Total TLS allows Cloudflare to issue individual certificates for every proxied hostname. These certificates will protect proxied hostnames not covered by Universal certificates.
When issued, these certificates will have a type of Advanced - Total TLS.
Total TLS is available for domains that have purchased Advanced Certificate Manager and are currently using a full DNS setup.
Because Total TLS does not issue certificates for any subdomain used by Cloudflare Load Balancing, we recommend using other types of certificates to avoid any potential downtime.
Once you enable Total TLS, be careful deleting any certificates associated with proxied hostnames.
If you do, our system assumes you want to opt that hostname out of Total TLS certificate and will not order new certificates for the hostname in the future. This behavior applies even if you delete and re-create the hostname’s DNS record.