For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for each Cloudflare offering and for more details about the CAs.
Availability per certificate type and encryption algorithm
Features, limitations and browser compatibility
- Hostname on certificate can contain up to 10 levels of subdomains.
- Duplicate certificate limit of per week.
The main determining factor for whether a platform can validate Let’s Encrypt certificates is whether that platform trusts ISRG’s “ISRG Root X1” certificate. You can find the full list of supported clients in the . Older versions of Android and Java clients might not be compatible with Let’s Encrypt certificates.
Google Trust Services
- Punycode domains are not yet supported.
- Cloudflare will be supporting ECDSA with Google Trust Services soon.
Browser compatibility (most compatible)
Currently trusted by Microsoft, Mozilla, Safari, Cisco, Oracle Java, and Qihoo’s 360 browser. All browsers or operating systems that depend on these root programs are covered. In addition, some of Google Trust Services’ may rely on a cross-signature to ensure optimal support across a wide range of devices.
DigiCert (deprecating soon)
A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.
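How a CA evaluates CAA records before issuing, as an added example that is not part of the original page or Cloudflare's own code. It follows the RFC 8659 lookup (climb toward the root, first non-empty record set wins) and goes beyond the paragraph by covering wildcard requests and record sets with no `issue` tag. The zone data and the issuer domains `ca-one.example` and `ca-two.example` are constructed placeholders, and the critical flag is not modelled.

```python
# Added example: CAA evaluation over constructed zone data (RFC 8659 semantics).
# Issuer domains and hostnames are placeholders, not real CA identifiers.
ZONE = {
    "example.com": [("issue", "ca-one.example"), ("issuewild", "ca-two.example")],
    "shop.example.com": [("issue", ";")],  # empty issuer: nobody may issue
    "dev.example.com": [("iodef", "mailto:sec@example.com")],  # no issue tags
}


def relevant_rrset(name, zone):
    """Climb from name toward the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def may_issue(hostname, ca, zone=ZONE):
    """Return True if CAA does not prevent `ca` from issuing for `hostname`."""
    wildcard = hostname.startswith("*.")
    name = hostname[2:] if wildcard else hostname
    _, rrset = relevant_rrset(name, zone)
    issue = [v for t, v in rrset if t.lower() == "issue"]
    issuewild = [v for t, v in rrset if t.lower() == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        # No restricting property in the relevant set: CAA imposes no limit.
        return True
    # A value is "issuer-domain[; parameters]"; a bare ";" yields an empty issuer.
    allowed = {v.split(";")[0].strip().lower() for v in applicable}
    return ca.lower() in allowed


if __name__ == "__main__":
    for host, ca in [
        ("www.example.com", "ca-one.example"),
        ("*.example.com", "ca-one.example"),
        ("shop.example.com", "ca-one.example"),
        ("dev.example.com", "ca-two.example"),
    ]:
        print(f"{host:20} {ca:16} -> {may_issue(host, ca)}")
```

The `dev.example.com` case is the one to watch in an audit: a subdomain record set that carries only `iodef` becomes the relevant set and removes the parent's restriction for that name.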
The following table lists the CAA record content for each CA:
|CAA record content
|Google Trust Services