Set up authenticated origin pulls
To set up authenticated origin pulls - which help ensure requests to your origin server come from the Cloudflare network - choose whether to enable them on all hostnames in your zone or on a per-hostname basis.
Other situations
Use specialized certificates
To apply different client certificates simultaneously at both the zone and hostname level, you can combine zone-level and per-hostname custom certificates.
First set up zone-level pulls using a certificate. Then, upload multiple, specialized certificates for individual hostnames.
Delete a certificate
Client certificates are not deleted from Cloudflare upon expiration unless a delete or replace request is sent to the Cloudflare API.
However, requests are dropped at your origin if your origin only accepts a valid client certificate.
Replace a client cert (without downtime)
For hostname:
For global:
Once certificate is active, delete the previous certificate.