Cloudflare Docs

Enable Universal SSL certificates

By default, Cloudflare issues — and renews — free, unshared, publicly trusted SSL certificates to all Cloudflare domains.

The process for activating a Universal SSL certificate depends on your domain’s DNS setup.

Full DNS setup

For domains on a full setup [1], your domain should automatically receive its Universal SSL certificate within 15 minutes to 24 hours of domain activation [2].

This certificate will cover your root domain and all first-level subdomains, so long as your domain or subdomains have proxied DNS records within Cloudflare DNS.

  1. The most common Cloudflare setup that involves changing your authoritative nameservers.

  2. Provisioning time depends on certain security checks and other requirements mandated by Certificate Authorities (CA).

Minimize downtime

For sites that require an SSL/TLS certificate prior to migrating traffic to Cloudflare, you could do the following:

Partial DNS setup

For non-authoritative or partial domains, Universal SSL will be:

Unless you cover and validate multiple subdomains with an advanced certificate, you will need to proxy and validate new subdomains as they are added.

Verify your certificate is active

Once you enable Universal SSL, you can review the certificate’s status in the dashboard at SSL/TLS > Edge Certificates or via the API with a GET request.
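The coverage rule above (root domain plus first-level subdomains, proxied records only) can be checked against the status data once you have it. The following is an added example, not Cloudflare's code: the certificate and DNS data are constructed samples, and the field names (`type`, `status`, `hosts`, `name`, `proxied`) are assumptions to confirm against the current API reference.

```python
# Added example: sample data below is constructed, not real API output.

# Constructed certificate listing; field names are assumptions.
PACKS = [
    {"type": "universal", "status": "active",
     "hosts": ["example.com", "*.example.com"]},
]

# Constructed DNS records; "proxied" means traffic passes through Cloudflare.
RECORDS = [
    {"name": "example.com", "proxied": True},
    {"name": "www.example.com", "proxied": True},
    {"name": "mail.example.com", "proxied": False},
    {"name": "dev.api.example.com", "proxied": True},
]


def san_matches(pattern, host):
    """Match a certificate host entry; '*' covers exactly one label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:]


def coverage(records, packs):
    """Map each hostname to 'covered', 'not proxied' or 'no matching host'."""
    active_hosts = [h for pk in packs
                    if pk.get("type") == "universal" and pk.get("status") == "active"
                    for h in pk.get("hosts", [])]
    report = {}
    for rec in records:
        if not rec.get("proxied"):
            report[rec["name"]] = "not proxied"
        elif any(san_matches(p, rec["name"]) for p in active_hosts):
            report[rec["name"]] = "covered"
        else:
            report[rec["name"]] = "no matching host"
    return report


if __name__ == "__main__":
    for name, state in coverage(RECORDS, PACKS).items():
        print(f"{name:24} {state}")
```

A hostname reported as "no matching host" (here the second-level `dev.api.example.com`) is the case where a proxied record exists but no active certificate host covers it.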