Learn the benefits and limitations of Cloudflare’s free Universal SSL certificates and determine when Universal SSL is appropriate for your domain.
Universal SSL refers to the free SSL certificate that Cloudflare issues to customers within 24 hours of their domain activation and requires proxying traffic through Cloudflare in order to provision the certificate.
Universal SSL only encrypts traffic between the site visitor and Cloudflare's edge; on its own it does not encrypt traffic between Cloudflare and the origin web server.
Universal SSL provisioning time depends on the security checks and other requirements mandated by Certificate Authorities (CAs).
Origin web server SSL certificates are not required for Cloudflare to issue a Universal SSL certificate. However, Cloudflare recommends installing a Cloudflare Origin Certificate to ensure communication is encrypted between Cloudflare and your origin web server.
To guarantee encryption between Cloudflare and your origin web server, set the SSL/TLS encryption mode in the Cloudflare SSL/TLS app to either Full or Full (strict). The two modes are not equivalent: Full encrypts the connection but accepts any certificate the origin presents, including a self-signed or expired one, so it does not protect against an impersonated origin. Full (strict) additionally validates the origin certificate, which a Cloudflare Origin Certificate or a certificate from a publicly trusted CA satisfies. Prefer Full (strict) wherever the origin certificate can be kept valid.
For additional SSL technical details, check out our blog post: Introducing Universal SSL.
Universal SSL certificates are limited by:
- the hostnames they cover, and
- the client browsers they support.
Universal SSL certificates only support SSL for the root or first-level subdomains such as example.com and www.example.com. To enable SSL support on second, third, and fourth level subdomains such as dev.www.example.com or app3.dev.www.example.com, you can:
- Purchase the Advanced Certificate Manager feature
- Upgrade to a Business or Enterprise plan to upload a Custom SSL certificate.
On a CNAME setup zone, a Universal SSL certificate is deployed per proxied sub-domain. This means multi-level sub-domains will have their own Universal SSL certificate deployed, unlike the Full Setup, and do not require additional features for support.
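To make the hostname limitation concrete, here is an added example (not Cloudflare's code) that models which hostnames a Universal SSL certificate for a zone can serve. It assumes, as the text states, that the certificate covers the apex and first-level subdomains, which in certificate terms means Subject Alternative Name entries for example.com and *.example.com, and applies the standard browser rule that a wildcard matches exactly one DNS label (RFC 6125 section 6.4.3). The zone and hostnames are constructed sample input; `covered_by_universal_ssl` and the other function names are chosen for this example.

```python
from typing import Dict, List

# Constructed sample input: one zone and hostnames a team might proxy.
SAMPLE_ZONE = "example.com"
SAMPLE_HOSTNAMES = [
    "example.com",
    "www.example.com",
    "api.example.com",
    "dev.www.example.com",
    "app3.dev.www.example.com",
    "example.com.attacker.test",  # shares a prefix but is not in the zone
]


def universal_ssl_sans(zone: str) -> List[str]:
    """SAN entries a Universal SSL certificate carries for a zone
    (assumption drawn from the text: apex plus one wildcard level)."""
    zone = zone.lower().rstrip(".")
    return [zone, "*." + zone]


def san_matches(san: str, hostname: str) -> bool:
    """Hostname matching as browsers do it (RFC 6125 section 6.4.3):
    a literal SAN must match exactly; '*.zone' matches exactly one extra
    label, so it covers www.example.com but not dev.www.example.com."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def subdomain_level(hostname: str, zone: str) -> int:
    """0 for the apex, 1 for www.example.com, 2 for dev.www.example.com;
    -1 if the hostname is not inside the zone at all."""
    hostname = hostname.lower().rstrip(".")
    zone = zone.lower().rstrip(".")
    if hostname == zone:
        return 0
    if not hostname.endswith("." + zone):
        return -1
    return hostname[: -len(zone) - 1].count(".") + 1


def covered_by_universal_ssl(hostname: str, zone: str) -> bool:
    """True if one of the Universal SSL SANs matches the hostname."""
    return any(san_matches(san, hostname) for san in universal_ssl_sans(zone))


def coverage_report(hostnames: List[str], zone: str) -> Dict[str, str]:
    """Map each hostname to what it needs, using the options the text lists."""
    report = {}
    for host in hostnames:
        level = subdomain_level(host, zone)
        if level < 0:
            report[host] = "outside zone"
        elif covered_by_universal_ssl(host, zone):
            report[host] = "Universal SSL"
        else:
            report[host] = "Advanced Certificate Manager or Custom SSL"
    return report


if __name__ == "__main__":
    for host, verdict in coverage_report(SAMPLE_HOSTNAMES, SAMPLE_ZONE).items():
        print(f"{host:28} level={subdomain_level(host, SAMPLE_ZONE):>2}  {verdict}")
```

Running the script lists each hostname with its subdomain level and whether the Universal SSL certificate covers it; anything at level 2 or deeper lands in the Advanced Certificate Manager or Custom SSL bucket, which is exactly the browser-side failure (certificate does not match the name) a visitor would otherwise see.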
Universal SSL uses Server Name Indication (SNI) certificates with Elliptic Curve Digital Signature Algorithm (ECDSA). It is possible for Cloudflare Support to enable non-SNI support for domains on Pro, Business, or Enterprise plans for Universal, Dedicated, Custom, or Custom Hostname certificates. SNI and ECDSA certificates work with the following modern browsers:
Desktop browsers installed on Windows Vista or OS X 10.6 or later:
- Internet Explorer 7
- Firefox 2
- Opera 8 (with TLS 1.1 enabled)
- Google Chrome v5.0.342.0
- Safari 2.1
Mobile browsers:
- Mobile Safari for iOS 4.0
- Android 3.0 (Honeycomb) and later
- Windows Phone 7
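Whether a client sends SNI is visible in the first bytes of its TLS ClientHello, so one way to gauge how many legacy clients would break before asking Support for non-SNI support is to look for the server_name extension in captured handshakes. The following is an added example, not Cloudflare's code or a Cloudflare tool: it builds two constructed ClientHello records, one carrying the server_name extension and one with no extensions block at all (as a pre-SNI client sends), and parses them back with a minimal handshake parser. `build_client_hello`, `extract_sni` and the sample byte values are chosen for this example.

```python
import struct
from typing import Optional

# Constructed sample values (not a capture): two cipher suites and a
# signature_algorithms extension, so the parser has to walk past unrelated
# data before it reaches server_name.
SAMPLE_SUITES = b"\xc0\x2b\xc0\x2f"    # ECDHE-ECDSA / ECDHE-RSA AES-128-GCM
SAMPLE_SIGALGS = b"\x00\x02\x04\x03"   # list of one: ecdsa_secp256r1_sha256


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a TLS 1.2 ClientHello record. With server_name=None the
    extensions block is omitted entirely, which is what clients that
    predate SNI do."""
    body = b"\x03\x03" + bytes(32)           # client_version + (zeroed) random
    body += b"\x00"                           # empty session_id
    body += struct.pack("!H", len(SAMPLE_SUITES)) + SAMPLE_SUITES
    body += b"\x01\x00"                       # one compression method: null
    if server_name is not None:
        exts = struct.pack("!HH", 0x000D, len(SAMPLE_SIGALGS)) + SAMPLE_SIGALGS
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni = struct.pack("!H", len(entry)) + entry              # server_name_list
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension, or None if the
    ClientHello carries no SNI. Raises ValueError if the bytes are not a
    ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                    # skip version + random
    off += 1 + body[off]                            # session_id
    (cs_len,) = struct.unpack("!H", body[off:off + 2])
    off += 2 + cs_len                               # cipher_suites
    off += 1 + body[off]                            # compression_methods
    if off >= len(body):
        return None                                 # no extensions block: legacy client
    (ext_len,) = struct.unpack("!H", body[off:off + 2])
    off += 2
    end = off + ext_len
    while off + 4 <= end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype != 0x0000:
            continue                                # not server_name
        (list_len,) = struct.unpack("!H", data[:2])
        p = 2
        while p + 3 <= 2 + list_len:
            ntype = data[p]
            (nlen,) = struct.unpack("!H", data[p + 1:p + 3])
            name = data[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == 0:                          # host_name
                return name.decode("ascii")
    return None


def needs_non_sni_support(record: bytes) -> bool:
    """True when this client could not be served by an SNI-only certificate."""
    return extract_sni(record) is None


if __name__ == "__main__":
    for label, hello in (("modern client", build_client_hello("www.example.com")),
                         ("legacy client", build_client_hello(None))):
        print(label, "SNI =", extract_sni(hello),
              "needs non-SNI:", needs_non_sni_support(hello))
```

Pointed at real captures, only the parser half is needed: feed it the first TLS record of each client connection and count how many return None. A non-trivial count is the signal that non-SNI support is worth requesting before cutting over, since those clients would otherwise receive whatever default certificate the edge serves without a name.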
Should I disable Universal SSL?
Some Cloudflare customers need to manage their own SSL certificates in order to comply with the standard operating procedures or policies of their organization. Other customers only trust specific Certificate Authorities (CAs) and exclude the CAs Cloudflare uses to provision SSL certificates. Such customers can disable Universal SSL via the SSL/TLS app of the Cloudflare dashboard after first uploading their own Custom SSL certificates.
What happens if I disable Universal SSL?
Disabling Universal SSL removes a domain’s Universal SSL certificates from the Cloudflare network. Cloudflare will not order or renew Universal SSL certificates until Universal SSL is re-enabled.
Errors occur when visiting a domain that uses the following features while the site's SSL (Universal and Custom) is disabled through Cloudflare:
- Always Use HTTPS
- Opportunistic Encryption
- Any Page Rules redirecting traffic to HTTPS
Similarly, any HTTP to HTTPS redirect at the origin web server causes errors for site visitors.
How do I disable Universal SSL?
To disable Universal SSL:
1. Log in to the Cloudflare dashboard.
2. Click the appropriate Cloudflare account for the domain where you want to disable Universal SSL.
3. Ensure the proper domain is selected.
4. Click the SSL/TLS app.
5. Scroll to the Disable Universal SSL section.
6. Click Disable Universal SSL and an Acknowledgement dialog appears.
7. Read the warnings in the Acknowledgement.
8. Check I Understand and click Confirm.