Distinguish between the SSL certificates Cloudflare offers for traffic encryption. Learn the benefits and uses of each Cloudflare SSL certificate.
Standard HTTP sends unencrypted data over the Internet making it easy to intercept. In contrast, Hypertext Transfer Protocol Secure (HTTPS) encryption prevents wiretapping, stolen credit card numbers, and other interceptions. HTTPS secures Internet traffic through encryption. HTTPS is a combination of the standard HTTP protocol and a security protocol called SSL/TLS.
Cloudflare categorizes its SSL products based on where the traffic encryption occurs:
- Encrypt visitor traffic to your Cloudflare domain
- Encrypt Cloudflare traffic to your origin web server
- Extend SSL as a service for your end customers
Encrypt visitor traffic to your Cloudflare domain
There are several choices for encrypting traffic between visitors and your Cloudflare domain:
Universal SSL is the name for the free Cloudflare SSL service. If Cloudflare is your authoritative DNS provider, Universal SSL certificates typically issue within 15 minutes of domain activation at Cloudflare and do not require further customer action after domain activation. Alternatively, if you use Cloudflare services via CNAME records set at your authoritative DNS provider, provisioning your Universal SSL certificate requires manual addition of DNS verification records at your authoritative DNS provider.
In addition, compared to a Cloudflare Dedicated SSL certificate, Universal SSL certificates have these limitations:
- Browser and operating system support
- Shared amongst various Cloudflare customers
- Covers only first-level subdomains (ex: www.example.com but not dev.www.example.com)
There are several benefits to purchasing a Dedicated SSL certificate when compared to the Universal SSL certificate:
- Certificate is not shared with other customer domains
- Dedicated certificates with Custom Hostnames can cover additional levels of subdomains (ex: test.dev.www.example.com instead of just www.example.com)
Custom SSL (Business and Enterprise only)
Custom SSL allows customers to upload their own valid certificates to Cloudflare. A Custom SSL certificate is often preferred by customers that have purchased an Extended Validation (EV) or Organization Validated (OV) Certificate from a Certificate Authority and want to display their certificate to visitors. Custom SSL does not work with self-signed certificates that are not signed by a valid Certificate Authority.
Keyless SSL (Enterprise only)
Keyless SSL is designed for organizations with security policies that restrict control of certificate private keys. Customers interested in Keyless SSL should contact our Enterprise Sales Team for information and pricing.
Encrypt Cloudflare traffic to your origin web server
To encrypt Cloudflare traffic to your origin web server, Cloudflare offers Origin CA certificates.
Origin CA certificates
Cloudflare Origin CA certificates are more secure than self-signed certificates and more convenient and performant than publicly trusted certificates from a Certificate Authority. Origin CA certificates are free for all plan types.
Extend SSL as a service for your end customers
The Cloudflare Custom Hostnames feature allows Enterprise customers to provide their end customers with SSL.
Custom Hostnames (Enterprise only)
Cloudflare Custom Hostnames (also known as SSL for SaaS) allows customers of a SaaS company to use a custom domain to secure communication through SSL. Custom Hostnames extend several benefits to the end customers of SaaS companies:
- Branded visitor experience
- Improved trust and SEO rankings
- Improved speed via HTTP/2
- Efficient management of entire SSL lifecycle
- End-to-end encryption with Cloudflare - Part 1: conceptual overview
- End-to-end encryption with Cloudflare - Part 3: SSL options
- Understanding Universal SSL
- Managing Dedicated SSL certificates
- Managing Cloudflare Origin CA certificates
- Managing Custom SSL certificates
- Understanding Keyless SSL
- Managing Custom Hostnames
- PCI and Cloudflare SSL