Cloudflare Docs
Learning Paths
Edit this page on GitHub
Set theme to dark (⇧+D)

SSL / TLS

  2 min read

Cloudflare offers a range of SSL/TLS options. By default, Cloudflare offers Universal SSL to all domains, but there are many other options available. Cloudflare offers SSL/TLS for free because we believe it is the right thing to do. Encryption is foundational to the Internet because it prevents data from being manipulated.

  1. Universal SSL: This option covers basic encryption requirements and certificate management needs.

  2. Foundation DNS: Foundation DNS is an Enterprise option that provides strategically distributed IPs to enhance resiliency, reduced exposure to incidents or software regression and more consistent nameserver assignment.

  3. Total TLS: Automatically issues certificates for all subdomain levels, extending the protection offered by Universal SSL.

  4. Advanced Certificates: Offers customizable certificate issuance and management, including options like choosing the certificate authority, certificate validity period, and removing Cloudflare branding from certificates.

  5. Custom Certificates: For eligible plans, customers can upload their own certificates, with the user managing issuance and renewal.

  6. mTLS Client Certificates: Cloudflare offers a PKI system, used to create client certificates, which can enforce mutual Transport Layer Security (mTLS) encryption.

  7. Cloudflare for SaaS Custom Hostnames: This feature enables SaaS providers to offer their clients the ability to use their own domains while benefiting from Cloudflare’s network.

  8. Keyless SSL Certificates: Keyless SSL allows security-conscious clients to upload their own custom certificates and benefit from Cloudflare, but without exposing their TLS private keys.

  9. Origin Certificates: Origin CA certificates from Cloudflare are used to encrypt traffic between Cloudflare and your origin web server. These certificates are created through the Cloudflare dashboard and can be configured with a choice of RSA or ECC private keys and support for various server types.