Understand common terms used to describe Cloudflare’s SSL certificates and features.
This article defines the following terms:
SSL certificates enable encryption over HTTPS for traffic between a client and a website. SSL certificates contain the website's public key and the website's identity along with related information. Devices attempting to communicate with the origin web server reference the SSL certificate to obtain the public key and verify the server's identity. Cloudflare provides a Universal SSL certificate for each active Cloudflare domain.
Certificate Authority (CA)
A CA is a trusted third party that provides SSL certificates for encrypting network traffic.
Certification Authority Authorization (CAA) record
A CAA record declares which CAs are allowed to issue an SSL certificate for a domain. Refer to our CAA FAQ for additional details.
Certificate packs allow Cloudflare to fallback to a different SSL certificate for browsers that do not support the latest standards. Certificate packs allow Custom SSL certificates to contain different signature algorithms for the same hostnames listed within the SSL certificate without taking up additional Custom SSL certificate quota for your Cloudflare account.
A cipher suite is a set of encryption algorithms for establishing a secure communications connection. There are several cipher suites in wide use, and a client and server agree on the cipher suite to use when establishing the TLS connection. Support of multiple cipher suites allows compatibility across various clients.
An encryption algorithm is a set of mathematical operations performed on data to ensure the data is only understood by the intended recipient.
Extended Validation (EV) certificate
EV certificates provide maximum trust to visitors, but require the most validation effort by the CA. EV certificates show the name of the company or organization in the address bar of the visitor’s browser. An EV certificate requires additional documentation by the company or organization in order for the CA to approve the certificate.
For security purposes, CAs issue intermediate certificates for signing website certificates. Intermediate certificates provide a means for the CA to revoke a single intermediate certificate, thus affecting only a small subset of website certificates.
Organization Validated (OV)
OVs are used by corporations or governments to portray an extra layer of confidence for their visitors. Rather than just validating domain ownership, the CA also validates the company’s registration using qualified independent information sources. The organization’s name is listed in the certificate.
Primary certificate / secondary certificate
Primary and Secondary indicates the order in which Custom SSL certificates were uploaded to Cloudflare. The primary certificate is the first certificate added to a pack. The primary certificate defines the hostnames covered by the certificate.
A protocol is a set of rules governing the exchange or transmission of data between devices.
Public key / private key
SSL public and private keys are essentially long strings of characters used for encrypting and decrypting data. Data encrypted with the public key can only be decrypted with the private key, and vice versa. Private keys are kept secret and unshared. See Certificate also.
A root certificate is generated by a CA and is used to sign certificates. Every browser includes a root store of trusted root certificates. Any certificate signed with the private key of a root certificate is automatically trusted by a browser.
Secure Sockets Layer (SSL)
SSL was a widely used cryptographic protocol for providing data security for Internet communications. SSL was superseded by TLS; however, most people still refer to Internet cryptographic protocols as SSL.
Server Name Indication (SNI)
SNI allows a server to host multiple TLS Certificates for multiple websites using a single IP address. SNI adds the website hostname in the TLS handshake to inform the server which website to present when using shared IPs. Cloudflare uses SNI for Dedicated SSL certificates and all Universal SSL certificates. Refer to our guide for details on modern SNI browser support.
Subject Alternative Name (SAN)
The SAN field of an SSL certificate specifies additional host names (sites, IP addresses, common names, subdomains, root domains, etc.) protected by a single SSL Certificate.
Transport Layer Security (TLS)
TLS is a security protocol that replaces SSL for data privacy and Internet communication security. TLS encrypts communications between web applications and servers such as between a visitor’s browser loading a website.