Limitations
Universal SSL certificates present some limitations.
Universal SSL certificates cover only the root domain and first-level subdomains, such as example.com and www.example.com. To enable SSL support on second, third, and fourth-level subdomains such as dev.www.example.com or app3.dev.www.example.com, you can:
- Purchase Advanced Certificate Manager to order advanced certificates.
- Upgrade to a Business or Enterprise plan to upload custom certificates.
On a CNAME setup zone, each subdomain has its own Universal SSL certificate and does not require additional features or purchases.
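The coverage rule above can be checked against a hostname inventory before relying on Universal SSL. The following is an added example, not Cloudflare code: it sorts hostnames into those at the root or first level and those that need an advanced or custom certificate. It assumes the zone apex is known and passed in, that the zone is not a CNAME setup zone, and the function names and sample inventory are constructed for illustration.

```python
# Added example: constructed inventory audit, not Cloudflare code.
def label_depth(hostname, zone):
    """Labels that hostname has below the zone apex; None if it is not in the zone."""
    host = hostname.strip().rstrip(".").lower()
    apex = zone.strip().rstrip(".").lower()
    if host == apex:
        return 0
    if not host.endswith("." + apex):
        return None  # e.g. notexample.com or example.com.other.test
    labels = host[: -(len(apex) + 1)].split(".")
    if any(label == "" for label in labels):
        return None  # malformed name with an empty label
    return len(labels)


def classify(hostname, zone):
    depth = label_depth(hostname, zone)
    if depth is None:
        return "outside-zone"
    # Depth 0 is the root, depth 1 a first-level subdomain: both covered.
    if depth <= 1:
        return "universal"
    return "advanced-or-custom"


def audit(hostnames, zone):
    report = {"universal": [], "advanced-or-custom": [], "outside-zone": []}
    for name in hostnames:
        report[classify(name, zone)].append(name)
    return report


# Constructed sample inventory for the zone example.com.
SAMPLE = [
    "example.com", "www.example.com", "WWW.Example.com.",
    "dev.www.example.com", "app3.dev.www.example.com",
    "notexample.com", "example.com.other.test",
]

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE, "example.com").items():
        print(f"{bucket}: {names}")
```

The check works on names only, so it cannot tell whether a hostname is a load balancing hostname, which Universal SSL does not cover by default.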
For Universal SSL certificates, Cloudflare chooses the certificate authority (CA) used for your certificate.
Cloudflare can change the certificate authority without prior notification, and will not send any notification as the change happens.
If you want to choose the issuing certificate authority, order an advanced certificate.
For Universal certificates, Cloudflare controls the validity period. Refer to validity periods and renewal for details.
Customizing cipher suites is only available with Advanced Certificate Manager or within Cloudflare for SaaS.
You can set the minimum TLS version at the zone level, but per-hostname settings require Advanced Certificate Manager.
Delegated DCV allows zones with partial DNS setups to delegate the DCV process to Cloudflare. DCV delegation will not work with Universal SSL certificates and requires the use of an advanced certificate.
Universal SSL is not compatible with Cloudflare Spectrum. If you are trying to use Spectrum, use either an advanced certificate or a custom certificate.
Due to internal limitations, Universal SSL certificates do not cover load balancing hostnames by default. This behavior will be corrected in the future.
For more on browser support, see Browser compatibility.