SSL FAQ

Find answers to common questions about the Cloudflare Crypto app.


I have multiple Cloudflare certificates, which one is used?

Cloudflare certificates are prioritized by certificate type and also by most specific hostname.  In general, SSL certificate prioritization occurs as follows from highest to lowest priority:

Exceptions to general prioritization occur based on hostname specificity.  Certificates that mention a specific hostname are preferred to wildcard certificates.  For example, a Universal SSL certificate that explicitly mentions www.example.com takes priority over a certificate that matches the www hostname via a wildcard such as *.example.com.  


Will having Cloudflare's SSL help with SEO?

Yes, Google announced that they use HTTPS as a ranking signal for SEO.

For further SEO tweaks, see our article on improving SEO Rankings with Cloudflare.


Does Cloudflare SSL support Internationalized Domain Names (IDN)?

Cloudflare supports double byte / IDN / punycode domains.  Domains with non-Latin characters receive SSL certificates just like any other domain added to Cloudflare.


How long does it take for Cloudflare's SSL to activate?

If Cloudflare is your authoritative DNS provider, Universal SSL certificates typically issue within 15 minutes of domain activation at Cloudflare and do not require further customer action after domain activation.  Alternatively, if you use Cloudflare services via CNAME records set at your authoritative DNS provider, provisioning your Universal SSL certificate requires manual addition of DNS verification records at your authoritative DNS provider.  Dedicated SSL certificates also typically issue within 15 minutes.

If the Certificate Authority requires a manual review of brand, phishing, or TLD requirements, a Universal SSL certificate can take longer than 24 hours to issue.


What does SSL invalid brand check mean?

Some domains are not eligible for Universal SSL if they contain words that conflict with trademarked domains.

To resolve this issue, you can either:


How do I redirect all visitors to HTTPS/SSL?

To redirect traffic for all subdomains and hosts in your domain, enable the Always Use HTTPS feature in the Cloudflare Crypto app.  Alternatively, if you don't want your whole site redirected to HTTPS, redirect on a per-URL basis using the Cloudflare Page Rules app.

While protecting your site via Cloudflare, it is not recommended to perform redirects at your origin web server:

  • Page Rule redirects are processed at the Cloudflare edge resulting in quicker response and reduced requests to your server.
  • Origin web server redirects can cause redirect loop errors.

When configuring Page Rules, the Always Use HTTPS action is the simplest method to redirect HTTP requests to HTTPS.  You can also use the Forwarding URL action with a 301 redirect if you need to redirect to another subdomain in addition to forcing HTTPS. For example, a Page Rule match for

http://example.com/*

with a Forwarding URL of

https://www.example.com/$1

will redirect requests for the example.com root domain to the www.example.com subdomain while preserving the URL directory.
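The wildcard and `$1` substitution in the rule above can be modelled offline before a rule is saved. This is an added example, not Cloudflare's implementation: the function names are hypothetical, patterns are assumed to include the scheme, and the second rule is constructed to show a rule whose redirect target is matched by its own pattern.

```python
import re

def compile_rule(pattern):
    """Model a Page Rule URL pattern: every '*' becomes a capture group."""
    literals = [re.escape(part) for part in pattern.split("*")]
    return re.compile("(.*)".join(literals), re.DOTALL)

def forward(url, pattern, target):
    """Return the redirect location for url, or None if the rule does not match."""
    match = compile_rule(pattern).fullmatch(url)
    if match is None:
        return None

    def substitute(ref):
        index = int(ref.group(1))
        # A $N with no matching wildcard is left as written rather than guessed.
        return match.group(index) if 1 <= index <= match.re.groups else ref.group(0)

    return re.sub(r"\$(\d+)", substitute, target)

def rule_matches_own_output(url, pattern, target):
    """True when the redirect location is matched by the same rule again."""
    location = forward(url, pattern, target)
    return location is not None and compile_rule(pattern).fullmatch(location) is not None

# The rule from the text, plus a constructed rule that catches its own output.
PAGE_RULE = ("http://example.com/*", "https://www.example.com/$1")
LOOPING_RULE = ("http://*example.com/*", "http://www.example.com/$2")

if __name__ == "__main__":
    for url in ("http://example.com/docs/tls?x=1", "https://example.com/docs"):
        print(url, "->", forward(url, *PAGE_RULE))
    print("constructed rule re-matches:",
          rule_matches_own_output("http://example.com/a", *LOOPING_RULE))
```
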

The Always Use HTTPS action will only appear if your zone has an active Cloudflare SSL certificate.

Forcing HTTPS does not resolve issues with mixed content, as browsers check the protocol of included resources before making a request. You will need to use only relative links or HTTPS links on pages that you force to HTTPS. Cloudflare can automatically resolve some mixed-content links using our Automatic HTTPS Rewrites functionality.


Does SSL work for hosting partners?

A Free Universal SSL certificate is available for all new Cloudflare domains added via a hosting partner through both CNAME and Full DNS integrations.

For domains added to Cloudflare prior to December 9, 2016, the hosting partner must delete and re-add the domain to Cloudflare to provision the SSL certificate.

Proxy a subdomain through Cloudflare to provision the Free Universal SSL certificate.


Are Cloudflare SSL certificates shared?

Universal SSL certificates are shared across multiple domains for multiple customers. If certificate sharing is a concern, Cloudflare recommends a Dedicated or Custom SSL certificate.


An SSL certificate is installed at my website, why do I see a Cloudflare certificate?

Cloudflare must decrypt traffic in order to cache content and filter malicious traffic. Cloudflare either re-encrypts traffic or sends plain text traffic to the origin web server depending on the SSL option selected in the Crypto app.


I want Cloudflare to use an SSL certificate I've purchased elsewhere

Domains on Business and Enterprise plans are allowed to upload a Custom SSL certificate.


How do I force my site to only use HTTPS/SSL?

To force all traffic to HTTPS, enable the "Always Use HTTPS" feature within the Cloudflare Crypto app or via the Page Rules app.


Does Project Galileo include SSL support?

Project Galileo customers can use Cloudflare's free Universal SSL to secure site traffic.


Does enabling Cloudflare affect PayPal's TLS 1.2 requirement?

No. Since Cloudflare does not proxy connections made directly to paypal.com, enabling Cloudflare for your domain does not affect how TLS connections are made.

To determine if your server or browser supports these standards, visit https://tlstest.paypal.com from a client or browser that uses PayPal. A response of PayPal_Connection_OK demonstrates the client already supports TLS standards compatible with PayPal.


How can I serve an SSL certificate from Cloudflare's China data centers?

Cloudflare Universal SSL and Dedicated SSL certificates are not deployed in China.  If your domain is on an Enterprise plan and has been granted access to China data centers, Cloudflare's data centers in China only serve an SSL certificate for your domain under the following conditions:

  1. You have uploaded a Custom SSL certificate.
  2. Allow Private Keys in China (Custom Certificates) is set to On in the Cloudflare Crypto app.

Does Cloudflare support TLS client authentication?

TLS Client Authentication validates that a certificate presented by a client is signed by the company’s root Certificate Authority certificate.  By validating this certificate on each request, access can be limited to authorized client connections.  To enable TLS client authentication via Cloudflare, refer to our documentation on Mutual TLS authentication.


How do I enable Universal SSL with GitHub?

Refer to the Cloudflare blog post about using Cloudflare's Universal SSL with GitHub Pages.

 
