificates
---

A TLS certificate is used to terminate TLS traffic for one or more of your <a href="https://www.fastly.com/documentation/reference/api/tls/custom-certs/domains/">TLS domains</a>.

## Data model

| Field | Type | Description |
|-------|------|-------------|
| `allow_untrusted_root` | boolean | Indicates that the supplied certificate was not signed by a trusted CA. |
| `cert_blob` | string | The PEM-formatted certificate blob. Required. |
| `name` | string | A customizable name for your certificate. Defaults to the certificate's Common Name or first Subject Alternative Names (SAN) entry. Optional. |
| `relationships.tls_domains.id` | string | The domain name. |
| `type` | string | Resource type. |
| `created_at` | string | Date and time in ISO 8601 format. (Read-only) |
| `deleted_at` | string | Date and time in ISO 8601 format. (Read-only) |
| `id` | string | Alphanumeric string identifying a TLS certificate. (Read-only) |
| `issued_to` | string | The hostname for which a certificate was issued. (Read-only) |
| `issuer` | string | The certificate authority that issued the certificate. (Read-only) |
| `not_after` | string | Time-stamp (GMT) when the certificate will expire. Must be in the future to be used to terminate TLS traffic. (Read-only) |
| `not_before` | string | Time-stamp (GMT) when the certificate will become valid. Must be in the past to be used to terminate TLS traffic. (Read-only) |
| `replace` | boolean | A recommendation from Fastly indicating the key associated with this certificate is in need of rotation. (Read-only) |
| `serial_number` | string | A value assigned by the issuer that is unique to a certificate. (Read-only) |
| `signature_algorithm` | string | The algorithm used to sign the certificate. (Read-only) |
| `updated_at` | string | Date and time in ISO 8601 format. (Read-only) |

## API endpoints

### List TLS certificates

**GET** `/tls/certificates`

List all TLS certificates.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `filter[in_use]` | string | query | No | Optional. Limit the returned certificates to those currently using Fastly to terminate TLS (that is, certificates associated with an activation). Permitted values: `true`, `false`. |
| `filter[not_after]` | string | query | No | Limit the returned certificates to those that expire prior to the specified date in UTC. Accepts parameters: `lte` (e.g., `filter[not_after][lte]=2020-05-05`). |
| `filter[tls_domains.id]` | string | query | No | Limit the returned certificates to those that include the specific domain. |
| `include` | string | query | No | Include related objects. Optional, comma-separated values. Permitted values: `tls_activations`. |
| `page[number]` | integer | query | No | Current page. |
| `page[size]` | integer | query | No | Number of records per page. |
| `sort` | string | query | No | The order in which to list the results. |
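An expiry and rotation audit built on the filters above, as an added example that is not part of the Fastly documentation: it builds the list URL for in-use certificates expiring within a window, then triages a response on `not_after`, `replace` and `allow_untrusted_root`. The JSON:API envelope (`data[].attributes`), the sample certificates and the reason strings are assumptions constructed for illustration; the HTTP request itself is left out.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

API_BASE = "https://api.fastly.com"

def expiring_url(now, days, page=1, size=100):
    """URL listing in-use certificates whose not_after is within `days` of `now`."""
    cutoff = (now + timedelta(days=days)).date().isoformat()
    query = {"filter[in_use]": "true", "filter[not_after][lte]": cutoff,
             "page[number]": page, "page[size]": size}
    return f"{API_BASE}/tls/certificates?" + urlencode(query, safe="[]")

def triage(body, now, warn_days=30):
    """Return [(id, days_left, reasons)] for certificates needing action, soonest first."""
    findings = []
    for item in json.loads(body)["data"]:  # assumed JSON:API envelope
        attrs = item["attributes"]
        expires = datetime.fromisoformat(attrs["not_after"].replace("Z", "+00:00"))
        days_left = (expires - now).days
        reasons = []
        if days_left < 0:
            reasons.append("expired")
        elif days_left <= warn_days:
            reasons.append("expires soon")
        if attrs.get("replace"):  # Fastly recommends rotating the key
            reasons.append("key rotation recommended")
        if attrs.get("allow_untrusted_root"):  # not signed by a trusted CA
            reasons.append("untrusted root")
        if reasons:
            findings.append((item["id"], days_left, reasons))
    return sorted(findings, key=lambda f: f[1])

# Constructed sample response: ids, dates and flags are made up for this example.
def _cert(cert_id, not_after, **flags):
    return {"id": cert_id, "type": "tls_certificate",
            "attributes": {"not_after": not_after, **flags}}

SAMPLE = json.dumps({"data": [
    _cert("CONSTRUCTED-OK", "2025-03-01T00:00:00.000Z", replace=False),
    _cert("CONSTRUCTED-ROTATE", "2025-01-01T00:00:00.000Z", replace=True),
    _cert("CONSTRUCTED-SOON", "2024-06-15T12:00:00.000Z", replace=False),
    _cert("CONSTRUCTED-EXPIRED", "2024-05-20T00:00:00.000Z", allow_untrusted_root=True),
]})
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(expiring_url(NOW, 30))
    for cert_id, days_left, reasons in triage(SAMPLE, NOW):
        print(cert_id, days_left, ", ".join(reasons))
```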

### Create a TLS certificate

**POST** `/tls/certificates`

Create a TLS certificate.

### Get a TLS certificate

**GET** `/tls/certificates/{tls_certificate_id}`

Show a TLS certificate.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `tls_certificate_id` | string | path | Yes | Alphanumeric string identifying a TLS certificate. |

### Delete a TLS certificate

**DELETE** `/tls/certificates/{tls_certificate_id}`

Destroy a TLS certificate. TLS certificates already enabled for a domain cannot be destroyed.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `tls_certificate_id` | string | path | Yes | Alphanumeric string identifying a TLS certificate. |

### Update a TLS certificate

**PATCH** `/tls/certificates/{tls_certificate_id}`

Replace a TLS certificate with a newly reissued TLS certificate, or update a TLS certificate's name. When replacing a TLS certificate, the new certificate must contain all of the SAN entries of the current certificate: its SAN list must either match exactly or be a superset.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `tls_certificate_id` | string | path | Yes | Alphanumeric string identifying a TLS certificate. |

### Get a TLS certificate blob (Limited Availability)

**GET** `/tls/certificates/{tls_certificate_id}/blob`

Retrieve a TLS certificate blob. This feature is part of a <a href="https://docs.fastly.com/products/fastly-product-lifecycle#limited-availability">limited availability</a> release.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `tls_certificate_id` | string | path | Yes | Alphanumeric string identifying a TLS certificate. |

