Understanding Custom SSL certificate packs

Certificate packs allow Cloudflare to fall back to a different SSL certificate for visitors who do not support the latest standards.


Cloudflare lets you upload Custom SSL certificates with different signature algorithms, such as SHA-2 ECDSA, SHA-2 RSA, or SHA-1 RSA, into certificate packs. The Cloudflare SSL/TLS app automatically groups Custom SSL certificates that share the same hostnames and wildcards in the common name (CN) or subject alternative name (SAN) and serves the proper certificate to visitors based on their browser's crypto capabilities. Multiple certificates for the same hostnames only count as 1 SSL certificate against your Custom SSL quota.

You cannot delete the primary certificate if secondary certificates are present in the pack.

Visitors using recent versions of Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, etc. see a SHA-2 ECDSA certificate. Old browsers such as Internet Explorer 6 see a SHA-1 certificate instead.

SHA-2 consists of six hash functions with digests (hash values) that are either 224, 256, 384, or 512 bits in length. If you upload a SHA-512 RSA certificate, it is counted as the SHA-2 RSA certificate in the pack.
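
The grouping and slot rules described above can be modeled in a few lines. This is an added example, not Cloudflare's code: the record fields, the function names, the one-certificate-per-slot rule and the preference order are assumptions, and the certificate records are constructed sample data.

```python
from collections import defaultdict

# Signature algorithm names as printed by `openssl x509 -text`, mapped to pack slots.
SLOTS = {
    "ecdsa-with-SHA256": "SHA-2 ECDSA",
    "ecdsa-with-SHA384": "SHA-2 ECDSA",
    "sha256WithRSAEncryption": "SHA-2 RSA",
    "sha384WithRSAEncryption": "SHA-2 RSA",
    "sha512WithRSAEncryption": "SHA-2 RSA",  # any SHA-2 digest size lands in the same slot
    "sha1WithRSAEncryption": "SHA-1 RSA",
}
PREFERENCE = ["SHA-2 ECDSA", "SHA-2 RSA", "SHA-1 RSA"]  # assumed order, strongest first

# Constructed sample records (hypothetical field names), not real certificates.
CERTS = [
    {"name": "ecdsa-p256", "hostnames": ["example.com", "*.example.com"], "sig_alg": "ecdsa-with-SHA256"},
    {"name": "rsa-sha512", "hostnames": ["*.example.com", "EXAMPLE.com"], "sig_alg": "sha512WithRSAEncryption"},
    {"name": "rsa-sha1", "hostnames": ["example.com", "*.example.com"], "sig_alg": "sha1WithRSAEncryption"},
    {"name": "api-rsa", "hostnames": ["api.example.net"], "sig_alg": "sha256WithRSAEncryption"},
]

def build_packs(certs):
    """Group certificates that cover the same hostname set into one pack."""
    packs = defaultdict(dict)
    for cert in certs:
        slot = SLOTS.get(cert["sig_alg"])
        if slot is None:
            raise ValueError(f"unsupported signature algorithm: {cert['sig_alg']}")
        key = frozenset(h.lower() for h in cert["hostnames"])
        if slot in packs[key]:  # assumption: one certificate per slot in a pack
            raise ValueError(f"pack already holds a {slot} certificate")
        packs[key][slot] = cert["name"]
    return dict(packs)

def select_certificate(pack, client_slots):
    """Pick the first slot, in preference order, that the client can verify."""
    for slot in PREFERENCE:
        if slot in pack and slot in client_slots:
            return pack[slot]
    return None  # no certificate in the pack matches the client

if __name__ == "__main__":
    packs = build_packs(CERTS)
    print("packs counted against quota:", len(packs))
    main_pack = packs[frozenset({"example.com", "*.example.com"})]
    print("modern client:", select_certificate(main_pack, set(PREFERENCE)))
    print("SHA-1-only client:", select_certificate(main_pack, {"SHA-1 RSA"}))
```

Listing which packs still hold a SHA-1 RSA slot this way shows where the legacy fallback remains in place.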
