Distinguish between the SSL certificates Cloudflare offers for HTTPS traffic encryption. Learn the benefits and uses of each Cloudflare SSL certificate.
Overview
Standard HTTP sends unencrypted data over the Internet making it easy to intercept. In contrast, Hypertext Transfer Protocol Secure (HTTPS) encryption prevents wiretapping, stolen credit card numbers, and other interceptions. HTTPS secures Internet traffic through encryption. HTTPS is a combination of the standard HTTP protocol and a security protocol called SSL/TLS.
Cloudflare categorizes its SSL products based on where the traffic encryption occurs:
- Encrypt visitor traffic to your Cloudflare domain
- Encrypt Cloudflare traffic to your origin web server
- Extend SSL as a service for your end customers
Encrypt visitor traffic to your Cloudflare domain
There are several choices for encrypting traffic between visitors and your Cloudflare domain:
Universal SSL
Universal SSL is the name for the free Cloudflare SSL service. If Cloudflare is your authoritative DNS provider, Universal SSL certificates typically issue within 15 minutes of domain activation at Cloudflare and do not require further customer action after domain activation. Alternatively, if you use Cloudflare services via CNAME records set at your authoritative DNS provider, provisioning your Universal SSL certificate requires manual addition of DNS verification records at your authoritative DNS provider.
In addition, compared to a Cloudflare Dedicated SSL certificate, Universal SSL certificates have these limitations:
- Browser and operating system support
- Covers only first-level subdomains (ex: www.example.com but not dev.www.example.com)
Dedicated SSL
When compared to a Universal SSL certificate, a Dedicated SSL certificate with Custom Hostnames can cover additional levels of subdomains (ex: test.dev.www.example.com instead of just www.example.com)
Custom SSL (Business and Enterprise only)
Custom SSL allows customers to upload their own valid certificates to Cloudflare. A Custom SSL certificate is often preferred by customers that have purchased an Extended Validation (EV) or Organization Validated (OV) Certificate from a Certificate Authority and want to display their certificate to visitors. Custom SSL does not work with self-signed certificates that are not signed by a valid Certificate Authority.
Keyless SSL (Enterprise only)
Keyless SSL is designed for organizations with security policies that restrict control of certificate private keys. Customers interested in Keyless SSL should contact our Enterprise Sales Team for information and pricing.
Encrypt Cloudflare traffic to your origin web server
For suggestions on how to use Cloudflare SSL (and other Cloudflare settings) to protect your origin server, refer to Protect your origin server.
Extend SSL as a service for your end customers
The Cloudflare Custom Hostnames feature allows Enterprise customers to provide their end customers with SSL.
Custom Hostnames (Enterprise only)
Cloudflare Custom Hostnames (also known as SSL for SaaS) allows customers of a SaaS company to use a custom domain to secure communication through SSL. Custom Hostnames extend several benefits to the end customers of SaaS companies:
- Branded visitor experience
- Improved trust and SEO rankings
- Improved speed via HTTP/2
- Efficient management of entire SSL lifecycle
Related resources
- End-to-end HTTPS with Cloudflare - Part 1: conceptual overview
- End-to-end HTTPS with Cloudflare - Part 3: SSL options
- Understanding Universal SSL
- Managing Dedicated SSL certificates
- Managing Cloudflare Origin CA certificates
- Managing Custom SSL certificates
- Understanding Keyless SSL
- Managing Custom Hostnames
- PCI and Cloudflare SSL