Find answers to common questions about the Cloudflare SSL/TLS app.

I have multiple Cloudflare certificates, which one is used?

Cloudflare certificates are prioritized by certificate type and also by most specific hostname.

Exceptions to general prioritization occur based on hostname specificity.  Certificates that mention a specific hostname are preferred to wildcard certificates. For example, a Universal SSL certificate that explicitly mentions www.example.com takes priority over a certificate that matches the www hostname via a wildcard such as *.example.com. 

For more details on hostname priority, refer to our developer documentation.

Will having Cloudflare's SSL help with SEO?

Yes, Google announced that they use HTTPS as a ranking signal for SEO.

For further SEO tweaks, see our article on improving SEO Rankings with Cloudflare.

How long does it take for Cloudflare's SSL to activate?

If Cloudflare is your authoritative DNS provider, Universal SSL certificates typically issue within 15 minutes of domain activation at Cloudflare and do not require further customer action after domain activation.  Alternatively, if you use Cloudflare services via CNAME records set at your authoritative DNS provider, provisioning your Universal SSL certificate requires manual addition of DNS verification records at your authoritative DNS provider.  Advanced SSL certificates also typically issue within 15 minutes.

If the Certificate Authority requires a manual review of brand, phishing, or TLD requirements, a Universal SSL certificate can take longer than 24 hours to issue.

What does SSL invalid brand check mean?

Some domains are not eligible for the Universal SSL if they contain words that conflict with trademarked domains.  

To resolve this issue, you can either:

• Upload your own certificate if the domain is on a Business or Enterprise plan, or
• Purchase an advanced certificate

Does Cloudflare SSL support Internationalized Domain Names (IDN)?

Cloudflare supports double byte / IDN / punycode domains.  Domains with non-Latin characters receive SSL certificates just like any other domain added to Cloudflare.

How do I redirect all visitors to HTTPS/SSL?

Refer to Always Use HTTPS.

Does SSL work for hosting partners?

A Free Universal SSL certificate is available for all new Cloudflare domains added via a hosting partner through both CNAME and Full DNS integrations.

Are Cloudflare SSL certificates shared?

None of the SSL certificates issued by Cloudflare are shared across multiple domains for multiple customers.

An SSL certificate is installed at my website, why do I see a Cloudflare certificate?

Cloudflare must decrypt traffic in order to cache and filter malicious traffic. Cloudflare either re-encrypts traffic or sends plain text traffic to the origin web server depending on the SSL option selected in the Overview tab of the SSL/TLS app.

I want Cloudflare to use an SSL certificate I've purchased elsewhere

Domains on Business and Enterprise plans are allowed to upload a Custom SSL certificate.

Does Project Galileo include SSL support?

Project Galileo customers can use Cloudflare's free Universal SSL to secure site traffic.

Does enabling Cloudflare affect PayPal's TLS 1.2 requirement?

No. Since Cloudflare does not proxy connections made directly to paypal.com, enabling Cloudflare for your domain does not affect how TLS connections are made.

How can I serve an SSL certificate from Cloudflare's China data centers?

Cloudflare Universal SSL and advanced certificates are not deployed in China.  If your domain is on an Enterprise plan and has been granted access to China data centers, Cloudflare's data centers in China only serve a SSL certificate for your domain under the following conditions:

1. You have uploaded a Custom SSL certificate.
2. Allow Private Keys in China (Custom Certificates) is set to On in the Edge Certificates tab of the Cloudflare SSL/TLS app.

Does Cloudflare support TLS client authentication?

TLS Client Authentication validates that a certificate presented by a client is signed by the company’s root Certificate Authority certificate.  By validating this certificate on each request, access can be limited to authorized client connections.  To enable TLS client authentication via Cloudflare, refer to our documentation on Mutual TLS authentication.

How do I enable Universal SSL with Github?

Refer to the Cloudflare blog post about using Cloudflare's Universal SSL with GitHub Pages.

How do I obtain an SSL certificate for customers on partial (CNAME) setup?

To receive an SSL certificate, proxy traffic through Cloudflare. The SSL certificate will be automatically issued within a few minutes.

Pausing Cloudflare or disabling the proxy will prevent SSL certificate provisioning

Currently, HTTP is the only officially supported domain validation method for SSL certificates for domains on a partial setup activated via a hosting provider. Cloudflare will add DNS as an alternative validation method (DCV) at a later date.

If you would like to complete validation using HTTP without proxying through Cloudflare, this is accomplished via the Cloudflare API.  Reach out to [email protected] if you need assistance.

Can I use Certificate Pinning?

No. Multiple industry leaders — including Digicert and Mozilla — have discouraged certificate pinning because of security concerns.

For a safer alternative, use Certificate Transparency Monitoring.

Where can I learn more about SSL?

To learn more about SSL, go to the Cloudflare Learning Center.

For SSL terms and definitions, go to the Cloudflare Glossary.

Redsys doesn't seem to be working with my Let's Encrypt Certificiate?

The Let's Encrypt Certificate Authority and SNI are not currently supported by Redsys.

We recommend either :

• Changing the Universal Certificate to CA back to Digicert (default)

OR

• Advanced Certificate Manager or Custom Certificate using a different CA other than Let's Encrypt