End-to-end HTTPS with Cloudflare - Part 2: SSL certificates

Distinguish between the SSL certificates Cloudflare offers for HTTPS traffic encryption. Learn the benefits and uses of each Cloudflare SSL certificate.


Standard HTTP sends unencrypted data over the Internet, making it easy to intercept. In contrast, Hypertext Transfer Protocol Secure (HTTPS) encrypts Internet traffic, which protects against wiretapping, stolen credit card numbers, and other interception. HTTPS is a combination of the standard HTTP protocol and a security protocol called SSL/TLS.

Cloudflare categorizes its SSL products based on where the traffic encryption occurs:

Encrypt visitor traffic to your Cloudflare domain

There are several choices for encrypting traffic between visitors and your Cloudflare domain:

Private keys for Universal and Dedicated SSL certificates are not visible or exportable and cannot be installed at your origin web server.

Universal SSL

Universal SSL is the name for the free Cloudflare SSL service. If Cloudflare is your authoritative DNS provider, Universal SSL certificates typically issue within 15 minutes of domain activation at Cloudflare and do not require further customer action after domain activation. Alternatively, if you use Cloudflare services via CNAME records set at your authoritative DNS provider, provisioning your Universal SSL certificate requires manual addition of DNS verification records at your authoritative DNS provider.

By default, Cloudflare provisions a free Universal SSL certificate for every active Cloudflare domain.

In addition, compared to a Cloudflare Dedicated SSL certificate, Universal SSL certificates have these limitations:

Dedicated SSL

There are several benefits to purchasing a Dedicated SSL certificate when compared to the Universal SSL certificate:

  • Certificate is not shared with other customer domains
  • Dedicated certificates with Custom Hostnames can cover additional levels of subdomains (for example, test.dev.www.example.com instead of just www.example.com)
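
The subdomain-depth point above can be checked against any certificate's subject alternative names (SANs). The following is an added example, not Cloudflare code: it applies the standard wildcard rule (a `*` stands for exactly one left-most label) to two constructed SAN lists, and the function names are hypothetical.

```python
# Added example: which hostnames does a certificate's SAN list cover?
# All SAN lists and hostnames below are constructed sample values.

def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split it into labels."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is honoured only as the whole left-most
    label and stands for exactly one label, never several."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Reject over-broad wildcards ("*.com") and a second '*' further right.
        if len(p) < 3 or "*" in "".join(p[1:]):
            return False
        return p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial wildcards such as "w*.example.com" are refused
    return p == h

def coverage(sans: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to True if at least one SAN entry covers it."""
    return {h: any(san_matches(s, h) for s in sans) for h in hostnames}

# Constructed SAN list: apex plus a single-level wildcard.
SAMPLE_SANS = ["example.com", "*.example.com"]
# Constructed SAN list that adds a wildcard at a deeper level.
DEEP_SANS = SAMPLE_SANS + ["*.dev.www.example.com"]

HOSTS = [
    "example.com",
    "www.example.com",
    "dev.www.example.com",
    "test.dev.www.example.com",
]

if __name__ == "__main__":
    for name, sans in (("single-level", SAMPLE_SANS), ("deeper", DEEP_SANS)):
        print(name)
        for host, ok in coverage(sans, HOSTS).items():
            print(f"  {host:28} {'covered' if ok else 'NOT covered'}")
```

A hostname reported as not covered fails certificate validation in the visitor's browser, so it needs its own SAN entry at the matching level.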

Custom SSL (Business and Enterprise only)

Custom SSL allows customers to upload their own valid certificates to Cloudflare. A Custom SSL certificate is often preferred by customers who have purchased an Extended Validation (EV) or Organization Validated (OV) Certificate from a Certificate Authority and want to display their certificate to visitors. Custom SSL does not work with self-signed certificates that are not signed by a valid Certificate Authority.

Keyless SSL (Enterprise only)

Keyless SSL is designed for organizations with security policies that restrict control of certificate private keys. Customers interested in Keyless SSL should contact our Enterprise Sales Team for information and pricing.

Encrypt Cloudflare traffic to your origin web server

To encrypt Cloudflare traffic to your origin web server, Cloudflare offers Origin CA certificates.

Origin CA certificates

Cloudflare Origin CA certificates are more secure than self-signed certificates and more convenient and performant than publicly trusted certificates from a Certificate Authority. Origin CA certificates are free for all plan types.

Extend SSL as a service for your end customers

The Cloudflare Custom Hostnames feature allows Enterprise customers to provide their end customers with SSL.

Custom Hostnames (Enterprise only)

Cloudflare Custom Hostnames (also known as SSL for SaaS) allows customers of a SaaS company to use a custom domain to secure communication through SSL. Custom Hostnames extend several benefits to the end customers of SaaS companies:

  • Branded visitor experience
  • Improved trust and SEO rankings
  • Improved speed via HTTP/2
  • Efficient management of entire SSL lifecycle

