Cloudflare Docs
SSL/TLS
SSL/TLS
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Advanced certificates

On March 6, 2023, Cloudflare will stop using DigiCert as an issuing certificate authority (CA) for new advanced certificates. This will not affect existing custom hostname certificates.

On March 13, 2023, Cloudflare will stop using DigiCert as the CA for advanced certificate renewals. This will not affect existing advanced certificates, only their renewals.

​​ Summary of changes

This table provides a summary of the differences between DigiCert and Cloudflare’s other CAs.

AreaDigiCertOther CAsActions required
Domain Control
Validation (DCV)
If a certificate has multiple hostnames in the Subject Alternative Name (SAN), one DCV record is required to complete validation.If a certificate has multiple hostnames in the SAN, one DCV token is required for every hostname on the certificate (five hostnames in the SAN would require five DCV tokens).

This will also require two DCV tokens to validate a certificate that covers an apex and wildcard (example.com, *.example.com).
Full zones: As long as Cloudflare remains the Authoritative DNS provider, no action is required since Cloudflare can complete TXT based DCV for certificate issuances and renewals.

Partial zones: Cloudflare will complete HTTP DCV for non-wildcard hostnames, as long as they are proxying traffic through Cloudflare. You will be required to complete TXT DCV for Advanced certificates with wildcard hostnames by placing the TXT DCV token at your Authoritative DNS provider.
APICustomers can choose “digicert” as the issuing CA when using the API.Customers can only choose “lets_encrypt” or “google” when using the API.If you are currently using DigiCert as the issuing CA when creating advanced certificates, switch your integration to use Let’s Encrypt or Google.
DCV MethodsEmail DCV is available.Email DCV will be deprecated. Customers will be required to use HTTP or DNS DCV.If an existing certificate is relying on Email DCV then when the certificate comes up for renewal, Cloudflare will attempt to complete HTTP validation. If HTTP validation is not possible, then Cloudflare will use TXT DCV and return the associated tokens.
Validity periodAdvanced certificates can be valid for 14, 30, 90, or 365 days.Advanced certificates can be valid for 14, 30, or 90 days.No action required. Certificates will be renewed more frequently. Certificates using 14 or 30 day validity periods will be required to use Google Trust Services on renewal. Let’s Encrypt only supports certificates with 90 day validity periods.

​​ Required actions

​​ Before March 6, 2023

If your system integrates with the Cloudflare API to order advanced certificates, you will need to update the following fields:

  • The "certificate_authority" field should either use Google Trust Services ("google") or Let’s Encrypt ("lets_encrypt").
  • The "validation_method" field should either use "http" (only available for non-wildcard hostnames) or "txt".
  • The "validity_days" field should either use 14, 30, or 90 (14 or 30 day certificates will use Google Trust Services as the issuing CA).

​​ Changes after March 13, 2023

The following changes will automatically affect certificates that are renewed after March 13, 2023. The renewed certificate will have a different certificate pack ID than the DigiCert certificate.

​​ Certificate authorities

DigiCert certificates renewed after March 13th will be issued through a Certificate Authority chosen by Cloudflare (Let’s Encrypt or Google Trust Services).

​​ Validity period

If the current DigiCert certificate has a 365 day validity period, that value will change to 90 in the “validity_days” field.

​​ DCV method

If the DigiCert certificate had the “validation_method” set to “email”, then this value will change to either “txt” or “http” when the certificate is renewed.

Full zone certificate renewals will default to TXT DCV and are automatically renewed by Cloudflare. This is because Cloudflare can place the TXT DCV tokens as the Authoritative DNS provider.

Partial zone certificate renewals will default to HTTP DCV, unless there is a wildcard hostname on the certificate. Wildcard hostnames will be required to complete TXT DCV.

​​ DCV tokens

For multi-hostname or wildcard certificates using DigiCert, multiple DCV records will now be returned in the “validation_records” field.

This is because DigiCert only requires one DCV record to be placed to validate the apex, wildcard, and subdomains on a certificate. Let’s Encrypt and Google Trust Services follow the ACME protocol which requires that one DCV token is placed for every hostname on a certificate.

If your certificate covers multiple hostnames, then on renewal you will see one DCV token associated with every hostname on the certificate. These tokens will be returned in the “validation_records” field.

If your certificate includes a wildcard hostname, you will see a TXT DCV token returned for the wildcard hostname. Previously with DigiCert, only one TXT DCV token would have been required at the apex to complete validation for any subdomains or wildcard under the zone.

​​ Required actions

​​ Certificate migration

If you want to take control of migrating your certificates and choose a particular CA - instead of having Cloudflare handle migrations as certificates come up for renewal and choose a CA on your behalf - you will need to:

  1. Order new certificates (applying all the required changes noted before).
  2. Make sure your certificates are validated (partial zones will require additional steps than previously).
  3. Delete all existing DigiCert certificates (once each has been replaced and the new certificate is active).

​​ DCV - Full zones

For full zones1, the only required action is to confirm the your nameservers are still pointing to Cloudflare.

Certificates on full zones - whether using a wildcard hostname or not - will be automatically renewed and validated without any action from you. Cloudflare can complete DCV on your behalf by serving the TXT DCV tokens.

​​ DCV - Partial zones

For partial zones2, the process depends on whether the certificate uses a wildcard hostname.

Non-wildcard hostname certificates will automatically renew as long as the hostnames on the certificate are still proxying their traffic through Cloudflare. However, if one or more of the hostnames on the certificate is not proxying through Cloudflare, you will be required to complete DCV for those hostnames in order for the certificate to renew.

Wildcard hostname certificates will be required to use TXT based DCV for renewals of the certificate. You will need to place one TXT DCV token for every hostname on the certificate for it to successfully renew. If one or more of the hostnames on the certificate fail to validate, the certificate will not be renewed.

This means that a wildcard certificate covering example.com and *.example.com will require two DCV tokens to be placed at the authoritative DNS provider. Similarly, a certificate with five hostnames in the SAN (including a wildcard) will require five DCV tokens to be placed at the authoritative DNS provider.

​​ Fetch DCV tokens

To automatically fetch tokens for certificates that are coming up for renewal, set up notifications for Advanced Certificate Alert events. This notification will include the DCV tokens associated with new or renewed certificates.

Notifications can be sent to an email address or a webhook.

Once you create a new certificate and choose the validation method of TXT, your tokens will be ready after a few seconds.

These tokens can be fetched through the API or the dashboard when the certificates are in a pending validation state during custom hostname creation or during certificate renewals.

You can access these tokens using the API with the GET request and including status=pending_validation as a request parameter.

For example, here are two tokens highlighted in the API response for a wildcard certificate.

Response
{
"result": [
{
"id": "<CERTIFICATE_ID>",
"type": "advanced",
"hosts": ["*.<DOMAIN>.com", "<DOMAIN>.com"],
"primary_certificate": "0",
"status": "pending_validation",
"certificates": [],
"created_on": "2022-10-12T21:46:21.979150Z",
"validity_days": 90,
"validation_method": "txt",
"validation_records": [
{
"status": "pending",
"txt_name": "_acme-challenge.best3.com",
"txt_value": "lXLOcN6cPv0nproViNcUHcahD9TrIPlNgdwesj0pYpk"
},
{
"status": "pending",
"txt_name": "_acme-challenge.best3.com",
"txt_value": "O0o8VgJu_OGu-T30_cvT-4xO5ZX1_2WsVNUrpUKE6ns"
}
],
"certificate_authority": "google"
}
]
}
  1. Log in to the Cloudflare dashboard.
  2. Choose your account and domain.
  3. Navigate to SSL/TLS > Edge Certificates.
  4. Select a certificate.
  5. Copy the values for Certificate validation TXT name and Certificate validation TXT value.

If you had created a wildcard certificate, you would need to copy the values for two different validation TXT records.

You will need to add all of the DCV records returned in the validation_records field to your Authoritative DNS provider.

Once you update your DNS records, you can either wait for the next retry or request an immediate recheck.

To request an immediate recheck, send another PATCH request with the same validation_method as your current validation method.

Once the certificate has been validated, the certificate status will change to Active.


  1. Meaning that Cloudflare is your Authoritative DNS provider. ↩︎

  2. Meaning that another DNS provider - not Cloudflare - maintains your Authoritative DNS. ↩︎