Understanding Universal SSL

Learn the benefits and limitations of Cloudflare’s free Universal SSL certificates and determine when Universal SSL is appropriate for your domain.


Universal SSL refers to the free SSL certificate that Cloudflare issues to customers within 24 hours of their domain activation and requires proxying traffic through Cloudflare in order to provision the certificate.

A Universal SSL Status of SSL authorizing is displayed in the Cloudflare SSL/TLS app when the Certificate Authority is still processing the certificate for the domain.

Universal SSL is only used to encrypt traffic between a site visitor and Cloudflare and doesn’t encrypt traffic between Cloudflare and the origin web server.

For details on encryption between Cloudflare and your origin web server, review our guides on SSL modes and Cloudflare Origin Certificates.

Universal SSL provisioning time strictly depends on certain security checks and other requirements mandated by Certificate Authorities (CA).

For sites that require an SSL certificate prior to migrating traffic to Cloudflare, purchase a Dedicated SSL Certificate or upload a Custom SSL certificate before proxying traffic to Cloudflare.

Origin web server SSL certificates are not required for Cloudflare to issue a Universal SSL certificate. However, Cloudflare recommends installing a Cloudflare Origin Certificate to ensure communication is encrypted between Cloudflare and your origin web server.

To guarantee SSL encryption between Cloudflare and your origin web server, set the SSL Mode in the Cloudflare SSL/TLS app to either Full or Full (strict).

If the origin web server lacks an installed SSL certificate, setting the SSL/TLS app to either Full or Full (strict) causes 521 or other 5XX errors for site visitors.

For additional SSL technical details, check out our blog post: Introducing Universal SSL.


Universal SSL certificates are limited by:

  • the hostnames they cover, and
  • the client browsers they support.

Hostname coverage

Universal SSL certificates only support SSL for the root or first-level subdomains such as example.com and www.example.com. To enable SSL support on second, third, and fourth level subdomains such as dev.www.example.com or app3.dev.www.example.com, you can:

Browser support

Universal SSL uses Server Name Indication (SNI) certificates with Elliptic Curve Digital Signature Algorithm (ECDSA).  It is possible for Cloudflare Support to enable non-SNI support for domains on Pro, Business, or Enterprise plans for Universal, Dedicated, Custom, or Custom Hostname certificates.  SNI and ECDSA certificates work with the following modern browsers:

Desktop Browsers installed on Windows Vista or OS X 10.6 or later:

  • Internet Explorer 7
  • Firefox 2
  • Opera 8 (with TLS 1.1 enabled)
  • Google Chrome v5.0.342.0
  • Safari 2.1

Mobile Browsers:

  • Mobile Safari for iOS 4.0
  • Android 3.0 (Honeycomb) and later
  • Windows Phone 7

Should I disable Universal SSL?

Some Cloudflare customers need to manage their own SSL certificates in order to comply with the standard operating procedures or policies of their organization. Other customers only trust specific Certification Authorities (CA) and exclude the CAs Cloudflare uses to provision SSL certificates. Such customers can disable Universal SSL via the SSL/TLS app of the Cloudflare dashboard after first uploading their own Custom SSL certificates.

What happens if I disable Universal SSL?

Disabling Universal SSL removes a domain’s Universal SSL certificates from the Cloudflare network. Cloudflare will not order or renew Universal SSL certificates until Universal SSL is re-enabled.

Errors occur when visiting a domain that uses the following features while the site's SSL (Universal and Custom) is disabled through Cloudflare:

  • HSTS
  • Always Use HTTPS
  • Opportunistic Encryption
  • Any Page Rules redirecting traffic to HTTPS

Similarly, any HTTP to HTTPS redirect at the origin web server causes errors for site visitors.

To avoid errors with traffic to your site, upload a custom certificate or purchase a dedicated SSL certificate before disabling Universal SSL.

How do I disable Universal SSL?

To disable Universal SSL:

1. Log in to the Cloudflare dashboard.

2. Click the appropriate Cloudflare account for the domain where you want to disable Universal SSL.

3. Ensure the proper domain is selected.

4. Click the SSL/TLS app.

5. Scroll to the Disable Universal SSL section.

6. Click Disable Universal SSL and an Acknowledgement dialog appears.

7. Read the warnings in the Acknowledgement.

8. Check I Understand and click Confirm.

Related resources

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk