Skip to content

Enable Universal SSL certificates

By default, Cloudflare issues — and renews — free, unshared, publicly trusted SSL certificates to all domains added to and activated on Cloudflare.

The process for activating a Universal SSL certificate depends on your domain's DNS setup.

Full DNS setup

For domains on a full setup1, your domain should automatically receive its Universal SSL certificate within 15 minutes to 24 hours of domain activation2.

This certificate will cover your zone apex (example.com) and all first-level subdomains (subdomain.example.com), and is provisioned even if your records are DNS only. However, the certificate will only be presented if your domain or subdomains are proxied.

Footnotes

  1. The most common Cloudflare setup that involves changing your authoritative nameservers.

  2. Provisioning time depends on certain security checks and other requirements mandated by Certificate Authorities (CA).

Minimize downtime

If your website or application is already live and cannot be uncovered while the Universal certificate is provisioned, consider the following:

Partial DNS setup

For non-authoritative or partial domains, Universal SSL will be:

Unless you cover and validate multiple subdomains with an advanced certificate, you will need to proxy and validate new subdomains as they are added.

Verify your certificate is active

Once you enable Universal SSL, you can review the activation status in the dashboard at SSL/TLS > Edge Certificates or via the API with a GET request.