Skip to content
Visit SSL on GitHub
Set theme to dark (⇧+D)

Manage Universal SSL certificates

Enable Universal SSL

Once you enable Universal SSL, you can review the certificate's status in the dashboard at SSL/TLS > Edge Certificates or via the API with a GET request.

Authoritative (Full) domains

For an authoritative or full domain — domains that changed their domain nameservers – your domain should receive its Universal SSL certificate within 24 hours. This certificate covers your root domain and all first-level subdomains (

Based on your imported DNS records, Cloudflare sets your default SSL/TLS encryption mode. For help changing your encryption mode, refer to SSL modes.

Non-authoritative (Partial) domains

For non-authoritative or partial domains (domains on a CNAME setup), Universal SSL will be:

Unless you cover and validate multiple subdomains with an advanced certificate, you will need to proxy and validate each new subdomains as they are added.

Disable Universal SSL

Some customers may need to manage their own SSL certificates or rely on specific Certificate Authorities.

If you disable your domain's Universal SSL certificate, Cloudflare removes that certificate from our network and will not order or renew any additional Universal SSL certificates.

Potential errors

To avoid errors with your domain, either upload a custom certificate or purchase Advanced Certificate Manager before disabling Universal SSL.

If you disable Universal SSL, you may experience errors with the following scenarios:

Disable Universal SSL

To disable Universal SSL:

  1. Make sure you have uploaded a custom certificate or purchased Advanced Certificate Manager to protect your domain.
  2. Log in to the Cloudflare dashboard and select your account.
  3. Select your domain.
  4. Go to SSL/TLS > Edge Certificates.
  5. For Disable Universal SSL, select Disable Universal SSL.
  6. Read the warnings in the Acknowledgement.
  7. Select I Understand and click Confirm.