Enable Universal SSL certificates
By default, Cloudflare issues — and renews — free, unshared, publicly trusted SSL certificates to all domains added to and activated on Cloudflare.
The process for activating a Universal SSL certificate depends on your domain's DNS setup.
For domains on a full setup, your domain should automatically receive its Universal SSL certificate within 15 minutes to 24 hours of domain activation.
This certificate will cover your zone apex (example.com) and all first-level subdomains (subdomain.example.com), and is provisioned even if your records are DNS only. However, the certificate will only be presented if your domain or subdomains are proxied.
If your website or application is already live and cannot be left without certificate coverage while the Universal certificate is provisioned, consider the following:
- Order an advanced certificate before proxying traffic to Cloudflare.
- Upload a custom certificate prior to migrating and then delete the certificate after your Universal certificate is active.
- Keep DNS records unproxied until your certificate is active.
For non-authoritative or partial domains, Universal SSL will be:
- Provisioned once the DNS record is proxied through Cloudflare.
- Validated:
  - Immediately if you add Domain Control Validation (DCV) records to your authoritative DNS.
  - After a brief period of downtime if you do not add DCV records (once your traffic is proxied).
Unless you cover and validate multiple subdomains with an advanced certificate, you will need to proxy and validate new subdomains as they are added.
Once you enable Universal SSL, you can review the activation status in the dashboard at SSL/TLS > Edge Certificates or via the API with a GET request.
For Universal certificates, Cloudflare controls the validity periods and certificate authorities (CAs), making sure that renewals always occur.
Universal certificates issued by Let's Encrypt, Google Trust Services, or SSL.com have a 90-day validity period. Cloudflare no longer uses DigiCert for newly issued Universal certificates and, for existing ones, the validity period is being adjusted from one year to 90 days.
For 90-day certificates, the auto renewal period starts 30 days before expiration.
If you are on a partial setup, make sure Domain control validation (DCV) is configured correctly. Refer to Troubleshooting DCV for further help.
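The coverage rule (zone apex plus first-level subdomains, presented only when proxied) and the 30-day renewal window described above can be checked against a hostname inventory. The following is an added example, not Cloudflare's code; the function names, the sample records, and the dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW = timedelta(days=30)  # page: auto renewal starts 30 days before expiration


def universal_coverage(zone: str, hostname: str) -> bool:
    """True if hostname is the zone apex or a first-level subdomain of the zone."""
    zone, hostname = zone.lower().rstrip("."), hostname.lower().rstrip(".")
    if hostname == zone:
        return True
    suffix = "." + zone
    if not hostname.endswith(suffix):
        return False  # different zone, or a look-alike such as notexample.com
    label = hostname[: -len(suffix)]
    return bool(label) and "." not in label  # exactly one extra label


def audit(zone, records, not_after, now):
    """Classify (hostname, proxied) records and report the renewal state."""
    findings = {}
    for hostname, proxied in records:
        if not universal_coverage(zone, hostname):
            findings[hostname] = "not covered by Universal SSL"
        elif not proxied:
            findings[hostname] = "covered, but DNS only: certificate not presented"
        else:
            findings[hostname] = "covered and presented"
    remaining = not_after - now
    if remaining <= timedelta(0):
        renewal = "expired"
    elif remaining <= RENEWAL_WINDOW:
        renewal = "in renewal window: check DCV if no new certificate appears"
    else:
        renewal = "ok"
    return findings, renewal


# Constructed sample inventory and certificate expiry, for illustration only.
SAMPLE_RECORDS = [("example.com", True), ("www.example.com", True),
                  ("api.example.com", False), ("dev.api.example.com", True)]
NOW = datetime(2025, 1, 10, tzinfo=timezone.utc)
NOT_AFTER = datetime(2025, 1, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    findings, renewal = audit("example.com", SAMPLE_RECORDS, NOT_AFTER, NOW)
    for host, status in findings.items():
        print(f"{host}: {status}")
    print("renewal:", renewal)
```

A certificate that stays in the renewal window without being replaced is the signal to review DCV on a partial setup.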