AutoSSL

Overview

AutoSSL can automatically upload SSL certificate files to a Cloudflare R2 bucket. Each certificate is archived under a versioned archive path and also updated under a latest/ path for easy discovery by downstream consumers (e.g., Nginx, Caddy, or custom scripts that pull certificates from R2).

Cloudflare R2 is S3-compatible and charges no egress fees, making it an ideal low-cost alternative for storing and distributing certificates.

For instructions on how to manage and run this deployment, please refer to the Deployment Management section.

Configuration Parameters

When you add or edit this deployment target in the AutoSSL console, you will need to configure the following parameters:

Parameter	Description	Example
Account ID	Your Cloudflare Account ID. Found in the Cloudflare dashboard URL or on the Workers & Pages overview page.	`a1b2c3d4e5f6...`
Bucket Name	The name of the R2 bucket to upload certificate files to.	`my-ssl-certs`
Object Key Prefix	(Optional) A prefix for organizing certificate files in the bucket. If set, files will be uploaded under this prefix. Trailing slash is optional.	`certs/example.com/`

How it Works

When AutoSSL deploys a certificate to a Cloudflare R2 bucket (e.g., my-ssl-certs with prefix certs/example.com/), it performs the following steps:

Certificate Preparation:
- Splits the full certificate chain into individual PEM files: cert.pem (leaf certificate), privkey.pem (private key, PKCS#8 encoded), chain.pem (intermediate chain), and fullchain.pem (full chain).
- Generates a README.md file with certificate metadata and a link to https://autossl.dev for traceability.
- Parses the certificate notBefore date and SHA1 fingerprint to generate an archive directory name (format: YYYY-MM-DD_<first 8 chars of SHA1>).
File Upload:
- Uploads certificate files (four PEM files and README.md) to two paths in the bucket:
  - Archive path — certs/example.com/2026-05-30_e5f6a7b8/cert.pem (and privkey.pem, chain.pem, fullchain.pem, README.md). This path is unique per certificate issuance and is never overwritten.
  - Latest path — certs/example.com/latest/cert.pem (and privkey.pem, chain.pem, fullchain.pem, README.md). This path always reflects the most recently uploaded certificate.

The latest/ path allows downstream services to always fetch the current certificate from a fixed R2 key. Historical certificates remain accessible under their versioned archive directories.

Example Bucket Structure

After multiple certificate renewals, your bucket structure will look like this:

certs/example.com/
├── 2026-03-01_a1b2c3d4/
│   ├── cert.pem
│   ├── privkey.pem
│   ├── chain.pem
│   ├── fullchain.pem
│   └── README.md
├── 2026-05-30_e5f6a7b8/
│   ├── cert.pem
│   ├── privkey.pem
│   ├── chain.pem
│   ├── fullchain.pem
│   └── README.md
└── latest/
    ├── cert.pem
    ├── privkey.pem
    ├── chain.pem
    ├── fullchain.pem
    └── README.md

Private Key Format

privkey.pem is encoded in PKCS#8 format (-----BEGIN PRIVATE KEY-----). This format is widely supported by modern web servers and tools (Nginx, Caddy, Traefik, OpenSSL 1.1+, etc.).

If your environment requires PKCS#1 format (e.g. -----BEGIN RSA PRIVATE KEY----- for RSA keys), convert it locally before use:

openssl rsa -in privkey.pem -out privkey-pkcs1.pem

Access Key Requirement

To interact with the Cloudflare R2 API, this provider requires a Cloudflare R2 Access Key.

Required Permissions

The R2 API Token must have the Object Read & Write permission on the target bucket.

To create an R2-specific API Token with the correct permissions:

Go to Cloudflare Dashboard → R2 Object Storage → Manage R2 API Tokens.
Click Create API token.
Set Permissions to Object Read & Write.
(Optional) Restrict the token to a specific bucket by setting Specify bucket(s) to your target bucket name.
Click Create API Token and copy the Access Key ID and Secret Access Key.

For more information, refer to the Cloudflare R2 API Token documentation.

Cloudflare R2