English (US) Deutsch Español (España) Français (France) 日本語 한국어 Português do Brasil 简体中文

Cloudflare Help Center

Detailed system status >

Articles in this section

Connect with the Cloudflare Community

Get answers

Understanding Universal SSL

  • Updated

Learn the benefits and limitations of Cloudflare’s free Universal SSL certificates and determine when Universal SSL is appropriate for your domain.

Overview

Universal SSL refers to the free SSL certificate that Cloudflare issues to customers within 24 hours of their domain activation and requires proxying traffic through Cloudflare in order to provision the certificate.

Universal SSL is only used to encrypt traffic between a site visitor and Cloudflare and doesn’t encrypt traffic between Cloudflare and the origin web server. For details on encryption between Cloudflare and your origin web server, review SSL/TLS encryption modes and Cloudflare Origin Certificates.

Universal SSL provisioning time strictly depends on certain security checks and other requirements mandated by Certificate Authorities (CA).

For sites that require an SSL certificate prior to migrating traffic to Cloudflare, purchase a Dedicated SSL Certificate or upload a Custom SSL certificate before proxying traffic to Cloudflare.

Origin web server SSL certificates are not required for Cloudflare to issue a Universal SSL certificate. However, Cloudflare recommends installing a Cloudflare Origin Certificate to ensure communication is encrypted between Cloudflare and your origin web server.

To guarantee SSL encryption between Cloudflare and your origin web server, set the SSL/TLS encryption mode in the Cloudflare SSL/TLS app to either Full or Full (strict).

If the origin web server lacks an installed SSL certificate, setting the SSL/TLS app to either Full or Full (strict) causes 521 or other 5XX errors for site visitors.

Limitations

Universal SSL certificates are limited by the hostnames they cover and the client browsers they support.

Be cautious when using Certificate Pinning with Cloudflare managed certificates. When we renew your SSL certificate prior to expiry; this will break applications using a pinned certificate.

Hostname coverage

Full Setup

Universal SSL certificates only support SSL for the root or first-level subdomains such as example.com and www.example.com. To enable SSL support on second, third, and fourth level subdomains such as dev.www.example.com or app3.dev.www.example.com, you can:

CNAME Setup

On a CNAME setup zone, a Universal SSL certificate is deployed per proxied sub-domain. This means multi-level sub-domains will have their own Universal SSL certificate deployed, unlike the Full Setup, and do not require additional features for support.

Browser support

Universal SSL uses Server Name Indication (SNI) certificates with Elliptic Curve Digital Signature Algorithm (ECDSA).  It is possible for Cloudflare Support to enable non-SNI support for domains on Pro, Business, or Enterprise plans for Universal, Dedicated, Custom, or Custom Hostname certificates.  SNI and ECDSA certificates work with the following modern browsers:

Desktop Browsers installed on Windows Vista or OS X 10.6 or later:

  • Internet Explorer 7
  • Firefox 2
  • Opera 8 (with TLS 1.1 enabled)
  • Google Chrome v5.0.342.0
  • Safari 2.1

Mobile Browsers:

  • Mobile Safari for iOS 4.0
  • Android 3.0 (Honeycomb) and later
  • Windows Phone 7

Disabling Universal SSL

Some Cloudflare customers need to manage their own SSL certificates in order to comply with the standard operating procedures or the policies of their organization. Other customers only trust specific Certification Authorities (CA) and exclude the CAs Cloudflare uses to provision SSL certificates. You can disable Universal SSL via the SSL/TLS app of the Cloudflare dashboard after first uploading their own Custom SSL certificates.

What happens if I disable Universal SSL?

Disabling Universal SSL removes a domain’s Universal SSL certificates from the Cloudflare network. Cloudflare will not order or renew Universal SSL certificates until Universal SSL is re-enabled.

Errors might occur when visiting a domain that uses the following features while the site's SSL (Universal and Custom) is disabled through Cloudflare:

  • HSTS
  • Always Use HTTPS
  • Opportunistic Encryption
  • Any Page Rules redirecting traffic to HTTPS
  • Any HTTP to HTTPS redirects at the origin web server

To avoid errors with traffic to your site, upload a custom certificate or purchase a dedicated SSL certificate before disabling Universal SSL.

How do I disable Universal SSL?

To disable Universal SSL:

  1. Log in to the Cloudflare dashboard.
  2. Click the appropriate Cloudflare account for the domain where you want to disable Universal SSL.
  3. Ensure the proper domain is selected.
  4. Click the SSL/TLS app.
  5. Scroll to the Disable Universal SSL section.
  6. Click Disable Universal SSL and an Acknowledgement dialog appears.
  7. Read the warnings in the Acknowledgement.
  8. Check I Understand and click Confirm.

Related Resources

Not finding what you need?

Searching can help answer 95% of support questions. This is the quickest way to get answers.

Ask the Community Submit a request

Related articles

Not finding what you need?

Searching can help answer 95% of support questions. This is the quickest way to get answers.

Ask the Community Submit a request