SSL/TLS FAQ
Refer to this page for frequently asked questions about Cloudflare SSL/TLS certificate offerings and the CAs that Cloudflare partners with.
Cloudflare can issue both RSA and ECDSA certificates.
Cloudflare SSL/TLS certificates are not shared across domains or across customers.
Cloudflare certificates are prioritized by a combination of hostname specificity, zone specificity, and certificate type. For more details, refer to Certificate and hostname priority.
Cloudflare must decrypt traffic in order to cache content and filter malicious requests. Depending on your domain's encryption mode, Cloudflare then either re-encrypts the traffic or sends it to the origin web server in plain text.
Cloudflare uses Let's Encrypt, Google Trust Services, SSL.com, and Sectigo. You can see a complete list of products and available CAs and algorithms in the certificate authorities reference page.
Sectigo is only used for backup certificates.
Refer to the certificate authorities reference page for a list of limitations for every CA in our pipeline. There you can also find information about device and browser compatibility.
If you are on a Business or Enterprise plan, you can upload a certificate from the CA of your choice.
You can use the CFSSL trust store, which includes all of the CAs that are used by Cloudflare managed certificates.
A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.
For more details, refer to Add CAA records.
CAA records are evaluated by the issuing CA, not by Cloudflare. For details, refer to RFC 8659.
Setting a CAA record to specify one or more particular CAs does not change which CA Cloudflare selects to issue universal or advanced certificates for your domain. Because the CA enforces CAA at issuance time, a CAA record set that excludes the CA Cloudflare selects will cause that issuance to fail. If you wish, you can specify CAs associated with Cloudflare certificates when ordering an advanced certificate.
If you are part of a large organization or one where multiple parties are tasked with obtaining SSL certificates, include CAA records that allow issuance for all CAs applicable for your organization. Failure to do so can inadvertently block SSL issuance for other parts of your organization.
You can find CAA records associated with every Cloudflare CA in the certificate authorities reference page. If you are using Cloudflare as your DNS provider, then the CAA records will be added on your behalf.
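To make the evaluation rules above concrete, here is an added example that is not Cloudflare's code and not part of the original page: a stand-alone model of the checks a CA performs under RFC 8659 before issuing. It climbs from the requested name toward the root to find the relevant CAA RRset, applies the issue/issuewild precedence for wildcard names, refuses on unknown critical properties, and treats an empty issuer (the `;` value) as "nobody may issue". The DNS data is a constructed in-memory zone so the code runs offline; the names, CA domains, and record values in it are illustrative assumptions, not data from the page.

```python
"""Model of CAA evaluation as an issuing CA performs it (RFC 8659).

Added example, not Cloudflare code. The zone data below is constructed
for illustration; a real CA resolves CAA via DNS for the requested name.
"""
from dataclasses import dataclass

CRITICAL = 128  # Issuer Critical flag (RFC 8659, section 4.1)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    def critical(self) -> bool:
        return bool(self.flags & CRITICAL)


# Constructed sample zone: CAA RRsets keyed by owner name.
# Names with no entry have an empty CAA RRset.
SAMPLE_ZONE = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issue", "pki.goog; cansignhttpexchanges=yes"),
        CAARecord(0, "issuewild", ";"),  # empty issuer: no wildcard issuance
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "api.example.com": [
        CAARecord(CRITICAL, "issue", "ssl.com"),  # critical on a known tag is fine
    ],
    "legacy.example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(CRITICAL, "futuretag", "x"),  # unknown critical property
    ],
    # shop.example.com has no CAA RRset, so the parent's policy governs it.
}


def relevant_rrset(name: str, zone: dict) -> list:
    """Return the first non-empty CAA RRset found climbing from `name`
    toward the root (RFC 8659, section 3). Empty list: no CAA policy."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = zone.get(".".join(labels), [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def parse_value(value: str):
    """Split 'issuer-domain; k=v; ...' into (issuer_domain, params).
    An issuer domain of '' (value ';' or empty) authorises no CA."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip()
    return parts[0].lower(), params


def ca_may_issue(fqdn: str, ca_domain: str, zone: dict = SAMPLE_ZONE) -> bool:
    """Decide whether the CA identified by `ca_domain` may issue for `fqdn`
    (which may be a wildcard name such as '*.example.com')."""
    wildcard = fqdn.startswith("*.")
    base = fqdn[2:] if wildcard else fqdn
    rrset = relevant_rrset(base, zone)
    if not rrset:
        return True  # no CAA policy anywhere up the tree
    if any(r.critical() and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False  # unrecognised critical property: MUST NOT issue
    issue = [r for r in rrset if r.tag.lower() == "issue"]
    issuewild = [r for r in rrset if r.tag.lower() == "issuewild"]
    # issuewild takes precedence for wildcard names when present (section 4.3).
    governing = issuewild if (wildcard and issuewild) else issue
    if not governing:
        return True  # only iodef/unknown non-critical tags: not restricted
    return any(parse_value(r.value)[0] == ca_domain.lower() for r in governing)


def to_zone_file(name: str, rrset: list) -> list:
    """Render an RRset in zone-file syntax, e.g. for adding records at a DNS provider."""
    return [f'{name}. IN CAA {r.flags} {r.tag} "{r.value}"' for r in rrset]


if __name__ == "__main__":
    for fqdn, ca in [("example.com", "letsencrypt.org"), ("*.example.com", "letsencrypt.org"),
                     ("shop.example.com", "pki.goog"), ("legacy.example.com", "letsencrypt.org")]:
        print(f"{ca:16} -> {fqdn:22} {'ALLOW' if ca_may_issue(fqdn, ca) else 'DENY'}")
```

Note the two failure modes a practitioner most often hits: a name with no CAA record inherits the nearest ancestor's policy rather than being unrestricted, and an `issuewild ";"` at the apex silently blocks every wildcard certificate below it, including ones a second team at the organization expects another CA to issue.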
To specify a CA, you must purchase Advanced Certificate Manager. Through Advanced Certificate Manager, you can choose the certificate authority when ordering an advanced certificate, or you can choose a default CA when using Total TLS.
If you are on a Business or Enterprise plan, you can upload a certificate from the CA of your choice. In this case, certificate issuance and renewal will have to be managed by you.
Zones on the Free plan receive only an ECDSA Universal certificate. Zones on paid plans receive both an RSA and an ECDSA certificate.