Cloudflare Docs
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Enable Universal SSL certificates

By default, Cloudflare issues — and renews — free, unshared, publicly trusted SSL certificates to all Cloudflare domains.

The process for activating a Universal SSL certificate depends on your domain’s DNS setup.

​​ Full DNS setup

For an authoritative or full domain — domains that changed their domain nameservers – your domain should automatically receive its Universal SSL certificate between 15 minutes to 24 hours of domain activation. Provisioning time depends on certain security checks and other requirements mandated by Certificate Authorities (CA).

This certificate covers your root domain ( and all first-level subdomains (

​​ Minimize downtime

For sites that require an SSL/TLS certificate prior to migrating traffic to Cloudflare, you could do the following:

​​ Partial DNS setup

For non-authoritative or partial domains, Universal SSL will be:

Unless you cover and validate multiple subdomains with an advanced certificate, you will need to proxy and validate new subdomains as they are added.

​​ Verify your certificate is active

Once you enable Universal SSL, you can review the certificate’s status in the dashboard at SSL/TLS > Edge Certificates or via the API with a GET request.