Skip to content
Visit SSL on GitHub
Set theme to dark (⇧+D)

How to

Enable Universal SSL

Authoritative (Full) domains

For an authoritative or full domain — domains that changed their domain nameservers – Universal SSL requires two steps:

  1. Once you change your domain nameservers, your domain should receive its Universal SSL certificate within 24 hours.
  2. Your SSL/TLS mode defaults to Flexible, which encrypts traffic between a site visitor and Cloudflare (but not Cloudflare and your origin server). To encrypt traffic between Cloudflare and your origin server, see SSL modes and Origin CA certificates.

Non-authoritative (Partial) domains

For non-authoritative or partial domains (domains on a CNAME setup), Universal SSL will be:

Disable Universal SSL

Some customers may need to manage their own SSL certificates or rely on specific Certificate Authorities.

If you disable your domain's Universal SSL certificate, Cloudflare removes that certificate from our network and will not order or renew any additional Universal SSL certificates.

Potential errors

To avoid errors with your domain, either upload a custom certificate or purchase Advanced Certificate Manager before disabling Universal SSL.

If you disable Universal SSL, you may experience errors with the following scenarios:

Disable Universal SSL

To disable Universal SSL:

  1. Make sure you have uploaded a custom certificate or purchased Advanced Certificate Manager to protect your domain.
  2. Log in to the Cloudflare dashboard and select your account.
  3. Select your domain.
  4. Go to SSL/TLS > Edge Certificates.
  5. For Disable Universal SSL, select Disable Universal SSL.
  6. Read the warnings in the Acknowledgement.
  7. Select I Understand and click Confirm.