Understanding Keyless SSL

Keyless SSL is a server-side security technology that allows customers to retain sole custody of their SSL private keys while using Cloudflare's performance and security features for HTTPS traffic.

Keyless SSL was developed by a world-class team of cryptographers, systems engineers, and network specialists at Cloudflare. Keyless SSL is covered by various US patents. World leaders in application security and cryptography have audited Cloudflare’s Keyless SSL, including iSEC Partners and Matasano Security (both part of the NCC Group).

Keyless SSL is only available to Enterprise customers that maintain their own SSL certificate purchased from a valid Certificate Authority. Cloudflare does not supply any certificates for use with Keyless SSL.

Cloudflare continually expands the operating systems and distributions supported with pre-packaged keyless client software packages.

Keyless SSL benefits

Some organizations go to great lengths to protect their private keys and deploy expensive Hardware Security Modules (HSMs) or other controls. These customers wish to retain their current protections while moving more of their infrastructure to the cloud. Keyless SSL makes it easier for customers in regulated industries to use Cloudflare. Website visitors benefit from faster access to Cloudflare-enabled websites while keeping the privacy protection of SSL.

Keyless SSL and site performance

Keyless SSL adds a slight latency to the initial client connection. The exact latency depends on the network latency between the Cloudflare edge server and the customer's origin website, but is typically in the tens or hundreds of milliseconds. Cloudflare has two main technologies to help mitigate the potential performance impact of Keyless SSL:

1. Session cache and session tickets: allow Keyless SSL to reuse previously negotiated symmetric session keys without requiring a new connection to the Keyless SSL client.

2. Persistent connections: allow the connection between the keyless client and Cloudflare's infrastructure to remain open permanently, eliminating connection setup overhead.

The performance differential between Cloudflare Keyless SSL and origin-terminated SSL varies based on latency between the end user, Cloudflare, and the origin. In many cases, Keyless SSL is faster even for an SSL client's first connection. On subsequent connections, Cloudflare Keyless SSL is generally faster than direct-to-origin SSL connections.
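To make the session-cache point concrete, here is an added Go model (not Cloudflare's keyless client and not code from this article) in which a key server holds the private key and an edge holds only the public key plus a session cache: a full handshake costs one signing round-trip to the key server, while a cache hit costs none. The Ed25519 key, the session IDs and the call counter are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// KeyServer models the customer-side keyless client; the private key never leaves it.
type KeyServer struct {
	key   ed25519.PrivateKey
	Calls int // signing round-trips made by the edge (constructed metric)
}

func (k *KeyServer) Sign(transcript []byte) []byte {
	k.Calls++
	return ed25519.Sign(k.key, transcript)
}

// Edge models a Cloudflare edge: certificate public key and session cache, no private key.
type Edge struct {
	pub      ed25519.PublicKey
	ks       *KeyServer
	sessions map[string]bool
}

// Handshake reports true on a session-cache hit (no key-server round trip) and
// false when a full handshake needed a remote signature over the transcript.
func (e *Edge) Handshake(sessionID string, transcript []byte) (bool, error) {
	if e.sessions[sessionID] {
		return true, nil
	}
	sig := e.ks.Sign(transcript) // the only step that needs the private key
	// Verify with the public key, as a browser would, before caching the session.
	if !ed25519.Verify(e.pub, transcript, sig) {
		return false, errors.New("key server returned an invalid signature")
	}
	e.sessions[sessionID] = true
	return false, nil
}

// NewDeployment returns a key server with a fresh key and an edge given only the public half.
func NewDeployment() (*Edge, *KeyServer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ks := &KeyServer{key: priv}
	return &Edge{pub: pub, ks: ks, sessions: map[string]bool{}}, ks, nil
}
```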

For further information, refer to our blog post on the Keyless SSL technical details.
