Get started with SSL/TLS
Follow the steps below to enable SSL/TLS protection for your application.
Step 1 — Choose an edge certificate
Cloudflare offers a variety of options for your application’s edge certificates:
- Universal certificates: By default, Cloudflare issues — and renews — free, unshared, publicly trusted SSL certificates to all Cloudflare domains.
- Advanced certificates: Use advanced certificates when you want something more customizable than Universal SSL but still want the convenience of SSL certificate issuance and renewal.
- Custom certificates: Custom certificates are meant for Business and Enterprise clients who want to utilize their own SSL certificates.
- Keyless certificates (Enterprise only): Keyless SSL allows security-conscious clients to upload their own custom certificates and benefit from Cloudflare, but without exposing their TLS private keys.
Step 2 — Choose your encryption mode
Once you have chosen your edge certificate, choose an encryption mode to specify how Cloudflare should encrypt connections between a) visitors and Cloudflare and b) Cloudflare and your origin server.
Step 3 — Enforce HTTPS connections
Even if your application has an active edge certificate, visitors can still access resources over unsecured HTTP connections.
Using various Cloudflare settings, however, you can force all or most visitor connections to use HTTPS.
Step 4 (optional) — Enable additional features
After you have chosen your edge certificate and updated your encryption mode, review the following Cloudflare settings:
- Edge certificates: Customize different aspects of your edge certificates, from enabling Opportunistic Encryption to specifying a Minimum TLS Version.
- Authenticated origin pull: Ensure all requests to your origin server originate from the Cloudflare network.
- Notifications: Set up alerts related to certificate validation status, issuance, deployment, renewal, and expiration.