---
title: Cloudflare SSL/TLS
description: Cloudflare SSL/TLS offers free Universal SSL alongside advanced and enterprise features to meet your encryption and certificate management needs.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Cloudflare SSL/TLS

Encrypt your web traffic to prevent data theft and other tampering.

 Available on all plans 

Through [Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/), Cloudflare is the first Internet performance and security company to offer free SSL/TLS protection. Cloudflare SSL/TLS also provides a number of other features to meet your encryption requirements and certificate management needs. Refer to [Get started](https://developers.cloudflare.com/ssl/get-started/) for more.

---

## Features

### Total TLS

Extending the protection offered by Universal SSL, Total TLS is an easy way to automatically issue certificates for all levels of subdomains that you have.

[ Use Total TLS ](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/) 

### Delegated DCV

Even if you use a different provider for authoritative DNS, you can delegate domain control validation (DCV) to Cloudflare, reducing the need for manual intervention at issuance and renewal.

[ Use Delegated DCV ](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/) 

### Custom TLS settings

Cloudflare also allows you to specify the minimum TLS version that visitors must use to connect to your website or application, and [restrict cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) according to your security requirements.

[ Use Custom TLS settings ](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/) 

  
Refer to [features and availability](https://developers.cloudflare.com/ssl/reference/all-features/) for a complete list of SSL/TLS features and their availability according to different Cloudflare plans.

---

## Related products

**[Cloudflare DNS](https://developers.cloudflare.com/dns/)** 

When you use Cloudflare DNS, all DNS queries for your domain are answered by Cloudflare's global anycast network. This network delivers performance and global availability.

**[Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/)** 

Cloudflare for SaaS allows you to extend the security and performance benefits of Cloudflare's network to your customers via their own custom or vanity domains.

---

---
title: Concepts
description: This page defines and articulates key concepts that are relevant to Cloudflare SSL/TLS and are used in the Cloudflare SSL/TLS documentation.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Concepts

This page defines and articulates key concepts that are relevant to Cloudflare SSL/TLS and are used in this documentation. For more concepts and broader descriptions, check out the [Cloudflare Learning Center ↗](https://www.cloudflare.com/learning/ssl/what-is-ssl/).

## SSL/TLS certificate

An SSL/TLS certificate is what enables websites and applications to establish secure connections. With SSL/TLS, a client - such as a browser - can verify the authenticity and integrity of the server it is connecting with, and use encryption to exchange information.

Since [Cloudflare's global network ↗](https://www.cloudflare.com/network/) sits between your visitors and your origin, and is at the core of several products and services that Cloudflare offers, a single request can involve two certificates rather than one: an edge certificate and an origin certificate.

### Edge certificate

The [edge certificates](https://developers.cloudflare.com/ssl/edge-certificates/) are the ones that Cloudflare presents to clients visiting your website or application. You can manage edge certificates through the [Cloudflare Dashboard ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates).

### Origin certificate

[Origin certificates](https://developers.cloudflare.com/ssl/origin-configuration/) guarantee the security and authentication on the other side of the network, between Cloudflare and the origin server of your website or application. Origin certificates are managed on your origin server.

[SSL/TLS encryption modes](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/) control whether and how Cloudflare uses both of these certificates, and you can choose between different modes on the [SSL/TLS overview page ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls).

## Validity period

Every SSL/TLS certificate has a fixed expiration date. If a certificate has expired, clients, such as your visitor's browser, will refuse to treat the connection as secure, resulting in warnings or errors.

Different [certificate authorities (CAs)](#certificate-authority-ca) support different validity periods. Cloudflare works with them to guarantee that both [Universal](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) and [Advanced](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) edge certificates are always renewed.

## Certificate authority (CA)

A [certificate authority (CA)](https://developers.cloudflare.com/ssl/reference/certificate-authorities/) is a trusted third party that issues SSL/TLS certificates. The CA digitally signs each certificate with its own private key, allowing client devices, such as your visitor's browser, to verify that the certificate is trustworthy.

As explained in the article about [what is an SSL certificate ↗](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/), this means that, besides not being expired, an SSL/TLS certificate must be issued by a certificate authority (CA) that the client trusts in order to avoid warnings or errors.

## Validation level

SSL/TLS certificates vary in terms of the level to which a CA has validated them. As explained in the article about [types of certificates ↗](https://www.cloudflare.com/learning/ssl/types-of-ssl-certificates/), SSL/TLS certificates can be DV (Domain Validated), OV (Organization Validated) or EV (Extended Validation).

Certificates issued through Cloudflare - [Universal](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/), [Advanced](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/), and [Custom Hostname](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/) certificates - are Domain Validated (DV). You can [upload a custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) if your organization needs OV or EV certificates.

  
## Origin pull

When visitors request content from your website or application, Cloudflare first attempts to [serve content from the cache ↗](https://www.cloudflare.com/learning/cdn/what-is-caching/). If this attempt fails, Cloudflare sends a request back to your origin web server to get the content. This request between Cloudflare and your origin web server is called origin pull.

This relates to the difference between [edge certificates](#edge-certificate) and [origin certificates](#origin-certificate), and also explains why some specifications such as [cipher suites](#cipher-suites) can be set differently depending on whether they refer to the connection between Cloudflare and your visitor's browser or between Cloudflare and your origin server.

## Cipher suites

Besides the authentication and integrity guarantees that valid certificates provide, the other essential aspect of SSL/TLS is encryption. A cipher suite is the set of algorithms (key exchange, authentication, bulk encryption, and message integrity) that client and server negotiate during an [SSL/TLS handshake ↗](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) and then use to protect the connection.

For the purpose of this documentation, keep in mind that [cipher suites supported at Cloudflare's network](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/) may not be the same as [cipher suites presented by Cloudflare to your origin server](https://developers.cloudflare.com/ssl/origin-configuration/cipher-suites/).

## Trust store

The set of [certificate authority (CA)](#certificate-authority-ca) root and intermediate certificates that an operating system, web browser, or other piece of software trusts when it validates an SSL/TLS certificate is called a trust store. Cloudflare maintains its trust store in a public [GitHub repository ↗](https://github.com/cloudflare/cfssl_trust).

While for most cases you do not have to worry about this list or how it is used when a client checks your SSL/TLS certificate, some features such as [Custom Origin Trust Store](https://developers.cloudflare.com/ssl/origin-configuration/custom-origin-trust-store/), and processes such as [bundle methodologies](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/bundling-methodologies/), are directly related to it.

## Chain of trust

Depending on your organization's requirements, or when troubleshooting an issue with your certificates, you might come across the terms root certificate, intermediate certificate, and leaf certificate.

These terms describe how the certificate presented to a client, the leaf certificate, must be traceable back to a trusted certificate authority (CA) certificate, the [root certificate ↗](https://en.wikipedia.org/wiki/Root%5Fcertificate), through zero or more intermediate certificates, each of which signs the next one down. This structure is called a [chain of trust ↗](https://en.wikipedia.org/wiki/Chain%5Fof%5Ftrust). A client only needs the root in its trust store; the server is expected to send the leaf and any intermediates during the handshake.
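The following shell script is an added example, not code from Cloudflare's documentation. It builds a root, an intermediate, and a leaf certificate with the `openssl` CLI (the subject names `Example Root CA`, `Example Intermediate CA`, and `www.example.com` are made up), verifies the leaf against a trust store that holds only the root, and shows what happens when the intermediate is not supplied. It also runs the expiry check that the validity period section above is about.

```shell
#!/bin/sh
# Added example, not Cloudflare code. Builds root -> intermediate -> leaf with
# the openssl CLI and verifies the chain as a client with a trust store would.
# Subject names (Example Root CA, www.example.com) are made up.
set -eu

# Key pair plus CSR for a subject. $1 dir, $2 file prefix, $3 common name
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
    -out "$1/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
}

# Sign a CSR with a CA key. $1 dir, $2 subject prefix, $3 CA prefix, $4 extension file, $5 days
sign_csr() {
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -out "$1/$2.pem" -days "$5" -extfile "$4" >/dev/null 2>&1
}

build_chain() {
  dir="$1"
  mkdir -p "$dir"

  # Root: self-signed CA certificate. This is what a trust store holds.
  new_csr "$dir" root "Example Root CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/root.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -out "$dir/root.pem" \
    -days 3650 -extfile "$dir/root.ext" >/dev/null 2>&1

  # Intermediate: CA certificate signed by the root; pathlen:0 means it may only sign leaves.
  new_csr "$dir" int "Example Intermediate CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/int.ext"
  sign_csr "$dir" int root "$dir/int.ext" 1825

  # Leaf: the end-entity certificate a server presents, signed by the intermediate.
  new_csr "$dir" leaf "www.example.com"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\nextendedKeyUsage=serverAuth\n' > "$dir/leaf.ext"
  sign_csr "$dir" leaf int "$dir/leaf.ext" 90
}

# A client that trusts only the root, given the intermediate as a server would
# send it in the handshake. Exit status 0 means the chain validates.
verify_leaf() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same client, but the intermediate was not sent: the chain cannot reach the root.
verify_leaf_without_intermediate() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Validity period check: exit 0 if the certificate is still valid $2 seconds from now.
not_expiring_within() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

main() {
  d=$(mktemp -d)
  build_chain "$d"
  verify_leaf "$d" && echo "leaf + intermediate against root: OK"
  verify_leaf_without_intermediate "$d" || echo "leaf alone against root: FAILED (intermediate missing)"
  not_expiring_within "$d/leaf.pem" 86400 && echo "leaf is valid for at least one more day"
  rm -rf "$d"
}

main "$@"
```

Both `openssl verify` calls use the same trust store; only the second omits the intermediate. That is the usual cause of a certificate that validates on the server where it was installed but fails in a browser, and it is what the bundling methodologies linked above are meant to avoid.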

---

---
title: Get started
description: Follow the steps below to enable SSL/TLS protection for your application.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Get started

Follow the steps below to enable SSL/TLS protection for your application.

## Before you begin

* [Create an account and register an application](https://developers.cloudflare.com/fundamentals/account/)

## Choose an edge certificate

As explained in the [concepts page](https://developers.cloudflare.com/ssl/concepts/#ssltls-certificate), edge certificates are the SSL/TLS certificates that Cloudflare presents to your visitors.

Cloudflare offers a variety of options for your application's edge certificates:

* [**Universal certificates**](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/):  
By default, Cloudflare issues — and [renews](https://developers.cloudflare.com/ssl/reference/certificate-validity-periods/#universal-ssl) — free, unshared, publicly trusted SSL certificates to all domains [added to](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) and [activated on](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/) Cloudflare.
* [**Advanced certificates**](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/):  
Use advanced certificates when you want something more customizable than [Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) but still want the convenience of SSL certificate issuance and renewal.
* [**Custom certificates**](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/):  
Custom certificates are meant for Business and Enterprise customers who want to use their own SSL certificates.
* [**Keyless certificates**](https://developers.cloudflare.com/ssl/keyless-ssl/) (Enterprise only):  
Keyless SSL allows security-conscious clients to upload their own custom certificates and benefit from Cloudflare, but without exposing their TLS private keys.

Refer to [Edge certificates](https://developers.cloudflare.com/ssl/edge-certificates/) for more information on how different certificate types can respond to common use cases.

For SaaS providers

Cloudflare for SaaS allows you to extend the security and performance benefits of Cloudflare's network to your customers via their own custom or vanity domains.

For more details, refer to [Cloudflare for SaaS (managed hostnames)](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/).

## Choose your encryption mode

Once you have chosen your edge certificate, [choose an encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/).

Encryption modes specify how Cloudflare encrypts connections between (a) visitors and Cloudflare, and (b) Cloudflare and your origin server. For more context about this two-part process refer to the [concepts page](https://developers.cloudflare.com/ssl/concepts/#ssltls-certificate).

Note that some encryption modes will require you to have a valid [origin certificate](https://developers.cloudflare.com/ssl/concepts/#origin-certificate), which is managed on your origin server. Each encryption mode setup page lists out this and other requirements and you can also [consider other Cloudflare options to use with your origin server](https://developers.cloudflare.com/ssl/origin-configuration/), such as [Origin CA certificates](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/).

## Enforce HTTPS connections

Even if your application has an active edge certificate, visitors can still access resources over unsecured HTTP connections.

Using various Cloudflare settings, however, you can force all or most visitor connections to [use HTTPS](https://developers.cloudflare.com/ssl/edge-certificates/encrypt-visitor-traffic/).

## SEO considerations

Using HTTPS can improve user trust and may be used as a ranking signal by search engines. For related guidance, refer to [Improve SEO](https://developers.cloudflare.com/fundamentals/performance/improve-seo/).

## Optional - Enable additional features

After you have chosen your encryption mode and enforced HTTPS connections, evaluate the following settings:

* [Edge certificates](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/): Customize different aspects of your edge certificates, from enabling **Opportunistic Encryption** to specifying a **Minimum TLS Version**.
* [Authenticated origin pull](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/): Ensure all requests to your origin server originate from the Cloudflare network.
* [Notifications](https://developers.cloudflare.com/notifications/notification-available/): Set up alerts related to certificate validation status, issuance, renewal, and expiration.

---

---
title: Edge certificates
description: Edge certificates are the SSL/TLS certificates that Cloudflare presents to your visitors. Consider how different certificate types align to common use cases.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Edge certificates

Consider the information below for guidance on how to choose different edge certificates for common use cases, or refer to the other pages in this section for more options.

If you are not familiar with what SSL/TLS certificates are, refer to [Concepts](https://developers.cloudflare.com/ssl/concepts/).

Note

Occasionally, the Cloudflare dashboard displays a wildcard certificate with only the apex hostname listed (and does not include the wildcard symbol `*`).

This behavior occurs when all of the following conditions are true:

* The zone is on a [subdomain setup](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/).
* The certificate has a subject or SAN that is a wildcard for the zone's parent domain.

## Use cases

### Simplify issuance and renewal

Issuing and renewing certificates can take up a lot of time from your technical teams. Leverage Cloudflare [Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) or [advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) to simplify this process.

Advanced certificates offer more customization than Universal SSL.

With [custom certificates](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/), you have full control in terms of certificate authority (CA) or certificate [validation level](https://developers.cloudflare.com/ssl/concepts/#validation-level), but you need to handle issuance and renewal on your own.

### Meet cipher suites requirements

The different algorithms used in SSL/TLS encryption can vary in terms of how secure they are.

Through [cipher suites customization](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) you can control which ciphers are used for your domain and/or specific hostnames, making it possible to achieve balance between highly available marketing websites (`www.example.com`) that even legacy devices can access and highly secure services or applications (`shop.example.com`) that require [standards compliance](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/).

Cipher suites customization applies to any edge certificate used in connections to a given hostname. However, to enable [custom cipher suites and other features](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/#advanced-certificate-manager), you must [purchase the Advanced Certificate Manager add-on ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/acm/).

If you already have Advanced Certificate Manager, use the API to set up custom cipher suites. Refer to [Customize cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) for more guidance.

### Automate domain control validation (DCV)

If you want to use Cloudflare but manage DNS externally ([partial setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/)), you may need to perform [domain control validation (DCV)](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/) to prove that you have control over your domain before your SSL/TLS certificate can be issued.

To make this process easier and automate DCV at certificate renewal, use [advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) and set up [delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/).

---

---
title: Always Use HTTPS
description: Always Use HTTPS redirects all your visitor requests from http to https, for all subdomains and hosts in your application.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Always Use HTTPS

Always Use HTTPS redirects all your visitor requests from `http` to `https`, for all subdomains and hosts in your application.

Note

This process does not impact certificate validation. If you use [HTTP DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/), you can still enable Always Use HTTPS.

Cloudflare recommends not performing redirects at your origin web server, as this can cause [redirect loop errors](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/).

## Availability

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | Yes  | Yes | Yes      | Yes        |

## Encrypt all visitor traffic

To redirect traffic for all subdomains and hosts in your application, you can enable **Always Use HTTPS**.

Note

If only some parts of your application can support HTTPS traffic, do not enable **Always Use HTTPS** and use a [single redirect](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/) to selectively perform the redirect to HTTPS. Refer to [Redirect admin area requests to HTTPS](https://developers.cloudflare.com/rules/url-forwarding/examples/redirect-admin-https/) for an example.

To enable **Always Use HTTPS** in the dashboard:

1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. Make sure that your [SSL/TLS encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/off/) is not set to **Off**. When you set your encryption mode to **Off**, the **Always Use HTTPS** option will not be visible in your Cloudflare dashboard.
3. Go to the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page.
4. Turn on **Always Use HTTPS**.

To enable or disable **Always Use HTTPS** with the API:

1. Make sure that your [SSL/TLS encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/off/) **is not** set to **Off**.
2. Send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `always_use_https` as the setting name in the URI path, and the `value` parameter set to your desired setting (`"on"` or `"off"`).
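As an added example, and not Cloudflare's own code, the shell functions below send the PATCH described above and then confirm from the outside that plain-HTTP requests are redirected. They assume the zone ID in `CF_ZONE_ID` and an API token with permission to edit zone settings in `CF_API_TOKEN`; `www.example.com` is a placeholder hostname, and the response headers in the demo are constructed. The same `cf_set_zone_setting` function works for `automatic_https_rewrites` or any other zone setting that takes `"on"`/`"off"`.

```shell
#!/bin/sh
# Added example, not Cloudflare code. Turns a zone setting on or off through
# the Cloudflare API and checks that http:// requests are redirected to https://.
# Assumes CF_ZONE_ID and CF_API_TOKEN are set; www.example.com is a placeholder.
set -eu

CF_API="https://api.cloudflare.com/client/v4"

# JSON body for a zone setting. Refuses anything but on/off so a typo such as
# "yes" is never sent to the API.
setting_body() {
  case "$1" in
    on|off) printf '{"value":"%s"}' "$1" ;;
    *) echo "value must be on or off, got: $1" >&2; return 1 ;;
  esac
}

# PATCH /zones/{zone_id}/settings/{setting}, e.g. always_use_https.
# Needs network access and a valid token; not exercised offline.
cf_set_zone_setting() {
  setting="$1"
  body=$(setting_body "$2") || return 1
  curl -sS -X PATCH "$CF_API/zones/$CF_ZONE_ID/settings/$setting" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data "$body"
}

# Read HTTP response headers on stdin; succeed only if they describe a redirect
# to an https:// URL. Tolerates CRLF line endings and any header-name case.
is_https_redirect() {
  headers=$(tr -d '\r')
  status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
  location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')
  case "$status" in
    301|302|307|308) ;;
    *) return 1 ;;
  esac
  case "$location" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Live check: does a plain-HTTP request to the hostname get bounced to https://?
check_host() {
  curl -sSI "http://$1/" | is_https_redirect
}

main() {
  # Constructed header sample standing in for a real response.
  sample='HTTP/1.1 301 Moved Permanently
Location: https://www.example.com/
Server: cloudflare
'
  printf '%s' "$sample" | is_https_redirect && echo "sample headers: redirect to https OK"
  if [ $# -gt 0 ]; then
    check_host "$1" && echo "$1: redirect to https OK" || echo "$1: no https redirect"
  fi
}

main "$@"
```

Run `sh always-https.sh www.example.com` to check a live hostname after enabling the setting; `check_host` does not follow the redirect, so a loop caused by an origin that also redirects (the situation the note above warns about) shows up as a `Location` pointing back at `http://`, which `is_https_redirect` rejects.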

## Limitations

Forcing HTTPS does not resolve issues with [mixed content](https://developers.cloudflare.com/ssl/troubleshooting/mixed-content-errors/), as browsers check the protocol of included resources before making a request. You will need to use only relative links or HTTPS links on pages that you force to HTTPS. Cloudflare can automatically resolve some mixed-content links using our [Automatic HTTPS Rewrites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/automatic-https-rewrites/) functionality.

---

---
title: Automatic HTTPS Rewrites
description: Automatic HTTPS Rewrites prevents end users from seeing &#34;mixed content&#34; errors by rewriting URLs from http to https for resources or links on your web site that can be served with HTTPS.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Automatic HTTPS Rewrites

Automatic HTTPS Rewrites prevents end users from seeing "mixed content" errors by rewriting URLs from `http` to `https` for resources or links on your web site that can be served with HTTPS.

## Availability

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | Yes  | Yes | Yes      | Yes        |

## Additional details

If your site contains links or references to HTTP URLs that are also available securely via HTTPS, Automatic HTTPS Rewrites can help. If you connect to your site over HTTPS and the lock icon is not present, or has a yellow warning triangle on it, your site may contain references to HTTP assets (“mixed content”).

Mixed content is often due to factors not under the website owner’s control such as embedded third-party content or complex content management systems. By rewriting URLs from “http” to “https”, Automatic HTTPS Rewrites simplifies the task of making your entire website available over HTTPS, helping to eliminate mixed content errors and ensuring that all data loaded by your website is protected from eavesdropping and tampering.

Note

For security reasons, this feature will run on URLs pointing to `localhost` if the URL is fetching an active resource (script, iframe, link, object, etc.).

## Enable Automatic HTTPS Rewrites

To enable **Automatic HTTPS Rewrites** in the dashboard:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **Automatic HTTPS Rewrites**, switch the toggle to **On**.

To enable or disable **Automatic HTTPS Rewrites** with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `automatic_https_rewrites` as the setting name in the URI path, and the `value` parameter set to your desired setting (`"on"` or `"off"`).

Note

To use this feature on specific hostnames - instead of across your entire zone - use a [configuration rule](https://developers.cloudflare.com/rules/configuration-rules/).

## Limitations

Before a rewrite is applied, Cloudflare checks the HTTP resources to ensure they are accessible via HTTPS. If they are not available over HTTPS, Cloudflare cannot rewrite the URL.

Some resources are loaded by JavaScript or CSS via HTTP when the site is loaded in a browser. You will see mixed content warnings in those situations. To determine which URLs do not have HTTPS support, Cloudflare uses data from [EFF’s HTTPS Everywhere ↗](https://www.eff.org/https-everywhere/faq#how-do-i-add-my-own-site-to-https-everywhere) and [Chrome’s HSTS preload list ↗](https://hstspreload.org). If your zone is not on one of these lists, only active content will be rewritten. Passive content (such as images) will not be rewritten and will still cause mixed content errors.

If a third-party domain supports HTTPS and is not rewritten automatically, you can manually change those links to relative links or HTTPS links. Alternatively, you can ask the third-party domain owner to submit their site for inclusion in the HTTPS Everywhere rulesets, which [accept pull requests on GitHub ↗](https://github.com/EFForg/https-everywhere/). For more information on how to fix mixed content errors, refer to [Troubleshooting mixed content errors](https://developers.cloudflare.com/ssl/troubleshooting/mixed-content-errors/).
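To see which references Automatic HTTPS Rewrites will and will not touch on a zone that is not on those lists, the script below (an added example, not part of Cloudflare's documentation) scans an HTML document for `http://` resources and labels each as active or passive, using the same distinction as the limitations above. The sample HTML and its hostnames are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Cloudflare code. Finds http:// sub-resources in an HTML
# document and classifies them as active (scripts, frames, stylesheets,
# plugins) or passive (images, media). Sample markup below is constructed.
set -eu

# Read HTML on stdin, print one "active URL" or "passive URL" line per hit.
# Matching is per line, so a tag split across lines is not seen, and every
# <link href> is reported (a canonical link is not really mixed content).
find_mixed_content() {
  html=$(cat)
  # Active content: browsers block it outright; this is the class that
  # Automatic HTTPS Rewrites fixes even for zones not on the EFF/HSTS lists.
  printf '%s\n' "$html" \
    | grep -oiE '<(script|iframe|link|object|embed)[^>]*(src|href|data)="http://[^"]*"' \
    | sed -E 's|.*="([hH][tT][tT][pP]://[^"]*)"$|active \1|'
  # Passive content: browsers show a warning but still display it; not rewritten
  # unless the target host is on one of the lists, so fix these by hand.
  printf '%s\n' "$html" \
    | grep -oiE '<(img|audio|video|source)[^>]*src="http://[^"]*"' \
    | sed -E 's|.*="([hH][tT][tT][pP]://[^"]*)"$|passive \1|'
}

# Constructed sample: two active http:// references, one passive, one that is
# already https, and a plain navigation link (not mixed content).
SAMPLE_HTML='<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="http://cdn.example.com/app.js"></script>
<script src="https://cdn.example.com/ok.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<a href="http://www.example.com/about">About</a>
</body></html>'

main() {
  if [ $# -gt 0 ]; then
    find_mixed_content < "$1"
  else
    printf '%s\n' "$SAMPLE_HTML" | find_mixed_content
  fi
}

main "$@"
```

Run it as `sh mixed-content.sh page.html` against a saved copy of a page; anything reported as `passive` will still trigger a mixed-content warning after Automatic HTTPS Rewrites is enabled unless you change the reference yourself.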

---

---
title: Certificate Signing Requests (CSRs)
description: Generate a Certificate Signing Request (CSR) to get a custom certificate from the Certificate Authority (CA) of your choice while maintaining control of the private key on Cloudflare. The private key associated with the CSR will be generated by Cloudflare and will never leave our network.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Certificate Signing Requests (CSRs)

Generate a Certificate Signing Request (CSR) to get a custom certificate from the Certificate Authority (CA) of your choice while maintaining control of the private key on Cloudflare. The private key associated with the CSR will be generated by Cloudflare and will never leave our network.

A CSR contains the public key of the key pair Cloudflare generated, together with information about your domain: your organization name and address, the common name (domain name), and Subject Alternative Names (SANs). It is signed with the corresponding private key, so the CA can check that it was not altered in transit.

## Availability

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | No   | No  | No       | Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) |

## Types of CSRs

You can create two types of CSRs:

* **Zone-level**: Meant only for signing certificates associated with the current zone.
* **Account-level**: Meant for organizations that issue certificates across multiple domains.

## Create and use a CSR

To create a CSR:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. On **Certificate Signing Request (CSR)**, select **Generate**.
3. Choose a **Scope** (only [certain customers](#types-of-csrs) can choose **Account**).
4. Enter relevant information on the form and select **Create**.

To use a CSR:

1. On the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page, select the CSR record you just created under **Certificate Signing Request (CSR)**.
2. Copy (or select **Click to copy**) the value for **Certificate Signing Request**.
3. Obtain a certificate from the Certificate Authority (CA) of your choice using your CSR.
4. When you [upload the custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/) to Cloudflare, select an **Encoding mode** of **Certificate Signing Request (CSR)** and enter the associated value.  
Note  
You will not see the option to adjust your **Encoding Mode** until after you have created a CSR associated with the specific zone or your account.

## Renew a certificate

When you [renew a custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/renewing/), reuse the CSR that was originally used to obtain it: a certificate can only be paired with the CSR whose key it certifies.

It is not possible to pair a certificate with a different CSR. If you obtained the renewed certificate from a new CSR, upload it as a new certificate and select that new CSR.
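The checks a practitioner wants before sending a CSR to a CA and before uploading the returned certificate, as an added example that is not part of the Cloudflare docs: it reads back the fields a CSR carries (organization, common name, SANs, and whether the CSR's own signature verifies) and confirms that a certificate was issued for that CSR by comparing the public key in both, which is the pairing rule described above. It needs the third-party `cryptography` package (an assumption). Because Cloudflare keeps the private key, the key pair, the CSR and the "CA" signature below are all constructed locally as stand-ins; `example.com` and `Example Inc` are placeholders.

```python
"""Added example, not part of the Cloudflare docs: read back what a CSR
carries and confirm that the certificate a CA returns was issued for that
CSR (same public key) before uploading it. It needs the third-party
`cryptography` package (an assumption). Cloudflare keeps the private key,
so the key pair, CSR and "CA" signature below are all constructed locally
as stand-ins."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID


def csr_summary(csr):
    """Fields the docs list for a CSR: organization, common name and SANs,
    plus whether the CSR's own signature verifies."""
    org = csr.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    try:
        ext = csr.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        sans = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []
    return {
        "organization": org[0].value if org else None,
        "common_name": cn[0].value if cn else None,
        "sans": sorted(sans),
        "signature_valid": csr.is_signature_valid,
    }


def spki_fingerprint(public_key):
    """SHA-256 of the DER SubjectPublicKeyInfo; identifies the key pair."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    digest = hashes.Hash(hashes.SHA256())
    digest.update(der)
    return digest.finalize()


def cert_matches_csr(cert, csr):
    """A certificate can only be paired with the CSR whose key it certifies."""
    return spki_fingerprint(cert.public_key()) == spki_fingerprint(csr.public_key())


def make_csr(key, common_name, org, sans):
    """Stand-in for the CSR Cloudflare generates (constructed for the example)."""
    subject = x509.Name([
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])
    san = x509.SubjectAlternativeName([x509.DNSName(s) for s in sans])
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(subject)
            .add_extension(san, critical=False)
            .sign(key, hashes.SHA256()))


def self_sign(csr, key):
    """Stand-in for the CA: issues a one-day certificate for the CSR's key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject)
            .issuer_name(csr.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))


# Constructed demo data: one CSR, a certificate for it, and a certificate
# issued from a different CSR (different key) that must be rejected.
KEY = ec.generate_private_key(ec.SECP256R1())
CSR = make_csr(KEY, "example.com", "Example Inc", ["example.com", "www.example.com"])
CERT = self_sign(CSR, KEY)
OTHER_KEY = ec.generate_private_key(ec.SECP256R1())
OTHER_CERT = self_sign(make_csr(OTHER_KEY, "example.com", "Example Inc", ["example.com"]), OTHER_KEY)

if __name__ == "__main__":
    print(csr_summary(CSR))
    print("certificate pairs with CSR:", cert_matches_csr(CERT, CSR))
    print("other certificate pairs with CSR:", cert_matches_csr(OTHER_CERT, CSR))
```

With a real Cloudflare-generated CSR you would load it with `x509.load_pem_x509_csr` and the CA's certificate with `x509.load_pem_x509_certificate`; the two check functions are unchanged. The public-key comparison is the same test Cloudflare applies when you select a CSR as the encoding mode on upload, so running it first avoids a failed upload.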


---

---
title: Certificate Transparency Monitoring
description: Certificate Transparency (CT) Monitoring is an opt-in feature in public beta that aims at improving security by allowing you to double-check any SSL/TLS certificates issued for your domain.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Certificate Transparency Monitoring

Certificate Transparency (CT) Monitoring is an [opt-in](#opt-in-and-out) feature in public beta that aims at improving security by allowing you to double-check any SSL/TLS certificates issued for your domain.

CT Monitoring alerts are triggered not only by Cloudflare processes (including [backup certificates](https://developers.cloudflare.com/ssl/edge-certificates/backup-certificates/)) but whenever any [Certificate Authority (CA)](https://developers.cloudflare.com/ssl/concepts/#certificate-authority-ca) issues a certificate that covers your monitored domain and adds it to a public CT log. You can learn more about how this works in the [introductory blog post ↗](https://blog.cloudflare.com/introducing-certificate-transparency-and-nimbus/).

Aspects to consider

* If you use Cloudflare or other services that automatically issue certificates for your domain or subdomains, this may trigger CT Monitoring emails as well.
* If your domain is included in a shared certificate, you may receive notifications for domains or subdomains that do not belong to you but are included as subject alternative names (SANs) together with your domain. You can use a tool like [Certificate Search ↗](https://crt.sh/) to gather more information in such cases.
* CT Monitoring does not detect phishing attempts. For example, for `cloudflare.com`, an alert would not trigger if a certificate was issued for `cloudf1are.com` or `cloud-flare.com`.

---

## Availability

|                  | Free                | Pro                 | Business                  | Enterprise                |
| ---------------- | ------------------- | ------------------- | ------------------------- | ------------------------- |
| Availability     | Yes                 | Yes                 | Yes                       | Yes                       |
| Email Recipients | All account members | All account members | Specified email addresses | Specified email addresses |

---

## Opt in and out

Alerts are turned off by default. If you want to receive alerts, go to the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates#ct-alerting-card) page and enable **Certificate Transparency Monitoring**. If you are in a Business or Enterprise zone, select **Add Email**.

To stop receiving alerts, disable **Certificate Transparency Monitoring** or remove your email from the feature card.

---

## Emails to be concerned about

Most certificate alerts are routine. Cloudflare sends alerts whenever a certificate for your domain appears in a log. Certificates expire (and must be reissued), so it is completely normal to receive issuance emails. If your domain is listed in the email, along with reasonable ownership and certificate information, then **no action is required**.

Additionally, you should check whether the certificate was issued through Cloudflare. Cloudflare partners with [multiple CAs](https://developers.cloudflare.com/ssl/reference/certificate-authorities/) to provide certificates. To view all Cloudflare-issued certificates and backup certificates - which require no additional actions - visit the [Edge Certificates page ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) in the dashboard.

You _should_ take action when something is clearly wrong, such as if you:

* Do not recognize the certificate issuer.  
Note  
Cloudflare provisions backup certificates, so you may see a certificate listed that is not in active use for your site. The [Edge Certificates page ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) will show all certificates requested for your site.
* Have recently noticed problems with your website.
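The triage rules above, written out as code so they can be applied consistently to every alert, as an added example that is not from the Cloudflare docs. The issuer allowlist and the owned-domain set are assumptions to be replaced with your own (Cloudflare's partner CAs plus any CA you use directly); the alert entries are constructed, standing in for the issuer and SAN list an alert e-mail reports. Domain ownership is matched on a label boundary, so `notexample.com` is not mistaken for `example.com`.

```python
"""Added example, not from the Cloudflare docs: triage Certificate
Transparency alerts with the rules the section above gives. The issuer
allowlist and owned-domain set are assumptions to be replaced with your
own; the alert entries are constructed."""
from dataclasses import dataclass

# Issuers you expect for this zone. Cloudflare's partner CAs and any CA you
# use directly belong here; the set below is an assumption for the example.
EXPECTED_ISSUERS = {"Google Trust Services", "Let's Encrypt", "SSL.com"}
OWNED_DOMAINS = {"example.com"}


@dataclass(frozen=True)
class CtEntry:
    issuer: str
    sans: tuple  # subject alternative names as listed in the alert


def is_owned(name: str) -> bool:
    """True when name is one of our domains or a subdomain of one. Matching
    on a label boundary keeps notexample.com from counting as ours."""
    n = name.lower()
    if n.startswith("*."):
        n = n[2:]
    return any(n == d or n.endswith("." + d) for d in OWNED_DOMAINS)


def triage(entry: CtEntry) -> tuple:
    """Return (verdict, reason): routine, review, investigate or ignore."""
    ours = [s for s in entry.sans if is_owned(s)]
    foreign = [s for s in entry.sans if not is_owned(s)]
    if not ours:
        # Monitoring only fires for your own domain, so this should not
        # happen; guard anyway so a malformed alert is not acted on.
        return "ignore", "no SAN covers a domain we own"
    if entry.issuer not in EXPECTED_ISSUERS:
        return ("investigate",
                f"unexpected issuer {entry.issuer!r}: confirm it is not listed on the "
                "Edge Certificates page, then contact that CA")
    if foreign:
        return ("review",
                f"shared certificate also covers {foreign}: look the certificate up on crt.sh")
    return "routine", "expected issuer and only our names: no action required"


SAMPLE_ALERTS = (  # constructed alert data
    CtEntry("Google Trust Services", ("example.com", "*.example.com")),
    CtEntry("Let's Encrypt", ("example.com", "shop.partner.net")),
    CtEntry("Unknown CA Ltd", ("login.example.com",)),
    CtEntry("Let's Encrypt", ("notexample.com",)),
)


def triage_all(entries):
    """Verdict per alert, in input order."""
    return [triage(e)[0] for e in entries]


if __name__ == "__main__":
    for e in SAMPLE_ALERTS:
        print(e.issuer, e.sans, "->", triage(e))
```

An `investigate` verdict only means the issuer is not on your allowlist; as the page says, check the Edge Certificates page first, since Cloudflare may have provisioned a backup certificate from a CA you did not expect.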

---

## How to take action

### Option 1: Contact certificate authorities

Only Certificate Authorities can revoke malicious certificates. If you believe an illegitimate certificate was issued for your domain, contact the Certificate Authority listed as the **Issuer** in the email.

* [GlobalSign support ↗](https://support.globalsign.com/)
* [GoDaddy support ↗](https://www.godaddy.com/contact-us?sp%5Fhp=B)
* [Google Trust Services support ↗](https://pki.goog/faq/)
* [IdenTrust support ↗](https://www.identrust.com/support/support-team)
* [Let's Encrypt support ↗](https://letsencrypt.org/contact/)
* [Sectigo support ↗](https://sectigo.com/support)
* [SSL.com support ↗](https://www.ssl.com/submit-a-ticket/)

### Option 2: Contact domain registrars

Domain registrars may be able to **suspend** potentially malicious domains. If, for example, you notice that a malicious domain was registered through GoDaddy, contact GoDaddy’s support team to see if they can help you. Do the same for other registrars.

### Option 3: Improvise

There are other ways to combat malicious certificates. You can warn your visitors with an on-site notification or ask browser makers (Google for Chrome, etc.) to block these domains.

If someone is attempting to impersonate you online, you should absolutely take action. This is usually difficult to recognize, so exercise caution. **Remember: the vast majority of certificates are not malicious. Only take action if you believe something is wrong.**

---

## HTTP Public Key Pinning

Certificate Transparency Monitoring addresses the same problems as HTTP Public Key Pinning (HPKP), but with [fewer technical issues ↗](https://scotthelme.co.uk/im-giving-up-on-hpkp/). HPKP is deprecated and the major browsers have since removed support for it.

Cloudflare does not offer or support HPKP and advises against using it with Universal SSL.


---

---
title: Cipher suites
description: Consider information about supported cipher suites, how to meet your security requirements, and how to troubleshoot compatibility and other issues.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Cipher suites

Cipher suites are a combination of ciphers used to negotiate security settings during the [SSL/TLS handshake ↗](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) (and therefore separate from the [SSL/TLS protocol](https://developers.cloudflare.com/ssl/reference/protocols/)).

This section covers cipher suites used in connections between clients — such as your visitor's browser — and the Cloudflare network. For information about cipher suites used between Cloudflare and your origin server, refer to [Origin server > Cipher suites](https://developers.cloudflare.com/ssl/origin-configuration/cipher-suites/).

Note

Cloudflare maintains a [public repository of our SSL/TLS configurations ↗](https://github.com/cloudflare/sslconfig) on GitHub, where you can find changes in the commit history.

[RC4 cipher suites ↗](https://blog.cloudflare.com/end-of-the-road-for-rc4/) or [SSLv3 ↗](https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/) are no longer supported.

## Cipher suites and edge certificates

While the cipher suites used by default for all Cloudflare domains/zones are meant to balance security and compatibility, some of them might be considered weak by third-party testing tools, such as the Qualys SSL Labs test.

If the default option ([Legacy](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/)) does not meet your business requirements, you can [purchase the Advanced Certificate Manager add-on ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/acm/) to be able to [specify more secure cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/).

Custom cipher suites is a hostname-level setting. Once specified, the configuration is applicable to all edge certificates used to connect to the hostname(s), regardless of [certificate type](https://developers.cloudflare.com/ssl/edge-certificates/) (universal, advanced, or custom).

## Related SSL/TLS settings

Although configured independently, cipher suites interact with other SSL/TLS settings.

### Minimum TLS Version

You can specify a [minimum TLS version](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/) that is required for a client to connect to your website or application.

For example, if TLS 1.1 is selected as the minimum, visitors attempting to connect using TLS 1.0 will be rejected while visitors attempting to connect using TLS 1.1, 1.2, or 1.3 (if enabled) will be allowed.

Each cipher suite relates to a specific minimum protocol that it supports. This means that if you use a [higher security level](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/) for your cipher suites and stop supporting TLS 1.0, you should also adjust your minimum TLS version accordingly.

[Compliance standards](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/) can also require you to up the minimum TLS version accepted in connections to your website or application.
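The interaction described above can be checked before you change either setting. The following is an added example, not Cloudflare's code: given a custom cipher-suite selection and the zone's Minimum TLS Version, it reports the protocol versions the zone would still accept but for which the selection leaves no usable suite (clients on those versions fail the handshake rather than being rejected by policy), flags the TLS 1.3 names that cannot be selected individually, and suggests the minimum TLS version the selection implies. The per-suite protocol floors are taken from the TLS RFCs rather than from this page: HMAC-SHA1 CBC suites (names ending in `-SHA`) negotiate from TLS 1.0, AEAD and SHA-2 suites need TLS 1.2, and the `AEAD-*` names are the TLS 1.3 suites.

```python
"""Added example (not Cloudflare's code): check a custom cipher-suite
selection against the zone's Minimum TLS Version, as the section above
advises. Protocol floors per suite follow the TLS RFCs: HMAC-SHA1 CBC suites
(names ending in -SHA) negotiate from TLS 1.0, AEAD and SHA-2 suites need
TLS 1.2, and the AEAD-* names are the TLS 1.3 suites, which cannot be
selected individually."""

NEGOTIABLE = ("1.0", "1.1", "1.2")  # versions a custom selection applies to


def protocol_floor(suite: str) -> str:
    """Lowest TLS version at which the suite can be offered."""
    if suite.startswith("AEAD-"):
        return "1.3"
    if suite.endswith(("-GCM-SHA256", "-GCM-SHA384", "-SHA256", "-SHA384", "-POLY1305")):
        return "1.2"
    return "1.0"


def check_selection(selected, min_tls: str) -> dict:
    """Report versions still accepted under min_tls that the selection leaves
    without any usable suite, the TLS 1.3 names that cannot be set, and the
    minimum TLS version the selection actually implies. Version strings
    compare correctly as text ("1.0" < "1.1" < "1.2" < "1.3")."""
    tls13_only = [s for s in selected if protocol_floor(s) == "1.3"]
    floors = [protocol_floor(s) for s in selected if s not in tls13_only]
    dead = [v for v in NEGOTIABLE
            if v >= min_tls and not any(f <= v for f in floors)]
    implied = min(floors) if floors else "1.3"
    return {
        "dead_versions": dead,
        "tls13_only_names": tls13_only,
        "suggested_min_tls": max(min_tls, implied),
    }


# Sample selections: the "modern" and PCI DSS lists from this documentation,
# and a constructed subset of the FIPS-140-2 list that keeps one SHA1 suite.
MODERN = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
]
PCI_DSS = [
    "AEAD-AES128-GCM-SHA256", "AEAD-AES256-GCM-SHA384", "AEAD-CHACHA20-POLY1305-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
]
FIPS_SUBSET = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print("modern @ min 1.0:", check_selection(MODERN, "1.0"))
    print("pci-dss @ min 1.2:", check_selection(PCI_DSS, "1.2"))
    print("fips subset @ min 1.0:", check_selection(FIPS_SUBSET, "1.0"))
```

Run against the "modern" list with the minimum left at TLS 1.0, the check reports TLS 1.0 and 1.1 as dead and suggests raising the minimum to 1.2, which is the adjustment the paragraph above asks for. An empty selection is not modelled, since Cloudflare treats it as a reset rather than as "no ciphers".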

### TLS 1.3

You cannot set specific TLS 1.3 ciphers. Instead, you can enable [TLS 1.3](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) for your entire zone and Cloudflare will use [all applicable TLS 1.3 cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/). In combination with this, you can still [disable weak cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) for TLS 1.0-1.2.

Cloudflare may return the following names for TLS 1.3 cipher suites. This is how they map to [RFC 8446 ↗](https://www.rfc-editor.org/rfc/rfc8446.html) names:

| Cloudflare                    | RFC 8446                        |
| ----------------------------- | ------------------------------- |
| AEAD-AES128-GCM-SHA256        | TLS\_AES\_128\_GCM\_SHA256      |
| AEAD-AES256-GCM-SHA384        | TLS\_AES\_256\_GCM\_SHA384      |
| AEAD-CHACHA20-POLY1305-SHA256 | TLS\_CHACHA20\_POLY1305\_SHA256 |

## Resources

* [ Customize cipher suites ](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/)
* [ Security levels ](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/)
* [ Compliance standards ](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/)
* [ Supported cipher suites ](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/)
* [ Troubleshooting ](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/troubleshooting/)

## Limitations

It is not possible to configure cipher suites for [Cloudflare Pages](https://developers.cloudflare.com/pages/) hostnames.


---

---
title: Compliance standards
description: Consider the following recommendations on custom cipher suites for when your organization needs to comply with regulatory standards.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Compliance standards

Consider the following recommendations on custom [cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/) for when your organization needs to comply with regulatory standards.

Refer to [Customize cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) to learn how to specify cipher suites at zone level or per hostname.

Warning

Also [enable TLS 1.3](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) on your zone and, when opting for [PCI DSS](#pci-dss), make sure to up your [Minimum TLS version](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2`. Refer to [Cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/) and [TLS protocols](https://developers.cloudflare.com/ssl/reference/protocols/) to learn more.

## PCI DSS

Recommended cipher suites for compliance with the [Payment Card Industry Data Security Standard (PCI DSS) ↗](https://www.pcisecuritystandards.org/standards/pci-dss/). Enhances payment card data security.

Cipher suites list

`AEAD-AES128-GCM-SHA256`[1](#user-content-fn-1), `AEAD-AES256-GCM-SHA384`[2](#user-content-fn-2), `AEAD-CHACHA20-POLY1305-SHA256`[3](#user-content-fn-3), `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-CHACHA20-POLY1305`

If you are customizing cipher suites via API, refer to [Steps and API examples](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/#steps-and-api-examples) for a snippet you can copy with the formatted array.

## FIPS-140-2

Recommended cipher suites for compliance with the [Federal Information Processing Standard (140-2) ↗](https://csrc.nist.gov/pubs/fips/140-2/upd2/final). Used to approve cryptographic modules.

Cipher suites list

`AES128-GCM-SHA256`, `AES128-SHA`, `AES128-SHA256`, `AES256-SHA`, `AES256-SHA256`, `DES-CBC3-SHA`, `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-AES128-SHA`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-AES128-SHA`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-SHA`, `ECDHE-RSA-AES256-SHA384`

If you are customizing cipher suites via API, refer to [Steps and API examples](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/#steps-and-api-examples) for a snippet you can copy with the formatted array.

Note that this list includes CBC-mode suites with HMAC-SHA1 and the 3DES suite `DES-CBC3-SHA`. FIPS 140-2 approves these algorithms, but third-party scanners such as the Qualys SSL Labs test report them as weak; they are only needed for clients limited to TLS 1.0 or 1.1.

## Footnotes

1. Same as `TLS_AES_128_GCM_SHA256`. Refer to [TLS 1.3 cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details. [↩](#user-content-fnref-1)
2. Same as `TLS_AES_256_GCM_SHA384`. Refer to [TLS 1.3 cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details. [↩](#user-content-fnref-2)
3. Same as `TLS_CHACHA20_POLY1305_SHA256`. Refer to [TLS 1.3 cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details. [↩](#user-content-fnref-3)


---

---
title: Customize cipher suites
description: With an Advanced Certificate Manager subscription, you can restrict connections between Cloudflare and clients — such as your visitor's browser — to specific cipher suites.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Customize cipher suites

With an [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) subscription, you can restrict connections between Cloudflare and clients — such as your visitor's browser — to specific [cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/).

You may want to do this to follow specific [recommendations](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/), to [disable weak cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/troubleshooting/#ssl-labs-weak-ciphers-report), or to comply with [industry standards](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/).

Customizing cipher suites will not lead to any downtime in your SSL/TLS protection.

Cloudflare for SaaS

If you are a SaaS provider looking to restrict cipher suites for connections to [custom hostnames](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/), this can be configured with a [Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/) subscription. Refer to [TLS management](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#cipher-suites) instead.

## How it works

Custom cipher suites is a hostname-level setting, which implies that:

* When you customize cipher suites for a zone, this will affect all hostnames within that zone. If you are not familiar with what a Cloudflare zone is, refer to [Fundamentals](https://developers.cloudflare.com/fundamentals/concepts/accounts-and-zones/#zones).
* The configuration is applicable to all edge certificates used to connect to the hostname(s), regardless of the [certificate type](https://developers.cloudflare.com/ssl/edge-certificates/) (universal, advanced, or custom).
* If you need to use a per-hostname cipher suite customization, you must ensure that the hostname is specified on the certificate.

## Scope

Currently, you have the following options:

* Set custom cipher suites for a zone: either [via API](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/) or [on the dashboard](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard/).
* Set custom cipher suites per-hostname: only available [via API](https://developers.cloudflare.com/api/resources/hostnames/subresources/settings/subresources/tls/methods/update/). Refer to the [how-to](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/) for details.
* For guidance around custom hostnames, refer to [TLS settings - Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#cipher-suites).

Note

This documentation only refers to connections [between clients and the Cloudflare network](https://developers.cloudflare.com/ssl/concepts/#edge-certificate). For connections between Cloudflare and your origin server, refer to [Origin server > Cipher suites](https://developers.cloudflare.com/ssl/origin-configuration/cipher-suites/).

## Settings priority and ciphers order

Cloudflare uses the [hostname priority logic](https://developers.cloudflare.com/ssl/reference/certificate-and-hostname-priority/) to determine which setting to apply.

ECDSA cipher suites are prioritized over RSA, and Cloudflare preserves the specified cipher suites in the order they are set. This means that, if both ECDSA and RSA are used, Cloudflare presents the ECDSA ciphers first - in the order they were set - and then the RSA ciphers, also in the order they were set.


---

---
title: Customize cipher suites via API
description: Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake (and therefore separate from the SSL/TLS protocol).
image: https://developers.cloudflare.com/core-services-preview.png
---


# Customize cipher suites via API

Cipher suites are a combination of ciphers used to negotiate security settings during the [SSL/TLS handshake ↗](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) (and therefore separate from the [SSL/TLS protocol](https://developers.cloudflare.com/ssl/reference/protocols/)).

## Prerequisites

Cipher suite customization requires an [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) subscription.

If you are a SaaS provider looking to restrict cipher suites for connections to [custom hostnames](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/), this can be configured with a [Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/) subscription. Refer to [TLS management](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#cipher-suites) instead.

## Before you begin

Note that:

* Updating the cipher suites will result in certificates being redeployed.
* Cipher suites are used in combination with other [SSL/TLS settings](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/#related-ssltls-settings).
* You cannot set specific TLS 1.3 ciphers. Instead, you can [enable TLS 1.3](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) for your entire zone and Cloudflare will use all applicable [TLS 1.3 cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/).
* Each cipher suite also supports a specific algorithm (RSA or ECDSA) so you should consider the algorithms in use by your edge certificates when making your ciphers selection. You can find this information under each certificate listed on the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page.
* It is not possible to configure minimum TLS version nor cipher suites for [Cloudflare Pages](https://developers.cloudflare.com/pages/) hostnames.
* If you use Windows you might need to adjust the `curl` syntax, refer to [Making API calls on Windows](https://developers.cloudflare.com/fundamentals/api/how-to/make-api-calls/#making-api-calls-on-windows) for further guidance.

Warning

If setting up a per-hostname cipher suite customization, make sure that the hostname is specified on the certificate (instead of being covered by a wildcard). Applying a per-hostname configuration on a wildcard certificate will result in the configuration being applied to all hostnames.

## Steps and API examples

1. Decide which cipher suites you want to specify and which ones you want to disable (meaning they will not be included in your selection).  
Below you will find samples covering the recommended ciphers [by security level](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/) and [compliance standards](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/), but you can also refer to the [full list](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/) of supported ciphers and customize your choice.
2. Log in to the Cloudflare dashboard and [create an API token ↗](https://dash.cloudflare.com/?to=/:account/profile/api-tokens/) with the `Zone Settings Write` permission (the examples below authenticate with a bearer token).
3. Get the Zone ID from the [Overview page ↗](https://dash.cloudflare.com/?to=/:account/:zone/) of the domain you want to specify cipher suites for.
4. Make an API call to either the [Edit zone setting](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) endpoint or the [Edit TLS setting for hostname](https://developers.cloudflare.com/api/resources/hostnames/subresources/settings/subresources/tls/methods/update/) endpoint, specifying `ciphers` in the URL. List your array of chosen cipher suites in the `value` field.
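The same procedure as a small script, added here as an example that is not Cloudflare's own tooling: it builds the request for either endpoint named in step 4 (`PATCH` on the zone setting, or `PUT` on the hostname TLS setting), submits it, and then verifies that the API echoed the selection back unchanged and in the same order, since Cloudflare preserves the order you set. Network I/O goes through an injectable `send` callable so the logic can be exercised offline with the constructed `fake_send`; the zone ID, hostname and token are placeholders, and the response fields checked (`success`, `errors`, `result.value`) are those of the Cloudflare v4 API envelope.

```python
"""Added example, not Cloudflare's own tooling: apply a cipher-suite list to
a zone (PATCH) or to one hostname (PUT) through the two endpoints named in
step 4, then confirm the API echoed the selection back unchanged and in
order. Zone ID, hostname and token are placeholders."""
import json
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Two of the sample profiles from this page (Cloudflare preserves the order).
PROFILES = {
    "modern": [
        "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305",
        "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
        "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    ],
    "pci-dss": [
        "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    ],
}


def build_request(zone_id, suites, hostname=None):
    """Zone scope edits the `ciphers` zone setting; hostname scope edits the
    hostname TLS setting. Both take {"value": [...]} as the body."""
    body = {"value": list(suites)}
    if hostname:
        return "PUT", f"{API}/zones/{zone_id}/hostnames/settings/ciphers/{hostname}", body
    return "PATCH", f"{API}/zones/{zone_id}/settings/ciphers", body


def urllib_send(method, url, body, token):
    """Real transport: one JSON request authenticated with a bearer token."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


LAST_REQUEST = {}


def fake_send(method, url, body, token):
    """Offline stand-in for the API (constructed): records the request and
    echoes the submitted list back, as a successful call does."""
    LAST_REQUEST.update(method=method, url=url, body=body)
    return {"success": True, "errors": [], "result": {"id": "ciphers", "value": body["value"]}}


def apply_ciphers(zone_id, suites, token, hostname=None, send=urllib_send):
    """Submit the selection and verify `result.value` equals it exactly.
    Refuses an empty list so a bug cannot blank the configuration."""
    suites = list(suites)
    if not suites:
        raise ValueError("refusing to submit an empty cipher list")
    method, url, body = build_request(zone_id, suites, hostname)
    reply = send(method, url, body, token)
    if not reply.get("success"):
        raise RuntimeError(f"API call failed: {reply.get('errors')}")
    applied = reply["result"]["value"]
    if applied != suites:
        raise RuntimeError(f"selection not applied as sent: {applied}")
    return applied


if __name__ == "__main__":
    # Offline demo; pass send=urllib_send (the default) with a real token to apply.
    print(apply_ciphers("ZONE_ID", PROFILES["modern"], "TOKEN", send=fake_send))
    print(LAST_REQUEST["method"], LAST_REQUEST["url"])
    print(apply_ciphers("ZONE_ID", PROFILES["pci-dss"], "TOKEN",
                        hostname="www.example.com", send=fake_send))
    print(LAST_REQUEST["method"], LAST_REQUEST["url"])
```

The read-back comparison is deliberately strict: a reordered or trimmed list would change which suite Cloudflare presents first, so anything other than an exact echo is treated as a failed change. Remember the warning above before using the hostname scope: the hostname must appear on the certificate itself, not only under a wildcard.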

The samples below are given in this order: modern, compatible, PCI DSS, FIPS-140-2.

**Modern**

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Zone Settings Write`

Edit zone setting

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/ciphers" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "value": [
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-CHACHA20-POLY1305",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-CHACHA20-POLY1305",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384"
    ]
  }'
```

To configure cipher suites per hostname, replace the first two lines with the following:

```
curl --request PUT \
  "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \
```

**Compatible**

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Zone Settings Write`

Edit zone setting

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/ciphers" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "value": [
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-CHACHA20-POLY1305",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-CHACHA20-POLY1305",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-AES128-SHA256",
        "ECDHE-RSA-AES128-SHA256",
        "ECDHE-ECDSA-AES256-SHA384",
        "ECDHE-RSA-AES256-SHA384"
    ]
  }'
```

To configure cipher suites per hostname, replace the first two lines with the following:

```
curl --request PUT \
  "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \
```

Note

For compliance with PCI DSS, also [enable TLS 1.3](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) on your zone and raise your [Minimum TLS version](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/) to `1.2`.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Zone Settings Write`

Edit zone setting (PCI DSS)

```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/ciphers" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "value": [
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-CHACHA20-POLY1305",
        "ECDHE-RSA-CHACHA20-POLY1305"
    ]
  }'
```

To configure cipher suites per hostname, replace the first two lines by the following:

Terminal window

```sh
curl --request PUT \
  "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \
```

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Zone Settings Write`

Edit zone setting (FIPS-140-2)

```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/ciphers" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "value": [
        "AES128-GCM-SHA256",
        "AES128-SHA",
        "AES128-SHA256",
        "AES256-SHA",
        "AES256-SHA256",
        "DES-CBC3-SHA",
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES128-SHA",
        "ECDHE-ECDSA-AES128-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-AES256-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-SHA",
        "ECDHE-RSA-AES128-SHA256",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-SHA",
        "ECDHE-RSA-AES256-SHA384"
    ]
  }'
```

To configure cipher suites per hostname, replace the first two lines by the following:

Terminal window

```sh
curl --request PUT \
  "https://api.cloudflare.com/client/v4/zones/{zone_id}/hostnames/settings/ciphers/{hostname}" \
```

### Reset to default values

The reset works differently at zone level and per hostname.

To reset to the default cipher suites at zone level, use the [Edit zone setting](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) endpoint, specifying `ciphers` as the setting name in the URL, and send an empty array in the `value` field.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Zone Settings Write`

Edit zone setting

```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/ciphers" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "value": []
  }'
```

For specific hostname settings, use the [Delete TLS setting for hostname](https://developers.cloudflare.com/api/resources/hostnames/subresources/settings/subresources/tls/methods/delete/) endpoint.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `SSL and Certificates Write`

Delete TLS setting for hostname

```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/hostnames/settings/ciphers/$HOSTNAME" \
  --request DELETE \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

For guidance around custom hostnames, refer to [TLS settings - Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#cipher-suites).
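The same calls wrapped in a small Python client, as an added example that is not Cloudflare's own code. The endpoints, HTTP methods and predefined suite lists are the ones shown on this page; the profile names used as dictionary keys (`modern`, `compatible`, `pci_dss`, `fips_140_2`) are this script's own, and sending a request assumes `ZONE_ID` and `CLOUDFLARE_API_TOKEN` are set in the environment, as in the curl examples. Building a request works offline, which is what makes the reset semantics easy to check: an empty array is the zone-level reset, while a hostname setting is removed with a `DELETE`.

```python
"""Build and send the Cloudflare cipher suite API requests shown on this page.

Added example, not Cloudflare's own code. Endpoints, HTTP methods and the
predefined suite lists come from the page; the profile names used as keys are
this script's own. send() needs network access and a token holding the
permissions listed above; build_request() and reset_request() work offline.
"""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Predefined sets exactly as listed in the API examples above. TLS 1.3 suites
# are never part of "value": they cannot be selected, only enabled zone-wide.
PROFILES = {
    "modern": [
        "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305",
        "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
        "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    ],
    "pci_dss": [
        "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    ],
    "fips_140_2": [
        "AES128-GCM-SHA256", "AES128-SHA", "AES128-SHA256", "AES256-SHA",
        "AES256-SHA256", "DES-CBC3-SHA", "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA",
        "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-SHA384",
    ],
}
# "compatible" is "modern" plus the four ECDHE CBC-mode SHA256/SHA384 suites.
PROFILES["compatible"] = PROFILES["modern"] + [
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
]


def build_request(zone_id, suites, hostname=None):
    """Return (method, url, body) for the zone-level PATCH or the per-hostname PUT.

    An empty list is the zone-level reset; per-hostname resets use reset_request().
    """
    body = {"value": list(suites)}
    if hostname is None:
        return "PATCH", f"{API}/zones/{zone_id}/settings/ciphers", body
    return "PUT", f"{API}/zones/{zone_id}/hostnames/settings/ciphers/{hostname}", body


def reset_request(zone_id, hostname=None):
    """Zone level: PATCH with an empty array. Hostname: DELETE the hostname setting."""
    if hostname is None:
        return build_request(zone_id, [])
    return "DELETE", f"{API}/zones/{zone_id}/hostnames/settings/ciphers/{hostname}", None


def send(request, token):
    """Perform a request built above and return the decoded JSON envelope."""
    method, url, body = request
    data = None if body is None else json.dumps(body).encode()
    headers = {"Authorization": f"Bearer {token}"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Apply the modern set at zone level; environment variables as in the curl examples.
    req = build_request(os.environ["ZONE_ID"], PROFILES["modern"])
    result = send(req, os.environ["CLOUDFLARE_API_TOKEN"])
    print("success" if result.get("success") else json.dumps(result.get("errors"), indent=2))
```

The response envelope is the usual Cloudflare `{"success": ..., "errors": [...], "result": ...}` shape; check `success` rather than the HTTP status alone, because validation failures (for example a misspelled suite name) come back as `errors` entries.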


---

---
title: Customize cipher suites via dashboard
description: Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake (and therefore separate from the SSL/TLS protocol).
image: https://developers.cloudflare.com/core-services-preview.png
---


# Customize cipher suites via dashboard

Cipher suites are a combination of ciphers used to negotiate security settings during the [SSL/TLS handshake ↗](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) (and therefore separate from the [SSL/TLS protocol](https://developers.cloudflare.com/ssl/reference/protocols/)).

## Prerequisites

Cipher suite customization requires an [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) subscription.

If you are a SaaS provider looking to restrict cipher suites for connections to [custom hostnames](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/), this can be configured with a [Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/) subscription. Refer to [TLS management](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#cipher-suites) instead.

## Selection modes

When configuring cipher suites via dashboard, you can use three different selection modes:

* **By security level**: allows you to select between the predefined [Cloudflare recommendations](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/) (Modern[1](#user-content-fn-1), Compatible, or Legacy).
* **By compliance standard**: allows you to select cipher suites grouped according to [industry standards](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/) (PCI DSS or FIPS-140-2).
* **Custom**: allows you to individually select the cipher suites you would like to support.

Whichever mode you use, keep in mind the following configuration conditions. In the **security level** and **compliance standard** modes, some actions may be blocked, with an explanation that references these conditions.

Configuration conditions

* Cipher suites are used in combination with other [SSL/TLS settings](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/#related-ssltls-settings).
* You cannot set specific TLS 1.3 ciphers. Instead, you can [enable TLS 1.3](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) for your entire zone and Cloudflare will use all applicable [TLS 1.3 cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/).
* Each cipher suite also supports a specific algorithm (RSA or ECDSA), so you should consider the algorithms in use by your edge certificates when making your ciphers selection. You can find this information under each certificate listed on the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page.
* It is not possible to configure minimum TLS version nor cipher suites for [Cloudflare Pages](https://developers.cloudflare.com/pages/) hostnames.

## Steps

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For the **Cipher suites** setting select **Configure**.
3. Choose a mode to select your cipher suites and select **Next**.
4. Select a predefined set of cipher suites or, if you opted for **Custom**, specify which cipher suites you want to allow. Make sure you are aware of how your selection will interact with Minimum TLS version, TLS 1.3, and the certificate algorithm (ECDSA or RSA).
5. Select **Save** to confirm.

Modern or PCI DSS

When used with [TLS 1.3](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/#tls-13), Modern is the same as PCI DSS.

## Footnotes

1. When used with TLS 1.3, Modern is the same as PCI DSS. [↩](#user-content-fnref-1)


---

---
title: Security levels
description: Refer to the sections below for three different security levels and how Cloudflare recommends that you set them up if you need to restrict the cipher suites used between Cloudflare and clients that access your website or application.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Security levels

Refer to the sections below for three different security levels and how Cloudflare recommends that you set them up if you need to restrict the [cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/) used between Cloudflare and clients that access your website or application.

Refer to [Customize cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) to learn how to specify cipher suites at zone level or per hostname.

Warning

Before opting for [compatible](#compatible) or [modern](#modern), review the [related SSL/TLS settings](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/#related-ssltls-settings)[1](#user-content-fn-4).

## Modern

Offers the best security and performance, limiting your range of clients to modern devices and browsers. Supports TLS 1.2-1.3 cipher suites. All suites are forward-secret and support authenticated encryption (AEAD).

Cipher suites list

`AEAD-AES128-GCM-SHA256`[2](#user-content-fn-1), `AEAD-AES256-GCM-SHA384`[3](#user-content-fn-2), `AEAD-CHACHA20-POLY1305-SHA256`[4](#user-content-fn-3), `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`

If you are customizing cipher suites via API, refer to [Steps and API examples](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/#steps-and-api-examples) for a snippet you can copy with the formatted array.

## Compatible

Provides broader compatibility with somewhat weaker security. Supports TLS 1.2-1.3 cipher suites. All suites are forward-secret.

Cipher suites list

`AEAD-AES128-GCM-SHA256`[2](#user-content-fn-1), `AEAD-AES256-GCM-SHA384`[3](#user-content-fn-2), `AEAD-CHACHA20-POLY1305-SHA256`[4](#user-content-fn-3), `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`

If you are customizing cipher suites via API, refer to [Steps and API examples](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/#steps-and-api-examples) for a snippet you can copy with the formatted array.

## Legacy (default)

Includes all cipher suites that Cloudflare supports today. Broadest compatibility with the weakest security. Supports TLS 1.0-1.3 cipher suites.

Cipher suites list

`AEAD-AES128-GCM-SHA256`[2](#user-content-fn-1), `AEAD-AES256-GCM-SHA384`[3](#user-content-fn-2), `AEAD-CHACHA20-POLY1305-SHA256`[4](#user-content-fn-3), `ECDHE-ECDSA-AES128-GCM-SHA256`, `ECDHE-ECDSA-CHACHA20-POLY1305`, `ECDHE-RSA-AES128-GCM-SHA256`, `ECDHE-RSA-CHACHA20-POLY1305`, `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`, `ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES128-SHA`, `ECDHE-RSA-AES128-SHA`, `AES128-GCM-SHA256`, `AES128-SHA256`, `AES128-SHA`, `ECDHE-RSA-AES256-SHA`, `AES256-GCM-SHA384`, `AES256-SHA256`, `AES256-SHA`, `DES-CBC3-SHA`

To reset your option to the default, [use an empty array](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/#reset-to-default-values).

## Footnotes

1. Although configured independently, cipher suites interact with **Minimum TLS version** and **TLS 1.3**. [↩](#user-content-fnref-4)
2. Same as `TLS_AES_128_GCM_SHA256`. Refer to [TLS 1.3 cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details. [↩](#user-content-fnref-1) [↩2](#user-content-fnref-1-2) [↩3](#user-content-fnref-1-3)
3. Same as `TLS_AES_256_GCM_SHA384`. Refer to [TLS 1.3 cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details. [↩](#user-content-fnref-2) [↩2](#user-content-fnref-2-2) [↩3](#user-content-fnref-2-3)
4. Same as `TLS_CHACHA20_POLY1305_SHA256`. Refer to [TLS 1.3 cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/#tls-13) for details. [↩](#user-content-fnref-3) [↩2](#user-content-fnref-3-2) [↩3](#user-content-fnref-3-3)


---

---
title: Supported cipher suites
description: Cloudflare supports the following cipher suites by default. If needed, you can restrict your website or application to only use specific cipher suites.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Supported cipher suites

Cloudflare supports the following cipher suites by default. If needed, you can [restrict your website or application](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) to only use specific cipher suites.

| Cipher name                      | Minimum protocol | [Security recommendation](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/) | Cipher suite | IANA name                                           |
| -------------------------------- | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------ | ------------ | --------------------------------------------------- |
| ECDHE-ECDSA-AES128-GCM-SHA256    | TLS 1.2          | Modern, Compatible, Legacy                                                                                                           | \[0xc02b\]   | TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256      |
| ECDHE-ECDSA-CHACHA20-POLY1305    | TLS 1.2          | Modern, Compatible, Legacy                                                                                                           | \[0xcca9\]   | TLS\_ECDHE\_ECDSA\_WITH\_CHACHA20\_POLY1305\_SHA256 |
| ECDHE-RSA-AES128-GCM-SHA256      | TLS 1.2          | Modern, Compatible, Legacy                                                                                                           | \[0xc02f\]   | TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256        |
| ECDHE-RSA-CHACHA20-POLY1305      | TLS 1.2          | Modern, Compatible, Legacy                                                                                                           | \[0xcca8\]   | TLS\_ECDHE\_RSA\_WITH\_CHACHA20\_POLY1305\_SHA256   |
| ECDHE-ECDSA-AES128-SHA256        | TLS 1.2          | Compatible, Legacy                                                                                                                   | \[0xc023\]   | TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA256      |
| ECDHE-ECDSA-AES128-SHA           | TLS 1.0          | Legacy                                                                                                                               | \[0xc009\]   | TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_CBC\_SHA         |
| ECDHE-RSA-AES128-SHA256          | TLS 1.2          | Compatible, Legacy                                                                                                                   | \[0xc027\]   | TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256        |
| ECDHE-RSA-AES128-SHA             | TLS 1.0          | Legacy                                                                                                                               | \[0xc013\]   | TLS\_ECDHE\_RSA\_WITH\_AES\_128\_CBC\_SHA           |
| AES128-GCM-SHA256                | TLS 1.2          | Legacy                                                                                                                               | \[0x9c\]     | TLS\_RSA\_WITH\_AES\_128\_GCM\_SHA256               |
| AES128-SHA256                    | TLS 1.2          | Legacy                                                                                                                               | \[0x3c\]     | TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256               |
| AES128-SHA                       | TLS 1.0          | Legacy                                                                                                                               | \[0x2f\]     | TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA                  |
| ECDHE-ECDSA-AES256-GCM-SHA384    | TLS 1.2          | Modern, Compatible, Legacy                                                                                                           | \[0xc02c\]   | TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384      |
| ECDHE-ECDSA-AES256-SHA384        | TLS 1.2          | Compatible, Legacy                                                                                                                   | \[0xc024\]   | TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_CBC\_SHA384      |
| ECDHE-RSA-AES256-GCM-SHA384      | TLS 1.2          | Modern, Compatible, Legacy                                                                                                           | \[0xc030\]   | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384        |
| ECDHE-RSA-AES256-SHA384          | TLS 1.2          | Compatible, Legacy                                                                                                                   | \[0xc028\]   | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA384        |
| ECDHE-RSA-AES256-SHA             | TLS 1.0          | Legacy                                                                                                                               | \[0xc014\]   | TLS\_ECDHE\_RSA\_WITH\_AES\_256\_CBC\_SHA           |
| AES256-GCM-SHA384                | TLS 1.2          | Legacy                                                                                                                               | \[0x9d\]     | TLS\_RSA\_WITH\_AES\_256\_GCM\_SHA384               |
| AES256-SHA256                    | TLS 1.2          | Legacy                                                                                                                               | \[0x3d\]     | TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA256               |
| AES256-SHA                       | TLS 1.0          | Legacy                                                                                                                               | \[0x35\]     | TLS\_RSA\_WITH\_AES\_256\_CBC\_SHA                  |
| DES-CBC3-SHA                     | TLS 1.0          | Legacy                                                                                                                               | \[0x0a\]     | TLS\_RSA\_WITH\_3DES\_EDE\_CBC\_SHA                 |
| AEAD-AES128-GCM-SHA256 \*        | TLS 1.3          | Modern, Compatible, Legacy                                                                                                           | {0x13,0x01}  | TLS\_AES\_128\_GCM\_SHA256                          |
| AEAD-AES256-GCM-SHA384 \*        | TLS 1.3          | Modern, Compatible, Legacy                                                                                                           | {0x13,0x02}  | TLS\_AES\_256\_GCM\_SHA384                          |
| AEAD-CHACHA20-POLY1305-SHA256 \* | TLS 1.3          | Modern, Compatible, Legacy                                                                                                           | {0x13,0x03}  | TLS\_CHACHA20\_POLY1305\_SHA256                     |

\* TLS 1.3 minimum protocol

Ciphers `AEAD-AES128-GCM-SHA256`, `AEAD-AES256-GCM-SHA384`, and `AEAD-CHACHA20-POLY1305-SHA256` are automatically supported by your zone if you [enable TLS 1.3](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13).

TLS 1.3 uses the same cipher suite space as previous versions of TLS, but defines these cipher suites differently. TLS 1.3 cipher suites only specify the symmetric cipher and hash, and cannot be used with TLS 1.2. Similarly, TLS 1.2 and lower cipher suites cannot be used with TLS 1.3 ([RFC 8446 ↗](https://www.rfc-editor.org/rfc/rfc8446.html)). BoringSSL also hard-codes cipher preferences in this order for TLS 1.3.


---

---
title: Troubleshooting
description: If you encounter issues with edge certificate cipher suites, refer to the following scenarios.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Troubleshooting

If you encounter issues with edge certificate cipher suites, refer to the following scenarios.

## Compatibility with Minimum TLS Version

When you adjust the setting used for your domain's [Minimum TLS Version](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/), your domain only allows HTTPS connections using that TLS protocol version. As explained in [About cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/#related-ssltls-settings), although configured independently, cipher suites and TLS versions are closely related.

Minimum TLS Version can cause issues if you are not supporting TLS 1.2 ciphers on your domain. If you experience issues, review your domain's [Minimum TLS Version](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/) setting and Cloudflare's [supported ciphers list](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/).

### Testing Minimum TLS version with curl

To test supported TLS versions, attempt a request to your website or application while specifying a TLS version.

For example, to test TLS 1.1, use the `curl` command below. Replace `www.example.com` with your Cloudflare domain and hostname.

Terminal window

```sh
curl https://www.example.com -svo /dev/null --tls-max 1.1
```

If the TLS version you are testing is blocked by Cloudflare, the TLS handshake is not completed and returns an error:

`* error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert`

Note

A local VPN or device security client may block insecure connections that use legacy protocols such as TLS 1.0. Disable any such network or security client before running the test on your device.

## Compatibility with certificate encryption

If you [upload a custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/), make sure the certificate is compatible with the chosen cipher suites for your zone or hostname.

For example, if you upload an RSA certificate, your cipher suite selection cannot consist only of suites that work with ECDSA certificates.

## Compatibility with Cloudflare Pages

It is not possible to configure minimum TLS version nor cipher suites for [Cloudflare Pages](https://developers.cloudflare.com/pages/) hostnames.

## API requirements for custom hostname certificate

When using the [Edit Custom Hostname endpoint](https://developers.cloudflare.com/api/resources/custom%5Fhostnames/methods/edit/), make sure to include `type` and `method` within the `ssl` object, as well as the `settings` specifications.

Including the `settings` only will result in the error message `The SSL attribute is invalid. Please refer to the API documentation, check your input and try again`.

## TLS 1.3 settings

You cannot set specific TLS 1.3 ciphers. Instead, you can enable [TLS 1.3](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) for your entire zone and Cloudflare will use [all applicable TLS 1.3 cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/). In combination with this, you can still [disable weak cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) for TLS 1.0-1.2.

## SSL Labs weak ciphers report

If you try to [disable](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) all of the `WEAK` cipher suites according to what is listed on a [Qualys SSL Labs ↗](https://www.ssllabs.com/ssltest/) report, you might notice that the naming conventions are not the same.

This is because SSL Labs follows the RFC cipher naming convention while Cloudflare follows the OpenSSL cipher naming convention. The list of cipher suite names in the [OpenSSL documentation ↗](https://www.openssl.org/docs/man1.0.2/man1/ciphers.html) may help you map between the two.

## Warnings related to CVE-2019-1559

Even though applications on Cloudflare are not vulnerable to [CVE-2019-1559](https://developers.cloudflare.com/ssl/reference/cloudflare-and-cve-2019-1559/), some security scanners may flag your application erroneously.

To remove these warnings, refer to [Customize cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) and exclude the following ciphers:

* `ECDHE-ECDSA-AES256-SHA384`
* `ECDHE-ECDSA-AES128-SHA256`
* `ECDHE-RSA-AES256-SHA384`
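The interactions this troubleshooting page and the dashboard's configuration conditions describe (Minimum TLS Version, the certificate algorithm each suite needs, the PCI DSS note, the SSL Labs naming mismatch, and the CVE-2019-1559 exclusions) can be checked before a selection is applied. The following is an added example, not Cloudflare's own tooling: it embeds the Supported cipher suites table (OpenSSL name, minimum protocol, IANA name) and derives the certificate algorithm from the OpenSSL name, which is an assumption this script makes (ECDHE-ECDSA suites need an ECDSA certificate; every other configurable suite is RSA-authenticated). `PCI_DSS_SET` and `CVE_2019_1559_FLAGGED` are the lists given on this page; the function names are the script's own.

```python
"""Sanity-check a Cloudflare cipher suite selection against the related settings.

Added example, not Cloudflare's own tooling. SUPPORTED_TABLE is transcribed from
the Supported cipher suites table (OpenSSL name, minimum protocol, IANA name).
The certificate algorithm a suite needs is derived from its OpenSSL name
(ECDHE-ECDSA-* needs an ECDSA certificate; every other configurable suite is
RSA-authenticated). PCI_DSS_SET and CVE_2019_1559_FLAGGED are the lists on this page.
"""

# TLS 1.3 suites are omitted: they cannot be selected and follow from enabling TLS 1.3.
SUPPORTED_TABLE = """
ECDHE-ECDSA-AES128-GCM-SHA256 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE-ECDSA-CHACHA20-POLY1305 1.2 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-RSA-AES128-GCM-SHA256 1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE-RSA-CHACHA20-POLY1305 1.2 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE-ECDSA-AES128-SHA256 1.2 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
ECDHE-ECDSA-AES128-SHA 1.0 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES128-SHA256 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE-RSA-AES128-SHA 1.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
AES128-GCM-SHA256 1.2 TLS_RSA_WITH_AES_128_GCM_SHA256
AES128-SHA256 1.2 TLS_RSA_WITH_AES_128_CBC_SHA256
AES128-SHA 1.0 TLS_RSA_WITH_AES_128_CBC_SHA
ECDHE-ECDSA-AES256-GCM-SHA384 1.2 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE-ECDSA-AES256-SHA384 1.2 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES256-GCM-SHA384 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE-RSA-AES256-SHA384 1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES256-SHA 1.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
AES256-GCM-SHA384 1.2 TLS_RSA_WITH_AES_256_GCM_SHA384
AES256-SHA256 1.2 TLS_RSA_WITH_AES_256_CBC_SHA256
AES256-SHA 1.0 TLS_RSA_WITH_AES_256_CBC_SHA
DES-CBC3-SHA 1.0 TLS_RSA_WITH_3DES_EDE_CBC_SHA
"""

SUITES = {}           # OpenSSL name -> (minimum protocol, IANA name, certificate algorithm)
IANA_TO_OPENSSL = {}  # IANA/RFC name (the SSL Labs convention) -> OpenSSL name
for _row in SUPPORTED_TABLE.split("\n"):
    if _row.strip():
        _name, _min_tls, _iana = _row.split()
        SUITES[_name] = (_min_tls, _iana, "ECDSA" if "ECDSA" in _name else "RSA")
        IANA_TO_OPENSSL[_iana] = _name

PCI_DSS_SET = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
               "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
               "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305"]
CVE_2019_1559_FLAGGED = {"ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES128-SHA256",
                         "ECDHE-RSA-AES256-SHA384"}


def to_openssl_names(rfc_names):
    """Translate RFC/IANA names (as in an SSL Labs report) to the OpenSSL names the API expects."""
    unknown = [n for n in rfc_names if n not in IANA_TO_OPENSSL]
    if unknown:
        raise ValueError(f"not a configurable Cloudflare suite: {unknown}")
    return [IANA_TO_OPENSSL[n] for n in rfc_names]


def check_selection(selection, min_tls="1.2", cert_algorithms=("RSA",), tls13_enabled=True):
    """Return the problems found (empty list = selection is consistent with the other settings)."""
    if not selection:          # an empty array means Cloudflare's default (all suites)
        return []
    problems = []
    unknown = [s for s in selection if s not in SUITES]
    if unknown:
        problems.append(f"not configurable (use OpenSSL names; TLS 1.3 suites cannot be set): {unknown}")
    known = [s for s in selection if s in SUITES]
    # Certificate compatibility: every edge certificate algorithm needs at least one matching suite.
    for alg in cert_algorithms:
        if not any(SUITES[s][2] == alg for s in known):
            problems.append(f"no selected suite can be used with an {alg} certificate")
    # Minimum TLS Version interaction: each version the zone still allows needs a usable suite.
    # Version strings compare correctly as text ("1.0" < "1.1" < "1.2" < "1.3").
    for version in ("1.0", "1.1", "1.2"):
        if version >= min_tls and not any(SUITES[s][0] <= version for s in known):
            problems.append(f"TLS {version} is allowed by Minimum TLS Version but no selected suite supports it")
    if min_tls == "1.3" and not tls13_enabled:
        problems.append("Minimum TLS Version 1.3 with TLS 1.3 disabled leaves nothing to negotiate")
    return problems


def pci_dss_gaps(selection, min_tls, tls13_enabled):
    """Apply the PCI DSS note: PCI suites only, TLS 1.3 enabled, Minimum TLS Version at least 1.2."""
    gaps = []
    extras = sorted(set(selection) - set(PCI_DSS_SET))
    if extras:
        gaps.append(f"suites outside the PCI DSS set: {extras}")
    if not tls13_enabled:
        gaps.append("TLS 1.3 is not enabled")
    if min_tls < "1.2":
        gaps.append(f"Minimum TLS Version is {min_tls}; it must be at least 1.2")
    return gaps


def without_cve_2019_1559_flagged(selection):
    """Drop the suites some scanners flag for CVE-2019-1559, keeping the original order."""
    return [s for s in selection if s not in CVE_2019_1559_FLAGGED]
```

A selection that passes `check_selection` can still be too strict for your visitors; the checks only catch combinations in which a protocol version the zone advertises, or a certificate the zone serves, is left with no cipher suite to negotiate. Run `pci_dss_gaps` with the zone's actual Minimum TLS Version and TLS 1.3 state, not the values you intend to set, so that the order of the changes does not leave a window of non-compliance.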


---

---
title: HTTP Strict Transport Security (HSTS)
description: HSTS protects HTTPS web servers from downgrade attacks. These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.
image: https://developers.cloudflare.com/core-services-preview.png
---


# HTTP Strict Transport Security (HSTS)

HSTS protects HTTPS web servers from downgrade attacks. These attacks redirect web browsers from an HTTPS web server to an attacker-controlled server, allowing bad actors to compromise user data and cookies.

HSTS adds an HTTP header that directs [compliant web browsers](https://developers.cloudflare.com/ssl/reference/browser-compatibility/) to:

* Transform HTTP links to HTTPS links
* Prevent users from bypassing SSL browser warnings

Before enabling HSTS, review the [requirements](#requirements).

Note

For more background information on HSTS, see the [introductory blog post ↗](https://blog.cloudflare.com/enforce-web-policy-with-hypertext-strict-transport-security-hsts/).

## Availability

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | Yes  | Yes | Yes      | Yes        |

## Requirements

In order for HSTS to work as expected, you need to:

* Have enabled HTTPS before HSTS so browsers can accept your HSTS settings
* Keep HTTPS enabled so visitors can access your site

Once you have enabled HSTS, avoid the following actions to ensure visitors can still access your site:

* Changing your DNS records from [Proxied to DNS only](https://developers.cloudflare.com/dns/proxy-status/)
* [Pausing Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/pause-cloudflare/) on your site
* Pointing your nameservers away from Cloudflare
* Redirecting HTTPS to HTTP
* Disabling SSL (invalid or expired certificates or certificates with mismatched hostnames)

Warning

If you remove HTTPS before disabling HSTS or before waiting for the duration of the original **Max Age Header** specified in your Cloudflare HSTS configuration, your website becomes inaccessible to visitors for the duration of the Max Age Header or until you enable HTTPS.

## Enable HSTS


To enable HSTS using the dashboard:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **HTTP Strict Transport Security (HSTS)**, select **Enable HSTS**.
3. Read the dialog and select **I understand**.
4. Select **Next**.
5. Configure the [HSTS settings](#configuration-settings).
6. Select **Save**.

To enable HSTS with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `security_header` as the setting name in the URI path, and specify the `value` object that includes your HSTS settings.

Note

To enable HSTS on a specific subdomain only, configure a [subdomain setup](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/). Alternatively, you can add the appropriate HSTS header at the origin, or use a [response header transform rule](https://developers.cloudflare.com/rules/transform/response-header-modification/).

## Disable HSTS

To disable HSTS on your website:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **HTTP Strict Transport Security (HSTS)**, select **Enable HSTS**.
3. Set the **Max Age Header** to **0 (Disable)**.
4. If you previously enabled the **No-Sniff** header and want to remove it, set it to **Off**.
5. Select **Save**.

## Configuration settings

| Name                                                | Required | Description                                                                                                                                                                                               | Options                                 |
| --------------------------------------------------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- |
| Enable HSTS (Strict-Transport-Security)             | Yes      | Serves HSTS headers to browsers for all HTTPS requests. HTTP (non-secure) requests will not contain the header.                                                                                           | Off / On                                |
| Max Age Header (max-age)                            | Yes      | Specifies duration for a browser HSTS policy and requires HTTPS on your website.                                                                                                                          | Disable, or a range from 1 to 12 months |
| Apply HSTS policy to subdomains (includeSubDomains) | No       | Applies the HSTS policy from a parent domain to subdomains. Subdomains are inaccessible if they do not support HTTPS.                                                                                     | Off / On                                |
| Preload                                             | No       | Permits browsers to automatically preload HSTS configuration. Prevents an attacker from downgrading a first request from HTTPS to HTTP. Preload can make a website without HTTPS completely inaccessible. | Off / On                                |
| No-Sniff Header                                     | No       | Sends the X-Content-Type-Options: nosniff header to prevent Internet Explorer and Chrome from automatically detecting a content type other than those explicitly specified by the Content-Type header.    | Off / On                                |

Note

Once HSTS **Preload** is configured, submit requests for addition to each browser’s preload list. Chrome, Firefox/Mozilla, and Safari use the Chrome preload list. A minimum **Max Age Header** of 12 months is required for inclusion in HSTS preload lists.
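The settings table and the preload note above translate directly into the header browsers receive. The following is an added example, not Cloudflare's code: it builds the `value` object for the `security_header` zone setting (field names as in the Cloudflare API reference for that setting, assumed here since the page does not show the object), renders the `Strict-Transport-Security` header those settings produce, parses a served header back, and reports why a header would not qualify for the preload list (the 12-month minimum stated above, plus the `includeSubDomains` and `preload` directives the list requires). A `max_age` of `0` corresponds to the **0 (Disable)** choice in the disable steps.

```python
"""Build Cloudflare HSTS (security_header) settings and check them against preload-list rules."""

PRELOAD_MIN_MAX_AGE = 31536000  # 12 months in seconds; the preload lists require at least this


def security_header_value(enabled=True, max_age=PRELOAD_MIN_MAX_AGE, include_subdomains=False,
                          preload=False, nosniff=False):
    """`value` object for PATCH .../zones/{zone_id}/settings/security_header.

    Field names follow the Cloudflare API reference for security_header (assumption: the
    page links to the endpoint but does not show the object).
    """
    if max_age < 0:
        raise ValueError("max_age must be >= 0; 0 disables the policy in browsers")
    return {
        "strict_transport_security": {
            "enabled": enabled,
            "max_age": max_age,
            "include_subdomains": include_subdomains,
            "preload": preload,
            "nosniff": nosniff,
        }
    }


def render_hsts_header(value):
    """Strict-Transport-Security line served on HTTPS responses; None when HSTS is off."""
    s = value["strict_transport_security"]
    if not s["enabled"]:
        return None
    directives = [f"max-age={s['max_age']}"]
    if s["include_subdomains"]:
        directives.append("includeSubDomains")
    if s["preload"]:
        directives.append("preload")
    return "; ".join(directives)


def parse_hsts_header(header):
    """Parse 'max-age=N; includeSubDomains; preload'; directive names are case-insensitive."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            out["max_age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def preload_problems(header):
    """Reasons a served header would be rejected by the preload list; empty list means ready."""
    parsed = parse_hsts_header(header)
    problems = []
    if parsed["max_age"] is None or parsed["max_age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age must be at least {PRELOAD_MIN_MAX_AGE} seconds")
    if not parsed["include_subdomains"]:
        problems.append("includeSubDomains directive missing")
    if not parsed["preload"]:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    value = security_header_value(include_subdomains=True, preload=True)
    header = render_hsts_header(value)
    print(header)                      # max-age=31536000; includeSubDomains; preload
    print(preload_problems(header))    # []
    print(preload_problems("max-age=86400"))
```

Run `preload_problems` against the header your site actually serves (for example from the `strict-transport-security` line of a `curl -sI https://...` response) before submitting to a preload list; once listed, the settings it checks cannot be relaxed quickly, which is the same reason the warning above asks you to keep HTTPS for the full max-age.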


---

---
title: Minimum TLS Version
description: Minimum TLS Version only allows HTTPS connections from visitors that support the selected TLS protocol version or newer.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Minimum TLS Version

Minimum TLS Version only allows HTTPS connections from visitors that support the selected TLS protocol version or newer.

For example, if TLS 1.1 is selected, visitors attempting to connect using TLS 1.0 will be rejected. Visitors attempting to connect using TLS 1.1, 1.2, or 1.3 ([if enabled](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/tls-13/)) will be allowed to connect.

Note

If you are looking to restrict cipher suites, refer to [Customize cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/). For guidance on which TLS version to use, refer to [TLS protocols](https://developers.cloudflare.com/ssl/reference/protocols/).

## Availability

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | Yes | Yes | Yes | Yes |
| Per-hostname | Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) | Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) | Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) | Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) |

It is not possible to configure minimum TLS version for [Cloudflare Pages](https://developers.cloudflare.com/pages/) hostnames.

## How to disable TLS 1.0

You can disable TLS 1.0 by choosing a higher minimum TLS version.

All users can apply this configuration to all hostnames in their zones following the steps under [zone-level](#zone-level).

If you have an [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/#advanced-certificate-manager) subscription, you also have the option to disable TLS 1.0 (or other versions) with a [per-hostname](#per-hostname) setup.

## Setup

Warning

The Minimum TLS version that you set up following these steps does not apply to [R2](https://developers.cloudflare.com/r2/) custom domains. To control the TLS version for R2 custom domains, refer to the [custom domains documentation](https://developers.cloudflare.com/r2/buckets/public-buckets/#minimum-tls-version).

### Zone-level

To manage the TLS version applied to your whole zone when proxied through Cloudflare:

Using the dashboard:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **Minimum TLS Version**, select an option.

Using the API, call the [Edit zone setting](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) endpoint with `min_tls_version` as the setting name in the URI path, and specify your preferred minimum version in the `value` field.

In the following example, the minimum TLS version for the zone will be set to `1.2`. Replace the zone ID and API token placeholders with your information, and adjust the `value` field with your chosen TLS version.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Zone Settings Write`

Edit zone setting

```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/min_tls_version" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "id": "min_tls_version",
    "value": "1.2"
  }'
```

### Per-hostname

[Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) users also have the option to specify minimum TLS versions per specific hostnames in their Cloudflare zone.

This is currently only available via the API:

* Use the [Edit TLS setting for hostname](https://developers.cloudflare.com/api/resources/hostnames/subresources/settings/subresources/tls/methods/update/) endpoint to specify different values for `min_tls_version`.
* Use the [Delete TLS setting for hostname](https://developers.cloudflare.com/api/resources/hostnames/subresources/settings/subresources/tls/methods/delete/) endpoint to clear a previously defined `min_tls_version` setting.

Cloudflare uses the [hostname priority logic](https://developers.cloudflare.com/ssl/reference/certificate-and-hostname-priority/) to determine which setting to apply.

In the following example, the minimum TLS version for a specific hostname will be set to `1.2`. Replace the zone ID, hostname, and authentication placeholders with your information, and adjust the `value` field with your chosen TLS version.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `SSL and Certificates Write`

Edit TLS setting for hostname

```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/hostnames/settings/min_tls_version/$HOSTNAME" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "value": "1.2"
  }'
```

### Cloudflare for SaaS

If you are a SaaS provider looking to configure minimum TLS version for your custom hostnames, refer to the Cloudflare for SaaS [TLS management](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/#minimum-tls-version).

## Test supported TLS versions

To test supported TLS versions, attempt a request to your website or application while specifying a TLS version.

For example, to test TLS 1.1, use the `curl` command below. Replace `www.example.com` with your Cloudflare domain and hostname.

```sh
curl https://www.example.com -svo /dev/null --tls-max 1.1
```

If the TLS version you are testing is blocked by Cloudflare, the TLS handshake is not completed and returns an error:

`* error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert`

Note

A local VPN or a device security client may prevent insecure connections using legacy protocols like TLS 1.0. Make sure to disable such a network or security client before running the test on your device.
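The `curl --tls-max` test above checks one version per invocation. The following is an added example, not part of the Cloudflare documentation, that does the same in Python's standard `ssl` module for every TLS version in turn, pinning each handshake to exactly one version, and then compares the outcome with the minimum you configured. The `policy_violations` check is the verification step a practitioner wants after changing the setting: any version below the configured minimum that still completes a handshake is a finding. The `@SECLEVEL=0` cipher string is an assumption about the local OpenSSL build: modern OpenSSL refuses TLS 1.0 and 1.1 at its default security level, which is the client-side counterpart of the note above about local security clients blocking the test.

```python
"""Probe which TLS versions a hostname accepts and check them against the intended minimum."""
import socket
import ssl
import sys

# Label -> ssl.TLSVersion, in protocol order (oldest first).
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
ORDER = list(VERSIONS)


def probe_version(host, version, port=443, timeout=5.0):
    """One handshake pinned to exactly `version`; returns (accepted, detail)."""
    ctx = ssl.create_default_context()
    # Assumption about the local OpenSSL: its default security level rejects TLS 1.0/1.1
    # before any packet is sent, which would blame the client rather than the edge.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as exc:  # e.g. the "tlsv1 alert" the page shows for a blocked version
        return False, exc.reason or str(exc)
    except OSError as exc:
        return False, str(exc)


def probe_all(host, port=443):
    """Map each version label to whether the server completed a handshake with it."""
    return {label: probe_version(host, version, port)[0] for label, version in VERSIONS.items()}


def lowest_accepted(results):
    """Oldest version the server accepted, or None if every probe failed."""
    for label in ORDER:
        if results.get(label):
            return label
    return None


def policy_violations(results, minimum):
    """Versions below `minimum` (e.g. "TLSv1.2") that the server still accepted."""
    if minimum not in ORDER:
        raise ValueError(f"unknown TLS version label: {minimum}")
    cutoff = ORDER.index(minimum)
    return [label for label in ORDER[:cutoff] if results.get(label)]


if __name__ == "__main__":
    # Usage: python probe_tls.py www.example.com TLSv1.2
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    minimum = sys.argv[2] if len(sys.argv) > 2 else "TLSv1.2"
    results = probe_all(host)
    for label in ORDER:
        print(f"{label:8} {'accepted' if results[label] else 'rejected'}")
    print("lowest accepted:", lowest_accepted(results))
    print("violations of", minimum, ":", policy_violations(results, minimum))
```

The probe functions need network access; `lowest_accepted` and `policy_violations` work on any result dictionary, so they can also be run over results collected elsewhere, for example in a scheduled job that alerts when a zone's effective minimum drifts from the configured one.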


---

---
title: Opportunistic Encryption
description: Opportunistic Encryption allows browsers to access HTTP URIs over an encrypted TLS channel. It's not a substitute for HTTPS, but provides additional security for otherwise vulnerable requests.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Opportunistic Encryption

Opportunistic Encryption allows browsers to access HTTP URIs over an encrypted TLS channel. It's not a substitute for HTTPS, but provides additional security for otherwise vulnerable requests.

Use HTTPS when both strong encryption and authentication are required. HTTP Opportunistic Encryption provides a means of enabling TLS when needed for other protocols such as HTTP/2. It does not provide the same indications of security as HTTPS (the green lock icon in most browser address bars).

## Availability

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | Yes  | Yes | Yes      | Yes        |

## Enable Opportunistic Encryption

You do not need to configure your origin web server to support Opportunistic Encryption. All it requires is updating your settings in the Cloudflare dashboard.


To enable Opportunistic Encryption in the dashboard:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **Opportunistic Encryption**, switch the toggle to **On**.

To adjust your Opportunistic Encryption settings with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `opportunistic_encryption` as the setting name in the URI path, and specify the `value` parameter with your desired setting (`"on"` or `"off"`).

Note

To use this feature on specific hostnames - instead of across your entire zone - use a [configuration rule](https://developers.cloudflare.com/rules/configuration-rules/).


---

---
title: TLS 1.3
description: TLS 1.3 enables the latest version of the TLS protocol (when supported) for improved security and performance.
image: https://developers.cloudflare.com/core-services-preview.png
---


# TLS 1.3

TLS 1.3 enables the latest version of the TLS protocol (when supported) for improved security and performance.

## What is TLS 1.3?

TLS 1.3 is the newest, fastest, and most secure version of the [TLS protocol](https://developers.cloudflare.com/ssl/reference/protocols/).

By turning on the TLS 1.3 feature, traffic to and from your website will be served over the TLS 1.3 protocol when supported by clients. TLS 1.3 protocol has improved latency over older versions, has several new features, and is currently supported in all updated major browsers.

## Availability

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | Yes  | Yes | Yes      | Yes        |

## Enable TLS 1.3

TLS 1.3 can be activated in the Cloudflare dashboard or through the API:


To enable TLS 1.3 in the dashboard:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **TLS 1.3**, switch the toggle to **On**.

To adjust your TLS 1.3 settings with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `tls_1_3` as the setting name in the URI path, and set the `value` parameter to your desired setting (`"on"`, `"zrt"` or `"off"`). `zrt` refers to [Zero Round Trip Time Resumption (0-RTT) ↗](https://blog.cloudflare.com/introducing-0-rtt/).

### Troubleshooting

Since TLS 1.3 implementations are relatively new, some failures may occur. If you experience errors, submit a Cloudflare Support ticket with the following information:

* Steps to replicate the issue (if possible)
* Client build version
* Client diagnostic information
* Packet captures

Chrome users should submit a [net-internals trace ↗](https://dev.chromium.org/for-testers/providing-network-details) to Google. Firefox users should [report bugs to Mozilla ↗](https://bugzilla.mozilla.org/home).

## Limitations

You cannot set specific TLS 1.3 ciphers. Instead, you can enable [TLS 1.3](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/tls-13/#enable-tls-13) for your entire zone and Cloudflare will use [all applicable TLS 1.3 cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/). In combination with this, you can still [disable weak cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) for TLS 1.0-1.2.


---

---
title: Total TLS
description: Total TLS allows Cloudflare to issue individual certificates for your proxied hostnames. These certificates will protect proxied hostnames not covered by Universal certificates.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Total TLS

Total TLS allows Cloudflare to issue individual certificates for your proxied hostnames. These certificates will protect proxied hostnames not covered by [Universal certificates](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/).

Warning

Total TLS certificates follow the Common Name (CN) restriction of 64 characters ([RFC 5280 ↗](https://www.rfc-editor.org/rfc/rfc5280.html)). If you have a hostname that exceeds this length, you can create an [Advanced Certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/#create-a-certificate) via API to cover it.

When issued, these certificates will have a type of **Advanced - Total TLS**, and their default validity period is 90 days.

## Reference

* [ Enable ](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/enable/)
* [ Error messages ](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/error-messages/)

## Availability

Total TLS is available for domains that have purchased [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) and are currently using a [full DNS setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/).

## Limitations

### Hostnames used with other Cloudflare products

Total TLS does not issue certificates for any hostnames used with:

* [Cloudflare Load Balancing](https://developers.cloudflare.com/load-balancing/)
* [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/)
* [Cloudflare Spectrum](https://developers.cloudflare.com/spectrum/)

You can use other types of certificates or manually [order advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/#create-a-certificate) for these hostnames.

### Deleting certificates

Once you [enable Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/enable/), be careful deleting any Total TLS certificates associated with proxied hostnames.

If you do, our system assumes you want to opt that hostname out of Total TLS certificate and will not order new certificates for the hostname in the future. This behavior applies even if you delete and re-create the hostname's DNS record.


---

---
title: Enable
description: To enable Total TLS - which issues individual certificates for your proxied hostnames - follow these instructions:
image: https://developers.cloudflare.com/core-services-preview.png
---


# Enable

To enable [Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/) - which issues individual certificates for your proxied hostnames - follow these instructions:


To enable Total TLS in the dashboard:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **Total TLS**, switch the toggle to **On** and - if desired - choose an issuing **Certificate Authority**.

To enable Total TLS with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/acm/subresources/total%5Ftls/methods/create/) request with the `enabled` parameter set to your desired setting (`true` or `false`).

You can also specify a desired certificate authority by adding a value to the `certificate_authority` parameter.

## Aspects to consider

* Total TLS certificates follow the Common Name (CN) restriction of 64 characters ([RFC 5280 ↗](https://www.rfc-editor.org/rfc/rfc5280.html)). If you have a hostname that exceeds this length, you can create an [Advanced Certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/#create-a-certificate) via API to cover it.


---

---
title: Error messages
description: To help avoid ERR_SSL_VERSION_OR_CIPHER_MISMATCH errors, Cloudflare automatically shows an error message - This hostname is not covered by a certificate - on proxied DNS records not covered by a TLS certificate.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Error messages

To help avoid [ERR\_SSL\_VERSION\_OR\_CIPHER\_MISMATCH](https://developers.cloudflare.com/ssl/troubleshooting/version-cipher-mismatch/) errors, Cloudflare automatically shows an error message - `This hostname is not covered by a certificate` - on proxied DNS records not covered by a TLS certificate.

## Pending domains

If you recently [added your domain](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) to Cloudflare - meaning that your zone is in a [pending state](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/) - you can often ignore this warning.

Once most domains become **Active**, Cloudflare will automatically issue a Universal SSL certificate, which will provide SSL/TLS coverage and remove the warning message.

Note

Since there are a few nuances to certificate coverage and issuance timing, review [Enable Universal SSL certificates](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/enable-universal-ssl/) to make sure your domain will receive SSL/TLS coverage automatically.

## Active domains

If your zone is already active on Cloudflare, this warning identifies subdomains that are not covered by your current SSL/TLS certificate.

By default, Cloudflare [Universal SSL certificates](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) only cover your apex domain and one level of subdomain.

| Hostname                 | Covered by Universal certificate? |
| ------------------------ | --------------------------------- |
| example.com              | Yes                               |
| www.example.com          | Yes                               |
| docs.example.com         | Yes                               |
| dev.docs.example.com     | No                                |
| test.dev.api.example.com | No                                |

To prevent insecure connections on a multi-level subdomain, do one of the following:

* Enable [Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/), which automatically issues individual certificates to your proxied hostnames not covered by a Universal certificate.
* Order an [Advanced Certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/) covering the subdomain.
* Upload a [Custom Certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) covering the subdomain.

If none of these solutions work, you could also remove the multi-level subdomain.
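The coverage rule in the table above, applied to a whole zone as an added example (not Cloudflare's code): a Universal certificate covers the apex and exactly one label below it, so the function lists the proxied records that will carry the `This hostname is not covered by a certificate` warning. The sample records are constructed and mirror the table.

```python
"""Find proxied hostnames in a zone that a Universal SSL certificate does not cover.

Added example, not Cloudflare code. Encodes the rule from the table above:
Universal SSL covers the zone apex (example.com) and one level of subdomain
(*.example.com). Deeper names are not covered and, when proxied, trigger the
"This hostname is not covered by a certificate" warning.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    name: str       # fully qualified hostname, e.g. "dev.docs.example.com"
    proxied: bool   # proxied (orange-cloud) records are terminated at Cloudflare's edge


def universal_covers(hostname: str, zone: str) -> bool:
    """Return True if a Universal SSL certificate for `zone` covers `hostname`."""
    hostname = hostname.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if hostname == zone:
        return True                          # apex is covered
    if not hostname.endswith("." + zone):
        return False                         # not in this zone at all
    prefix = hostname[: -len(zone) - 1]      # labels to the left of the zone
    return "." not in prefix                 # exactly one label: matched by *.zone


def uncovered_proxied(records, zone):
    """Hostnames that will show the 'not covered by a certificate' warning.

    DNS-only records are skipped: Cloudflare does not terminate TLS for them,
    so their coverage is the origin's concern, not the edge certificate's.
    """
    return sorted(
        r.name for r in records if r.proxied and not universal_covers(r.name, zone)
    )


# Constructed sample zone: the hostnames from the table plus one DNS-only record.
SAMPLE_RECORDS = [
    DnsRecord("example.com", True),
    DnsRecord("www.example.com", True),
    DnsRecord("docs.example.com", True),
    DnsRecord("dev.docs.example.com", True),
    DnsRecord("test.dev.api.example.com", True),
    DnsRecord("legacy.internal.example.com", False),  # DNS-only, no warning
]

if __name__ == "__main__":
    for host in uncovered_proxied(SAMPLE_RECORDS, "example.com"):
        print(f"{host}: This hostname is not covered by a certificate")
```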


---

---
title: Advanced certificates
description: Use advanced certificates when you want something more customizable than Universal SSL but still want the convenience of SSL certificate issuance and renewal.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Advanced certificates

Use advanced certificates when you want something more customizable than [Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) but still want the convenience of SSL certificate issuance and renewal.

  
To order advanced certificates you must purchase the Advanced Certificate Manager add-on, which also includes other features.

## Advanced Certificate Manager

Advanced Certificate Manager allows you to:

* Order advanced certificates that can:
   * Include the zone apex and up to 50 hosts as covered hostnames.
   * Cover more than one level of subdomain.
   * Be issued by the certificate authority (CA) you choose.
   * Use your preferred validation method.
   * Have the validity period you choose.
* Use [delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/) to delegate the DCV process of your partial zones ([CNAME setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/)) to Cloudflare.
* Enable [Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/) to automatically protect proxied hostnames.
* Select a [custom trust store](https://developers.cloudflare.com/ssl/origin-configuration/custom-origin-trust-store/) for origin authentication.
* Control [cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) and [per-hostname minimum TLS version](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/#per-hostname).

Note

Enterprise customers can also purchase a subscription for Advanced Certificate Manager, which allows them to add up to 100 edge certificates per zone.

## Availability

|              | Free        | Pro         | Business    | Enterprise  |
| ------------ | ----------- | ----------- | ----------- | ----------- |
| Availability | Paid add-on | Paid add-on | Paid add-on | Paid add-on |

Note

Enterprise customers can preview this product as a [non-contract service](https://developers.cloudflare.com/billing/preview-services/), which provides full access, free of metered usage fees, limits, and certain other restrictions.

## Limitations

Advanced certificates are not used with [Cloudflare Pages](https://developers.cloudflare.com/pages/) nor [R2](https://developers.cloudflare.com/r2/) due to [certificate prioritization](https://developers.cloudflare.com/ssl/reference/certificate-and-hostname-priority/). Both Pages and R2 custom domains use Cloudflare for SaaS certificates.

Advanced certificates are [Domain Validated (DV)](https://developers.cloudflare.com/ssl/concepts/#validation-level). If your organization needs Organization Validated (OV) or Extended Validation (EV) certificates, refer to [Custom certificates](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/).

Advanced certificates do not cover multiple different domains. For a multi-domain certificate (MDC), consider the [Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/) product. You can also find further guidance in [Leveraging Cloudflare for your SaaS applications](https://developers.cloudflare.com/reference-architecture/design-guides/leveraging-cloudflare-for-your-saas-applications/).

## Related resources

* [ Manage advanced certificates ](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/)
* [ API commands ](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/api-commands/)


---

---
title: API commands
description: Use the following API commands to manage advanced certificates. If you are using our API for the first time, review our API documentation.
image: https://developers.cloudflare.com/core-services-preview.png
---


# API commands

Use the following API commands to manage advanced certificates. If you are using our API for the first time, review our [API documentation](https://developers.cloudflare.com/fundamentals/api/).

| Command | Method | Endpoint | Additional notes |
| ------- | ------ | -------- | ---------------- |
| [Order advanced certificate](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/create/) | POST | `zones/<<ZONE_ID>>/ssl/certificate_packs/order` | |
| [Restart certificate validation](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/edit/) | PATCH | `zones/<<ZONE_ID>>/ssl/certificate_packs/<<ID>>` | For a certificate pack in a `validation_timed_out` status. |
| [Delete certificate pack](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/delete/) | DELETE | `zones/<<ZONE_ID>>/ssl/certificate_packs/<<ID>>` | |
| [List certificate packs in a zone](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/list/) | GET | `zones/<<ZONE_ID>>/ssl/certificate_packs?status=all` | This API call returns all certificate packs for a domain (Universal, Custom, and Advanced). |
| List cipher suite settings: [Get zone setting](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/get/) with `ciphers` as the setting name in the URI path | GET | `zones/<<ZONE_ID>>/settings/ciphers` | |
| Change cipher suite settings: [Edit zone setting](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) with `ciphers` as the setting name in the URI path | PATCH | `zones/<<ZONE_ID>>/settings/ciphers` | To restore default settings, send a blank array in the `value` parameter. |


---

---
title: Manage advanced certificates
description: Learn how to create, delete and perform other operations to manage your Cloudflare Advanced SSL certificates.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Manage advanced certificates

## Create a certificate

If you are using an existing [Universal SSL certificate](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/), Cloudflare will automatically replace this certificate once you finish ordering your advanced certificate.

Once you order a certificate, you can review the [certificate's status](https://developers.cloudflare.com/ssl/reference/certificate-statuses/) on the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page or via the API with a [GET request](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/list/).


To create a new advanced certificate in the dashboard:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. Select **Order Advanced Certificate**.
3. If Cloudflare does not have your billing information, you will need to enter that information.
4. Enter the following information:
   * Certificate authority
   * Certificate hostnames (for hostnames longer than 64 characters, use the API)
   * Validation method
   * Certificate validity period
5. Select **Save**.

To create a new certificate using the API, send a [POST request](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/create/) to the Cloudflare API.

If you need certificates for hostnames longer than 64 characters ([RFC 5280 ↗](https://www.rfc-editor.org/rfc/rfc5280.html)), set the `cloudflare_branding` option to `true`. This will add `sni.cloudflaressl.com` in the Common Name (CN) field and will include the long hostname as a part of the Subject Alternative Name (SAN).

Warning

The available options for **Validation method** and **Certificate Validity Period** may vary depending on the certificate authority you choose and the hostnames that you include in your Advanced certificate order.
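An added example (not Cloudflare's own code) that checks an advanced certificate order against the limits stated on this page before sending it to the order endpoint: the 64-character hostname rule that requires `cloudflare_branding`, the host count, and duplicates. The request field names (`type`, `hosts`, `validation_method`, `validity_days`, `certificate_authority`, `cloudflare_branding`) and the CA enum values are assumed from the linked API reference, and the 50-host cap is my reading of "the zone apex and up to 50 hosts".

```python
"""Validate an advanced certificate order, then build the request body for
POST zones/<<ZONE_ID>>/ssl/certificate_packs/order.

Added example, not Cloudflare code. Field names are assumed from the
certificate_packs API reference; the checks encode the limits this page states.
"""
import json
import os
import urllib.request

MAX_HOSTS = 50        # assumption: "zone apex and up to 50 hosts" read as a 50-host cap
MAX_CN_LENGTH = 64    # RFC 5280 upper bound on the Common Name


def order_problems(hosts, cloudflare_branding=False):
    """Return the reasons the order would be rejected (empty list means it looks fine)."""
    problems = []
    hosts = [h.rstrip(".").lower() for h in hosts]
    if not hosts:
        problems.append("at least one hostname is required")
    if len(hosts) > MAX_HOSTS:
        problems.append(f"{len(hosts)} hosts exceeds the {MAX_HOSTS}-host limit")
    if len(set(hosts)) != len(hosts):
        problems.append("duplicate hostnames in order")
    too_long = [h for h in hosts if len(h) > MAX_CN_LENGTH]
    if too_long and not cloudflare_branding:
        # Without branding a hostname has to fit in the CN, which is capped at 64
        # characters; with branding the CN is sni.cloudflaressl.com and the long
        # hostname goes into the SAN list instead.
        problems.append(
            f"{too_long[0]} is longer than {MAX_CN_LENGTH} characters; "
            "set cloudflare_branding=True"
        )
    return problems


def build_order(hosts, validation_method="txt", validity_days=90,
                certificate_authority="lets_encrypt", cloudflare_branding=False):
    """Build the JSON body for the order endpoint, refusing orders that fail the checks."""
    problems = order_problems(hosts, cloudflare_branding)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "type": "advanced",
        "hosts": [h.rstrip(".").lower() for h in hosts],
        "validation_method": validation_method,          # txt, http or email
        "validity_days": validity_days,
        "certificate_authority": certificate_authority,  # assumed enum, e.g. google, lets_encrypt, ssl_com
        "cloudflare_branding": cloudflare_branding,
    }


def submit_order(zone_id, order, api_token):
    """POST the order. Needs a real zone ID and an API token; not run by the offline checks."""
    req = urllib.request.Request(
        f"https://api.cloudflare.com/client/v4/zones/{zone_id}/ssl/certificate_packs/order",
        data=json.dumps(order).encode(),
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Multi-level subdomains are fine on an advanced certificate.
    order = build_order(["example.com", "*.example.com", "api.internal.example.com"])
    print(json.dumps(order, indent=2))
    if os.environ.get("CLOUDFLARE_API_TOKEN") and os.environ.get("ZONE_ID"):
        print(submit_order(os.environ["ZONE_ID"], order, os.environ["CLOUDFLARE_API_TOKEN"]))
```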

---

## Delete a certificate


To delete an advanced certificate in the dashboard:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. Select a certificate.
3. Select **Delete Certificate**.

To delete a certificate using the API, send a [DELETE request](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/delete/) to the Cloudflare API.

---

## Restart validation

To restart validation for a certificate in a `validation_timed_out` status, send a [PATCH request](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/edit/) to the API.

---

## Restrict cipher suites

Cipher suites are a combination of ciphers used to negotiate security settings during the [SSL/TLS handshake ↗](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) (and therefore separate from the [SSL/TLS protocol](https://developers.cloudflare.com/ssl/reference/protocols/)).

For more details, refer to [Customize cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/).

---

## Perform domain control validation (DCV)

Before a certificate authority (CA) will issue a certificate for a domain, the requester must prove they have control over that domain. This process is known as domain control validation (DCV).

  
Normally, you only need to update DCV if you have your application on a partial setup (Cloudflare does not run your authoritative nameservers).

For more information about DCV, refer to [DCV methods](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/).

---

## Set up alerts

You can configure alerts to receive notifications for changes in your certificates.

Advanced Certificate Alert

**Who is it for?**

Customers with [advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) that want to be alerted on validation, issuance, renewal, and expiration of certificates.

**Other options / filters**

None.

**Included with**

When an advanced certificate is validated, issued, renewed, or expired.

**What should you do if you receive one?**

You only need to take action if the notification is about a certificate that failed to be issued. Refer to [SSL expired or SSL mismatch errors](https://developers.cloudflare.com/ssl/troubleshooting/version-cipher-mismatch/) for more information.

Refer to [Cloudflare Notifications](https://developers.cloudflare.com/notifications/get-started/) for more information on how to set up an alert.

---

## Advanced certificate renewal

The certificate validity period you choose determines when the auto renewal will start for your certificate. For details, refer to [Validity period and renewal](https://developers.cloudflare.com/ssl/reference/certificate-validity-periods/).


---

---
title: Backup certificates
description: If Cloudflare is providing authoritative DNS for your domain, Cloudflare will issue a backup Universal SSL certificate for every standard Universal certificate issued.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Backup certificates

If Cloudflare is providing [authoritative DNS](https://developers.cloudflare.com/dns/zone-setups/full-setup/) for your domain, Cloudflare will issue a backup [Universal SSL certificate](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) for every standard Universal certificate issued.

Backup certificates are wrapped with a different private key and issued from a different Certificate Authority — either Google Trust Services, Let's Encrypt, Sectigo, or SSL.com — than your domain's primary Universal SSL certificate.

These backup certificates are not normally deployed, but they will be deployed automatically by Cloudflare in the event of a certificate revocation or key compromise.

For additional details, refer to the [introductory blog post ↗](https://blog.cloudflare.com/introducing-backup-certificates/).

## Availability

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | Yes  | Yes | Yes      | Yes        |
| Can opt out? | No   | No  | No       | Yes        |


---

---
title: Add CAA records
description: A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Add CAA records

A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.

  
For additional security, set up [Certificate Transparency Monitoring](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/certificate-transparency-monitoring/) as well.

Note

For more technical details about CAA records, refer to the [introductory blog post ↗](https://blog.cloudflare.com/caa-of-the-wild/).

## Who should create CAA records?

You should [create CAA records](#create-caa-records) in Cloudflare if each of the following is true:

* You uploaded your own custom origin server certificate (not provisioned by Cloudflare).
* That certificate was issued by a CA (not self-signed).
* Your domain is on a [full setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/) (not a [CNAME setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup)).
* You are adding a new [Custom Hostname](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/) and your customer has existing CAA records. In this case, ask your customer to remove the existing CAA records or add the missing CAA record.

## CAA records added by Cloudflare

Cloudflare adds CAA records automatically in the following situations:

* When you have [Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) and add any CAA records to your zone.
* When you have [advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) and add any CAA records to your zone.

These records make sure Cloudflare can still issue Universal certificates on your behalf.

Subdomain zones caveat

CAA records are inherited. This means that, if you are using a [subdomain setup](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/) (with `subdomain.example.com` on Cloudflare but `example.com` on a different DNS provider), you should make sure that the parent domain (`example.com`) either has CAA records that allow [Cloudflare's partner CAs](https://developers.cloudflare.com/ssl/reference/certificate-authorities/), or has no CAA records at all.

If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using `dig`, you can see any existing CAA records, including those added by Cloudflare (replacing `example.com` with your own domain on Cloudflare):

```
➜  ~ dig example.com caa +short

# CAA records added by Google Trust Services
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issuewild "pki.goog; cansignhttpexchanges=yes"

# CAA records added by Let's Encrypt
0 issue "letsencrypt.org"
0 issuewild "letsencrypt.org"

# CAA records added by SSL.com
0 issue "ssl.com"
0 issuewild "ssl.com"

# CAA records added by Sectigo
0 issue "sectigo.com"
0 issuewild "sectigo.com"
```

Note

This list is not exhaustive, and other CAs might be added or removed for operational reasons.
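An added example (not Cloudflare's code) that parses `dig ... caa +short` lines like the ones above and evaluates them the way a CA does under RFC 8659, climbing to the parent when a name has no CAA records of its own. It shows the subdomain caveat above in code: a subdomain zone on Cloudflare inherits whatever its parent publishes, so a parent that lists only some other CA blocks issuance by Cloudflare's partner CAs. `CAA_ZONE` is a constructed zone and `lookup` stands in for DNS resolution; `ca.example` is a placeholder issuer.

```python
"""Evaluate CAA records for a hostname, including inheritance from parent names.

Added example, not Cloudflare code. Records are kept in the "<flags> <tag> <value>"
shape that `dig caa +short` prints; `lookup(name)` returns that name's CAA records
or None. The constructed zone below reuses the Cloudflare-added records shown above.
"""
import re
from typing import Optional

# Constructed sample data: name -> CAA records, as dig prints them.
CAA_ZONE = {
    "example.com": [
        '0 issue "pki.goog; cansignhttpexchanges=yes"',
        '0 issuewild "pki.goog; cansignhttpexchanges=yes"',
        '0 issue "letsencrypt.org"',
        '0 issuewild "letsencrypt.org"',
        '0 issue "ssl.com"',
        '0 issuewild "ssl.com"',
        '0 issue "sectigo.com"',
        '0 issuewild "sectigo.com"',
    ],
    # A parent that allows a single, unrelated CA (placeholder issuer name).
    "locked.example.org": ['0 issue "ca.example"'],
}

CAA_RE = re.compile(r'^(\d+)\s+(issue|issuewild|iodef)\s+"([^"]*)"$')


def parse_caa(line: str):
    """Parse one dig-style CAA line into (flags, tag, issuer-domain)."""
    m = CAA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    flags, tag, value = m.groups()
    # The value is "<issuer-domain>; param=value; ..."; parameters are ignored here.
    # A bare ";" means no issuer at all, and parses to the empty string.
    issuer = value.split(";", 1)[0].strip().lower()
    return int(flags), tag, issuer


def relevant_rrset(name: str, lookup) -> Optional[tuple]:
    """RFC 8659: walk from the name toward the root; the first CAA RRset found governs."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrs = lookup(candidate)
        if rrs:
            return candidate, rrs
    return None


def ca_may_issue(hostname: str, ca_domain: str, lookup) -> bool:
    """Return True if `ca_domain` is permitted to issue for `hostname`."""
    wildcard = hostname.startswith("*.")
    # For *.example.com the governing records are looked up from example.com upward.
    found = relevant_rrset(hostname[2:] if wildcard else hostname, lookup)
    if found is None:
        return True  # no CAA anywhere up the tree: any CA may issue
    _, rrs = found
    parsed = [parse_caa(r) for r in rrs]
    issue = [i for _, t, i in parsed if t == "issue"]
    issuewild = [i for _, t, i in parsed if t == "issuewild"]
    # issuewild governs wildcard names when present; otherwise issue applies.
    allowed = issuewild if (wildcard and issuewild) else issue
    if not allowed:
        return True  # RRset carries no governing tag (e.g. only iodef): unrestricted
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for host in ("subdomain.example.com", "*.subdomain.example.com", "app.locked.example.org"):
        ok = ca_may_issue(host, "letsencrypt.org", CAA_ZONE.get)
        print(f"{host}: Let's Encrypt {'may' if ok else 'may NOT'} issue")
```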

## Create CAA records

Create a CAA record for each Certificate Authority (CA) that you plan to use for your domain.


To add a CAA record in the dashboard:

1. In the Cloudflare dashboard, go to the **DNS Records** page.  
[ Go to **Records** ](https://dash.cloudflare.com/?to=/:account/:zone/dns/records)
2. Select **Add record**.
3. For **Type**, select **CAA**.
4. For **Name**, type your domain.
5. Choose a **Tag**, which specifies the behavior associated with the record.
6. For **CA domain name**, enter the CA name.
7. Select **Save**.
8. Repeat for each CA associated with your domain.

To create a CAA record via the API, use this [POST endpoint](https://developers.cloudflare.com/api/resources/dns/subresources/records/methods/create/).

Once you have finished creating all the records, you can review them in the list of records appearing under the DNS Records panel.


---

---
title: Domain control validation (DCV)
description: Learn when and how to perform Domain Control Validation when using Cloudflare SSL/TLS.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Domain control validation (DCV)

Before a certificate authority (CA) will issue a certificate for a domain, the requester must prove they have control over that domain. This process is known as domain control validation (DCV).

Note

Refer to [Domain control validation flow](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/dcv-flow/) to learn more about the steps and parties involved in the DCV process.

For [custom certificates](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/), DCV will always be handled by you, when you request the certificate from the CA.

For certificates issued through Cloudflare, this process may be done automatically or it may require you to take action, as described in the following sections.

---

## Full DNS setup - no action required

If your domain is on a [**full setup**](https://developers.cloudflare.com/dns/zone-setups/full-setup/) — meaning that Cloudflare runs your authoritative nameservers — Cloudflare handles DCV automatically on your behalf using a TXT record. For more details, refer to [Enable Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/enable-universal-ssl/#full-dns-setup).

---

## Partial DNS setup - action sometimes required

If your application is on a [partial DNS setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/) — meaning that Cloudflare does not run your authoritative nameservers — you may need to perform additional steps to complete DCV.

### Non-wildcard certificates

If every hostname on a non-wildcard certificate is [proxying traffic](https://developers.cloudflare.com/dns/proxy-status/) through Cloudflare and the DCV method is [HTTP](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/http/), Cloudflare can automatically complete DCV on your behalf.

This applies to customers using [Universal](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) or [Advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/).

If one of the hostnames on the certificate is not proxying traffic through Cloudflare, certificate issuance and renewal will vary based on the type of certificate you are using:

* **Universal**: Perform DCV using one of the available [methods](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/).
* **Advanced**: In most cases, you can opt for [Delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/), which greatly simplifies certificate management.

Tip

If all hostnames are proxied and non-wildcard but you are using [TXT](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/txt/) as DCV method for advanced certificates, also consider [Delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/) to simplify the process.

### Wildcard certificates

For wildcard hostname certificates, certificate issuance and renewal varies based on the type of certificate you are using:

* **Universal**: Perform DCV using [TXT validation method](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/txt/).
* **Advanced**: In most cases, you can opt for [Delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/), which greatly simplifies certificate management.

If you cannot use Delegated DCV, you need to use [TXT based DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/txt/) for certificate issuance and renewal. This means you will need to place one TXT DCV token for every hostname on the certificate. If one or more of the hostnames on the certificate fails to validate, the certificate will not be issued or renewed.

This means that a wildcard certificate covering `example.com` and `*.example.com` will require two DCV tokens to be placed at the authoritative DNS provider. Similarly, a certificate with five hostnames in the SAN (including a wildcard) will require five DCV tokens to be placed at the authoritative DNS provider.


---

---
title: Domain control validation flow
description: Consider the steps that have to take place before the DCV process is completed and certificate authorities can issue SSL/TLS certificates.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Domain control validation flow

To obtain [Universal](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/), [Advanced](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/), and [Custom hostname](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/) certificates, Cloudflare partners with different publicly trusted [certificate authorities (CAs)](https://developers.cloudflare.com/ssl/reference/certificate-authorities/).

However, every time a CA is requested to issue or renew a certificate, the requester must prove that they have control over the domain. That is when the DCV process takes place, with the proof usually consisting of placing an HTTP token at a standard URL path (`/.well-known/pki-validation`), or placing a TXT record at the authoritative DNS provider.

## Where Cloudflare sits in the DCV process

For the use cases mentioned above, there are three different parties involved in the process:

* The website or application for which the certificate is issued.
* The requester (Cloudflare).
* The CA that processes the request.

## Steps in the process

In summary, five steps have to succeed after Cloudflare requests a CA to issue or renew a certificate:

1. Cloudflare receives the DCV tokens from the CA.
2. Cloudflare either places the tokens on your behalf ([Full DNS setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/), [Delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/)), or makes the tokens available for you to place them.
3. Cloudflare polls the validation URLs to check for the tokens.
4. After Cloudflare can confirm that the tokens are placed via multiple DNS resolvers, the CA is asked to check as well.
5. If the CA can confirm the tokens are placed, the certificate gets issued. If the CA cannot confirm the tokens are placed, the certificate is not issued and the tokens are no longer valid.

## Aspects to consider

* Settings that interfere with the validation URLs - firewall blocks or misconfigured DNSSEC, for example - can cause issues with your certificate issuance or renewal. Refer to the [troubleshooting guide](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/troubleshooting/).
* When your certificate is in `pending_validation` and valid tokens are in place, some security features targeting your zone's path for `/.well-known/*` can be automatically bypassed.
* Certificate authority authorization (CAA) records may block certificate issuance. Refer to [CAA records](https://developers.cloudflare.com/ssl/edge-certificates/caa-records/).

### DCV tokens

DCV tokens are generated and controlled by the CA and not by Cloudflare. You can find further technical specification of how they work in [RFC 8555 ↗](https://www.rfc-editor.org/rfc/rfc8555#section-7.1.5).

* As mentioned in [Step 5](#steps-in-the-process), DCV tokens will change upon verification failures. For example, if a DCV check fails because of a DNSSEC issue, the certificate order is no longer valid and Cloudflare must start a new certificate request. Since tokens cannot be reused, a new token is required.
* DCV tokens also have [validity periods](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule/). If you are handling the DCV process manually, it is recommended that you place the tokens as soon as the certificate is up for renewal. Otherwise, the tokens may expire and new tokens will be required.


---

---
title: Methods
description: Review different methods to perform Domain Control Validation when using Cloudflare SSL/TLS.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Methods

Before a certificate authority (CA) will issue a certificate for a domain, the requester must prove they have control over that domain. This process is known as domain control validation (DCV).

## Perform DCV

For details on each method available for DCV, refer to the following resources:

* [ Delegated ](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/)
* [ TXT ](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/txt/)
* [ HTTP ](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/http/)

Note

For guidance on when you need to perform DCV, refer to [Domain Control Validation](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/).

---

## Verify DCV status

To verify the [DCV status](https://developers.cloudflare.com/ssl/reference/certificate-statuses/) of a certificate, either monitor the certificate's status on the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page or use the [Verification Status endpoint](https://developers.cloudflare.com/api/resources/ssl/subresources/verification/methods/get/).

A status of `active` means that the certificate has been deployed to Cloudflare’s global network and will be served as soon as HTTP traffic is proxied to Cloudflare.

## Update DCV methods

You cannot update the DCV method for an active certificate. To update the DCV method for a subdomain, wait until the DCV expires and then change the DCV method.


---

---
title: Delegated
description: Delegated DCV allows zones with partial DNS setups - meaning authoritative DNS is not provided by Cloudflare - to delegate the DCV process to Cloudflare.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Delegated

Delegated DCV allows zones with [partial DNS setups](https://developers.cloudflare.com/dns/zone-setups/partial-setup/) - meaning authoritative DNS is not provided by Cloudflare - to delegate the DCV process to Cloudflare.

DCV Delegation requires you to place a one-time record that allows Cloudflare to auto-renew all future certificate orders, so that there’s no manual intervention at the time of the renewal.

Note

DCV Delegation will not work with Universal Certificates and requires the use of an [Advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/).

## Availability

|              | Free                                                                                                                                | Pro                                                                                                                                 | Business                                                                                                                            | Enterprise                                                                                                                          |
| ------------ | ----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
| Availability | Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) | Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) | Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) | Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) |

## When to use

You should use Delegated DCV when all of the following conditions are true:

* Your zone is using a [partial DNS setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/).
* Cloudflare is not already [performing DCV automatically](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/).
* Your zone is using an [Advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/).
* The Certificate Authority is either Google Trust Services, SSL.com, or Let's Encrypt.

### Aspects to keep in mind

As explained in the [announcement blog post ↗](https://blog.cloudflare.com/introducing-dcv-delegation/), currently, you can only delegate DCV to one provider at a time. This means:

* If you also issue publicly trusted certificates for the same hostname for your [origin server](https://developers.cloudflare.com/ssl/concepts/#origin-certificate), this will no longer be possible. You can use [Cloudflare origin CA certificates](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/) instead.
* If your zone is using multiple CDN providers, you might want to use an alternative [method](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/). This is because, once the DCV delegation is configured for Cloudflare, only Cloudflare will be able to perform DCV on your behalf, blocking your external CDN providers from doing the same.

## Setup

To set up Delegated DCV:

1. Order an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/) for your zone, choosing `TXT` as the **Certificate validation method**.
2. On the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page, go to **DCV Delegation for Partial Zones**.
3. Copy the Cloudflare validation URL.
4. At your authoritative DNS provider, create `CNAME` record(s) considering the following:
* If your certificate only covers the apex domain and a wildcard, you only need to create a single `CNAME` record for your apex domain. Any direct subdomains will be covered as well.

```
_acme-challenge.example.com CNAME example.com.<COPIED_VALIDATION_URL>.
```

* If your certificate also covers subdomains specified by their name, you will need to add multiple `CNAME` records to your authoritative DNS provider, one for each specific subdomain.

For example, a certificate covering `example.com`, `*.example.com`, and `sub.example.com` would require the following records.

```
_acme-challenge.example.com CNAME example.com.<COPIED_VALIDATION_URL>.
_acme-challenge.sub.example.com CNAME sub.example.com.<COPIED_VALIDATION_URL>.
```

Remove previous TXT records

Existing TXT records for `_acme-challenge` will conflict with the delegated DCV CNAME record. Make sure to check and remove records such as the following:

```
_acme-challenge.example.com TXT <CERTIFICATE_VALIDATION_VALUE>
```

Once the `CNAME` records are in place, Cloudflare will add TXT DCV tokens for every hostname on the Advanced certificate that has a DCV delegation record in place, as long as the zone is [active](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/) on Cloudflare.

Because DCV happens regularly, do not remove the `CNAME` record(s) at your authoritative DNS provider. Otherwise, Cloudflare will not be able to perform DCV on your behalf and your certificate will not be issued.
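The record-planning rules above (one `CNAME` at the apex covers the apex and its wildcard, every named subdomain needs its own, and stale `_acme-challenge` TXT records must go first) are easy to get wrong by hand on a certificate with many SANs. The following is an added example, not Cloudflare code: it derives the required `CNAME` records from a certificate's host list and flags existing TXT records that would conflict. The validation URL and the zone export it runs against are constructed placeholders.

```python
"""Plan the _acme-challenge CNAME records for Delegated DCV.

Added example, not Cloudflare code. Rules implemented, as stated in the docs:
  * apex + wildcard (example.com, *.example.com) -> a single CNAME at the apex
  * each additionally named hostname (sub.example.com) -> its own CNAME
  * an existing TXT record at a planned name conflicts and must be removed
"""
from typing import Dict, Iterable, List, Tuple

# Constructed placeholder for the value copied from "DCV Delegation for
# Partial Zones" on the Edge Certificates page; the real value is per-account.
VALIDATION_URL = "<COPIED_VALIDATION_URL>"


def delegated_dcv_cnames(hosts: Iterable[str],
                         validation_url: str = VALIDATION_URL) -> Dict[str, str]:
    """Map each required _acme-challenge name to its CNAME target.

    '*.example.com' is covered by the record for 'example.com', so a wildcard
    entry is folded into its base name and never produces a second record.
    """
    records: Dict[str, str] = {}
    for host in hosts:
        host = host.strip().lower().rstrip(".")
        if host.startswith("*."):
            host = host[2:]                      # wildcard -> base name
        records[f"_acme-challenge.{host}"] = f"{host}.{validation_url}."
    return records


def conflicting_txt_records(zone_records: Iterable[Tuple[str, str, str]],
                            planned: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return TXT records that sit at a name about to receive a DCV CNAME.

    zone_records is an iterable of (name, type, value) tuples, as you would
    get from an export of the authoritative zone.
    """
    names = {n.lower() for n in planned}
    return [(n, t, v) for n, t, v in zone_records
            if t.upper() == "TXT" and n.lower().rstrip(".") in names]


def format_zone_lines(records: Dict[str, str]) -> List[str]:
    """Render the plan in the 'name CNAME target' form used on this page."""
    return [f"{name} CNAME {target}" for name, target in sorted(records.items())]


if __name__ == "__main__":
    # Hosts from the page's own example certificate.
    hosts = ["example.com", "*.example.com", "sub.example.com"]
    plan = delegated_dcv_cnames(hosts)
    for line in format_zone_lines(plan):
        print(line)
    # Constructed zone export: one stale TXT token from an earlier manual DCV.
    existing = [
        ("_acme-challenge.example.com", "TXT", "<CERTIFICATE_VALIDATION_VALUE>"),
        ("www.example.com", "CNAME", "www.example.com.cdn.example.net"),
    ]
    for rec in conflicting_txt_records(existing, plan):
        print("remove before adding the CNAME:", rec)
```

Run it against the real host list of the Advanced certificate and a TXT export from the authoritative provider; every line it prints under "remove before adding" is a record that would otherwise block the delegated `CNAME`.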

## Further details

### Testing

If you use a `dig` command to test, you should only be able to see the placed tokens while the certificate is up for issuance.

This is because Cloudflare places the tokens when needed and then cleans them up.

```
dig TXT +noadditional +noquestion +nocomments +nocmd +nostats _acme-challenge.example.com. @1.1.1.1

_acme-challenge.example.com. 3600    IN    CNAME    example.com.<COPIED_VALIDATION_URL>
```

### Renewal

If a hostname becomes unreachable at certificate renewal time, the certificate cannot be renewed automatically via Delegated DCV. Should you need to renew a certificate for a hostname that is not currently resolving, you can send a PATCH request to [the changing DCV method API endpoint](https://developers.cloudflare.com/api/resources/ssl/subresources/verification/methods/edit/) and change the method to TXT to proceed with manual renewal per [the TXT DCV method](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/txt/).

Once the hostname becomes resolvable again, [Delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/) will resume working as expected.

### Moved domains

If you [move your zone to another account](https://developers.cloudflare.com/fundamentals/manage-domains/move-domain/), you will need to update the `CNAME` record at your authoritative DNS provider with a new validation URL.


---

---
title: HTTP
description: When you choose HTTP DCV, Cloudflare automatically adds a verification HTTP token to your domain.
image: https://developers.cloudflare.com/core-services-preview.png
---


# HTTP

When you choose HTTP DCV, Cloudflare automatically adds a verification HTTP token to your domain.

Only use this method if your domain can tolerate a few minutes of downtime.

Note

If you encounter issues with HTTP DCV, refer to the [troubleshooting guide](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/troubleshooting/).

## Limitations

HTTP DCV is only available for [proxied domains](https://developers.cloudflare.com/dns/proxy-status/). It is possible to manually add the DCV token to the `.well-known/pki-validation/` directory on your origin web server to pre-validate your certificates.

HTTP DCV validation does not work for wildcard certificates. If you want to use wildcard certificates, use [TXT validation](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/txt/).

Based on your chosen certificate authority (CA), you may also not be able to use HTTP verification with [advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/).

## Setup

### Specify DCV method

If you want to use a [Universal SSL certificate](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/enable-universal-ssl/), you will need to edit the `validation_method` [via the API](https://developers.cloudflare.com/api/resources/ssl/subresources/verification/methods/edit/) and specify your chosen validation method.

Alternatively, you could [order an advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/#create-a-certificate) via the API.

In either case, you would need to set a `"validation_method":"http"` parameter.

### Review other Cloudflare settings

To make sure your domain does not accidentally block HTTP DCV, review your Cloudflare settings for [common setup issues](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/troubleshooting/).

### Complete DCV

Your HTTP token will be available for the certificate authority as soon as you finish your [partial domain setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/setup/#3-add-dns-records).

This means that you need to add a CNAME record to Cloudflare in your authoritative DNS and create [proxied DNS records](https://developers.cloudflare.com/dns/proxy-status/) for your hostname within Cloudflare.

This process may involve a few minutes of downtime.

What happens after you create your records

Cloudflare contacts one of our certificate authority (CA) providers and asks them to issue certificates for the specified hostname. The CA will then inform Cloudflare that we need to demonstrate control of this hostname by returning a `$DCV_TOKEN` at a specified `$DCV_FILENAME`; both the token and the filename are randomly generated by the CA and not known to Cloudflare ahead of time.

For example, if you create a new custom hostname for `site.example.com`, the CA might ask us to return the value `ca3-38734555d85e4421beb4a3e6d1645fe6` for a request to `http://site.example.com/.well-known/pki-validation/ca3-39f423f095be4983922ca0365308612d.txt`. As soon as we receive that value from the CA, we make it accessible at our edge and ask the CA to confirm it is there so that they can complete validation and the certificate order.

To check whether your certificates have been validated and reissued:

* **Dashboard**: Find the certificate(s) on the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page and make sure that the **Status** is **Active**.
* **API**: Send a [GET](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/list/) request and confirm that your certificate(s) have `"status": "active"`.

## Renewal

Even if you manually handle DCV when issuing certificates in a [partial DNS setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/), at certificate renewal, Cloudflare will attempt to automatically perform DCV via HTTP.

If all of the following conditions are confirmed at the first attempt, the renewal happens automatically via [HTTP](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/http/).

* Hostnames are proxied.
* Hostnames on the certificate resolve to the IPs assigned to the zone.
* The certificate does not contain wildcards.

Note

To automatically renew certificates that do not meet the referred criteria, consider using [Delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/).

If the conditions are met but HTTP DCV keeps failing, the process falls back to TXT. How long Cloudflare retries before falling back depends on the certificate validity period:

* 90-day certificates: after failing for 15 days
* 30-day certificates: after failing for 7 days
* 14-day certificates: after failing for 3 days


---

---
title: TXT
description: TXT record validation requires the creation of a TXT record in the hostname's authoritative DNS.
image: https://developers.cloudflare.com/core-services-preview.png
---


# TXT

TXT record validation requires the creation of a TXT record in the hostname's authoritative DNS.

---

## When to use

Generally, you need to perform TXT-based DCV when your certificate [requires DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/) and you cannot perform [Delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/).

---

## Setup

### Specify DCV method

If you want to use a [Universal SSL certificate](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/enable-universal-ssl/), you will need to edit the `validation_method` [via the API](https://developers.cloudflare.com/api/resources/ssl/subresources/verification/methods/edit/) and specify your chosen validation method.

Alternatively, you could [order an advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) via the dashboard or the API.

### Get DCV values

Once you [create a new certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/#create-a-certificate) and choose the validation method of **TXT**, your tokens will be ready after a few seconds.

These tokens can be fetched through the API or the dashboard when the certificates are in a [pending validation](https://developers.cloudflare.com/ssl/reference/certificate-statuses/#new-certificates) state during custom hostname creation or during certificate renewals.

**API**

You can access these tokens using the API with the [GET request](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/get/) and including `status=pending_validation` as a request parameter.

For example, here are two tokens highlighted in the API response for a wildcard certificate.

Response

```json
{
  "result": [
    {
      "id": "<CERTIFICATE_ID>",
      "type": "advanced",
      "hosts": ["*.<DOMAIN>.com", "<DOMAIN>.com"],
      "primary_certificate": "0",
      "status": "pending_validation",
      "certificates": [],
      "created_on": "2022-10-12T21:46:21.979150Z",
      "validity_days": 90,
      "validation_method": "txt",
      "validation_records": [
        {
          "status": "pending",
          "txt_name": "_acme-challenge.<DOMAIN>.com",
          "txt_value": "lXLOcN6cPv0nproViNcUHcahD9TrIPlNgdwesj0pYpk"
        },
        {
          "status": "pending",
          "txt_name": "_acme-challenge.<DOMAIN>.com",
          "txt_value": "O0o8VgJu_OGu-T30_cvT-4xO5ZX1_2WsVNUrpUKE6ns"
        }
      ],
      "certificate_authority": "google"
    }
  ]
}
```

**Dashboard**

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. Select a certificate.
3. Copy the values for **Certificate validation TXT name** and **Certificate validation TXT value**.

If you had created a **wildcard** certificate, you would need to copy the values for two different validation TXT records.

### Update DNS records

At your authoritative DNS provider, create a TXT record whose name is the `txt_name` and whose content is the `txt_value`.

Repeat this for every record returned in the `validation_records` field.

If one or more of the hostnames on the certificate fail to validate, the certificate will not be issued or renewed.

This means that a wildcard certificate covering `example.com` and `*.example.com` will require two DCV tokens to be placed at the authoritative DNS provider. Similarly, a certificate with five hostnames in the SAN (including a wildcard) will require five DCV tokens to be placed at the authoritative DNS provider. Certificates with several packs (RSA and ECDSA for example) may also require several DCV tokens.

### Complete DCV

Once you update your DNS records, you can either [wait for the next retry](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule/) or request an immediate recheck.

To request an immediate recheck, send another [PATCH request](https://developers.cloudflare.com/api/resources/ssl/subresources/verification/methods/edit/) with the same `validation_method` as your current validation method.

TXT records used for DCV can be removed from your authoritative DNS provider as soon as the certificate is issued.
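Because a wildcard certificate needs two tokens at the same `_acme-challenge` name, and multi-pack certificates may need more, it is worth scripting the "what must I place, and is it visible yet?" step before requesting a recheck. The following is an added example, not Cloudflare code: it reads the certificate pack response shape shown above (`result[].status`, `validation_records[].txt_name` / `txt_value`), groups the tokens per name, and checks each one against a resolver. `SAMPLE_RESPONSE` is a constructed copy of the page's response with `<DOMAIN>` replaced by `example.com`, and `fake_lookup` is a stand-in for a real DNS query.

```python
"""Extract the TXT records a pending certificate pack needs and check that a
resolver already returns them.

Added example, not Cloudflare code. SAMPLE_RESPONSE is constructed from the
response shown on this page; fake_lookup stands in for a real DNS query.
"""
import json
from typing import Callable, Dict, Iterable, List, Set, Tuple

SAMPLE_RESPONSE = json.dumps({
    "result": [{
        "id": "<CERTIFICATE_ID>",
        "type": "advanced",
        "hosts": ["*.example.com", "example.com"],
        "status": "pending_validation",
        "validation_method": "txt",
        "validation_records": [
            {"status": "pending",
             "txt_name": "_acme-challenge.example.com",
             "txt_value": "lXLOcN6cPv0nproViNcUHcahD9TrIPlNgdwesj0pYpk"},
            {"status": "pending",
             "txt_name": "_acme-challenge.example.com",
             "txt_value": "O0o8VgJu_OGu-T30_cvT-4xO5ZX1_2WsVNUrpUKE6ns"},
        ],
        "certificate_authority": "google",
    }]
})


def required_txt_records(response_json: str) -> Dict[str, Set[str]]:
    """Collect every pending token, grouped by TXT name.

    A wildcard certificate yields two tokens at the same name (as above), and
    several packs (RSA and ECDSA) may add more, so values are accumulated in
    a set rather than overwriting one another.
    """
    wanted: Dict[str, Set[str]] = {}
    for pack in json.loads(response_json).get("result", []):
        if pack.get("status") != "pending_validation":
            continue
        for rec in pack.get("validation_records", []):
            name = rec["txt_name"].rstrip(".").lower()
            wanted.setdefault(name, set()).add(rec["txt_value"])
    return wanted


def check_dcv_records(wanted: Dict[str, Set[str]],
                      lookup_txt: Callable[[str], Iterable[str]]
                      ) -> List[Tuple[str, str, bool]]:
    """Return (name, token, published) for each required token."""
    report: List[Tuple[str, str, bool]] = []
    for name in sorted(wanted):
        published = set(lookup_txt(name))
        for token in sorted(wanted[name]):
            report.append((name, token, token in published))
    return report


def all_placed(report: List[Tuple[str, str, bool]]) -> bool:
    """Issuance needs every token; a single missing one blocks the order."""
    return bool(report) and all(ok for _, _, ok in report)


# Constructed resolver state: only the first token has been published so far.
FAKE_ZONE = {"_acme-challenge.example.com":
             ["lXLOcN6cPv0nproViNcUHcahD9TrIPlNgdwesj0pYpk"]}


def fake_lookup(name: str) -> List[str]:
    """Stand-in for a TXT query; replace with a real resolver in practice."""
    return FAKE_ZONE.get(name.rstrip(".").lower(), [])


if __name__ == "__main__":
    wanted = required_txt_records(SAMPLE_RESPONSE)
    for name, tokens in wanted.items():
        for token in sorted(tokens):
            print(f"{name} TXT {token}")
    report = check_dcv_records(wanted, fake_lookup)
    for name, token, ok in report:
        print("OK     " if ok else "MISSING", name, token[:8] + "...")
    print("ready to request a recheck:", all_placed(report))
```

To use it for real, feed the JSON returned by the certificate packs GET request into `required_txt_records` and replace `fake_lookup` with a function that queries the authoritative name servers (for instance with dnspython's `dns.resolver.resolve(name, "TXT")`); only request the immediate recheck once `all_placed` is true, otherwise the attempt counts against the backoff schedule.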

## Renewal

Even if you manually handle DCV when issuing certificates in a [partial DNS setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/), at certificate renewal, Cloudflare will attempt to automatically perform DCV via HTTP.

If all of the following conditions are confirmed at the first attempt, the renewal happens automatically via [HTTP](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/http/).

* Hostnames are proxied.
* Hostnames on the certificate resolve to the IPs assigned to the zone.
* The certificate does not contain wildcards.

Note

To automatically renew certificates that do not meet the referred criteria, consider using [Delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/).

If any one of the conditions is not met, the certificate renewal falls back to your chosen method and you will need to [repeat the DCV process](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/txt/#get-dcv-values) manually.

Cloudflare generates renewal tokens 30 days before certificate expiration.


---

---
title: Troubleshooting
description: Taking into account the steps involved in DCV, some situations may interfere with certificate issuance and renewal.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Troubleshooting

Taking into account the [steps involved in DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/dcv-flow/), some situations may interfere with certificate issuance and renewal.

[Blocked validation URLs](#blocked-validation-url) or [misconfigured DNS settings](#dns-settings-and-records) might interfere with the certificate authority's ability to finish the validation process. In these situations, you may need to update your configuration at Cloudflare or at your authoritative DNS provider. Additionally, there can also be [errors on the CA side](#ca-errors).

Note

If you are using the Cloudflare API, error messages are presented under the `validation_errors` parameter.

## Blocked validation URL

If you have issues while HTTP DCV is in place, review the following settings:

* **Anything affecting `/.well-known/*`**: Review [WAF custom rules](https://developers.cloudflare.com/waf/custom-rules/), [IP Access Rules](https://developers.cloudflare.com/waf/tools/ip-access-rules/), and other [configuration rules](https://developers.cloudflare.com/rules/configuration-rules/) to make sure that your rules _do not_ enable interactive challenge on the validation URL.
* **Cloudflare Account Settings** and **Page Rules**: Review your [account settings](https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/), [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/), and [Page Rules](https://developers.cloudflare.com/rules/page-rules/) to ensure you have not enabled Under Attack mode on the validation URL.  
Warning  
When your certificate is in `pending_validation` and valid tokens are in place, some security features targeting your zone's path for `/.well-known/*` can be automatically bypassed.

## Redirection

Enabling [Always Use HTTPS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/) does not impact the validation process.

In a [Partial (CNAME) setup](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/#partial-dns-setup---action-sometimes-required) where you are managing the token on the origin side, please ensure that no redirection from HTTP to HTTPS occurs on the `/.well-known/*` path.

When using [Redirect Rules](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/) the `/.well-known/*` path should be excluded from redirections.

## DNS settings and records

The errors below refer to situations that have to be addressed at the authoritative DNS provider:

* `the Certificate Authority had trouble performing a DNS lookup: dns problem: looking up caa for <hostname>: dnssec: bogus`
* `Certificate authority encountered a SERVFAIL during DNS lookup, please check your DNS reachability.`

Consider the following when troubleshooting:

* [DNSSEC ↗](https://www.cloudflare.com/learning/dns/dns-security/) must be configured correctly. You can use [DNSViz ↗](https://dnsviz.net/) to understand and troubleshoot the deployment of DNSSEC.
* The HTTP verification process is done preferably over **IPv6**, so if any AAAA record exists and does not point to the same dual-stack location as the A record, the validation will fail.
* If an [NS record](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#ns) is present for the hostname or its parent, DNS resolution will be managed externally by the DNS provider defined in the NS target. In this case, you must either add the DCV TXT record at the external DNS provider, or remove the NS record at Cloudflare.

### CAA records

* Your [CAA records](https://developers.cloudflare.com/ssl/edge-certificates/caa-records/) must be resolvable from all locations.
* Your [CAA records](https://developers.cloudflare.com/ssl/edge-certificates/caa-records/) should allow Cloudflare's partner [certificate authorities (CAs)](https://developers.cloudflare.com/ssl/reference/certificate-authorities/) to issue certificates on your behalf.
* If you are using a [subdomain setup](https://developers.cloudflare.com/dns/zone-setups/subdomain-setup/) (`subdomain.example.com`) and Cloudflare is not the authoritative DNS provider for the parent domain (`example.com`), you should make sure that the parent domain (`example.com`) either has CAA records that allow [Cloudflare's partner CAs](https://developers.cloudflare.com/ssl/reference/certificate-authorities/), or has no CAA records at all.
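The three bullets above come down to one question: which CAA record set actually governs the hostname, and does it name the CA that Cloudflare will use? The lookup walks from the hostname up through its parents and uses the first name that has CAA records, which is why a restrictive record on `example.com` affects `subdomain.example.com` in a subdomain setup. The following is an added example, not Cloudflare code, implementing that evaluation over constructed records; the CA identifiers used (`pki.goog`, `ssl.com`, `letsencrypt.org`) are assumed here and should be checked against each CA's documentation, and the critical-flag handling of unknown tags is left out.

```python
"""Decide whether a CA may issue for a hostname under the CAA records found.

Added example, not Cloudflare code. Follows the CAA lookup of RFC 8659:
the relevant record set is the one on the closest name (the hostname itself
or an ancestor) that has CAA records; no CAA anywhere means any CA may issue.
CAA_RECORDS and the CA identifiers are constructed/assumed for illustration.
"""
from typing import Dict, List, Optional, Tuple

CaaRecord = Tuple[int, str, str]          # (flags, tag, value)

# Constructed zone data: the parent restricts issuance to one CA and forbids
# wildcard issuance entirely; 'other.example' has no CAA records at all.
CAA_RECORDS: Dict[str, List[CaaRecord]] = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
    "other.example": [],
}


def parent_chain(name: str) -> List[str]:
    """'sub.example.com' -> ['sub.example.com', 'example.com', 'com']."""
    labels = name.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def relevant_caa(name: str,
                 records: Dict[str, List[CaaRecord]]) -> Optional[List[CaaRecord]]:
    """Return the CAA set of the closest name that has one, or None."""
    for candidate in parent_chain(name):
        rrset = records.get(candidate)
        if rrset:
            return rrset
    return None


def ca_allowed(hostname: str, ca_domain: str,
               records: Dict[str, List[CaaRecord]]) -> Tuple[bool, str]:
    """Return (allowed, reason) for issuing `hostname` by `ca_domain`."""
    wildcard = hostname.startswith("*.")
    base = hostname[2:] if wildcard else hostname
    rrset = relevant_caa(base, records)
    if rrset is None:
        return True, "no CAA records on the name or any ancestor"
    # A wildcard name is governed by 'issuewild' if present, else by 'issue'.
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    tagged = [v for _, t, v in rrset if t == tag]
    if not tagged:
        return True, f"no '{tag}' property in the governing record set"
    # Drop ';'-separated parameters; a bare ';' means "no CA at all".
    allowed = {v.split(";")[0].strip().lower() for v in tagged} - {""}
    if ca_domain.lower() in allowed:
        return True, f"'{tag} {ca_domain}' is present"
    return False, f"'{tag}' allows only {sorted(allowed) or 'no CA at all'}"


if __name__ == "__main__":
    # Subdomain setup: sub.example.com has no CAA, so example.com governs it.
    for host, ca in [("sub.example.com", "letsencrypt.org"),
                     ("sub.example.com", "pki.goog"),
                     ("*.example.com", "letsencrypt.org"),
                     ("www.other.example", "ssl.com")]:
        ok, why = ca_allowed(host, ca, CAA_RECORDS)
        print(f"{host:20} {ca:16} {'ALLOW' if ok else 'BLOCK'}  ({why})")
```

Feed it the output of the `dig ... CAA` commands below for the hostname and each parent, and check the CA Cloudflare has chosen for the certificate; a `BLOCK` result for that CA explains a stalled `pending_validation` before any token is even looked at.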

You can check the CAA records by running the following command:

**macOS and Linux**

```
dig example.com CAA +short
```

**Windows (PowerShell)**

```
Resolve-DnsName -Name example.com -Type CAA
```

## CA errors

### Rate limiting

As mentioned in [Certificate authorities](https://developers.cloudflare.com/ssl/reference/certificate-authorities/), specific CAs may have their own limitations. If you use Let’s Encrypt and receive the error below, it means you hit the [duplicate certificate limit ↗](https://letsencrypt.org/docs/duplicate-certificate-limit/) imposed by Let's Encrypt.

`The authority has rate limited these domains. Please wait for the rate limit to expire or try another authority.`

A certificate is considered a duplicate of an earlier certificate if it contains the exact same set of hostnames.

In this case, you can either wait for the rate limit window to end or choose a different certificate authority.

### Multiple perspective CAA check error

The error `Certificate authority encountered a multiple perspective CAA check error, please ensure your DNS is configured to allow CAA queries` means that the CA was not able to resolve the CAA records related to your domain from specific geographic locations.

You can investigate the resolution error using the [ping.pe tool ↗](https://dig.ping.pe/). For example, for a [Google Trust Services](https://developers.cloudflare.com/ssl/reference/certificate-authorities/#google-trust-services) certificate encountering this issue, you can check `<hostname>:CAA:8.8.8.8`.

Read more in each certificate authority's own documentation: [SSL.com ↗](https://www.ssl.com/blogs/multi-perspective-issuance-corroboration-mpic-arrives/), [Let's Encrypt ↗](https://letsencrypt.org/2020/02/19/multi-perspective-validation), and [Google Trust Services ↗](https://pki.goog/faq/#faq-mpic).

### Internal errors

When the certificate authority finds an issue during the CA check portion of the [DCV flow](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/dcv-flow/), you may see an `Internal error with Certificate Authority` message. In this case, either wait or try a different certificate authority.

When the error states that the `certificate authority will not issue for this domain`, you can try a different certificate authority or contact the CA directly.


---

---
title: Validation backoff schedule
description: Consider what happens if a domain control validation (DCV) fails and what schedule Cloudflare follows for new attempts and backoff.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Validation backoff schedule

Domain control validation (DCV) has to happen before a certificate authority (CA) will issue a certificate for a domain. If DCV fails during issuance or renewal, Cloudflare automatically retries it on a schedule.

If you use [Delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/) or if [Cloudflare automatically performs DCV for you](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/), this page is only informational. If you have to manually perform DCV, consider the following sections about the validation schedule and remember that DCV tokens have a [fixed validity period](#dcv-tokens-validity).

Note

You can also request an immediate recheck by using the [Edit SSL Certificate Pack Validation Method endpoint](https://developers.cloudflare.com/api/resources/ssl/subresources/verification/methods/edit/), specifying the same `validation_method` as the [method](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/) you currently use.

---

## DCV tokens validity

The DCV process relies on tokens that are generated by the issuing certificate authority. These tokens have a validity period defined by each CA:

* Google Trust Services - 14 days
* Let's Encrypt - 7 days
* SSL.com - 14 days

After this period, DCV tokens expire as dictated by the [CA/B Baseline Requirements ↗](https://cabforum.org/baseline-requirements-documents/), and new, valid tokens must be placed.

Warning

Tokens may also become invalid upon validation failure. For more details, refer to [Domain control validation flow](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/dcv-flow/#dcv-tokens).

---

## Successive checks function

Cloudflare caps the check backoff to a maximum of four hours to avoid the function growing exponentially, which would result in large gaps between checks towards the end of the month.

```
now() + min((floor(60 * pow(1.05, retry_attempt)) * INTERVAL '1 second'), INTERVAL '4 hours')
```
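The function above carried through in Python, added here as an example (not Cloudflare's code), to compute the delay for a given attempt, when each check fires and how many checks fit inside a CA's token validity period. The growth factor is a parameter because the reference table below matches 1.05 only for attempts 0 to 9; from attempt 10 on its rows follow a factor of 1.15 per attempt, which the helper reproduces when called with that value.

```python
"""Backoff schedule helper, added as an example (not Cloudflare's code).

Implements the successive-checks function quoted above:
    now() + min(floor(60 * pow(growth, retry_attempt)) seconds, 4 hours)
with growth = 1.05 as the page's formula states. Passing growth = 1.15
reproduces the reference table's rows from attempt 10 onward.
"""
import math
from datetime import datetime, timedelta, timezone

BASE_SECONDS = 60            # first recheck one minute after the schedule starts
CAP_SECONDS = 4 * 60 * 60    # INTERVAL '4 hours'
DEFAULT_GROWTH = 1.05        # pow(1.05, retry_attempt) in the quoted formula


def backoff_seconds(retry_attempt: int, growth: float = DEFAULT_GROWTH) -> int:
    """Seconds to wait after failed check number `retry_attempt` before the next one."""
    if retry_attempt < 0:
        raise ValueError("retry_attempt must be non-negative")
    return min(math.floor(BASE_SECONDS * math.pow(growth, retry_attempt)), CAP_SECONDS)


def next_check(now: datetime, retry_attempt: int, growth: float = DEFAULT_GROWTH) -> datetime:
    """Wall-clock time of the next check, i.e. now() + min(...) from the formula."""
    return now + timedelta(seconds=backoff_seconds(retry_attempt, growth))


def schedule(attempts: int, growth: float = DEFAULT_GROWTH) -> list[tuple[int, int, int]]:
    """(retry_attempt, delay, elapsed) rows; elapsed is seconds since the schedule
    started at which that check fires, assuming every earlier check failed."""
    rows, elapsed = [], 0
    for n in range(attempts):
        delay = backoff_seconds(n, growth)
        elapsed += delay
        rows.append((n, delay, elapsed))
    return rows


def first_capped_attempt(growth: float = DEFAULT_GROWTH) -> int:
    """Smallest retry_attempt whose delay hits the 4-hour cap."""
    n = 0
    while backoff_seconds(n, growth) < CAP_SECONDS:
        n += 1
    return n


def checks_within(window_seconds: int, growth: float = DEFAULT_GROWTH) -> int:
    """How many checks fire within window_seconds of the schedule start, for
    instance a CA's token validity (7 days for Let's Encrypt, 14 for the others)."""
    count, elapsed, n = 0, 0, 0
    while True:
        elapsed += backoff_seconds(n, growth)
        if elapsed > window_seconds:
            return count
        count += 1
        n += 1


if __name__ == "__main__":
    token_issued = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    for n, delay, elapsed in schedule(12):
        print(f"attempt {n:3d}: wait {delay:5d}s, fires {elapsed:6d}s after start")
    print("first capped attempt (1.05):", first_capped_attempt())
    print("first capped attempt (1.15):", first_capped_attempt(1.15))
    print("checks inside a 7-day Let's Encrypt token:", checks_within(7 * 86400))
    print("next check if attempt 40 fails:", next_check(token_issued, 40))
```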

---

## Capped attempts reference table

As presented in the following table, most of the checks take place on the first day after the DCV token is generated.

In manual processes, it is possible that you fall behind schedule when you place the token, meaning that it may not be validated immediately.

In automatic processes, most validations complete within the first five minutes, unless there is a setup misconfiguration.

| Retry Attempt | In Seconds | In Minutes | In Hours |
| ------------- | ---------- | ---------- | -------- |
| 0             | 60         | 1.000      | 0.016667 |
| 1             | 63         | 1.050      | 0.017500 |
| 2             | 66         | 1.100      | 0.018333 |
| 3             | 69         | 1.150      | 0.019167 |
| 4             | 72         | 1.200      | 0.020000 |
| 5             | 76         | 1.267      | 0.021111 |
| 6             | 80         | 1.333      | 0.022222 |
| 7             | 84         | 1.400      | 0.023333 |
| 8             | 88         | 1.467      | 0.024444 |
| 9             | 93         | 1.550      | 0.025833 |
| 10            | 242        | 4.033      | 0.067222 |
| 11            | 279        | 4.650      | 0.077500 |
| 12            | 321        | 5.350      | 0.089167 |
| 13            | 369        | 6.150      | 0.102500 |
| 14            | 424        | 7.067      | 0.117778 |
| 15            | 488        | 8.133      | 0.135556 |
| 16            | 561        | 9.350      | 0.155833 |
| 17            | 645        | 10.750     | 0.179167 |
| 18            | 742        | 12.367     | 0.206111 |
| 19            | 853        | 14.217     | 0.236944 |
| 20            | 981        | 16.350     | 0.272500 |
| 21            | 1129       | 18.817     | 0.313611 |
| 22            | 1298       | 21.633     | 0.360556 |
| 23            | 1493       | 24.883     | 0.414722 |
| 24            | 1717       | 28.617     | 0.476944 |
| 25            | 1975       | 32.917     | 0.548611 |
| 26            | 2271       | 37.850     | 0.630833 |
| 27            | 2612       | 43.533     | 0.725556 |
| 28            | 3003       | 50.050     | 0.834167 |
| 29            | 3454       | 57.567     | 0.959444 |
| 30            | 3972       | 66.200     | 1.103333 |
| 31            | 4568       | 76.133     | 1.268889 |
| 32            | 5253       | 87.550     | 1.459167 |
| 33            | 6041       | 100.683    | 1.678056 |
| 34            | 6948       | 115.800    | 1.930000 |
| 35            | 7990       | 133.167    | 2.219444 |
| 36            | 9189       | 153.150    | 2.552500 |
| 37            | 10567      | 176.117    | 2.935278 |
| 38            | 12152      | 202.533    | 3.375556 |
| 39            | 13975      | 232.917    | 3.881944 |
| 40            | 14400      | 240.000    | 4.000000 |
| 41            | 14400      | 240.000    | 4.000000 |
| 42            | 14400      | 240.000    | 4.000000 |
| 43            | 14400      | 240.000    | 4.000000 |
| 44            | 14400      | 240.000    | 4.000000 |
| 45            | 14400      | 240.000    | 4.000000 |
| 46            | 14400      | 240.000    | 4.000000 |
| 47            | 14400      | 240.000    | 4.000000 |
| 48            | 14400      | 240.000    | 4.000000 |
| 49            | 14400      | 240.000    | 4.000000 |
| 50            | 14400      | 240.000    | 4.000000 |
| 51            | 14400      | 240.000    | 4.000000 |
| 52            | 14400      | 240.000    | 4.000000 |
| 53            | 14400      | 240.000    | 4.000000 |
| 54            | 14400      | 240.000    | 4.000000 |
| 55            | 14400      | 240.000    | 4.000000 |
| 56            | 14400      | 240.000    | 4.000000 |
| 57            | 14400      | 240.000    | 4.000000 |
| 58            | 14400      | 240.000    | 4.000000 |
| 59            | 14400      | 240.000    | 4.000000 |
| 60            | 14400      | 240.000    | 4.000000 |
| 61            | 14400      | 240.000    | 4.000000 |
| 62            | 14400      | 240.000    | 4.000000 |
| 63            | 14400      | 240.000    | 4.000000 |
| 64            | 14400      | 240.000    | 4.000000 |
| 65            | 14400      | 240.000    | 4.000000 |
| 66            | 14400      | 240.000    | 4.000000 |
| 67            | 14400      | 240.000    | 4.000000 |
| 68            | 14400      | 240.000    | 4.000000 |
| 69            | 14400      | 240.000    | 4.000000 |
| 70            | 14400      | 240.000    | 4.000000 |
| 71            | 14400      | 240.000    | 4.000000 |
| 72            | 14400      | 240.000    | 4.000000 |
| 73            | 14400      | 240.000    | 4.000000 |
| 74            | 14400      | 240.000    | 4.000000 |
| 75            | 14400      | 240.000    | 4.000000 |
| 76            | 14400      | 240.000    | 4.000000 |
| 77            | 14400      | 240.000    | 4.000000 |
| 78            | 14400      | 240.000    | 4.000000 |
| 79            | 14400      | 240.000    | 4.000000 |
| 80            | 14400      | 240.000    | 4.000000 |
| 81            | 14400      | 240.000    | 4.000000 |
| 82            | 14400      | 240.000    | 4.000000 |
| 83            | 14400      | 240.000    | 4.000000 |
| 84            | 14400      | 240.000    | 4.000000 |
| 85            | 14400      | 240.000    | 4.000000 |
| 86            | 14400      | 240.000    | 4.000000 |
| 87            | 14400      | 240.000    | 4.000000 |
| 88            | 14400      | 240.000    | 4.000000 |
| 89            | 14400      | 240.000    | 4.000000 |
| 90            | 14400      | 240.000    | 4.000000 |
| 91            | 14400      | 240.000    | 4.000000 |
| 92            | 14400      | 240.000    | 4.000000 |
| 93            | 14400      | 240.000    | 4.000000 |
| 94            | 14400      | 240.000    | 4.000000 |
| 95            | 14400      | 240.000    | 4.000000 |
| 96            | 14400      | 240.000    | 4.000000 |
| 97            | 14400      | 240.000    | 4.000000 |
| 98            | 14400      | 240.000    | 4.000000 |
| 99            | 14400      | 240.000    | 4.000000 |
| 100           | 14400      | 240.000    | 4.000000 |
| 101           | 14400      | 240.000    | 4.000000 |
| 102           | 14400      | 240.000    | 4.000000 |
| 103           | 14400      | 240.000    | 4.000000 |
| 104           | 14400      | 240.000    | 4.000000 |
| 105           | 14400      | 240.000    | 4.000000 |
| 106           | 14400      | 240.000    | 4.000000 |
| 107           | 14400      | 240.000    | 4.000000 |
| 108           | 14400      | 240.000    | 4.000000 |
| 109           | 14400      | 240.000    | 4.000000 |
| 110           | 14400      | 240.000    | 4.000000 |
| 111           | 14400      | 240.000    | 4.000000 |
| 112           | 14400      | 240.000    | 4.000000 |
| 113           | 14400      | 240.000    | 4.000000 |
| 114           | 14400      | 240.000    | 4.000000 |
| 115           | 14400      | 240.000    | 4.000000 |
| 116           | 14400      | 240.000    | 4.000000 |
| 117           | 14400      | 240.000    | 4.000000 |
| 118           | 14400      | 240.000    | 4.000000 |
| 119           | 14400      | 240.000    | 4.000000 |


---

---
title: Custom certificates
description: Custom certificates are meant for Business and Enterprise customers who want to use their own SSL certificates.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Custom certificates

Custom certificates are meant for Business and Enterprise customers who want to use their own SSL certificates.

Unlike [Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) or [advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/), Cloudflare does not manage issuance and renewal for custom certificates. When you use custom certificates, you are responsible for the following actions:

* [Upload the certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate).
* [Update the certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#update-an-existing-custom-certificate).
* [Observe the certificate expiration date to avoid downtime](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/renewing/).

Note

If your custom certificate does not cover all of your first-level hostnames, you can enable [Universal SSL certificate](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) to cover them.

If your custom certificate is from a [certificate authority that Cloudflare partners with](https://developers.cloudflare.com/ssl/reference/certificate-authorities/), consider switching to a Cloudflare-managed certificate to benefit from automatic issuance and renewal.

## Certificate packs

Before deploying custom certificates to Cloudflare's global network, Cloudflare automatically groups the certificates into certificate packs.

A certificate pack is a group of certificates that share the same set of hostnames — for example, `example.com` and `*.example.com` — but use different signature algorithms.

Each pack can include up to three certificates, one from each of the following signature algorithms:

* `SHA-2/RSA`
* `SHA-2/ECDSA`
* `SHA-1/RSA`

Each pack only counts as one SSL certificate against your custom certificate quota.

Note

You cannot delete the primary certificate if secondary certificates are present in the pack.

## Availability

|                       | Free | Pro | Business              | Enterprise                                                    |
| --------------------- | ---- | --- | --------------------- | ------------------------------------------------------------- |
| Availability          | No   | No  | Yes                   | Yes                                                           |
| Certificates included | 0    | 0   | 1 Modern and 1 Legacy | 1 Modern (can purchase more) and 1 Legacy (can purchase more) |

## Related features

### Certificate Signing Requests (CSRs)

As part of the custom certificate process, you can leverage Cloudflare to generate your [Certificate Signing Request (CSR)](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/certificate-signing-requests/). This additional option means that Cloudflare will safely generate and store the private key associated with the CSR.

### Geo Key Manager (private key restriction)

By default, Cloudflare encrypts and securely distributes private keys to all Cloudflare data centers, where they can be used for local SSL/TLS termination. If you want to restrict where your private keys may be used, use [Geo Key Manager](https://developers.cloudflare.com/ssl/edge-certificates/geokey-manager/).

### Keyless SSL

If you want to upload a custom certificate but retain your private key on your own infrastructure, consider using [Keyless SSL](https://developers.cloudflare.com/ssl/keyless-ssl/).


---

---
title: Bundle methodologies
description: When an SSL certificate is deployed to Cloudflare's global network, it may be augmented with intermediate and root certificates to assist the user agent in finding a chain to a publicly trusted root.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Bundle methodologies

When an SSL certificate is deployed to Cloudflare's global network, it may be augmented with intermediate and root certificates to assist the user agent in finding a chain to a publicly trusted root.

You can control the mechanics of how certificates are bundled by specifying a bundling methodology.

## Intermediate and root certificates

Cloudflare maintains intermediate and root certificates used for bundling on a [GitHub repository ↗](https://github.com/cloudflare/cfssl%5Ftrust). As the certificates expire or are removed by certificate authorities, Cloudflare removes and adds them accordingly.

Expiration values for these certificates may appear in the `expires_on` field when you use the [Analyze Certificate endpoint](https://developers.cloudflare.com/api/resources/ssl/subresources/analyze/methods/create/), often when the methodology you specify is [Compatible](#compatible). However, these expiration values reflect the intermediate and root certificates, which are handled by Cloudflare, not the leaf certificate you uploaded to Cloudflare.

Note

When using `compatible` or `modern`, Cloudflare may select among the intermediates you provide at upload time, so it is not guaranteed that all of them will make it into the final chain. If you must ensure that the chain you upload is the one used, select `user-defined`.

## Methodologies

### Compatible

Compatible is the default methodology and uses common and well distributed intermediate certificates to complete the chain. This ensures that the resulting bundle is compatible with as many clients as possible.

The related value for the `bundle_method` parameter when using the [API](https://developers.cloudflare.com/api/resources/custom%5Fcertificates/methods/create/) is `ubiquitous`.

### Modern

Modern attempts to make the chain as efficient as possible, often by using newer or fewer intermediate certificates.

The related value for the `bundle_method` parameter when using the [API](https://developers.cloudflare.com/api/resources/custom%5Fcertificates/methods/create/) is `optimal`.

### User-defined

User-defined allows you to paste your own certificate chain and present that bundle to clients. If you are using a self-signed certificate (not recommended), you must use this mode.

The related value for the `bundle_method` parameter when using the [API](https://developers.cloudflare.com/api/resources/custom%5Fcertificates/methods/create/) is `force`.


---

---
title: Remove key file password
description: You cannot upload a custom certificate with a password-protected key file.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Remove key file password

You cannot upload a custom certificate with a password-protected key file.

The process for removing the password depends on your operating system. The following examples remove the password from `example.com.key`.

Linux

1. Open a command console.
2. Go to the directory containing the `example.com.key` file.
3. Copy the original key.

   ```
   cp example.com.key temp.key
   ```

4. Run the following command (if using an ECDSA certificate, replace `rsa` with `ec`).

   ```
   openssl rsa -in temp.key -out example.com.key
   ```

5. When prompted in the console window, enter the original key password.
6. [Upload the file contents](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) to Cloudflare.

Windows

1. Go to [https://indy.fulgan.com/SSL/ ↗](https://indy.fulgan.com/SSL/) and download the latest version of OpenSSL for your x86 or x86\_64 operating system.
2. Open the `.zip` file and extract it.
3. Select **openssl.exe**.
4. In the command window that appears, run:

   ```
   rsa -in C:\Path\To\example.com.key -out key.pem
   ```

5. Enter the original key password when prompted by the **openssl.exe** command window.
6. [Upload](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) the contents of the `key.pem` file to Cloudflare.


---

---
title: Renewal and expiration
description: Learn how renewal and expiration work when using Cloudflare Custom SSL certificates.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Renewal and expiration

## Renew custom certificates

Since Cloudflare cannot renew uploaded certificates, you should ensure that you replace or [update](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#update-an-existing-custom-certificate) an expiring custom certificate before it expires, otherwise your visitors may not be able to connect.

Cloudflare automatically sends email notifications 30 and 14 days before your custom certificate expires. The email is sent to users who have the SSL/TLS, Administrator, or Super Administrator [roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/).

Note

When renewing a custom certificate, you can reuse a [previously generated CSR](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/certificate-signing-requests/).

If you are on an Enterprise plan and want to renew a custom (modern) certificate, consider requesting access to [Staging environment (Beta)](https://developers.cloudflare.com/ssl/edge-certificates/staging-environment/).

## Expired certificates

If a valid replacement - covering some or all of the SANs in the expiring custom certificate - is already available, Cloudflare will remove the expiring custom certificate in the 24 hours before expiration. There is no expected downtime due to certificate transition.

If no valid replacement is available, Cloudflare will remove the custom certificate after it expires.

Affected domains and subdomains will fall back to any other active certificate covering the hostnames on the expiring certificate.

Warning

All certificates in a [certificate pack](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/#certificate-packs) are treated as one object. The expiration date of a certificate pack is equivalent to the soonest `Not After` date among the certificates in the pack.

For example, if you have a custom certificate pack made of an ECDSA and an RSA certificate and one of them expires, the whole pack will be removed.

## Migrate to other certificate types

If you no longer want to use your custom certificate but still want your website or application to be covered with SSL/TLS, you can do the following:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. Make sure there is already an active [universal](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) or [advanced](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) certificate covering the same hostnames.
3. Delete your custom certificate.


---

---
title: Troubleshooting
description: Troubleshoot issues with Client certificates
image: https://developers.cloudflare.com/core-services-preview.png
---


# Troubleshooting

## Generic troubleshooting

### Make sure your key and certificate match

You can use an external tool such as the [SSLShopper Certificate Key Matcher ↗](https://www.sslshopper.com/certificate-key-matcher.html) to check your certificate and make sure the key matches.

### Check the certificate details

You can use `openssl` to check all the details of your certificate:

```
openssl x509 -in certificate.crt -noout -text
```

Then, make sure all the information is correct before uploading.

## Moved domains

If you move a domain without deleting the custom certificate from the previous zone, the certificate may still [take precedence](https://developers.cloudflare.com/ssl/reference/certificate-and-hostname-priority/) and be presented to your visitors, until the previous zone is [deleted](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/).

Refer to [Move a domain between Cloudflare accounts](https://developers.cloudflare.com/fundamentals/manage-domains/move-domain/#issue-new-certificates) for details.

## Let's Encrypt chain update

As Let's Encrypt - one of the [certificate authorities (CAs)](https://developers.cloudflare.com/ssl/reference/certificate-authorities/) used by Cloudflare - has announced changes in its [chain of trust](https://developers.cloudflare.com/ssl/concepts/#chain-of-trust), you may face issues.

If you are using a Let's Encrypt certificate uploaded by yourself as a custom certificate, consider the following:

* If you use **compatible** or **modern** [bundle method](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/bundling-methodologies/) and have uploaded your certificate before September 9, 2024, [update your custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#update-an-existing-custom-certificate) so that it can be bundled with the new chain.
* If you use **user-defined** bundle method, make sure that your certificates uploaded after September 30, 2024, do not use the Let's Encrypt cross-signed chain.

## Error codes

### Invalid certificate. (Code: 1002)

**Root cause**

The certificate you are trying to upload is invalid. For example, there might be extra lines, or the BEGIN/END text is not correct, or extra characters are added following a copy/paste.

In the case of an update with the [PATCH API call](https://developers.cloudflare.com/api/resources/custom%5Fcertificates/methods/edit/), it can mean the path parameter `{custom_certificate_id}` is invalid.

**Solution**

Carefully check the content of the certificate. You may use `openssl` to check all the details of your certificate:

```
openssl x509 -in certificate.crt -noout -text
```

When using the API, carefully check the `{custom_certificate_id}` path parameter. You can confirm the certificate ID by [listing the existing custom certificates](https://developers.cloudflare.com/api/resources/custom%5Fcertificates/methods/list/) (`id` in the response).
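A pre-upload check for two of the failure modes on this page, the password-protected key file (see Remove key file password) and the damaged certificate text behind Code 1002, added here as an example (not Cloudflare's code). `lint_pem` and the sample PEM blocks are assumptions; the sample blocks are constructed placeholders, not real keys or certificates.

```python
"""Pre-upload PEM lint, added as an example (not Cloudflare's code).

Catches two upload problems before the API does: a key file that is still
password-protected, and certificate text damaged by a copy/paste (stray
lines or characters, mismatched BEGIN/END labels, a body that is not
base64), which surfaces as Code 1002. It checks PEM framing only and does
not decode the DER inside.
"""
import base64
import binascii
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")


def lint_pem(text: str, kind: str) -> list[str]:
    """Return findings for `text` (kind is 'certificate' or 'key'); empty means it looks safe to upload."""
    findings, blocks, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if current is None:                       # between blocks
            if not line:
                continue
            begin = BEGIN.match(line)
            if begin:
                current = {"label": begin.group(1), "headers": [], "body": []}
            else:
                findings.append(f"line {lineno}: text outside any PEM block: {line[:40]!r}")
            continue
        end = END.match(line)
        if end:                                   # close the current block
            if end.group(1) != current["label"]:
                findings.append(f"line {lineno}: END label {end.group(1)!r} does not match BEGIN {current['label']!r}")
            blocks.append(current)
            current = None
        elif ":" in line and not current["body"]:
            current["headers"].append(line)       # RFC 1421 header such as Proc-Type
        elif not line:
            if current["body"]:
                findings.append(f"line {lineno}: blank line inside {current['label']} block")
        elif B64_LINE.match(line):
            current["body"].append(line)
        else:
            findings.append(f"line {lineno}: non-base64 characters inside {current['label']} block")
    if current is not None:
        findings.append(f"{current['label']} block is missing its END line")

    for block in blocks:
        label = block["label"]
        try:
            base64.b64decode("".join(block["body"]), validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"{label} block body is not valid base64")
        encrypted_header = any(h.startswith("Proc-Type") and "ENCRYPTED" in h for h in block["headers"])
        if "ENCRYPTED" in label or encrypted_header:
            findings.append(f"{label} block is password-protected; remove the passphrase before uploading")
    labels = [b["label"] for b in blocks]
    if kind == "certificate" and "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block found")
    if kind == "key" and not any(l.endswith("PRIVATE KEY") for l in labels):
        findings.append("no PRIVATE KEY block found")
    return findings


def _wrap(label: str, body64: str, headers: tuple[str, ...] = ()) -> str:
    """Build a PEM block from a base64 body, wrapped at 64 columns."""
    lines = [f"-----BEGIN {label}-----", *headers]
    if headers:
        lines.append("")                          # headers end with a blank line before the body
    lines += [body64[i:i + 64] for i in range(0, len(body64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


# Constructed sample material: base64 of placeholder bytes, not real keys or certificates.
_FAKE_DER = base64.b64encode(b"constructed placeholder, not a real certificate " * 3).decode()
GOOD_CERT = _wrap("CERTIFICATE", _FAKE_DER)
PLAIN_KEY = _wrap("PRIVATE KEY", _FAKE_DER)
ENCRYPTED_KEY = _wrap("RSA PRIVATE KEY", _FAKE_DER,
                      ("Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF"))
PKCS8_ENCRYPTED_KEY = _wrap("ENCRYPTED PRIVATE KEY", _FAKE_DER)
# A paste that picked up a stray heading line and lost a letter in the END marker.
PASTE_DAMAGED_CERT = "Certificate:\n" + GOOD_CERT.replace("-----END CERTIFICATE-----", "-----END CERTIFCATE-----")

if __name__ == "__main__":
    for name, text, kind in (("good cert", GOOD_CERT, "certificate"), ("plain key", PLAIN_KEY, "key"),
                             ("encrypted key", ENCRYPTED_KEY, "key"),
                             ("damaged cert", PASTE_DAMAGED_CERT, "certificate")):
        print(f"{name}: {lint_pem(text, kind) or 'OK'}")
```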

### You have reached the maximum number of custom certificates. (Code: 1212)

**Root cause**

You have used up your custom certificate quota.

**Solution**

Delete some existing certificates to add a new one. If you are an Enterprise customer, you can contact your account team to acquire more custom certificates.

### This certificate has already been submitted. (Code: 1220)

**Root cause**

You are trying to upload a custom certificate that you have already uploaded.

**Solution**

Delete the existing one and try again.

### The SSL attribute is invalid. Please refer to the API documentation, check your input and try again. (Code: 1434)

**Root cause**

You are trying to upload a custom certificate that does not support any cipher that is needed by Chromium-based browsers.

**Solution**

Modify the certificate so that it supports Chromium-supported ciphers and try again.

### You have reached your quota for the requested resource. (Code: 2005)

**Root cause**

The quota for custom certificates depends on the **type** of certificate (**Custom Legacy** vs **Custom Modern**).

If you try to upload a certificate **type** but have already reached your quota, you will receive this error.

**Solution**

First, check your custom certificate entitlements on the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page.

Then, when actually uploading or editing the certificate, make sure you select the appropriate option for **Legacy Client Support**.

### The certificate chain you uploaded cannot be bundled using Cloudflare's trust store. Please check your input and try again. (Code: 2100)

**Root cause**

You are trying to upload a custom certificate that contains the root and leaf certificate at the same time.

**Solution**

Upload the leaf certificate only.

### The certificate chain you uploaded has no leaf certificates. Please check your input and try again. (Code: 2101)

**Root cause**

You are trying to upload a root + intermediate + intermediate `.crt` file, but the actual leaf certificate is in a separate file.

**Solution**

Add the leaf to the `.crt` file, or just use the leaf by itself since the Certificate Authority has a public chain of trust in our trust store.

### The certificate chain you uploaded does not include any hostnames from your zone. Please check your input and try again. (Code: 2103)

**Root cause**

Cloudflare verifies that uploaded custom certificates include a hostname for the associated zone. Moreover, this hostname must be included as a Subject Alternative Name (SAN). This is following the standard set by the [CA/Browser Forum ↗](https://cabforum.org/wp-content/uploads/BRv1.2.5.pdf#page=16).

**Solution**

Make sure your certificate contains a Subject Alternative Name (SAN) specifying a hostname in your zone. You can use the `openssl` command below and look for `Subject Alternative Name` in the output.

```sh
openssl x509 -in certificateFile.pem -noout -text
```

If it does not exist, you will need to request a new certificate.

### The private key you uploaded is invalid. Please check your input and try again. (Code: 2106)

**Root cause**

Cloudflare requires separate, PEM-encoded files for the SSL private key and certificate.

**Solution**

Contact your Certificate Authority (CA) to confirm whether your current certificate meets this requirement or request your CA to assist with certificate format conversion.

Make sure your certificate complies with these [requirements](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#certificate-requirements).

Check that the certificate and private keys match before uploading the certificate in the Cloudflare dashboard. This [external resource ↗](https://www.sslshopper.com/article-most-common-openssl-commands.html) might help.


---

---
title: Manage custom certificates
description: This page lists Cloudflare requirements for custom certificates and explains how to upload and update these certificates using Cloudflare dashboard or API.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Manage custom certificates

This page lists Cloudflare requirements for custom certificates and explains how to upload and update these certificates using Cloudflare dashboard or API.

## Certificate requirements

Before accepting custom certificates, Cloudflare parses them and checks for validity according to a list of requirements.

Full list of requirements

Each custom certificate you upload must:

* Be encoded in PEM format (PEM, PKCS#7, or PKCS#12). See [Converting Using OpenSSL ↗](https://www.sslshopper.com/article-most-common-openssl-commands.html) for conversion examples.
* Not have a [key file password](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/remove-file-key-password/).
* Not be expiring in less than 14 days from time of upload.
* Have a subject alternative name (SAN) matching at least one hostname in the zone where it is being uploaded.
* Use a private key greater than or equal to a minimum length. Currently, 2048 bit for RSA and 225 bit for ECDSA.
* Be publicly trusted by a major browser. This does not apply for certificates that specify `User Defined` as their [bundling methodology](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/bundling-methodologies/).
* Be one of the following certificate types:  
   * Unified Communications Certificates (UCC)  
   * Extended Validation (EV)  
   * Domain Validated (DV)  
   * Organization Validated (OV)

---

## Upload a custom certificate

Warning

When using `compatible` or `modern` [bundling](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/bundling-methodologies), make sure to upload only the leaf certificate. This will allow Cloudflare to properly handle [the expiration of intermediate and root certificates](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/bundling-methodologies/#intermediate-and-root-certificates).

**Dashboard**

To upload a custom SSL certificate in the dashboard:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. In **Edge Certificates**, select **Upload Custom SSL Certificate**.
3. Copy and paste relevant values into **SSL Certificate** and **Private key** text areas (or select **Paste from file**).  
Note  
If doing this manually, include the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines like the placeholder text.
4. Choose the appropriate [**Bundle Method**](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/bundling-methodologies/).
5. Select a value for [**Private Key Restriction**](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/#geo-key-manager-private-key-restriction).
6. Select a value for **Legacy Client Support**, which specifies [Server Name Indication (SNI)](https://developers.cloudflare.com/ssl/reference/browser-compatibility/#non-sni-support) support:  
   * **Modern (recommended)**: SNI only  
   * **Legacy**: Supports non-SNI  
   Warning  
   Custom certificates of the type `legacy_custom` are not compatible with [BYOIP](https://developers.cloudflare.com/byoip/).
7. Select **Upload Custom Certificate**. If you see an error for `The key you provided does not match the certificate`, contact your Certificate Authority to ensure the private key matches the certificate.
8. (optional) [Add a CAA DNS record](https://developers.cloudflare.com/ssl/edge-certificates/caa-records/).

**API**

The following call will upload a certificate for use with `app.example.com`. Cloudflare will automatically bundle the certificate with a certificate chain optimized for maximum compatibility with browsers.

Warning

Note that if you are using an ECC key generated by OpenSSL, you will need to first remove the `-----BEGIN EC PARAMETERS-----...-----END EC PARAMETERS-----` section of the file.

1. Update the file and build the payload

```sh
cat app_example_com.pem
```

```
-----BEGIN CERTIFICATE-----
MIIFJDCCBAygAwIBAgIQD0ifmj/Yi5NP/2gdUySbfzANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
...
SzSHfXp5lnu/3V08I72q1QNzOCgY1XeL4GKVcj4or6cT6tX6oJH7ePPmfrBfqI/O
OeH8gMJ+FuwtXYEPa4hBf38M5eU5xWG7
-----END CERTIFICATE-----
```

```sh
MYCERT="$(cat app_example_com.pem|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"
MYKEY="$(cat app_example_com.key|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"
```

With the certificate and key saved to environment variables (using escaped newlines), build the payload:

```sh
request_body=$(< <(cat <<EOF
{
  "certificate": "$MYCERT",
  "private_key": "$MYKEY",
  "bundle_method": "ubiquitous"
}
EOF
))
```

You can optionally add [geographic restrictions ↗](https://blog.cloudflare.com/introducing-cloudflare-geo-key-manager/) that specify where your private key can physically be decrypted:

```sh
request_body=$(< <(cat <<EOF
{
  "certificate": "$MYCERT",
  "private_key": "$MYKEY",
  "bundle_method": "ubiquitous",
  "geo_restrictions": {"label": "us"}
}
EOF
))
```

You can also enable support for legacy clients which do not include SNI in the TLS handshake.

```sh
request_body=$(< <(cat <<EOF
{
  "certificate": "$MYCERT",
  "private_key": "$MYKEY",
  "bundle_method": "ubiquitous",
  "geo_restrictions": {"label": "us"},
  "type": "sni_custom"
}
EOF
))
```

`sni_custom` is recommended by Cloudflare. Use `legacy_custom` when a specific client requires non-SNI support. The Cloudflare API treats all Custom SSL certificates as Legacy by default.

Warning

Custom certificates of the type `legacy_custom` are not compatible with [BYOIP](https://developers.cloudflare.com/byoip/).

2. Upload your certificate and key

Use the [POST](https://developers.cloudflare.com/api/resources/custom%5Fcertificates/methods/create/) endpoint to upload your certificate and key.

```sh
curl https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_certificates \
--header "X-Auth-Email: <EMAIL>" \
--header "X-Auth-Key: <API_KEY>" \
--header "Content-Type: application/json" \
--data "$request_body"
```

3. (Optional) Add a CAA record.

A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.

For more guidance, refer to [Create a CAA record](https://developers.cloudflare.com/ssl/edge-certificates/caa-records/).
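As an added example (not Cloudflare's own tooling), the following POSIX shell script runs the checks from the certificate requirements list and the leaf-only, SAN and key-match conditions behind error codes 2100, 2103 and "The key you provided does not match the certificate" against a certificate/key pair, then builds the request body for the POST call without the `perl`/`sed` escaping shown above. It assumes `openssl` 1.1.1 or later is on `PATH`, and generates its own constructed sample key pair; nothing is sent to the API.

```sh
#!/bin/sh
# Added example, not Cloudflare's own tooling: pre-upload checks that mirror
# the requirements on this page, plus a JSON body builder for
# POST /zones/{zone_id}/custom_certificates.
# Assumes: openssl 1.1.1+ on PATH. The sample key and certificate are
# constructed locally by make_sample and are not real credentials.
set -eu

MIN_DAYS=14         # must not expire within 14 days of upload
MIN_RSA_BITS=2048   # minimum RSA key length stated on this page
MIN_EC_BITS=225     # minimum ECDSA key length stated on this page

# Constructed sample: an EC key as `openssl ecparam -genkey` writes it (with
# the EC PARAMETERS block) and a self-signed leaf with two example.com SANs.
make_sample() {   # $1 directory to write sample.key and sample.pem into
  openssl ecparam -name prime256v1 -genkey -out "$1/sample.key" 2>/dev/null
  openssl req -new -x509 -key "$1/sample.key" -out "$1/sample.pem" -days 90 \
    -subj "/CN=app.example.com" \
    -addext "subjectAltName=DNS:app.example.com,DNS:www.example.com" 2>/dev/null
}

# Drop the EC PARAMETERS block that the upload endpoint does not accept.
strip_ec_params() {
  sed '/-----BEGIN EC PARAMETERS-----/,/-----END EC PARAMETERS-----/d' "$1"
}

# Number of certificates in a PEM file; compatible/modern bundling wants 1.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# True when $2 is listed as a DNS Subject Alternative Name of certificate $1.
has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' | sed 's/^ *//' \
    | grep -qxF "DNS:$2"
}

# Key length in bits, and whether the key is RSA, from `openssl pkey -text`.
key_bits() {
  strip_ec_params "$1" | openssl pkey -noout -text \
    | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}
key_is_rsa() { strip_ec_params "$1" | openssl pkey -noout -text | grep -q publicExponent; }

# Same check the dashboard reports as "The key you provided does not match
# the certificate": the public key derived from each file must be identical.
key_matches_cert() {   # $1 cert.pem  $2 key.pem
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(strip_ec_params "$2" | openssl pkey -pubout)" ]
}

# Prints "ok" or the first failed requirement; returns 1 on failure.
check_upload_inputs() {   # $1 cert.pem  $2 key.pem  $3 a hostname in the zone
  [ "$(cert_count "$1")" -eq 1 ] || { echo "upload the leaf only (see code 2100)"; return 1; }
  has_san "$1" "$3" || { echo "no SAN for $3 (see code 2103)"; return 1; }
  openssl x509 -in "$1" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null \
    || { echo "expires within $MIN_DAYS days"; return 1; }
  bits=$(key_bits "$2")
  if key_is_rsa "$2"; then min=$MIN_RSA_BITS; else min=$MIN_EC_BITS; fi
  [ "$bits" -ge "$min" ] || { echo "key is $bits bits, minimum is $min"; return 1; }
  key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
  echo ok
}

# PEM file -> JSON string value: strip EC PARAMETERS and CR, escape newlines.
# PEM never contains '"' or '\', so no other escaping is needed.
pem_to_json_string() {
  strip_ec_params "$1" | tr -d '\r' | awk 'BEGIN { ORS = "" } { print $0 "\\n" }'
}

# Request body for the POST call; feed it to curl with --data "$body".
build_request_body() {   # $1 cert.pem  $2 key.pem  $3 bundle_method  $4 type
  printf '{"certificate":"%s","private_key":"%s","bundle_method":"%s","type":"%s"}' \
    "$(pem_to_json_string "$1")" "$(pem_to_json_string "$2")" "$3" "$4"
}

# Stand-alone run (`sh check_upload.sh demo`): generate the sample, check it
# and show the start of the payload. Nothing is sent anywhere.
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  make_sample "$dir"
  check_upload_inputs "$dir/sample.pem" "$dir/sample.key" app.example.com
  build_request_body "$dir/sample.pem" "$dir/sample.key" ubiquitous sni_custom | head -c 120
  echo
  rm -rf "$dir"
fi
```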

---

## Update an existing custom certificate

Before you update an existing custom certificate, you might want to consider having active [universal](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) or [advanced](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) certificates as fallback options. Go to the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page to check a list of hostnames and status of the edge certificates in your zone.

If you are on an Enterprise plan and want to update a custom (modern) certificate, also consider requesting access to [Staging environment (Beta)](https://developers.cloudflare.com/ssl/edge-certificates/staging-environment/).

Replacing a custom certificate following these steps does not lead to any downtime. No connections will be terminated and new connections will use the new certificate. The old certificate will only actually be deleted when the new certificate is uploaded and active.

**Dashboard**

To update a certificate in the dashboard:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. In **Edge Certificates**, locate a custom certificate and select it to expand.
3. Select the wrench button and choose **Replace SSL certificate and key**.
4. Follow the same steps as [upload a new certificate](#upload-a-custom-certificate).

**API**

To update a certificate using the API, send a [PATCH](https://developers.cloudflare.com/api/resources/custom%5Fcertificates/methods/edit/) command.

Note

To update the **Private Key Restriction** setting of a certificate, delete and re-add the certificate.

---

## Delete a custom certificate

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. In **Edge Certificates**, locate a custom certificate and select it to expand.
3. Select the cross button.
4. Select **Confirm** to delete the certificate.


---

---
title: ECH Protocol
description: ECH stands for Encrypted Client Hello. It is a protocol extension in the context of Transport Layer Security (TLS). ECH encrypts part of the handshake and masks the Server Name Indication (SNI) that is used to negotiate a TLS session. This means that whenever a user visits a website on Cloudflare that has ECH enabled, intermediaries will be able to see that you are visiting a website on Cloudflare, but they will not be able to determine which one.
image: https://developers.cloudflare.com/core-services-preview.png
---


# ECH Protocol

ECH stands for [Encrypted Client Hello ↗](https://datatracker.ietf.org/doc/draft-ietf-tls-esni/16/). It is a protocol extension in the context of Transport Layer Security (TLS). ECH encrypts part of the handshake and masks the Server Name Indication (SNI) that is used to negotiate a TLS session. This means that whenever a user visits a website on Cloudflare that has ECH enabled, intermediaries will be able to see that you are visiting a website on Cloudflare, but they will not be able to determine which one.

## What ECH does

ECH limits access to information that a particular user is visiting your website, ensuring that it is not unnecessarily shared with intermediaries, like Internet Service Providers (ISP). With ECH, specific details regarding their visit no longer leak to network intermediaries when the user accesses your website.

## How ECH works

In a typical [TLS handshake ↗](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/), the client sends a ClientHello message to the server to initiate the TLS session. This message contains important information, including the list of supported cryptographic algorithms, TLS version, and the requested server name (the domain name of the website the client wants to connect to). The server name is indicated through Server Name Indication (SNI).

With ECH, the ClientHello message part is split into two separate messages: an inner part and an outer part. The outer part contains the non-sensitive information such as which ciphers to use and the TLS version and an "outer ClientHello". The inner part is encrypted and contains an "inner ClientHello".

The outer ClientHello contains a common name (SNI) that represents that a user is trying to visit an encrypted website on Cloudflare. We chose `cloudflare-ech.com` as the SNI that all websites will share on Cloudflare. Because Cloudflare controls that domain, we have the appropriate certificates to be able to negotiate a TLS handshake for that server name.

The inner ClientHello contains the actual server name that the user is trying to visit. This is encrypted using a public key and can only be read by Cloudflare. Once the handshake completes, the web page is loaded as normal, just like any other website loaded over TLS.

In practice, this means that any intermediary that is looking at your traffic will simply see normal TLS handshakes with one caveat: any traffic to an ECH-enabled server name on Cloudflare will look the same. Every TLS handshake will appear identical in that it looks like it is trying to load a website for `cloudflare-ech.com`, as opposed to the actual website.

In the example below, a user is visiting `example.com`. Without ECH, any intermediate networks will be able to detect the website being accessed by the user. With ECH, the visible information will be limited to `cloudflare-ech.com` instead.

```mermaid
flowchart LR
accTitle: What intermediaries see with and without ECH
accDescr: This diagram describes what intermediaries see with and without ECH.
A(User visits <code>example.com</code>)
    A -- With ECH --> C(intermediaries see <code>cloudflare-ech.com</code>)-->B(Cloudflare)
    A -- Without ECH  --> D(intermediaries see <code>example.com</code>)-->B(Cloudflare)
```

For more details about ECH protocol technology, refer to our [introductory blog ↗](https://blog.cloudflare.com/encrypted-client-hello/).

## Enable ECH

ECH is enabled by default on Free zones. Other plans can turn it on or off following the steps below.

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **Encrypted ClientHello (ECH)**, change the setting to **Enabled**.

## Enterprise network applicability

Some enterprise or regional networks may need to audit or apply filtering policies to traffic that traverses their network. These policies are expressed in terms of domain names, not IP addresses. Consequently, they are best applied at the local DNS resolver in response to the `A` and `AAAA` queries for the individual domain names.

However, for settings wherein DNS-based filtering is not applicable, there are two ways in which networks can disable ECH to allow existing filtering mechanisms to continue working as expected.

The most reliable way is via the local or recursive DNS resolver itself, by dropping ECH configurations from HTTPS resource records returned to clients, or, preferably, by returning a "no error no answer" or NXDOMAIN response to HTTPS queries. This prevents clients from obtaining the necessary information to use ECH. Note that modifying HTTPS resource records may cause failures for clients that perform DNSSEC validation, so dropping HTTPS responses may be the preferred approach. This will prevent browsers such as Chrome from using ECH.

The second way to disable ECH is via a network canary domain. In particular, your network's DNS resolver can return a "no error no answer" or an NXDOMAIN response to queries made to the `use-application-dns.net` [canary domain ↗](https://support.mozilla.org/en-US/kb/canary-domain-use-application-dnsnet). This will prevent browsers such as Firefox from using ECH. For more information, see Firefox's [frequently asked questions page ↗](https://support.mozilla.org/en-US/kb/faq-encrypted-client-hello#w%5Fhow-will-ech-interact-with-dohs-opt-outs) for Encrypted Client Hello.


---

---
title: Enforce HTTPS connections
description: Even with an active SSL/TLS certificate, visitors can still access resources over unsecured HTTP connections.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Enforce HTTPS connections

Even with an active SSL/TLS certificate, visitors can still access resources over unsecured HTTP connections.

It is best to redirect this traffic over HTTPS, as well as ensure other resources (such as images) are also loaded over HTTPS.

## Prerequisites

Before trying to enforce HTTPS connections, make sure that your application has an active [edge certificate](https://developers.cloudflare.com/ssl/get-started/#choose-an-edge-certificate). Otherwise, visitors will not be able to access your application at all.

Also, make sure that your [SSL encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/) is not set to **Off**. Otherwise, Cloudflare will redirect all visitor connections automatically to HTTP.

## 1\. Evaluate existing redirects

To make sure that your visitors do not get stuck in a [redirect loop](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/), evaluate existing redirects at your origin server and within the Cloudflare dashboard.

You should generally avoid redirects at your origin server. Not only are you likely to forget about them, but they also reduce application performance. It is much faster for Cloudflare to redirect requests before they ever reach your origin.

Make sure that your redirects within Cloudflare are not forwarding traffic to URLs starting with `http`.

## 2\. Rewrite HTTP URLs

If your application contains links or references to HTTP URLs, your visitors might see [mixed content errors](https://developers.cloudflare.com/ssl/troubleshooting/mixed-content-errors/) when accessing an HTTPS page.

To avoid these issues, enable [Automatic HTTPS Rewrites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/automatic-https-rewrites/) and pay attention to which HTTP requests are still reaching your origin server.

## 3\. Redirect traffic to HTTPS

If your entire application can support HTTPS traffic, enable [Always Use HTTPS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/#encrypt-all-visitor-traffic).

If only some parts of your application can support HTTPS traffic, do not enable **Always Use HTTPS** and use a [single redirect](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/) to selectively perform the redirect to HTTPS. Refer to [Redirect admin area requests to HTTPS](https://developers.cloudflare.com/rules/url-forwarding/examples/redirect-admin-https/) for an example.


---

---
title: Geo Key Manager
description: Geo Key Manager allows customers to store and manage the encryption keys for their domains in different geographic locations so they can meet compliance regulations and keep data secure.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Geo Key Manager

Restrict where the private keys used for TLS certificates are stored and managed.

Geo Key Manager allows customers to store and manage the encryption keys for their domains in different geographic locations so they can meet compliance regulations and keep data secure.

## Resources

* [ Setup ](https://developers.cloudflare.com/ssl/edge-certificates/geokey-manager/setup/)
* [ Supported options ](https://developers.cloudflare.com/ssl/edge-certificates/geokey-manager/supported-options/)

## Limitations

Currently, Geo Key Manager is limited to [custom certificates](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) and available only through the Cloudflare API.

---

## Related products

**[Data Localization Suite](https://developers.cloudflare.com/data-localization/)** 

The Data Localization Suite (DLS) is a set of products that helps customers who want to maintain local control over their traffic while retaining the security benefits of a global network.

**[Geo Key Manager (v1)](https://blog.cloudflare.com/introducing-cloudflare-geo-key-manager/)** 

The first version of Geo Key Manager supports 3 regions: U.S., E.U., and a set of High Security Data Centers. If you would like to restrict your private key to another country or region, [apply for the closed beta ↗](https://www.cloudflare.com/lp/geo-key-manager/) of the new version.

---

## More resources

[Plans](https://www.cloudflare.com/plans/#overview) 

Compare available Cloudflare plans


---

---
title: Setup
description: Learn how to set up Geo Key Manager and choose the geographical boundaries of where your private encryption keys are stored.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Setup

## Geo Key Manager v2 Beta

Note

Geo Key Manager v2 is only available through the Cloudflare API.

Geo Key Manager v2 gives customers flexibility when choosing the geographical boundaries of where their keys are stored.

Using the `policy` field, customers can define policies containing allow and block lists of countries or regions where the private key should be stored.

To use Geo Key Manager v2 with the API, generally, follow the steps to [upload a custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate).

When sending the [POST](https://developers.cloudflare.com/api/resources/custom%5Fcertificates/methods/create/) request, include the `policy` parameter to define policies containing allow and block lists of countries or regions where the private key should be stored.

Note

You also have access to the `geo_restrictions` parameter, which is mutually exclusive with the `policy` parameter and is part of [Geo Key Manager v1](#geo-key-manager-v1).

### Examples

Store private keys in the E.U. and the U.S.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Mutual TLS Certificates Write`
* `SSL and Certificates Write`

Create SSL Configuration

```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/custom_certificates" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "certificate": "<CERTIFICATE>",
    "private_key": "<PRIVATE_KEY>",
    "policy": "(country: US) and (region: EU)",
    "type": "sni_custom"
  }'
```

Store private keys in the E.U., but not in France

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Access: Mutual TLS Certificates Write`
* `SSL and Certificates Write`

Create SSL Configuration

```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/custom_certificates" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "certificate": "<CERTIFICATE>",
    "private_key": "<PRIVATE_KEY>",
    "policy": "(region: EU) and (not country: FR)",
    "type": "sni_custom"
  }'
```

Note

For more information on the `policy` field, refer to [Supported options](https://developers.cloudflare.com/ssl/edge-certificates/geokey-manager/supported-options/).

## Geo Key Manager v1

The first version of Geo Key Manager supports 3 regions: U.S., E.U., and a set of High Security Data Centers. If you would like to restrict your private key to another country or region, [apply for the closed beta ↗](https://www.cloudflare.com/lp/geo-key-manager/) of the new version.

**Dashboard**

To use Geo Key Manager in the dashboard:

1. Follow the steps to [upload a custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate).
2. For **Private Key Restriction**, choose one of the following options:  
   * **Distribute to all Cloudflare data centers (optimal performance)**  
   * **Distribute only to U.S. data centers**  
   * **Distribute only to E.U. data centers**  
   * **Distribute only to highest security data centers** ([more details](https://developers.cloudflare.com/ssl/edge-certificates/geokey-manager/supported-options/#highest-security-data-centers))
3. Select **Upload Custom Certificate**.

**API**

To use Geo Key Manager with the API, generally, follow the steps to [upload a custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate).

When sending the [POST](https://developers.cloudflare.com/api/resources/custom%5Fcertificates/methods/create/) request, include the `geo_restrictions` parameter set to one of the following options:

* `us`
* `eu`
* `highest_security`([more details](https://developers.cloudflare.com/ssl/edge-certificates/geokey-manager/supported-options/#highest-security-data-centers))


---

---
title: Supported options
description: Learn which options are supported for Geo Key Manager.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Supported options

## Available regions

For customers with Geo Key Manager v2, you can use the `policy` parameter to specify the following regions using the **Region code**:

| Region code | Region name           |
| ----------- | --------------------- |
| AFR         | Africa                |
| APAC        | Asia Pacific          |
| EEUR        | Eastern Europe        |
| ENAM        | Eastern North America |
| EU          | European Union        |
| ME          | Middle East           |
| OC          | Oceania               |
| SAM         | South America         |
| WEUR        | Western Europe        |
| WNAM        | Western North America |

---

## Available countries

For customers with Geo Key Manager v2, you can use the `policy` parameter to specify individual countries as well. Cloudflare is constantly expanding the number of supported countries. To indicate a country, specify the two-letter (ISO 3166) country code.

Examples of supported countries are Japan, Canada, India, and Australia.

---

## Highest security data centers

For customers with both Geo Key Manager v1 and v2, you can use the `geo_restrictions` parameter to only choose Cloudflare's highest security data centers.

The following aspects are unique to our highest security data centers, but the baseline security requirements for all data centers are also detailed in [our blog ↗](https://blog.cloudflare.com/introducing-cloudflare-geo-key-manager/).

### Pre-scheduled and biometric controlled facility access

Employees of Cloudflare permitted to access the facility must have previously scheduled a visit before access will be granted.

Access to the entrance of the facility is controlled through the use of a biometric hand reader combined with an assigned access code.

### Private cages with biometric readers

All equipment is in private cages with physical access controlled via biometrics and recorded in audit logs. Entrants have to pass through five separate readers before they can access the cage.

### Exterior security controls and monitoring

All points of ingress/egress are monitored by an intrusion detection system (IDS), with authorized users and access events archived for historical review.

### Interior security controls and monitoring

Interior points of ingress/egress are controlled by the access control subsystem, with entry routed through a mantrap. All areas are monitored and recorded with closed-circuit television, with data kept for a minimum of thirty days.

Exterior walls are airtight and may incorporate additional security measures such as reinforced concrete, Kevlar bullet board, vapor barriers, or bullet-proof front doors.


---

---
title: Staging environment
description: Use your certificate staging environment to test new custom (modern) certificates before pushing them to your production environment. This process helps you solve potential certificate problems before there's an incident, such as when:
image: https://developers.cloudflare.com/core-services-preview.png
---


# Staging environment

Use your certificate staging environment to test new custom (modern) certificates before pushing them to your production environment. This process helps you solve potential certificate problems **before** there's an incident, such as when:

* You make a mistake when uploading a new custom certificate.
* You misunderstand the order of your certificates.
* Clients have previously pinned your custom certificate, causing a TLS termination error.

## Availability

|              | Free | Pro | Business | Enterprise      |
| ------------ | ---- | --- | -------- | --------------- |
| Availability | No   | No  | No       | Yes (open beta) |

---

## Use your staging environment

### 1. Upload certificate

To upload custom (modern) certificates to your staging environment:

1. In the Cloudflare dashboard, go to the **Staging Certificates** page.  
[ Go to **Staging Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/staging-certificates)
2. Select **Upload Custom Staging Certificate**.
3. Upload your custom (modern) certificate ([detailed instructions](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/)).
4. Your certificate will appear in the dashboard with a status of **Staging Deployment**. If you refresh the page, its status should go to **Staging Active**.

### 2. Test certificate

Test your custom (modern) certificate by sending `curl` requests to the IP addresses listed on the [**Staging Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/staging-certificates) page:

```sh
curl --resolve <HOSTNAME>:<PORT>:<STAGING_IP> https://<HOSTNAME> -iv
```

You should confirm whether:

* TLS termination is successful.
* The right certificate is being served at the edge.
* Any clients are pinning the old certificate.
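The check described above, automated as an added example (not Cloudflare's tooling): it opens a TLS connection to the staging IP with the production hostname in SNI, as `curl --resolve` does, then reports whether the served certificate is the one you uploaded, covers the hostname, is unexpired, and would break clients pinning the old fingerprint. The sample DER bytes, peer dictionary and old pin are constructed stand-ins.

```python
"""Staging certificate check (added example, not Cloudflare's code)."""
import hashlib
import socket
import ssl
import sys
import time


def fetch_served_cert(hostname, staging_ip, port=443, timeout=10.0):
    """Connect to staging_ip with SNI=hostname; return (der_bytes, getpeercert() dict).
    Trust-store and hostname verification stay on, so a chain that does not
    terminate cleanly raises ssl.SSLCertVerificationError, which is exactly the
    "TLS termination failed" signal to catch before pushing to production."""
    ctx = ssl.create_default_context()
    with socket.create_connection((staging_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


def sha256_fingerprint(der):
    """Hex SHA-256 of the DER certificate (what `openssl x509 -fingerprint -sha256` prints)."""
    return hashlib.sha256(der).hexdigest()


def san_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a leading '*' covering exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        head = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return bool(head) and "." not in head
    return False


def _norm(fp):
    """Accept openssl-style 'AB:CD:..' as well as bare lowercase hex."""
    return fp.replace(":", "").lower()


def evaluate(der, peer, hostname, expected_sha256, old_pins=(), now=None):
    """Pure check over what the edge served. old_pins are fingerprints that
    clients are known to pin; if the served cert is not among them, those
    clients will fail once this certificate reaches production."""
    now = time.time() if now is None else now
    fp = sha256_fingerprint(der)
    sans = [v for kind, v in peer.get("subjectAltName", ()) if kind == "DNS"]
    not_after = ssl.cert_time_to_seconds(peer["notAfter"])
    old = {_norm(p) for p in old_pins}
    findings = {
        "fingerprint": fp,
        "is_expected_certificate": fp == _norm(expected_sha256),
        "covers_hostname": any(san_matches(s, hostname) for s in sans),
        "not_expired": not_after > now,
        "pinned_clients_will_break": bool(old) and fp not in old,
    }
    findings["ok"] = (findings["is_expected_certificate"] and findings["covers_hostname"]
                      and findings["not_expired"] and not findings["pinned_clients_will_break"])
    return findings


# Constructed sample: stands in for a real DER blob and getpeercert() output.
SAMPLE_DER = b"constructed-der-bytes-not-a-real-certificate"
SAMPLE_PEER = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jun 30 12:00:00 2030 GMT",
}
OLD_PIN = "00" * 32  # constructed fingerprint of the previous certificate


def run_sample_check():
    """Evaluate the constructed sample as if the staging IP had served it."""
    return evaluate(SAMPLE_DER, SAMPLE_PEER, "www.example.com",
                    sha256_fingerprint(SAMPLE_DER), old_pins=[OLD_PIN], now=0)


if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: staging_check.py HOSTNAME STAGING_IP EXPECTED_SHA256 [OLD_PIN ...]")
    host, ip, expected, *pins = sys.argv[1:]
    try:
        der, peer = fetch_served_cert(host, ip)
    except ssl.SSLError as exc:
        sys.exit(f"TLS termination failed: {exc}")
    for key, value in evaluate(der, peer, host, expected, pins).items():
        print(f"{key}: {value}")
```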

### 3. Push certificate to production

Assuming there are no issues, push your custom (modern) certificate to your production environment:

1. In the Cloudflare dashboard, go to the **Staging Certificates** page.  
[ Go to **Staging Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/staging-certificates)
2. Select a custom certificate.
3. Select **Push to Production**.

If there were issues with your certificate, you can keep it in your staging environment or select **Deactivate** on the certificate itself.

### 4. (Optional) Push certificate back to staging

If you roll out a custom (modern) certificate to production and encounter issues, you can deactivate that certificate to delete the certificate from the edge and then push the certificate back to your staging environment for additional testing:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. Select a custom certificate.
3. Select **Deactivate**.
4. Select **Push to Staging**.

---

## Limitations

### Access

Currently, staging environments are only available to Enterprise customers participating in an open beta. To get access to the beta, contact your Account team.

### Functionality

At the moment, staging environments have limited functionality:

* Only custom (modern) certificates
* Only accessed via the dashboard


---

---
title: Universal SSL
description: By default, Cloudflare issues — and renews — free, unshared, publicly trusted SSL certificates to all domains added to and activated on Cloudflare.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Universal SSL

By default, Cloudflare issues — and [renews](https://developers.cloudflare.com/ssl/reference/certificate-validity-periods/#universal-ssl) — free, unshared, publicly trusted SSL certificates to all domains [added to](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) and [activated on](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/) Cloudflare.

Universal certificates are [Domain Validated (DV)](https://developers.cloudflare.com/ssl/concepts/#validation-level). For setup details, refer to [Enable Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/enable-universal-ssl/).

Note

If your website or application requires an SSL certificate prior to migrating traffic to Cloudflare, or if you need to [customize cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/), refer to [Advanced](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) or [Custom](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) certificates.

## Availability

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | Yes  | Yes | Yes      | Yes        |

## Related resources

* [Backup certificates](https://developers.cloudflare.com/ssl/edge-certificates/backup-certificates/)
* [Validity period and renewal](https://developers.cloudflare.com/ssl/reference/certificate-validity-periods/#universal-ssl)


---

---
title: Alerts
description: You can configure alerts to receive notifications for changes in your certificates.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Alerts

You can configure alerts to receive notifications for changes in your certificates.

Universal SSL Alert

**Who is it for?**

Customers with universal certificates who want to receive a notification on validation, issuance, renewal, and expiration notices.

**Other options / filters**

None.

**Included with**

All Cloudflare plans.

**What should you do if you receive one?**

You only need to take action if you are notified that you have a certificate that failed. You can find the reasons why a certificate is not being issued in [Troubleshooting SSL errors](https://developers.cloudflare.com/ssl/troubleshooting/general-ssl-errors/).

Refer to [Cloudflare Notifications](https://developers.cloudflare.com/notifications/get-started/) for more information on how to set up an alert.


---

---
title: Disable Universal SSL certificates
description: Some customers may need to manage their own SSL certificates or rely on specific Certificate Authorities.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Disable Universal SSL certificates

Some customers may need to manage their own SSL certificates or rely on specific Certificate Authorities.

If you disable your domain's Universal SSL certificate, Cloudflare removes that certificate from our network and will not order or renew any additional Universal SSL certificates.

Disabling Universal SSL will not interrupt ongoing TLS connections to your domain on Cloudflare's network; they continue to be served according to the Universal SSL certificate used when they were first established. Eventually these connections will naturally end.

New TLS connections are expected to succeed as long as you have another valid certificate active, such as a [custom](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) or [advanced](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) certificate. New TLS connections will receive the highest priority certificate from our edge as per our [certificate and hostname priority](https://developers.cloudflare.com/ssl/reference/certificate-and-hostname-priority/). If a valid certificate is not active before disabling, TLS connections will fail. For more information, refer to [Potential errors](#potential-errors) below.

## Potential errors

To avoid errors with your domain, either [upload a custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) or purchase [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) before disabling Universal SSL.

If you disable Universal SSL, you may experience errors with the following scenarios:

* **Enabled features**:  
   * [HTTP Strict Transport Security (HSTS)](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/)  
   * [Always Use HTTPS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/)  
   * [Opportunistic Encryption](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/opportunistic-encryption/)
* **Other setups**:  
   * [Page Rules](https://developers.cloudflare.com/rules/page-rules/) that redirect traffic to HTTPS  
   * HTTP to HTTPS redirects at your origin web server

## Disable Universal SSL certificate

Before you disable Universal SSL/TLS, make sure you have [uploaded a custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) or purchased [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) to protect your domain.


To disable Universal SSL in the dashboard:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **Disable Universal SSL**, select **Disable Universal SSL**.
3. Read the warnings in the **Acknowledgement**.
4. Select **I Understand** and select **Confirm**.

To disable Universal SSL with the Cloudflare API, send a [PATCH](https://developers.cloudflare.com/api/resources/ssl/subresources/universal/subresources/settings/methods/edit/) request and include the `"enabled": false` parameter.

## Re-enable Universal SSL


To re-enable Universal SSL in the dashboard:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **Disable Universal SSL**, select **Enable Universal SSL**.

To re-enable Universal SSL with the Cloudflare API, send a [PATCH](https://developers.cloudflare.com/api/resources/ssl/subresources/universal/subresources/settings/methods/edit/) request and include the `"enabled": true` parameter.


---

---
title: Enable Universal SSL certificates
description: By default, Cloudflare issues — and renews — free, unshared, publicly trusted SSL certificates to all domains added to and activated on Cloudflare.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Enable Universal SSL certificates

By default, Cloudflare issues — and [renews](https://developers.cloudflare.com/ssl/reference/certificate-validity-periods/#universal-ssl) — free, unshared, publicly trusted SSL certificates to all domains [added to](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) and [activated on](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/) Cloudflare.

---

The process for activating a Universal SSL certificate depends on your domain's DNS setup.

## Full DNS setup

For domains on a [primary setup (full)](https://developers.cloudflare.com/dns/zone-setups/full-setup/)[1](#user-content-fn-1), your domain should **automatically** receive its Universal SSL certificate within **15 minutes to 24 hours** of domain activation[2](#user-content-fn-2).

This certificate will cover your zone apex (`example.com`) and all first-level subdomains (`subdomain.example.com`), and is provisioned even if your records are DNS only. However, the certificate will only be presented if your domain or subdomains are [proxied](https://developers.cloudflare.com/dns/proxy-status/).

## Footnotes

1. The most common Cloudflare setup that involves changing your authoritative nameservers. [↩](#user-content-fnref-1)
2. Provisioning time depends on certain security checks and other requirements mandated by Certificate Authorities (CA). [↩](#user-content-fnref-2)

### Minimize downtime

If your website or application is already live and cannot be uncovered while the Universal certificate is provisioned, consider the following:

* Order an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) before proxying traffic to Cloudflare.
* Upload a [custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) prior to migrating and then delete the certificate after your [Universal certificate is active](#verify-your-certificate-is-active).
* Keep DNS records [**unproxied**](https://developers.cloudflare.com/dns/proxy-status/) until your [certificate is active](#verify-your-certificate-is-active).

Note

If your domain is using a **partial setup**, you will need to add [Domain Control Validation (DCV) records](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/) to your authoritative DNS.

## Partial DNS setup

For non-authoritative or [partial domains](https://developers.cloudflare.com/dns/zone-setups/partial-setup/), Universal SSL will be:

* Provisioned once the DNS record is [proxied through Cloudflare](https://developers.cloudflare.com/dns/zone-setups/partial-setup/setup/#3-add-dns-records).
* Validated:  
   * Immediately if you add [Domain Control Validation (DCV)](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/) records to your authoritative DNS.  
   * After a brief period of downtime if you **do not** add DCV records (once your traffic is proxied).

Unless you cover and validate multiple subdomains with an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/), you will need to proxy and validate new subdomains as they are added.

---

## Verify your certificate is active

Once you enable Universal SSL, you can review the [activation status](https://developers.cloudflare.com/ssl/reference/certificate-statuses/) on the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page or via the API with a [GET request](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/list/).

---

## Universal SSL renewal

For Universal certificates, Cloudflare controls the validity periods and certificate authorities (CAs), making sure that renewals always occur.

Partial setup and DCV

If you are on a [CNAME setup (partial)](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/enable-universal-ssl/#partial-dns-setup), make sure [Domain control validation (DCV)](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/) is configured correctly. Refer to [Troubleshooting DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/troubleshooting/) for further help.

Universal certificates have a 90-day validity period. The auto renewal period starts 30 days before expiration.

For details, refer to [Validity periods and renewal](https://developers.cloudflare.com/ssl/reference/certificate-validity-periods/).


---

---
title: Limitations
description: Review the limitations of Universal certificates, such as hostname coverage, certificate authority choice, and compatibility with other products.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Limitations

Universal SSL certificates present some limitations.

## Proxy status

Cloudflare can only serve an SSL/TLS certificate for a DNS record when you set the record's [proxy status](https://developers.cloudflare.com/dns/proxy-status/) to **Proxied**. If you do not do this, the origin server your record points to will be responsible for supporting SSL/TLS connections.

## Hostname coverage

### Full setup

When you rely only on Universal SSL in a full setup zone, coverage is limited to the root domain (for example, `example.com`) and first-level subdomains (for example, `www.example.com` or `blog.example.com`). Deeper subdomains — such as `dev.www.example.com` or `app3.dev.www.example.com` — are **not** covered and will not serve a valid certificate.

To enable SSL for deeper subdomains, you can:

* Purchase [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) — then turn on [Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/) for automatic certificate coverage of all proxied subdomains, or manually create advanced certificates for specific hostnames.
* Upload a [custom SSL certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) that includes the required subdomains as Subject Alternative Names (SANs).

### CNAME setup

On a [CNAME setup zone](https://developers.cloudflare.com/dns/zone-setups/partial-setup/), each subdomain (regardless of level) has its own Universal SSL certificate and does not require additional features or purchases. As long as the subdomains are proxied to Cloudflare, a universal certificate [will be provisioned](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/enable-universal-ssl/#partial-dns-setup).

## Certificate authority

For Universal SSL certificates, Cloudflare chooses the certificate authority (CA) used for your certificate.

Cloudflare can change the [certificate authority](https://developers.cloudflare.com/ssl/reference/certificate-authorities/) without prior notification, and will not send any notification as the change happens.

If you want to choose the issuing certificate authority, [order an advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/).

## Validity period

For Universal certificates, Cloudflare controls the validity period. Refer to [validity periods and renewal](https://developers.cloudflare.com/ssl/reference/certificate-validity-periods/#universal-ssl) for details.

## TLS settings

[Customizing cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) is only available with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) or within [Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/).

You can set up [minimum TLS version](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/) at the zone level, but, for per-hostname settings, you must have [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/).

## Delegated DCV

Delegated DCV allows zones with [partial DNS setups](https://developers.cloudflare.com/dns/zone-setups/partial-setup/) to delegate the DCV process to Cloudflare. DCV delegation will not work with Universal SSL certificates and requires the use of an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/).

## Spectrum

Universal SSL is not compatible with [Cloudflare Spectrum](https://developers.cloudflare.com/spectrum/). If you are trying to use Spectrum, use either [an advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) or [a custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/).

## Load balancing

Due to internal limitations, Universal SSL certificates do not cover [load balancing hostnames](https://developers.cloudflare.com/load-balancing/load-balancers/dns-records/) by default. This behavior will be corrected in the future.

## Browser support

For more on browser support, see [Browser compatibility](https://developers.cloudflare.com/ssl/reference/browser-compatibility/).

## SSL invalid brand check

Some domains are not eligible for Universal SSL if they contain words that conflict with trademarked domains.

To resolve this issue, you can:

* Purchase an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/).
* Upload your own [custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/).


---

---
title: Troubleshooting
description: Review how to troubleshoot issues such as certificate timeouts when using Cloudflare Universal SSL.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Troubleshooting

## Resolve a timed out state

If a certificate issuance times out, Cloudflare tells you where in the chain of issuance the timeout occurred: Initializing, Validation, Issuance, Deployment, or Deletion.

To resolve timeout issues, try one or more of the following options:

* Change the **Proxy status** of related DNS records to **DNS only** (gray-clouded) and wait at least a minute. Then, change the **Proxy status** back to **Proxied** (orange-clouded).
* [Disable Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/disable-universal-ssl/) and wait at least a minute. Then, re-enable Universal SSL.
* Send a PATCH request to the [validation endpoint](https://developers.cloudflare.com/api/resources/ssl/subresources/verification/methods/edit/) using the same [DCV method](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/) (API only). Make sure that the `--data` field is not empty in your request.
* Review your domain control validation (DCV). Changing the DCV method will restart certificate issuance.

## Delete certificates

You can [use the API](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/delete/) to delete certificates that you no longer want listed on the Cloudflare dashboard.

## Other issues

For additional troubleshooting help, refer to [Troubleshooting SSL errors](https://developers.cloudflare.com/ssl/troubleshooting/).


---

---
title: Client certificates (mTLS)
description: Use Cloudflare public key infrastructure (PKI) to create client certificates and enforce mutual Transport Layer Security (mTLS) encryption.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Client certificates (mTLS)

Use Cloudflare's public key infrastructure (PKI) to create client certificates, or [bring your own CA for mTLS](https://developers.cloudflare.com/ssl/client-certificates/byo-ca/).

[Mutual TLS (mTLS)](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/) authentication is a common security practice that uses client certificates to ensure traffic between client and server is bidirectionally secure and trusted. mTLS also allows requests that do not authenticate via an identity provider — such as Internet-of-things (IoT) devices — to demonstrate they can reach a given resource.

mTLS at Cloudflare

For a broader overview, refer to the [mTLS at Cloudflare learning path](https://developers.cloudflare.com/learning-paths/mtls/concepts/).

---

## How it works

Client certificates issued from a given CA are installed on client devices that should be granted access. Then, for any host that has [mTLS enabled](https://developers.cloudflare.com/ssl/client-certificates/enable-mtls/), Cloudflare, acting as the server in this case, requires a certificate from the client trying to access the hostname.

If a certificate is presented, Cloudflare validates the client certificate against CAs set at account level. This means that these certificates can be used for validation across multiple zones/domains (`example.com`), as long as the zones are under the same Cloudflare account and mTLS has been enabled for the requested hosts (`host.example.com`).

The account-level CAs can be:

* The Cloudflare-managed CA: This is the default option. Certificates and hostname associations are listed on your [dashboard ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates/).
* [BYOCA](https://developers.cloudflare.com/ssl/client-certificates/byo-ca/) certificates: This is an API-only option, available on Enterprise accounts. Certificates and hostname associations are **not** listed on your dashboard.

Cloudflare then stores the validation result in a field called [cf.tls\_client\_auth.cert\_verified](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fverified/):

* **Success**: `cf.tls_client_auth.cert_verified` is `true`, and you can find client certificate details in [specific mTLS fields](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/?search-term=cf.tls%5Fclient%5Fauth).
* **Failure**: `cf.tls_client_auth.cert_verified` is `false`.

---

## Use cases

As explained in the [mTLS learning path](https://developers.cloudflare.com/learning-paths/mtls/concepts/), there are different use cases and implementation options for mTLS. Consider the following links for specific guidance.

* [Application security](https://developers.cloudflare.com/learning-paths/mtls/mtls-app-security/)
* [mTLS for Zero Trust](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/) (Cloudflare Access integration)
* [mTLS with API Shield](https://developers.cloudflare.com/api-shield/security/mtls/configure/)
* [mTLS Workers binding](https://developers.cloudflare.com/workers/runtime-apis/bindings/mtls/)

Apart from the mTLS Workers binding, any of the above implementations can use your own CA instead of the Cloudflare-managed one. Refer to [Bring your own CA](https://developers.cloudflare.com/ssl/client-certificates/byo-ca/).

### mTLS and Workers

Use the [mTLS Workers binding](https://developers.cloudflare.com/workers/runtime-apis/bindings/mtls/) when you need your worker to present a client certificate to an external service. To authenticate requests from a client to your worker instead, refer to [SSL/TLS > Client certificates ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates/) and the regular [mTLS for application security](https://developers.cloudflare.com/learning-paths/mtls/mtls-app-security/) implementation.

```mermaid
flowchart LR
    accTitle: mTLS from client to worker versus mTLS from worker to external service
    accDescr: Diagram showing two different implementations that can be considered for mTLS with Cloudflare Workers.
    A[Client] <--App security mTLS--> B((Cloudflare))<--mTLS worker binding--> C[(External service)]
```

---

## Further resources

* [ Create a client certificate ](https://developers.cloudflare.com/ssl/client-certificates/create-a-client-certificate/)
* [ Enable mTLS ](https://developers.cloudflare.com/ssl/client-certificates/enable-mtls/)
* [ Bring your own CA for mTLS ](https://developers.cloudflare.com/ssl/client-certificates/byo-ca/)
* [ Forward certificate to server ](https://developers.cloudflare.com/ssl/client-certificates/forward-a-client-certificate/)
* [ Label client certificates ](https://developers.cloudflare.com/ssl/client-certificates/label-client-certificate/)
* [ Revoke a client certificate ](https://developers.cloudflare.com/ssl/client-certificates/revoke-client-certificate/)
* [ Configure your mobile app or IoT device ](https://developers.cloudflare.com/ssl/client-certificates/configure-your-mobile-app-or-iot-device/)
* [ Client certificate variables ](https://developers.cloudflare.com/ssl/client-certificates/client-certificate-variables/)
* [ Troubleshooting ](https://developers.cloudflare.com/ssl/client-certificates/troubleshooting/)
* [ mTLS for Zero Trust ](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/)


---

---
title: Bring your own CA for mTLS
description: Cloudflare mTLS now supports client certificates that have not been issued by Cloudflare CA. Learn how you can bring your own CA and use it with Cloudflare mTLS.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Bring your own CA for mTLS

This page explains how you can manage client certificates that have not been issued by Cloudflare CA. For a broader overview, refer to the [mTLS at Cloudflare learning path](https://developers.cloudflare.com/learning-paths/mtls/concepts/).

Bring your own CA (BYOCA) is especially useful if you already have mTLS implemented and [client certificates are already installed](https://developers.cloudflare.com/ssl/client-certificates/#how-it-works) on devices.

## Availability

* Currently, you can only manage your uploaded CA via API, and the hostname associations are **not** reflected on the [dashboard ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates/).
* This process is only available on Enterprise accounts.
* Each Enterprise account can upload up to five CAs. This quota does not apply to CAs uploaded through [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/).

## CA certificate requirements

When you upload your CA, Cloudflare validates the certificate according to certain requirements.

* The CA certificate can be from a publicly trusted CA or self-signed.
* In the certificate `Basic Constraints`, the attribute `CA` must be set to `TRUE`.
* The certificate must use one of the following signature algorithms:
  * `x509.SHA1WithRSA`
  * `x509.SHA256WithRSA`
  * `x509.SHA384WithRSA`
  * `x509.SHA512WithRSA`
  * `x509.ECDSAWithSHA1`
  * `x509.ECDSAWithSHA256`
  * `x509.ECDSAWithSHA384`
  * `x509.ECDSAWithSHA512`

  The SHA-1 variants are accepted for compatibility with existing CAs. SHA-1 is no longer considered collision-resistant, so prefer a SHA-256 or stronger signature when issuing a new CA.

Note

Uploading the CA private key is only required if you wish to use [Zero Trust's block page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/user-side-certificates/custom-certificate/). For more context on how mTLS works, refer to our [Learning Center ↗](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/).

## Set up mTLS with your CA

1. Use the [Upload mTLS certificate endpoint](https://developers.cloudflare.com/api/resources/mtls%5Fcertificates/methods/create/) to upload the CA root certificate.
   * `ca` boolean required
     * Set to `true` to indicate that the certificate is a CA certificate.
   * `certificates` string required
     * Insert content from the `.pem` file associated with the CA certificate, formatted as a single string with `\n` replacing the line breaks.
   * `name` string optional
     * Indicate a unique name for your CA certificate.
2. Take note of the certificate ID (`id`) that is returned in the API response.
3. Use the [Replace Hostname Associations endpoint](https://developers.cloudflare.com/api/resources/certificate%5Fauthorities/subresources/hostname%5Fassociations/methods/update/) to enable mTLS in each hostname that should use the CA for mTLS validation. Use the following parameters:
   * `hostnames` array required
     * List the hostnames that will be using the CA for client certificate validation.

     Warning

     Submitting an empty array will remove all hostname associations.
   * `mtls_certificate_id` string required
     * Indicate the certificate ID obtained from the previous step.

     Warning

     If no `mtls_certificate_id` is provided, the action will be performed against the Cloudflare-managed CA.
4. (Optional) Since this process is API-only, and hostnames that use your uploaded CA certificate **are not** listed on the dashboard, you can make a [GET request](#list-ca-hostname-associations) to confirm the CA hostname associations.
5. Create a custom rule to enforce client certificate validation. You can do this [via the dashboard](https://developers.cloudflare.com/api-shield/security/mtls/configure/) or [via API](https://developers.cloudflare.com/waf/custom-rules/create-api/). The rule's `expression` matches the protected hostnames and its `action` blocks any request whose client certificate did not validate:

   ```json
   {
     "expression": "(http.host in {\"<HOSTNAME_1>\" \"<HOSTNAME_2>\"} and not cf.tls_client_auth.cert_verified)",
     "action": "block"
   }
   ```

Note

When a hostname is a CNAME to another hostname in your zone, enforce mTLS on the hostname the client actually requests. Enabling it only on the CNAME target is not enough.
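The request bodies for the steps above, as an added example that is not Cloudflare's own code. The builders make the two documented footguns explicit (an empty `hostnames` array clears every association; a missing `mtls_certificate_id` targets the Cloudflare-managed CA, which is exactly the call used under "Multiple CAs for one hostname" to detach a hostname from the managed CA) and generate the custom-rule expression with properly quoted hostnames. The `/accounts/{account_id}/mtls_certificates` path is assumed from the linked API reference; the PEM and hostnames at the bottom are constructed placeholders, and the API calls only run when `CLOUDFLARE_API_TOKEN`, `ACCOUNT_ID` and `ZONE_ID` are set.

```javascript
// Added example (not Cloudflare's code): request bodies for the BYOCA steps
// above plus the optional API calls. The mtls_certificates path is assumed
// from the linked API reference; the PEM and hostnames are constructed.

const API = "https://api.cloudflare.com/client/v4";

// Step 1 body. The endpoint wants the whole PEM as one JSON string with "\n"
// in place of line breaks; JSON.stringify produces exactly that escaping, so
// the PEM is passed through untouched rather than hand-edited.
function uploadCaBody(pem, name) {
  if (!pem.includes("-----BEGIN CERTIFICATE-----")) {
    throw new Error("expected a PEM-encoded CA certificate");
  }
  return JSON.stringify({ ca: true, certificates: pem.trim() + "\n", name });
}

// Step 3 body (also used to detach hostnames from the Cloudflare-managed CA).
// An empty array wipes every association and a missing mtls_certificate_id
// targets the managed CA, so both need to be requested explicitly.
function hostnameAssociationsBody(hostnames, opts = {}) {
  const { mtlsCertificateId = null, allowEmpty = false } = opts;
  if (!Array.isArray(hostnames)) throw new Error("hostnames must be an array");
  if (hostnames.length === 0 && !allowEmpty) {
    throw new Error("refusing to clear all hostname associations; pass allowEmpty: true");
  }
  const body = { hostnames };
  if (mtlsCertificateId !== null) body.mtls_certificate_id = mtlsCertificateId;
  return JSON.stringify(body);
}

// Step 5: expression for the custom rule that blocks unverified clients on
// the listed hostnames. Each hostname becomes a double-quoted string literal.
function mtlsEnforcementExpression(hostnames) {
  if (hostnames.length === 0) throw new Error("at least one hostname is required");
  const set = hostnames.map((h) => JSON.stringify(h)).join(" ");
  return `(http.host in {${set}} and not cf.tls_client_auth.cert_verified)`;
}

// Minimal API client; use a scoped token with "SSL and Certificates Write".
async function cfRequest(token, method, path, body) {
  const res = await fetch(API + path, {
    method,
    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
    body,
  });
  const json = await res.json();
  if (!json.success) throw new Error(`${method} ${path}: ${JSON.stringify(json.errors)}`);
  return json.result;
}

// Steps 1 to 4 in order; returns the CA id, the associations read back and
// the expression to paste into the step 5 rule.
async function setUpByoca({ token, accountId, zoneId, caPem, caName, hostnames }) {
  const ca = await cfRequest(token, "POST",
    `/accounts/${accountId}/mtls_certificates`, uploadCaBody(caPem, caName));
  const assocPath = `/zones/${zoneId}/certificate_authorities/hostname_associations`;
  await cfRequest(token, "PUT", assocPath,
    hostnameAssociationsBody(hostnames, { mtlsCertificateId: ca.id }));
  const check = await cfRequest(token, "GET",
    `${assocPath}?mtls_certificate_id=${encodeURIComponent(ca.id)}`);
  return { caId: ca.id, hostnames: check.hostnames, ruleExpression: mtlsEnforcementExpression(hostnames) };
}

// Constructed placeholder PEM (not a real certificate) and hostnames.
const SAMPLE_CA_PEM = [
  "-----BEGIN CERTIFICATE-----",
  "MIIBszCCAVmgAwIBAgIUEXAMPLEONLYNOTAREALCERTIFICATE...",
  "-----END CERTIFICATE-----",
].join("\n");
const SAMPLE_HOSTNAMES = ["api.example.com", "sensors.example.com"];

const env = typeof process !== "undefined" ? process.env : {};
if (env.CLOUDFLARE_API_TOKEN && env.ACCOUNT_ID && env.ZONE_ID) {
  setUpByoca({
    token: env.CLOUDFLARE_API_TOKEN,
    accountId: env.ACCOUNT_ID,
    zoneId: env.ZONE_ID,
    caPem: SAMPLE_CA_PEM, // replace with your CA's PEM
    caName: "byoca-example",
    hostnames: SAMPLE_HOSTNAMES,
  }).then(console.log, console.error);
}
```

The `allowEmpty` flag is what the "Delete an uploaded CA" procedure below needs: `hostnameAssociationsBody([], { mtlsCertificateId, allowEmpty: true })` is the only way this helper will emit the association-clearing body, so a script cannot wipe a hostname list by accident.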

### Multiple CAs for one hostname

There can be multiple CAs (Cloudflare-managed or BYOCA) associated with the same hostname. For BYOCA certificates, the most recently deployed certificate will be prioritized.

If you wish to remove the association from the Cloudflare-managed certificate and only use your BYOCA certificate(s):

Dashboard

1. In the Cloudflare dashboard, go to the **Client Certificates** page.  
[ Go to **Client Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates)
2. On the **Hosts** section of the **Client Certificates** card, select **Edit**.
3. Select the cross next to the hostname you want to remove. The list of hostname associations will be updated.
4. Select **Save** to confirm.

API

1. [List the hostname associations](https://developers.cloudflare.com/api/resources/certificate%5Fauthorities/subresources/hostname%5Fassociations/methods/get/) **without** the `mtls_certificate_id` parameter.

   Required API token permissions

   At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
   * `SSL and Certificates Write`
   * `SSL and Certificates Read`

   List Hostname Associations

   ```sh
   curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/certificate_authorities/hostname_associations" \
     --request GET \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```

2. Copy the `hostnames` array returned by the API and update it, removing the hostname that should no longer use the Cloudflare-managed CA.
3. Use the [Replace Hostname Associations endpoint](https://developers.cloudflare.com/api/resources/certificate%5Fauthorities/subresources/hostname%5Fassociations/methods/update/) **without** the `mtls_certificate_id` parameter to perform the action against the Cloudflare-managed CA. For `hostnames` use the list from the previous step.

   Required API token permissions

   At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
   * `SSL and Certificates Write`

   Replace Hostname Associations

   ```sh
   curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/certificate_authorities/hostname_associations" \
     --request PUT \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "hostnames": [
         "<UPDATED_HOSTNAME_ASSOCIATIONS>"
       ]
     }'
   ```

## Delete an uploaded CA

If you want to remove a CA that you have previously uploaded, you must first remove any hostname associations that it has.

1. Make a request to the [Replace Hostname Associations endpoint](https://developers.cloudflare.com/api/resources/certificate%5Fauthorities/subresources/hostname%5Fassociations/methods/update/), with an empty array for `hostnames` and specifying your CA certificate ID in `mtls_certificate_id`:

   ```json
   {
     "hostnames": [],
     "mtls_certificate_id": "<CERTIFICATE_ID>"
   }
   ```

2. Use the [Delete mTLS certificate endpoint](https://developers.cloudflare.com/api/resources/mtls%5Fcertificates/methods/delete/) to delete the certificate.

## List CA hostname associations

You can also use the [API](https://developers.cloudflare.com/api/resources/certificate%5Fauthorities/subresources/hostname%5Fassociations/methods/get/) to list the hostname associations. Make sure you include the query parameter `mtls_certificate_id`, where `mtls_certificate_id` is the certificate ID of the uploaded CA (step 2 above).

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `SSL and Certificates Write`
* `SSL and Certificates Read`

List Hostname Associations

```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/certificate_authorities/hostname_associations?mtls_certificate_id=ID_FROM_STEP_2" \
  --request GET \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```


---

---
title: Client certificate variables
description: When a request includes a client certificate for mTLS authentication, Cloudflare exposes certificate details as variables in the Ruleset Engine and as properties on the Workers request.cf object.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Client certificate variables

When a request includes a client certificate for [mTLS authentication](https://developers.cloudflare.com/ssl/client-certificates/enable-mtls/), Cloudflare exposes certificate details as variables in the Ruleset Engine and as properties on the Workers `request.cf` object.

## Ruleset Engine fields

Client certificate fields are available as [mTLS fields](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/?field-category=mTLS) in Ruleset Engine-based products such as [WAF custom rules](https://developers.cloudflare.com/waf/custom-rules/) and [request header modification rules](https://developers.cloudflare.com/rules/transform/request-header-modification/).

## Workers variables

These variables are also available as part of the [request.cf.tlsClientAuth](https://developers.cloudflare.com/workers/runtime-apis/request/#incomingrequestcfproperties) object via Cloudflare Workers. Refer to the linked Rules language field for the full definition.

Note

Some `tlsClientAuth` properties have a different type than their Rules language field equivalent. Those differences are called out in the following list.

* [request.cf.tlsClientAuth.certRevoked](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frevoked/) — Indicates whether the mTLS client presented a valid but revoked client certificate. In Workers, this is a string (`"1"` for revoked, `"0"` for not revoked) rather than a boolean.
* [request.cf.tlsClientAuth.certVerified](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fverified/) — Indicates whether the mTLS client presented a valid client certificate. In Workers, this is a string (`"SUCCESS"` when valid, `"NONE"` when not present) rather than a boolean. On failure, the string contains the error reason (for example, `"FAILED:unable to get local issuer certificate"`).
* [request.cf.tlsClientAuth.certPresented](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fpresented/) — Indicates whether the mTLS client presented a certificate (valid or not). In Workers, this is a string (`"1"` when a certificate is presented, `"0"` otherwise) rather than a boolean.
* [request.cf.tlsClientAuth.certIssuerDN](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fissuer%5Fdn/) — The Distinguished Name (DN) of the Certificate Authority (CA) that issued the mTLS client certificate.
* [request.cf.tlsClientAuth.certSubjectDN](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fsubject%5Fdn/) — The Distinguished Name (DN) of the owner (or requester) of the mTLS client certificate.
* [request.cf.tlsClientAuth.certIssuerDNRFC2253](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fissuer%5Fdn%5Frfc2253/) — The Distinguished Name (DN) of the Certificate Authority (CA) that issued the mTLS client certificate in [RFC 2253 ↗](https://www.rfc-editor.org/rfc/rfc2253) format.
* [request.cf.tlsClientAuth.certSubjectDNRFC2253](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fsubject%5Fdn%5Frfc2253/) — The Distinguished Name (DN) of the owner (or requester) of the mTLS client certificate in [RFC 2253 ↗](https://www.rfc-editor.org/rfc/rfc2253) format.
* [request.cf.tlsClientAuth.certIssuerDNLegacy](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fissuer%5Fdn%5Flegacy/) — The Distinguished Name (DN) of the Certificate Authority (CA) that issued the mTLS client certificate in a legacy format.
* [request.cf.tlsClientAuth.certSubjectDNLegacy](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fsubject%5Fdn%5Flegacy/) — The Distinguished Name (DN) of the owner (or requester) of the mTLS client certificate in a legacy format.
* [request.cf.tlsClientAuth.certSerial](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fserial/) — Serial number of the mTLS client certificate.
* [request.cf.tlsClientAuth.certIssuerSerial](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fissuer%5Fserial/) — Serial number of the direct issuer of the mTLS client certificate.
* [request.cf.tlsClientAuth.certFingerprintSHA256](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Ffingerprint%5Fsha256/) — The SHA-256 fingerprint of the mTLS client certificate.
* [request.cf.tlsClientAuth.certFingerprintSHA1](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Ffingerprint%5Fsha1/) — The SHA-1 fingerprint of the mTLS client certificate.
* [request.cf.tlsClientAuth.certNotBefore](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fnot%5Fbefore/) — The mTLS client certificate is not valid before this date.
* [request.cf.tlsClientAuth.certNotAfter](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fnot%5Fafter/) — The mTLS client certificate is not valid after this date.
* [request.cf.tlsClientAuth.certSKI](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fski/) — The Subject Key Identifier (SKI) of the mTLS client certificate.
* [request.cf.tlsClientAuth.certIssuerSKI](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fissuer%5Fski/) — The Subject Key Identifier (SKI) of the direct issuer of the mTLS client certificate.
* [request.cf.tlsClientAuth.certRFC9440](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frfc9440/) — The client leaf certificate encoded in [RFC 9440 ↗](https://www.rfc-editor.org/rfc/rfc9440) format (DER, Base64-encoded, colon-wrapped).
* [request.cf.tlsClientAuth.certRFC9440TooLarge](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frfc9440%5Ftoo%5Flarge/) — `true` if the leaf certificate exceeded the 10 KiB encoding limit and was omitted from `certRFC9440`.
* [request.cf.tlsClientAuth.certChainRFC9440](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fchain%5Frfc9440/) — The intermediate certificate chain in [RFC 9440 ↗](https://www.rfc-editor.org/rfc/rfc9440) format as a comma-separated list.
* [request.cf.tlsClientAuth.certChainRFC9440TooLarge](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fchain%5Frfc9440%5Ftoo%5Flarge/) — `true` if the intermediate chain exceeded the 16 KiB encoding limit and was omitted from `certChainRFC9440`.
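The validation result described under "How it works" on the Client certificates page, and the Workers type differences listed above, as an added example that is not Cloudflare's own code. It turns the string-typed `tlsClientAuth` properties into a typed decision and maps that to an HTTP status; the property names and literal values are the documented ones, while the sample objects at the end are constructed for illustration.

```javascript
// Added example (not Cloudflare's code): decode the string-typed
// request.cf.tlsClientAuth properties into a typed decision.
// Property names and literals are the documented ones; samples are constructed.

// In Workers, certPresented and certRevoked are "1"/"0" and certVerified is
// "SUCCESS", "NONE" or "FAILED:<reason>", all strings. A non-empty string is
// truthy, so `if (cf.tlsClientAuth.certPresented)` would accept "0"; compare
// against the documented literals instead.
function parseTlsClientAuth(tlsClientAuth) {
  const auth = tlsClientAuth || {};
  const verified = typeof auth.certVerified === "string" ? auth.certVerified : "NONE";
  const failed = verified.startsWith("FAILED");
  return {
    presented: auth.certPresented === "1",
    verified: verified === "SUCCESS",
    revoked: auth.certRevoked === "1",
    // Text after "FAILED:", e.g. "unable to get local issuer certificate".
    failureReason: failed ? verified.slice("FAILED:".length) || "unknown" : null,
    fingerprintSha256: auth.certFingerprintSHA256 || null,
    subjectDn: auth.certSubjectDNRFC2253 || null,
    issuerDn: auth.certIssuerDNRFC2253 || null,
  };
}

// Decide whether the request may proceed. An absent certificate is a 401
// (the client can retry with one); a certificate that was presented but did
// not chain to an account-level CA, or did but is revoked, is a 403. The
// response reason is generic on purpose; the verbose failure text is for logs.
function authorizeClientCert(tlsClientAuth) {
  const auth = parseTlsClientAuth(tlsClientAuth);
  if (!auth.presented) return { status: 401, reason: "client certificate required", auth };
  if (!auth.verified) return { status: 403, reason: "client certificate not verified", auth };
  if (auth.revoked) return { status: 403, reason: "client certificate revoked", auth };
  return { status: 200, reason: "ok", auth };
}

// Worker entry point (`export default worker` in the real module). mTLS must
// be enabled for the hostname, otherwise tlsClientAuth never carries a cert.
const worker = {
  async fetch(request) {
    const decision = authorizeClientCert(request.cf && request.cf.tlsClientAuth);
    if (decision.status !== 200) {
      console.log("mTLS rejected:", decision.reason, decision.auth.failureReason);
      return new Response(decision.reason, { status: decision.status });
    }
    return new Response(`hello ${decision.auth.subjectDn}`);
  },
};

// Constructed samples in the documented shape (fingerprint and DN are fake).
const SAMPLE_FINGERPRINT = "1f2e3d4c5b6a7988" + "0".repeat(46) + "aa";
const SAMPLE_VERIFIED = {
  certPresented: "1", certVerified: "SUCCESS", certRevoked: "0",
  certFingerprintSHA256: SAMPLE_FINGERPRINT,
  certSubjectDNRFC2253: "CN=sensor-001.devices.example.com,O=Example",
};
const SAMPLE_NONE = { certPresented: "0", certVerified: "NONE", certRevoked: "0" };
const SAMPLE_FAILED = {
  certPresented: "1", certRevoked: "0",
  certVerified: "FAILED:unable to get local issuer certificate",
};
const SAMPLE_REVOKED = { ...SAMPLE_VERIFIED, certRevoked: "1" };
```

In a WAF custom rule the same check is `not cf.tls_client_auth.cert_verified`, where the field is a real boolean; the string comparisons above are only needed on the Workers side.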


---

---
title: Configure your mobile app or IoT device
description: This tutorial demonstrates how to configure your Internet-of-things (IoT) device and mobile application to use client certificates with API Shield.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Configure your mobile app or IoT device

This tutorial demonstrates how to configure your Internet-of-things (IoT) device and mobile application to use client certificates with [API Shield](https://developers.cloudflare.com/api-shield/).

## Scenario details

This walkthrough uses the example of a device that captures temperature readings and transmits them by sending a POST request to a Cloudflare-protected API. A mobile application built in Swift for iOS retrieves those readings and displays them.

To keep this example simple, the API is implemented as a Cloudflare Worker (borrowing code from the [To-Do List tutorial on building a jamstack app](https://developers.cloudflare.com/workers/tutorials/build-a-jamstack-app/)).

Temperatures are stored in [Workers KV](https://developers.cloudflare.com/kv/concepts/how-kv-works/) using the source IP address as a key, but you can easily use a [value from the client certificate](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/), such as the fingerprint.

The example API code below saves a temperature and timestamp into KV when a POST is made and returns the most recent five temperatures when a GET request is made.

```js
// Fresh default per request: a shared module-level object would be mutated by
// `push` below and leak readings between clients served by the same isolate.
const defaultData = () => ({ temperatures: [] });

// TEMPERATURES is the KV namespace binding, reached through `env` in the
// module Worker syntax used by the `export default` handler below.
const getCache = (env, key) => env.TEMPERATURES.get(key);
const setCache = (env, key, data) => env.TEMPERATURES.put(key, data);

async function addTemperature(request, env) {
  // Pull previously recorded temperatures for this client.
  const ip = request.headers.get("CF-Connecting-IP");
  const cacheKey = `data-${ip}`;
  let data;
  const cache = await getCache(env, cacheKey);
  if (!cache) {
    data = defaultData();
    await setCache(env, cacheKey, JSON.stringify(data));
  } else {
    data = JSON.parse(cache);
  }

  // Append the submitted reading (assuming it has both temperature and a timestamp).
  try {
    const body = await request.text();
    const val = JSON.parse(body);

    if (val.temperature && val.time) {
      data.temperatures.push(val);
      await setCache(env, cacheKey, JSON.stringify(data));
      return new Response("", { status: 201 });
    } else {
      return new Response(
        "Unable to parse temperature and/or timestamp from JSON POST body",
        { status: 400 },
      );
    }
  } catch (err) {
    // Malformed JSON is the client's fault; anything else (e.g. KV) is ours.
    // Do not echo the error object to the client.
    const status = err instanceof SyntaxError ? 400 : 500;
    return new Response("Unable to record temperature", { status });
  }
}

function compareTimestamps(a, b) {
  return -1 * (Date.parse(a.time) - Date.parse(b.time));
}

// Return the 5 most recent temperature measurements.
async function getTemperatures(request, env) {
  const ip = request.headers.get("CF-Connecting-IP");
  const cacheKey = `data-${ip}`;

  const cache = await getCache(env, cacheKey);
  if (!cache) {
    return new Response(JSON.stringify(defaultData()), {
      status: 200,
      headers: { "content-type": "application/json" },
    });
  } else {
    const data = JSON.parse(cache);
    const retval = JSON.stringify(
      data.temperatures.sort(compareTimestamps).splice(0, 5),
    );
    return new Response(retval, {
      status: 200,
      headers: { "content-type": "application/json" },
    });
  }
}

export default {
  async fetch(request, env, ctx) {
    return request.method === "POST"
      ? addTemperature(request, env)
      : getTemperatures(request, env);
  },
};
```
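The variant the scenario text suggests, keying the stored readings by a value from the client certificate instead of the source IP, as an added example that is not the tutorial's code. It refuses requests without a verified, unrevoked client certificate and uses the certificate's SHA-256 fingerprint as the KV key, so one device can never read or append to another's record. `env.TEMPERATURES` is assumed to be the KV namespace binding; `memoryKv()` and the sample readings are constructed stand-ins so the code runs offline.

```javascript
// Added example (not the tutorial's code): same temperature API, but the
// caller must present a verified client certificate and readings are stored
// under its SHA-256 fingerprint rather than the source IP. env.TEMPERATURES
// is assumed to be the KV binding; memoryKv() below is a constructed stand-in.

const MAX_READINGS = 5;
const EMPTY = '{"temperatures":[]}';

// Identity comes from the certificate, not the network path: the fingerprint
// is bound to a private key the device holds, whereas CF-Connecting-IP can be
// shared behind NAT or change on mobile networks, so an IP-keyed record could
// expose one device's readings to another. Unverified or revoked certificates
// yield no identity, which the caller turns into a 403.
function clientIdentity(cf) {
  const auth = (cf && cf.tlsClientAuth) || {};
  if (auth.certVerified !== "SUCCESS" || auth.certRevoked === "1") return null;
  return auth.certFingerprintSHA256 || null;
}

async function loadReadings(env, fingerprint) {
  return JSON.parse((await env.TEMPERATURES.get(`data-${fingerprint}`)) || EMPTY);
}

async function addTemperature(env, fingerprint, body) {
  let reading;
  try {
    reading = JSON.parse(body);
  } catch {
    return { status: 400, body: "request body is not valid JSON" };
  }
  // Check types rather than truthiness so 0 degrees is accepted and strings are not.
  if (typeof reading.temperature !== "number" || Number.isNaN(Date.parse(reading.time))) {
    return { status: 400, body: "temperature (number) and time (ISO 8601 string) are required" };
  }
  const data = await loadReadings(env, fingerprint);
  // Store only the two expected fields, not whatever else the client sent.
  data.temperatures.push({ temperature: reading.temperature, time: reading.time });
  await env.TEMPERATURES.put(`data-${fingerprint}`, JSON.stringify(data));
  return { status: 201, body: "" };
}

async function getTemperatures(env, fingerprint) {
  const data = await loadReadings(env, fingerprint);
  const recent = data.temperatures
    .sort((a, b) => Date.parse(b.time) - Date.parse(a.time))
    .slice(0, MAX_READINGS);
  return { status: 200, body: JSON.stringify(recent) };
}

// Request handling kept separate from the Response object so it is testable.
async function handle(env, cf, method, body) {
  const fingerprint = clientIdentity(cf);
  if (!fingerprint) return { status: 403, body: "verified client certificate required" };
  return method === "POST" ? addTemperature(env, fingerprint, body) : getTemperatures(env, fingerprint);
}

// Worker entry point (`export default worker` in the real module).
const worker = {
  async fetch(request, env) {
    const body = request.method === "POST" ? await request.text() : "";
    const r = await handle(env, request.cf, request.method, body);
    const contentType = r.status === 200 ? "application/json" : "text/plain";
    return new Response(r.body, { status: r.status, headers: { "content-type": contentType } });
  },
};

// Constructed stand-in for the KV binding (same async get/put shape, in memory).
function memoryKv() {
  const store = new Map();
  return {
    get: async (key) => (store.has(key) ? store.get(key) : null),
    put: async (key, value) => { store.set(key, value); },
  };
}

// Constructed sample request context and readings (fingerprints are fake).
const SAMPLE_FINGERPRINT = "1f2e3d4c5b6a7988" + "0".repeat(46) + "aa";
const OTHER_FINGERPRINT = "0badf00dcafebabe" + "0".repeat(46) + "bb";
const cfFor = (fp) => ({ tlsClientAuth: { certPresented: "1", certVerified: "SUCCESS", certRevoked: "0", certFingerprintSHA256: fp } });
const SAMPLE_READINGS = [
  { temperature: 36.2, time: "2020-09-28T02:33:08Z" },
  { temperature: 36.7, time: "2020-09-28T02:54:56Z" },
  { temperature: 36.3, time: "2020-09-28T02:57:49Z" },
  { temperature: 36.5, time: "2020-09-28T02:40:00Z" },
  { temperature: 36.9, time: "2020-09-28T03:00:00Z" },
  { temperature: 36.1, time: "2020-09-28T02:20:00Z" },
];
```

Because the rule that enforces mTLS runs before the Worker, `clientIdentity` returning `null` should never happen in production; keeping the check in the Worker means a misconfigured or missing rule fails closed rather than silently serving data keyed by an empty string.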

---

## 1\. Validate API

### POST sample data to API

To validate the API before adding mTLS authentication, POST a random temperature reading:

```sh
$ TEMPERATURE=$(echo $((361 + RANDOM %11)) | awk '{printf("%.2f",$1/10.0)}')
$ TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")

$ echo -e "$TEMPERATURE\n$TIMESTAMP"
36.70
2020-09-28T02:54:56Z

$ curl --verbose --header "Content-Type: application/json" --data '{"temperature":'"$TEMPERATURE"', "time": "'"$TIMESTAMP"'"}' https://shield.upinatoms.com/temps 2>&1 | grep "< HTTP/2"
< HTTP/2 201
```

### GET sample data from API

A GET request to the `temps` endpoint returns the most recent readings, including the one submitted in the example above:

```sh
$ curl --silent https://shield.upinatoms.com/temps | jq .
[
  {
    "temperature": 36.3,
    "time": "2020-09-28T02:57:49Z"
  },
  {
    "temperature": 36.7,
    "time": "2020-09-28T02:54:56Z"
  },
  {
    "temperature": 36.2,
    "time": "2020-09-28T02:33:08Z"
  }
]
```

---

## 2\. Create Cloudflare-issued certificates

Before you can use API Shield to protect your API or web application, create Cloudflare-issued client certificates.

You can [create a client certificate in the Cloudflare dashboard](https://developers.cloudflare.com/ssl/client-certificates/create-a-client-certificate/).

However, since most developers working at scale generate their own private keys and certificate signing requests (CSRs) locally and submit the CSRs via API, this example uses the Cloudflare API to create client certificates.

To create a bootstrap certificate for the iOS application and the IoT device, this example uses [Cloudflare’s public key infrastructure toolkit, CFSSL ↗](https://github.com/cloudflare/cfssl):

Terminal window

```

# Generate a private key and CSR for the iOS device.


$ cat <<'EOF' | tee -a csr.json

{

    "hosts": [

        "ios-bootstrap.devices.upinatoms.com"

    ],

    "CN": "ios-bootstrap.devices.upinatoms.com",

    "key": {

        "algo": "rsa",

        "size": 2048

    },

    "names": [{

        "C": "US",

        "L": "Austin",

        "O": "Temperature Testers, Inc.",

        "OU": "Tech Operations",
        "ST": "Texas"
    }]
}
EOF

$ cfssl genkey csr.json | cfssljson -bare certificate

2020/09/27 21:28:46 [INFO] generate received request
2020/09/27 21:28:46 [INFO] received CSR
2020/09/27 21:28:46 [INFO] generating key: rsa-2048
2020/09/27 21:28:47 [INFO] encoded CSR

$ mv certificate-key.pem ios-key.pem
$ mv certificate.csr ios.csr

# Do the same for the IoT sensor.

$ sed -i.bak 's/ios-bootstrap/sensor-001/g' csr.json
$ cfssl genkey csr.json | cfssljson -bare certificate
...
$ mv certificate-key.pem sensor-key.pem
$ mv certificate.csr sensor.csr

# Now ask that these CSRs be signed by the private CA issued for your zone.
# We need to replace actual newlines in the CSR with '\n' before POSTing.
$ CSR=$(cat ios.csr | perl -pe 's/\n/\\n/g')
$ request_body=$(< <(cat <<EOF
{
  "validity_days": 3650,
  "csr":"$CSR"
}
EOF
))

# Save the response so we can view it and then extract the certificate.
$ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/client_certificates \
  --header "X-Auth-Email: <EMAIL>" \
  --header "X-Auth-Key: <API_KEY>" \
  --header "Content-Type: application/json" \
  --data "$request_body" > response.json

$ cat response.json | jq .
{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "7bf7f70c-7600-42e1-81c4-e4c0da9aa515",
    "certificate_authority": {
      "id": "8f5606d9-5133-4e53-b062-a2e5da51be5e",
      "name": "Cloudflare Managed CA for account 11cbe197c050c9e422aaa103cfe30ed8"
    },
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIEkzCCA...\n-----END CERTIFICATE-----\n",
    "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDITCCA...\n-----END CERTIFICATE REQUEST-----\n",
    "ski": "eb2a48a19802a705c0e8a39489a71bd586638fdf",
    "serial_number": "133270673305904147240315902291726509220894288063",
    "signature": "SHA256WithRSA",
    "common_name": "ios-bootstrap.devices.upinatoms.com",
    "organization": "Temperature Testers, Inc.",
    "organizational_unit": "Tech Operations",
    "country": "US",
    "state": "Texas",
    "location": "Austin",
    "expires_on": "2030-09-26T02:41:00Z",
    "issued_on": "2020-09-28T02:41:00Z",
    "fingerprint_sha256": "84b045d498f53a59bef53358441a3957de81261211fc9b6d46b0bf5880bdaf25",
    "validity_days": 3650
  }
}

# Pull the certificate out of the response and turn the escaped '\n' back into real newlines.
$ cat response.json | jq .result.certificate | perl -npe 's/\\n/\n/g; s/"//g' > ios.pem

# Now ask that the second client certificate signing request be signed.

$ CSR=$(cat sensor.csr | perl -pe 's/\n/\\n/g')
$ request_body=$(< <(cat <<EOF
{
  "validity_days": 3650,
  "csr":"$CSR"
}
EOF
))

# Same call, but extract the certificate from the response in one pipeline.
$ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/client_certificates \
  --header "X-Auth-Email: <EMAIL>" \
  --header "X-Auth-Key: <API_KEY>" \
  --header "Content-Type: application/json" \
  --data "$request_body" | jq .result.certificate | perl -npe 's/\\n/\n/g; s/"//g' > sensor.pem
```
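The same request-body construction and certificate extraction in Python, as an added example that is not part of the Cloudflare page: `json.dumps` performs the newline escaping the perl substitution above does by hand, `json.loads` undoes it on the way back, and a fingerprint check confirms that the PEM you write to disk is the certificate the API reported. The sample CSR and certificate bodies are constructed placeholders, not real X.509 data, and the check assumes `fingerprint_sha256` is the hex SHA-256 of the DER-encoded certificate (the conventional definition).

```python
import base64
import hashlib
import json
from typing import Dict

# Constructed samples: the base64 bodies are placeholders, not real X.509 data.
SAMPLE_CSR_PEM = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    "MIIDITCCAconstructed\n"
    "-----END CERTIFICATE REQUEST-----\n"
)
SAMPLE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIEkzCCAconstructed\n"
    "-----END CERTIFICATE-----\n"
)


def build_sign_request(csr_pem: str, validity_days: int = 3650) -> str:
    """Body for POST /zones/{zone_id}/client_certificates.

    json.dumps turns every real newline in the PEM into the two characters
    backslash and 'n', which is exactly what the perl substitution does by hand.
    """
    return json.dumps({"validity_days": validity_days, "csr": csr_pem})


def pem_to_der(pem: str) -> bytes:
    """Drop the BEGIN/END armour lines and base64-decode the body."""
    body = "".join(
        line.strip() for line in pem.splitlines() if line and not line.startswith("-----")
    )
    return base64.b64decode(body)


def sha256_fingerprint(pem: str) -> str:
    """Hex SHA-256 over the DER encoding (assumed to be how fingerprint_sha256 is computed)."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def extract_certificate(response: Dict) -> str:
    """Return the issued certificate as PEM with real newlines.

    json.loads (or requests' .json()) has already un-escaped the '\\n'
    sequences, so no perl step is needed before writing the file.
    """
    if not response.get("success"):
        raise RuntimeError("API call failed: %s" % response.get("errors"))
    return response["result"]["certificate"]


def fingerprint_matches(response: Dict) -> bool:
    """True when the PEM in the response hashes to the fingerprint the API reported."""
    result = response["result"]
    return sha256_fingerprint(result["certificate"]) == result["fingerprint_sha256"].lower()


# Constructed stand-in for the API response shown above (fingerprint computed to match).
SAMPLE_RESPONSE = {
    "success": True,
    "errors": [],
    "messages": [],
    "result": {
        "certificate": SAMPLE_CERT_PEM,
        "csr": SAMPLE_CSR_PEM,
        "fingerprint_sha256": sha256_fingerprint(SAMPLE_CERT_PEM),
        "validity_days": 3650,
    },
}

if __name__ == "__main__":
    print(build_sign_request(SAMPLE_CSR_PEM))        # escaped CSR, ready for --data
    pem = extract_certificate(SAMPLE_RESPONSE)
    print(pem, "fingerprint ok:", fingerprint_matches(SAMPLE_RESPONSE))
```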

---

## 3. Embed the client certificate in your mobile app

To configure the mobile app to securely request temperature data submitted by the IoT device, embed the client certificate in the mobile app.

For simplicity, this example embeds a “bootstrap” certificate and key in the application bundle as a PKCS#12-formatted file:

```sh
$ openssl pkcs12 -export -out bootstrap-cert.pfx -inkey ios-key.pem -in ios.pem
Enter Export Password:
Verifying - Enter Export Password:
```

In a real-world deployment, a bootstrap certificate should only be used in conjunction with users' credentials to authenticate with an API endpoint that can return a unique user certificate. Corporate users will want to use mobile device management (MDM) to distribute certificates.

### Embed the client certificate in an Android app

The following is an example of how you may use a client certificate in an Android app to make HTTP calls. You need to add the following permission in `AndroidManifest.xml` to allow an Internet connection.

```xml
<uses-permission android:name="android.permission.INTERNET" />
```

For demonstration purposes, the certificate in this example is stored in `app/src/main/res/raw/cert.pem` and the private key is stored in `app/src/main/res/raw/key.pem`. You may also store these files in other secure ways.

The following example uses an `OkHttpClient`, but you may also use other clients such as `HttpURLConnection` in similar ways. The key is to use the `SSLSocketFactory`.

```java
// Imports added for completeness. This method is assumed to live in an Activity
// (or another Context subclass) so that getResources() is available.
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.Charset;
import java.security.KeyFactory;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

private OkHttpClient setUpClient() {
    try {
        final String SECRET = "secret"; // You may also store this String somewhere more secure.
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");

        // Get private key. PKCS8EncodedKeySpec needs a PKCS#8 key ("BEGIN PRIVATE KEY");
        // convert a PKCS#1 key ("BEGIN RSA PRIVATE KEY") first with openssl pkcs8 -topk8 -nocrypt.
        InputStream privateKeyInputStream = getResources().openRawResource(R.raw.key);
        byte[] privateKeyByteArray = new byte[privateKeyInputStream.available()];
        privateKeyInputStream.read(privateKeyByteArray);
        privateKeyInputStream.close();

        // Strip the PEM armour and all whitespace (LF or CRLF), leaving the base64 body
        String privateKeyContent = new String(privateKeyByteArray, Charset.defaultCharset())
                .replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", "");

        byte[] rawPrivateKeyByteArray = Base64.getDecoder().decode(privateKeyContent);
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(rawPrivateKeyByteArray);

        // Get certificate
        InputStream certificateInputStream = getResources().openRawResource(R.raw.cert);
        Certificate certificate = certificateFactory.generateCertificate(certificateInputStream);
        certificateInputStream.close();

        // Set up KeyStore holding the client key pair under the alias "client"
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, SECRET.toCharArray());
        keyStore.setKeyEntry("client", keyFactory.generatePrivate(keySpec), SECRET.toCharArray(), new Certificate[]{certificate});

        // Set up Trust Managers (null KeyStore = the platform's default CA trust store)
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init((KeyStore) null);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

        // Set up Key Managers, which present the client certificate during the handshake
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, SECRET.toCharArray());
        KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

        // Obtain SSL Socket Factory
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyManagers, trustManagers, new SecureRandom());
        SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

        // Finally, return the client, which will then be used to make HTTP calls.
        OkHttpClient client = new OkHttpClient.Builder()
                .sslSocketFactory(sslSocketFactory, (X509TrustManager) trustManagers[0])
                .build();

        return client;

    } catch (CertificateException | IOException | NoSuchAlgorithmException | KeyStoreException | UnrecoverableKeyException | KeyManagementException | InvalidKeySpecException e) {
        e.printStackTrace();
        return null;
    }
}
```

The above function returns an `OkHttpClient` embedded with the client certificate. You can now use this client to make HTTP requests to your API endpoint protected with mTLS.

---

## 4. Embed the client certificate on your IoT device

To prepare the IoT device for secure communication with the API endpoint, embed the certificate on the device and configure the device to use the certificate when making POST requests.

This example assumes the private key has been securely copied to `/etc/ssl/private/sensor-key.pem` and the certificate to `/etc/ssl/certs/sensor.pem`.

The sample script is modified to point to these files:

```python
import json
from datetime import datetime, timezone

import requests

# Placeholder reading; on the device this value comes from the sensor driver.
temp_measurement = 36.5


def readSensor():
    # Takes a reading from the temperature sensor (held in temp_measurement)
    # and timestamps it in UTC, so the trailing 'Z' is accurate.
    dateTimeObj = datetime.now(timezone.utc)
    timestampStr = dateTimeObj.strftime('%Y-%m-%dT%H:%M:%SZ')

    measurement = {'temperature': str(temp_measurement), 'time': timestampStr}
    return measurement


def main():
    print("Cloudflare API Shield [IoT device demonstration]")

    temperature = readSensor()
    payload = json.dumps(temperature)

    url = 'https://shield.upinatoms.com/temps'
    json_headers = {'Content-Type': 'application/json'}
    # (certificate, private key): requests presents them when Cloudflare asks for a client certificate
    cert_file = ('/etc/ssl/certs/sensor.pem', '/etc/ssl/private/sensor-key.pem')

    r = requests.post(url, headers=json_headers, data=payload, cert=cert_file)

    print("Request body: ", r.request.body)
    print("Response status code: %d" % r.status_code)


if __name__ == '__main__':
    main()
```

When the script connects to `https://shield.upinatoms.com/temps`, Cloudflare requests a client certificate and the script sends the contents of `/etc/ssl/certs/sensor.pem`. Then, as required to complete the SSL/TLS handshake, the script demonstrates it has possession of `/etc/ssl/private/sensor-key.pem`.

Without the client certificate, Cloudflare rejects the request:

```
Cloudflare API Shield [IoT device demonstration]
Request body:  {"temperature": "36.5", "time": "2020-09-28T15:52:19Z"}
Response status code: 403
```

When the IoT device presents a valid client certificate, the POST request succeeds and the temperature reading is recorded:

```
Cloudflare API Shield [IoT device demonstration]
Request body:  {"temperature": "36.5", "time": "2020-09-28T15:56:45Z"}
Response status code: 201
```

---

## 5. Enable mTLS

After creating Cloudflare-issued certificates, the next step is to [enable mTLS](https://developers.cloudflare.com/ssl/client-certificates/enable-mtls/) for the hosts you want to protect with API Shield.

---

## 6. Configure API Shield to require client certificates

To configure API Shield to require client certificates, [create a mTLS rule](https://developers.cloudflare.com/api-shield/security/mtls/configure/#create-an-mtls-rule).


---

---
title: Create a client certificate
description: To create a client certificate on the Cloudflare dashboard:
image: https://developers.cloudflare.com/core-services-preview.png
---


# Create a client certificate

To create a client certificate on the Cloudflare dashboard:

1. In the Cloudflare dashboard, go to the **Client Certificates** page.  
   [ Go to **Client Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates)
2. Select **Create Certificate** and fill in the required fields. You can choose one of the following options:
   * Generate a private key and Certificate Signing Request (CSR) with Cloudflare.
   * Use your own private key and CSR. This option allows you to also [label client certificates](https://developers.cloudflare.com/ssl/client-certificates/label-client-certificate/).

     Example OpenSSL command: to generate and use your own CSR, you can run a command like the following:

     ```sh
     openssl req -new -newkey rsa:2048 -nodes -keyout client1.key -out client1.csr -subj '/C=GB/ST=London/L=London/O=Organization/CN=CommonName'
     ```

Note

Client certificates created on the dashboard are issued by a [Cloudflare-managed CA](https://developers.cloudflare.com/ssl/client-certificates/#how-it-works). If you need to use certificates issued by another CA, use the API to [bring your own CA](https://developers.cloudflare.com/ssl/client-certificates/byo-ca/) instead.

3. Select a value for **Certificate Validity**, and choose **Create**.
4. Make sure to copy the certificate and private key as they will no longer be displayed after creation.
5. Select **OK** to confirm.

## Next steps

After creating the client certificate, make sure it is installed on the client devices and [enable mTLS](https://developers.cloudflare.com/ssl/client-certificates/enable-mtls/) for each hostname that should require a certificate from clients.

Refer to our [mTLS at Cloudflare learning path](https://developers.cloudflare.com/learning-paths/mtls/concepts/) for further context.


---

---
title: Enable mTLS
description: You can enable mutual Transport Layer Security (mTLS) for any hostname. For more information, refer to the Client certificates overview.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Enable mTLS

You can enable mutual Transport Layer Security (mTLS) for any hostname. For more information, refer to the [Client certificates overview](https://developers.cloudflare.com/ssl/client-certificates/).

To enable mTLS for a host from the Cloudflare dashboard:

1. In the Cloudflare dashboard, go to the **Client Certificates** page.  
[ Go to **Client Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates)
2. On the **Hosts** section of the **Client Certificates** card, select **Edit**.
3. Enter the name of a host in your current domain.

Note

The domain (`example.com`) is automatically appended for you. This means that, if you want to enable mTLS for `abc.example.com`, you only need to type `abc`.

4. Select **Save** to confirm.

## CAs in use

As explained in the [Client certificates overview](https://developers.cloudflare.com/ssl/client-certificates/#how-it-works), Cloudflare validates client certificates against CAs set at account level. This means that these certificates can be used for validation across multiple zones/domains (`example.com`), as long as the zones are under the same Cloudflare account and you have enabled mTLS for the host.

Bring your own CA

If you need to use your own CA (instead of the Cloudflare Managed CA), refer to [BYOCA](https://developers.cloudflare.com/ssl/client-certificates/byo-ca/). This is an API-only option, available on Enterprise accounts. In this case, certificates and hostname associations are **not** listed on your dashboard.

## Next steps

After enabling mTLS for your host, you can:

* Enforce mTLS with a WAF custom rule. Select **Create mTLS Rule** on the dashboard to use a template, or refer to our [mTLS at Cloudflare learning path](https://developers.cloudflare.com/learning-paths/mtls/mtls-app-security/#3-validate-the-client-certificate-in-the-waf) for further guidance.
* Enforce mTLS with [API Shield](https://developers.cloudflare.com/api-shield/security/mtls/configure/). While API Shield is **not required** to use mTLS, many teams may use mTLS to protect their APIs.


---

---
title: Forward certificate to server
description: RFC 9440 defines the Client-Cert and Client-Cert-Chain HTTP header fields for passing client certificate information to origin servers. You can construct these headers using request header modification rules with the following Ruleset Engine fields:
image: https://developers.cloudflare.com/core-services-preview.png
---


# Forward certificate to server

## Add Client-Cert and Client-Cert-Chain headers (RFC 9440)

[RFC 9440 ↗](https://datatracker.ietf.org/doc/html/rfc9440) defines the `Client-Cert` and `Client-Cert-Chain` HTTP header fields for passing client certificate information to origin servers. You can construct these headers using [request header modification rules](https://developers.cloudflare.com/rules/transform/request-header-modification/) with the following Ruleset Engine fields:

* [cf.tls_client_auth.cert_rfc9440](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frfc9440/) — The client leaf certificate encoded in RFC 9440 formatting (see reference).
* [cf.tls_client_auth.cert_chain_rfc9440](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fchain%5Frfc9440/) — The certificate chain (excluding the leaf certificate) encoded in RFC 9440 formatting (see reference).

As indicated in field definitions, the fields may be set to either an empty string or a valid RFC 9440 encoding. Proper usage depends on a couple of factors discussed in the following sections.

### Security considerations

Important

Before constructing `Client-Cert` or `Client-Cert-Chain` headers, you must address the following security concerns. Failing to do so can expose your origin server to forged or unverified certificate data.

The `cert_rfc9440` and `cert_chain_rfc9440` fields are populated **regardless of the certificate validation result**. This means a client can present an invalid, expired, or self-signed certificate, and the fields will still contain the encoded certificate data. Always check the following fields before trusting the values:

* [cf.tls_client_auth.cert_verified](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fverified/) — Returns `true` when the client certificate is valid.
* [cf.tls_client_auth.cert_revoked](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frevoked/) — Returns `true` when the client certificate has been revoked.

A client can also include its own `Client-Cert` or `Client-Cert-Chain` headers on a request to inject arbitrary values. As described in the [RFC 9440 security considerations ↗](https://datatracker.ietf.org/doc/html/rfc9440#name-security-considerations), you must unconditionally remove any existing `Client-Cert` and `Client-Cert-Chain` headers from incoming requests, regardless of certificate validity. This prevents a client from injecting forged certificate data that your origin would trust.

See [Enable mTLS](https://developers.cloudflare.com/ssl/client-certificates/enable-mtls/) for details on how to configure mTLS and certificate validation.

### Size limits

The encoded leaf certificate is limited to 10 KiB and the encoded chain is limited to 16 KiB. If the encoded value exceeds the limit, the corresponding field contains an empty string. Use the following fields to check for this condition:

* [cf.tls_client_auth.cert_rfc9440_too_large](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Frfc9440%5Ftoo%5Flarge/) — Returns `true` when the encoded certificate exceeds 10 KiB.
* [cf.tls_client_auth.cert_chain_rfc9440_too_large](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/cf.tls%5Fclient%5Fauth.cert%5Fchain%5Frfc9440%5Ftoo%5Flarge/) — Returns `true` when the encoded chain exceeds 16 KiB.

### Example Transform Rules

Here is an example of how to use these fields securely to construct trusted `Client-Cert` and `Client-Cert-Chain` headers that are forwarded to your origin. The origin can then rely on the presence of the headers to be certain the client presented a valid certificate. Note: the `Client-Cert-Chain` header may be omitted when the client did not present any intermediates (only a leaf certificate).

You need to create the following request header modification rules. The **Remove** rules must be placed before the **Set dynamic** rules so that client-injected headers are stripped on every request before the validated values are set.

#### Rule 1 — Remove Client-Cert header

This rule unconditionally removes any `Client-Cert` header sent by the client.

Text in **Expression Editor**:

```
true
```

Selected operation under **Modify request header**: _Remove_

**Header name**: `Client-Cert`

#### Rule 2 — Remove Client-Cert-Chain header

This rule unconditionally removes any `Client-Cert-Chain` header sent by the client.

Text in **Expression Editor**:

```
true
```

Selected operation under **Modify request header**: _Remove_

**Header name**: `Client-Cert-Chain`

#### Rule 3 — Set Client-Cert header

This rule sets the `Client-Cert` header only when the client presented a valid, non-revoked certificate that is within the size limit.

Text in **Expression Editor**:

```
cf.tls_client_auth.cert_verified
and not cf.tls_client_auth.cert_revoked
and not cf.tls_client_auth.cert_rfc9440_too_large
```

Selected operation under **Modify request header**: _Set dynamic_

**Header name**: `Client-Cert`

**Value**: `cf.tls_client_auth.cert_rfc9440`

#### Rule 4 — Set Client-Cert-Chain header

This rule sets the `Client-Cert-Chain` header only when the client presented a valid, non-revoked certificate and the chain is non-empty and within the size limit.

Text in **Expression Editor**:

```
cf.tls_client_auth.cert_verified
and not cf.tls_client_auth.cert_revoked
and cf.tls_client_auth.cert_chain_rfc9440 ne ""
and not cf.tls_client_auth.cert_chain_rfc9440_too_large
```

Selected operation under **Modify request header**: _Set dynamic_

**Header name**: `Client-Cert-Chain`

**Value**: `cf.tls_client_auth.cert_chain_rfc9440`
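The following Python models both ends of the four rules above, as an added example that is not Cloudflare's code: the edge side applies the Remove rules before the Set dynamic rules and only sets a header when `cert_verified` holds, `cert_revoked` does not, the encoding is within its size limit and (for the chain) the chain is non-empty; the origin side decodes the resulting RFC 9440 values back into DER. The `TlsClientAuth` class is a constructed stand-in for the `cf.tls_client_auth.*` fields, and the DER blobs are placeholders rather than real certificates.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Size limits stated above for the encoded values.
LEAF_LIMIT = 10 * 1024
CHAIN_LIMIT = 16 * 1024

# Constructed placeholder DER blobs (not real certificates).
LEAF_DER = b"constructed-leaf-certificate-der"
INTERMEDIATES_DER = [b"constructed-intermediate-1", b"constructed-intermediate-2"]


def sf_byte_sequence(der: bytes) -> str:
    """RFC 9440 carries each certificate as an RFC 8941 Byte Sequence: ':base64:'."""
    return ":" + base64.b64encode(der).decode("ascii") + ":"


@dataclass
class TlsClientAuth:
    """Constructed stand-in for the cf.tls_client_auth.* fields the rules read."""
    cert_verified: bool = False
    cert_revoked: bool = False
    leaf_der: Optional[bytes] = None              # None: no certificate presented
    intermediates_der: List[bytes] = field(default_factory=list)

    def _chain_encoding(self) -> str:
        # RFC 8941 List of Byte Sequences; the leaf is excluded, as documented above.
        return ", ".join(sf_byte_sequence(d) for d in self.intermediates_der)

    @property
    def cert_rfc9440_too_large(self) -> bool:
        return self.leaf_der is not None and len(sf_byte_sequence(self.leaf_der)) > LEAF_LIMIT

    @property
    def cert_rfc9440(self) -> str:
        # Populated whenever a certificate was presented, even one that failed
        # validation; empty when nothing was presented or the limit is exceeded.
        if self.leaf_der is None or self.cert_rfc9440_too_large:
            return ""
        return sf_byte_sequence(self.leaf_der)

    @property
    def cert_chain_rfc9440_too_large(self) -> bool:
        return bool(self.intermediates_der) and len(self._chain_encoding()) > CHAIN_LIMIT

    @property
    def cert_chain_rfc9440(self) -> str:
        if not self.intermediates_der or self.cert_chain_rfc9440_too_large:
            return ""
        return self._chain_encoding()


def apply_transform_rules(headers: Dict[str, str], auth: TlsClientAuth) -> Dict[str, str]:
    """Edge side: the four rules, Remove rules first, then Set dynamic."""
    out = dict(headers)
    # Rules 1 and 2 (expression `true`): drop whatever the client sent, unconditionally.
    out.pop("Client-Cert", None)
    out.pop("Client-Cert-Chain", None)
    trusted = auth.cert_verified and not auth.cert_revoked
    # Rule 3: only a verified, non-revoked, size-limited leaf reaches the origin.
    if trusted and not auth.cert_rfc9440_too_large:
        out["Client-Cert"] = auth.cert_rfc9440
    # Rule 4: the chain header additionally requires a non-empty chain.
    if trusted and auth.cert_chain_rfc9440 != "" and not auth.cert_chain_rfc9440_too_large:
        out["Client-Cert-Chain"] = auth.cert_chain_rfc9440
    return out


_BYTE_SEQ = re.compile(r"^:([A-Za-z0-9+/]*={0,2}):$")


def parse_byte_sequence(item: str) -> bytes:
    """Origin side: decode one ':base64:' item, rejecting anything malformed."""
    match = _BYTE_SEQ.match(item.strip())
    if match is None:
        raise ValueError("not an RFC 8941 byte sequence: %r" % item)
    return base64.b64decode(match.group(1), validate=True)


def origin_client_certificates(headers: Dict[str, str]) -> Optional[List[bytes]]:
    """Origin side: [leaf, *intermediates] as DER, or None when the edge set no header."""
    leaf = headers.get("Client-Cert")
    if leaf is None:
        return None
    chain = [parse_byte_sequence(leaf)]
    if "Client-Cert-Chain" in headers:
        chain += [parse_byte_sequence(i) for i in headers["Client-Cert-Chain"].split(",")]
    return chain
```

Because `apply_transform_rules` strips the client-supplied header before anything is set, a forged `Client-Cert` never survives, even when the client also presented a certificate that failed validation.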

### Cloudflare Workers

You can also construct RFC 9440 headers in a [Cloudflare Worker](https://developers.cloudflare.com/workers/) using the [tlsClientAuth](https://developers.cloudflare.com/ssl/client-certificates/client-certificate-variables/#workers-variables) properties on the incoming request.

The same security considerations mentioned above apply.

## Forward a client certificate (legacy)

In addition to enforcing mTLS authentication for your host, you can also forward a client certificate to your origin server as an HTTP header. This setup is often helpful for server logging.

To avoid adding the certificate to every single request, the certificate is only forwarded on the first request of an mTLS connection.

Warning

This process is only available on accounts with [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/).

### Cloudflare API

The most common approach to forwarding a certificate is to use the Cloudflare API to [update an mTLS certificate's hostname settings](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/access/subresources/certificates/subresources/settings/methods/update/).

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Access: Mutual TLS Certificates Write`

Update an mTLS certificate's hostname settings

```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/access/certificates/settings" \
  --request PUT \
  --header "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  --header "X-Auth-Key: $CLOUDFLARE_API_KEY" \
  --json '{
    "settings": [
        {
            "hostname": "<HOSTNAME>",
            "china_network": false,
            "client_certificate_forwarding": true
        }
    ]
  }'
```

Once `client_certificate_forwarding` is set to `true`, every request within an mTLS connection will now include the following headers:

* `Cf-Client-Cert-Der-Base64`
* `Cf-Client-Cert-Sha256`

Note

The `Cf-Client-Cert-Der-Base64` and `Cf-Client-Cert-Sha256` headers are a Cloudflare-proprietary mechanism. For a standardized approach, use [RFC 9440 Client-Cert and Client-Cert-Chain headers](https://developers.cloudflare.com/ssl/client-certificates/forward-a-client-certificate/#add-client-cert-and-client-cert-chain-headers-rfc-9440).

### Managed Transforms

You can also [modify HTTP response headers](https://developers.cloudflare.com/rules/transform/response-header-modification/) using Managed Transforms to pass along **TLS client auth headers**.

### Cloudflare Workers

Additionally, Workers can provide details around the [client certificate](https://developers.cloudflare.com/workers/runtime-apis/bindings/mtls/).

```js
const tlsHeaders = {
  "X-CERT-ISSUER-DN": request.cf.tlsClientAuth.certIssuerDN,
  "X-CERT-SUBJECT-DN": request.cf.tlsClientAuth.certSubjectDN,
  "X-CERT-ISSUER-DN-L": request.cf.tlsClientAuth.certIssuerDNLegacy,
  "X-CERT-SUBJECT-DN-L": request.cf.tlsClientAuth.certSubjectDNLegacy,
  "X-CERT-SERIAL": request.cf.tlsClientAuth.certSerial,
  "X-CERT-FINGER": request.cf.tlsClientAuth.certFingerprintSHA1,
  "X-CERT-VERIFY": request.cf.tlsClientAuth.certVerify,
  "X-CERT-NOTBE": request.cf.tlsClientAuth.certNotBefore,
  "X-CERT-NOTAF": request.cf.tlsClientAuth.certNotAfter,
};
```


---

---
title: Label client certificates
description: After creating client certificates at Cloudflare, it may be hard to differentiate the generated certificates.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Label client certificates

After [creating client certificates](https://developers.cloudflare.com/ssl/client-certificates/) at Cloudflare, it may be hard to differentiate the generated certificates.

## Root Cause

The option to generate the private key and CSR with Cloudflare is meant for simpler cases: the resulting certificates carry just "CN=Cloudflare, C=US" as their subject, so they all look alike.

## Solution

If you need to differentiate client certificates for your clients on a per-organization basis, you can generate your own private key and CSR. When you generate the private key and CSR, you can then enter information that will be incorporated into your certificate request.

For example, if you run the following command (with OpenSSL installed):

```sh
openssl req -new -newkey rsa:2048 -nodes -keyout client1.key -out client1.csr
```

You can then specify:

```
Country Name (2 letter code) []:
State or Province Name (full name) []:
Locality Name (eg, city) []:
Organization Name (eg, company) []:
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:
Email Address []:
```

Usually, adding `Country Name` and `Organization Name` is enough, but you can provide as much information as you need or want.

The additional information will be included in the **Certificate Subject**, allowing you to easily identify which certificate belongs to which client. This can also make it easier to revoke a specific certificate when needed.

The following image shows how a certificate with `Country Name`, `Organization Name`, and `Organizational Unit Name` looks on the Cloudflare dashboard:

![](https://developers.cloudflare.com/_astro/chrome_mQRJVOpkTQ.BiKeZMXO_sl7oA.webp) 


---

---
title: Revoke a client certificate
description: You can revoke a client certificate you previously generated with the default Cloudflare Managed CA.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Revoke a client certificate

You can revoke a client certificate you previously generated with the default [Cloudflare Managed CA](https://developers.cloudflare.com/ssl/client-certificates/).

It is not possible to permanently delete client certificates generated with the default Cloudflare Managed CA. Once revoked, these client certificates will still be listed on the [**Client Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates) page, and can be restored at any time.

## Steps

1. In the Cloudflare dashboard, go to the **Client Certificates** page.  
[ Go to **Client Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/client-certificates)
2. Select the certificate you want to revoke.
3. Select **Revoke** and confirm the operation.

Important

After revoking a certificate, you must update any mTLS rules that check for the presence of a client certificate so that they block all requests that include a revoked certificate.

For more information, refer to [Check for revoked certificates](https://developers.cloudflare.com/api-shield/security/mtls/configure/#check-for-revoked-certificates).


---

---
title: Troubleshooting
description: Troubleshoot issues with client certificates
image: https://developers.cloudflare.com/core-services-preview.png
---


# Troubleshooting

If your query returns an error even after configuring and embedding a client SSL certificate, check the following settings.

Note

Before troubleshooting, disable VPNs and proxies. These can interfere with the mTLS handshake.

---

## Check SSL/TLS handshake

On your terminal, use the following command to check whether an SSL/TLS connection can be established successfully between the client and the API endpoint.

```sh
curl --verbose --cert /path/to/certificate.pem --key /path/to/key.pem https://your-api-endpoint.com
```

If the SSL/TLS handshake cannot be completed, check whether the certificate and the private key are correct. If the handshake completes but requests are still blocked, confirm that Cloudflare is verifying the client certificate.

---

## Check mTLS hosts

Check whether [mTLS has been enabled](https://developers.cloudflare.com/ssl/client-certificates/enable-mtls/) for the correct host. The host should match the API endpoint that you want to protect.

---

## Review mTLS rules

To review mTLS rules, consider the steps below. For further guidance refer to [Custom rules](https://developers.cloudflare.com/waf/custom-rules/create-dashboard/).

1. In the Cloudflare dashboard, go to the **Security rules** page.  
   [ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. On a specific rule, select **Edit**.
3. On that rule, check whether:
   * The Expression Preview is correct.
   * The hostname, if defined, matches your API endpoint. For example, for the API endpoint `api.trackers.ninja/time`, the rule should look like:

     ```
     (http.host in {"api.trackers.ninja"} and not cf.tls_client_auth.cert_verified)
     ```
4. To edit the rule, either use the user interface or select **Edit expression**.

---

## Advanced debugging

You can use [Cloudflare Workers](https://developers.cloudflare.com/workers/) to debug client certificate validation failures.

1. Create a Worker that logs and returns [cf.properties](https://developers.cloudflare.com/workers/runtime-apis/request/#incomingrequestcfproperties):

   ```js
   export default {
     async fetch(request, env, ctx) {
       // Log the full request.cf object and echo it back so the handshake fields can be inspected.
       console.info({ message: JSON.stringify(request.cf, null, 2) });
       return new Response(JSON.stringify(request.cf, null, 2));
     },
   };
   ```
2. Associate the Worker with the hostname where mTLS is enabled using a [Worker route](https://developers.cloudflare.com/workers/configuration/routing/routes/) or a [Custom Domain](https://developers.cloudflare.com/workers/configuration/routing/custom-domains/).
3. Make requests to the hostname and/or path configured, with and without sending the mTLS client certificate.
4. View your logs on the [Observability](https://developers.cloudflare.com/workers/observability/) dashboard and compare the responses against the expected values listed below.
   [ Go to **Observability** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages/observability)

   * Valid certificate:

     ```
     "tlsClientAuth": {
       "certPresented": "1",
       "certVerified": "SUCCESS",
     },
     ```
   * Invalid certificate (for example, a self-signed certificate):

     ```
     "tlsClientAuth": {
       "certPresented": "1",
       "certVerified": "FAILED:self signed certificate",
     },
     ```
   * No certificate:

     ```
     "tlsClientAuth": {
       "certPresented": "0",
       "certVerified": "NONE",
     },
     ```
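As an added example that is not part of Cloudflare's documentation or Workers code, the following Worker-style handler maps the `request.cf.tlsClientAuth` fields to the three outcomes listed above and echoes back only those handshake fields instead of the whole `request.cf` object. The `fetch` handler shape and the `tlsClientAuth`, `certPresented` and `certVerified` names are the ones Workers expose; the `classifyClientAuth` and `debugPayload` helpers and the `SAMPLE_CF` objects are constructed here from the documented values.

```javascript
// Added example (not Cloudflare's code): classify request.cf.tlsClientAuth in a Worker.
// Field names (tlsClientAuth, certPresented, certVerified) are the ones Workers expose;
// the sample objects at the bottom are constructed from the documented values.

const OUTCOMES = Object.freeze({ VALID: "valid", INVALID: "invalid", NONE: "none" });

// Pure classification so it can be exercised outside the Workers runtime.
function classifyClientAuth(tlsClientAuth) {
  if (!tlsClientAuth || tlsClientAuth.certPresented !== "1") {
    // Nothing was presented during the handshake: certVerified reads "NONE".
    return { outcome: OUTCOMES.NONE, detail: tlsClientAuth ? tlsClientAuth.certVerified : "absent" };
  }
  if (tlsClientAuth.certVerified === "SUCCESS") {
    return { outcome: OUTCOMES.VALID, detail: "SUCCESS" };
  }
  // Presented but not verified, e.g. "FAILED:self signed certificate"; keep the reason for logs.
  return { outcome: OUTCOMES.INVALID, detail: tlsClientAuth.certVerified };
}

// Debug payload limited to the handshake fields, so the debug endpoint does not echo
// everything in request.cf (ASN, geolocation, and so on) to whoever reaches it.
function debugPayload(cf) {
  const auth = cf ? cf.tlsClientAuth : undefined;
  const { outcome, detail } = classifyClientAuth(auth);
  return {
    outcome,
    certPresented: auth ? auth.certPresented : "0",
    certVerified: auth ? auth.certVerified : "NONE",
    detail,
  };
}

// Worker entry point; in a deployed Worker this object is the `export default`.
const worker = {
  async fetch(request) {
    const payload = debugPayload(request.cf);
    console.info({ message: JSON.stringify(payload) });
    // Only a verified certificate gets a 200, mirroring what the mTLS rule should enforce.
    return new Response(JSON.stringify(payload, null, 2), {
      status: payload.outcome === OUTCOMES.VALID ? 200 : 403,
      headers: { "content-type": "application/json" },
    });
  },
};

// Constructed sample cf objects matching the three documented cases.
const SAMPLE_CF = {
  valid: { tlsClientAuth: { certPresented: "1", certVerified: "SUCCESS" } },
  selfSigned: { tlsClientAuth: { certPresented: "1", certVerified: "FAILED:self signed certificate" } },
  none: { tlsClientAuth: { certPresented: "0", certVerified: "NONE" } },
};
```

Run the three requests described in step 3 against a Worker built from `worker` and compare the `outcome` field with the `certVerified` value you expect; a request that lands as `none` while you are sending a certificate points at the client side (the certificate or key file), while `invalid` points at the certificate not chaining to the CA Cloudflare is verifying against.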


---

---
title: mTLS for Zero Trust
image: https://developers.cloudflare.com/core-services-preview.png
---


# mTLS for Zero Trust


---

---
title: Cloudflare for SaaS
image: https://developers.cloudflare.com/core-services-preview.png
---


# Cloudflare for SaaS


---

---
title: Keyless SSL
description: Keyless SSL allows security-conscious clients to upload their own custom certificates and benefit from Cloudflare, but without exposing their TLS private keys.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Keyless SSL

Keyless SSL allows security-conscious clients to upload their own custom certificates and benefit from Cloudflare, but without exposing their TLS private keys.

  
Before configuring Keyless SSL, you should read our [technical background ↗](https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/) on how the technology works and where your infrastructure sits within the scope of the TLS handshake.

The source code for our key server (what you will run) and keyless client (what our servers will contact your key server with) can be [found on GitHub ↗](https://github.com/cloudflare/gokeyless).

---

## Availability

|              | Free | Pro | Business | Enterprise  |
| ------------ | ---- | --- | -------- | ----------- |
| Availability | No   | No  | No       | Paid add-on |

Keyless SSL is only available to Enterprise customers that maintain their own SSL certificate purchased from a valid Certificate Authority. Cloudflare does not supply any certificates for use with Keyless SSL.

---

## Limitations

TLS 1.3 is not supported for Keyless SSL.


---

---
title: Cloudflare Tunnel
description: Through an integration with Cloudflare Tunnel, you can send traffic to a key server through a secure channel and avoid exposing your key server to the public Internet.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Cloudflare Tunnel

Through an integration with [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/), you can send traffic to a key server through a secure channel and avoid exposing your key server to the public Internet.

---

## Before you begin

### Supported platforms

Keyless has been tested on `amd64` and `arm` architectures. The key server binary will likely run on all architectures that Go supports. Code support may exist for other CPUs too, but these other architectures have not been tested.

In addition to running on bare metal, the key server should run without issue in a virtualized or containerized environment. Care will need to be taken to configure ingress access to the appropriate TCP port and file system access to private keys (if using filesystem storage).

### Supported operating systems

You will need to have a supported operating system (OS) to run Keyless. Supported operating systems include:

* Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, 22.10
* Debian 8, 9, 10, 11, 12
* RHEL and CentOS 6, 7, 8, 9
* Amazon Linux 1, 2

We strongly recommend that you use an operating system still supported by the vendor (still receiving security updates) as your key server will have access to your private keys.

---

## 1\. Install `cloudflared` on key server

First, install `cloudflared` on your key server.

This process differs depending on whether you are using the [command line](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/) or the [Cloudflare dashboard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/).

  
## 2\. Create a Tunnel

Then, create a Cloudflare Tunnel.

This process differs depending on whether you are using the [command line](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/create-local-tunnel/) or the [Cloudflare dashboard](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/).

  
In these steps, you should choose the option to **Connect a network** and use the private IP address of your key server.

After you create the Tunnel, use the Cloudflare API to [List tunnel routes](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/routes/methods/list/), saving the following values for a future step:

* `"virtual_network_id"`
* `"network"`

## 3\. Upload Keyless SSL Certificates

Before your key servers can be configured, you must next upload the corresponding SSL certificates to Cloudflare’s edge. During TLS termination, Cloudflare will present these certificates to connecting browsers and then (for non-resumed sessions) communicate with the specified key server to complete the handshake.

Upload certificates to Cloudflare with only SANs that you wish to use with Cloudflare Keyless SSL. All Keyless SSL hostnames must be [proxied](https://developers.cloudflare.com/dns/proxy-status/).

You will have to upload each certificate used with Keyless SSL.

To upload a Keyless certificate with the API, send a [POST](https://developers.cloudflare.com/api/resources/keyless%5Fcertificates/methods/create/) request that includes a `"tunnel"` object.

```
"tunnel": {
  "vnet_id": "<VIRTUAL_NETWORK_ID>",
  "private_ip": "<NETWORK>"
}
```

Note

When you receive the `network` value from the Tunnel route API, it will include a subnet mask, such as `10.0.0.1/32`. Remove the subnet mask and use the IP address (`10.0.0.1`).
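As an added example (not Cloudflare's code), the helper below derives the `tunnel` object from a route returned by the List tunnel routes call: it strips the subnet mask as the note describes and refuses any route wider than a single host, since such a route would not identify one key server. The route field names `virtual_network_id` and `network` are the ones listed above; the request body fields `host`, `port`, `certificate` and `bundle_method` are assumed from the Keyless certificates API and should be checked against the linked reference; the `SAMPLE_ROUTE` id and `SAMPLE_PEM` are constructed placeholders.

```javascript
// Added example (not Cloudflare's code): derive the "tunnel" object for the Keyless
// certificate upload from a Tunnel route. The route's "network" carries a CIDR mask
// (for example 10.0.0.1/32); the upload expects the bare address.

// Returns the host address from a CIDR string, refusing anything wider than one host.
function hostAddressFromNetwork(network) {
  const [addr, prefix, ...rest] = network.split("/");
  if (!addr || rest.length > 0) throw new Error(`malformed network: ${network}`);
  const isV4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(addr);
  const isV6 = !isV4 && /^[0-9a-f:]+$/i.test(addr) && addr.includes(":");
  if (!isV4 && !isV6) throw new Error(`unrecognised address: ${addr}`);
  if (prefix !== undefined) {
    const hostBits = isV4 ? 32 : 128;
    if (Number(prefix) !== hostBits) {
      // A wider route covers more than one machine and cannot name one key server.
      throw new Error(`expected a /${hostBits} host route, got /${prefix}`);
    }
  }
  return addr;
}

// Shapes the "tunnel" object exactly as shown in the documented request.
function tunnelObjectFromRoute(route) {
  if (!route || typeof route.virtual_network_id !== "string" || typeof route.network !== "string") {
    throw new Error("route must include virtual_network_id and network");
  }
  return {
    vnet_id: route.virtual_network_id,
    private_ip: hostAddressFromNetwork(route.network),
  };
}

// Assembles the POST body. host/port/certificate/bundle_method are assumed from the
// Keyless certificates API reference linked above; "ubiquitous" is assumed to be the API
// value behind the dashboard's "Compatible" bundle option. Check both against the reference.
function keylessCertificateBody({ host, port = 2407, certificatePem, bundleMethod = "ubiquitous", route }) {
  if (!/^-----BEGIN CERTIFICATE-----/.test(certificatePem.trim())) {
    throw new Error("certificate must be PEM encoded");
  }
  return {
    host,
    port,
    certificate: certificatePem,
    bundle_method: bundleMethod,
    tunnel: tunnelObjectFromRoute(route),
  };
}

// Constructed sample route; the id is a placeholder, not a real virtual network.
const SAMPLE_ROUTE = {
  virtual_network_id: "00000000-0000-0000-0000-000000000000",
  network: "10.0.0.1/32",
};

// Constructed placeholder PEM (not a real certificate).
const SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n";
```

`keylessCertificateBody` is what you would `JSON.stringify` into the POST request; the host-route check is the part worth keeping even if you build the body some other way, because a `/24` or similar copied from the routes list would silently point the keyless client at the wrong address.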

## 4\. Set up and activate key server

Finally, you need to install the key server on your infrastructure, populate it with the SSL keys of the certificates you wish to use to terminate TLS at Cloudflare’s edge, and activate the key server so it can be mutually authenticated.

Note

If you plan to run Keyless SSL in a [high availability setup](https://developers.cloudflare.com/ssl/keyless-ssl/reference/high-availability/), you may need to set up additional infrastructure (load balancing and health checks).

### Install

These steps are also at the [Cloudflare package repository ↗](https://pkg.cloudflare.com/).

#### Debian/Ubuntu packages

```
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null

# Add this repo to your apt repositories
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/gokeyless buster main' | sudo tee /etc/apt/sources.list.d/cloudflare.list

# install gokeyless
sudo apt-get update && sudo apt-get install gokeyless
```

#### RHEL/CentOS packages

Use either of the following examples to install the `gokeyless` package for RHEL or CentOS.

**Option 1**

RHEL or CentOS (version lower than 8)

```
sudo yum makecache
sudo yum-config-manager --add-repo https://pkg.cloudflare.com/gokeyless.repo && sudo yum-config-manager --setopt=gokeyless-stable.gpgkey=https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg --save
sudo yum install gokeyless
```

**Option 2**

RHEL or CentOS (version 8 or higher)

```
sudo dnf install dnf-plugins-core && dnf clean all
sudo dnf config-manager --add-repo https://pkg.cloudflare.com/gokeyless.repo
sudo dnf install gokeyless
```

Note

Amazon Linux customers may need to update their final installation command to be something similar to `sudo yum install rsyslog shadow-utils && sudo yum install gokeyless`.

### Configure

Add your Cloudflare account details to the configuration file located at `/etc/keyless/gokeyless.yaml`:

1. Set the hostname of the key server, for example, `keyserver.keyless.example.com`. This is also the value you entered when you uploaded your keyless certificate and is the hostname of your key server that holds the key for this certificate.
2. Set the Zone ID (found on **Overview** tab of the Cloudflare dashboard).
3. [Set the Origin CA API key](https://developers.cloudflare.com/fundamentals/api/get-started/ca-keys).

### Populate keys

Install your private keys in `/etc/keyless/keys/` and set the user and group to keyless with 400 permissions. Keys must be in PEM or DER format and have an extension of `.key`:

```
ls -l /etc/keyless/keys
```

```
-r-------- 1 keyless keyless 1675 Nov 18 16:44 example.com.key
```

When running multiple key servers, make sure all required keys are distributed to each key server. Customers typically will either use a configuration management tool such as Salt or Puppet to distribute keys or mount `/etc/keyless/keys` to a network location accessible only by your key servers. Keys are read on boot into memory, so a network path must be accessible during the gokeyless process start/restart.

### Activate

To activate, restart your keyless instance:

* systemd: `sudo service gokeyless restart`
* upstart/sysvinit: `sudo /etc/init.d/gokeyless restart`

If this command fails, try troubleshooting by [checking the logs](https://developers.cloudflare.com/ssl/keyless-ssl/troubleshooting/).


---

---
title: Public DNS
description: If you cannot use a Cloudflare Tunnel setup, you can also create a public DNS record for your key server.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Public DNS

If you cannot use a [Cloudflare Tunnel setup](https://developers.cloudflare.com/ssl/keyless-ssl/configuration/cloudflare-tunnel/), you can also create a public DNS record for your key server.

This setup option is not ideal: the DNS record cannot be [proxied](https://developers.cloudflare.com/dns/proxy-status/) and, as a result, will expose the origin IP address of your key server.

---

## Before you begin

### Supported platforms

Keyless has been tested on `amd64` and `arm` architectures. The key server binary will likely run on all architectures that Go supports. Code support may exist for other CPUs too, but these other architectures have not been tested.

In addition to running on bare metal, the key server should run without issue in a virtualized or containerized environment. Care will need to be taken to configure ingress access to the appropriate TCP port and file system access to private keys (if using filesystem storage).

### Supported operating systems

You will need to have a supported operating system (OS) to run Keyless. Supported operating systems include:

* Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, 22.10
* Debian 8, 9, 10, 11, 12
* RHEL and CentOS 6, 7, 8, 9
* Amazon Linux 1, 2

We strongly recommend that you use an operating system still supported by the vendor (still receiving security updates) as your key server will have access to your private keys.

---

## 1\. Create public DNS record

1. Open a Terminal and run `openssl rand -hex 24` to generate a long, random hostname such as `11aa40b4a5db06d4889e48e2f738950ddfa50b7349d09b5f.example.com`.
2. Add this record via your DNS provider’s interface as an **A** or **AAAA** record pointing to the IP address of your Keyless SSL server.
3. Use this hostname as the server hostname during initialization of your Keyless SSL server.

Warning

As a security measure, you should hide the hostname of your key server.

---

## 2\. Upload Keyless SSL Certificates

Before your key servers can be configured, you must next upload the corresponding SSL certificates to Cloudflare’s edge. During TLS termination, Cloudflare will present these certificates to connecting browsers and then (for non-resumed sessions) communicate with the specified key server to complete the handshake.

Upload certificates to Cloudflare with only SANs that you wish to use with Cloudflare Keyless SSL. All Keyless SSL hostnames must be [proxied](https://developers.cloudflare.com/dns/proxy-status/).

You will have to upload each certificate used with Keyless SSL.

**Dashboard**

To create a Keyless certificate in the dashboard:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. Select **Upload Keyless SSL Certificate**.
3. Fill in the upload modal with the certificate and other details and select **Add**.

| Label               | Description                                                                                                                                                                                     | Example Values                                               |
| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ |
| Key server label    | Any unique identifier for your key server.                                                                                                                                                      | “test-keyless”, “production-keyless-1”                       |
| Key server hostname | The hostname of your key server that holds the key for this certificate (such as the random hostname generated earlier).                                                                        | 11aa40b4a5db06d4889e48e2f738950ddfa50b7349d09b5f.example.com |
| Key server port     | Set to 2407 unless you have changed this on the key server.                                                                                                                                     | 2407                                                         |
| SSL Certificate     | The valid X509v3 SSL certificate (in PEM form) for which you hold the private key.                                                                                                              | (PEM bytes)                                                  |
| Bundle method       | This should almost always be **Compatible**. Refer to [Uploading Custom Certificates](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/) for more details. | Compatible                                                   |

**API**

To create a Keyless certificate with the API, send a [POST](https://developers.cloudflare.com/api/resources/keyless%5Fcertificates/methods/create/) request.

---

## 3\. Set up and activate key server

Finally, you need to install the key server on your infrastructure, populate it with the SSL keys of the certificates you wish to use to terminate TLS at Cloudflare’s edge, and activate the key server so it can be mutually authenticated.

Note

If you plan to run Keyless SSL in a [high availability setup](https://developers.cloudflare.com/ssl/keyless-ssl/reference/high-availability/), you may need to set up additional infrastructure (load balancing and health checks).

### Install

These steps are also at the [Cloudflare package repository ↗](https://pkg.cloudflare.com/).

#### Debian/Ubuntu packages

```
sudo mkdir -p --mode=0755 /usr/share/keyrings
curl -fsSL https://pkg.cloudflare.com/cloudflare-main.gpg | sudo tee /usr/share/keyrings/cloudflare-main.gpg >/dev/null

# Add this repo to your apt repositories
echo 'deb [signed-by=/usr/share/keyrings/cloudflare-main.gpg] https://pkg.cloudflare.com/gokeyless buster main' | sudo tee /etc/apt/sources.list.d/cloudflare.list

# install gokeyless
sudo apt-get update && sudo apt-get install gokeyless
```

#### RHEL/CentOS packages

Use either of the following examples to install the `gokeyless` package for RHEL or CentOS.

**Option 1**

RHEL or CentOS (version lower than 8)

```
sudo yum makecache
sudo yum-config-manager --add-repo https://pkg.cloudflare.com/gokeyless.repo && sudo yum-config-manager --setopt=gokeyless-stable.gpgkey=https://pkg.cloudflare.com/cloudflare-ascii-pubkey.gpg --save
sudo yum install gokeyless
```

**Option 2**

RHEL or CentOS (version 8 or higher)

```
sudo dnf install dnf-plugins-core && dnf clean all
sudo dnf config-manager --add-repo https://pkg.cloudflare.com/gokeyless.repo
sudo dnf install gokeyless
```

Note

Amazon Linux customers may need to update their final installation command to be something similar to `sudo yum install rsyslog shadow-utils && sudo yum install gokeyless`.

### Configure

Add your Cloudflare account details to the configuration file located at `/etc/keyless/gokeyless.yaml`:

1. Set the hostname of the key server, for example, `11aa40b4a5db06d4889e48e2f.example.com`. This is also the value you entered when you uploaded your keyless certificate and is the hostname of your key server that holds the key for this certificate.
2. Set the Zone ID (found on **Overview** tab of the Cloudflare dashboard).
3. [Set the Origin CA API key](https://developers.cloudflare.com/fundamentals/api/get-started/ca-keys).

### Populate keys

Install your private keys in `/etc/keyless/keys/` and set the user and group to keyless with 400 permissions. Keys must be in PEM or DER format and have an extension of `.key`:

```
ls -l /etc/keyless/keys
```

```
-r-------- 1 keyless keyless 1675 Nov 18 16:44 example.com.key
```

When running multiple key servers, make sure all required keys are distributed to each key server. Customers typically will either use a configuration management tool such as Salt or Puppet to distribute keys or mount `/etc/keyless/keys` to a network location accessible only by your key servers. Keys are read on boot into memory, so a network path must be accessible during the gokeyless process start/restart.

### Activate

To activate, restart your keyless instance:

* systemd: `sudo service gokeyless restart`
* upstart/sysvinit: `sudo /etc/init.d/gokeyless restart`

If this command fails, try troubleshooting by [checking the logs](https://developers.cloudflare.com/ssl/keyless-ssl/troubleshooting/).

### Allow incoming connections from Cloudflare

During TLS handshakes, Cloudflare's keyless client will initiate connections to the key server hostname or IP address you specify during certificate upload. By default, the keyless client will use a destination TCP port of 2407, but this can be changed during certificate upload or by editing the certificate details after upload.

Create WAF custom rules that allow your key server to accept connections from only Cloudflare. You can get Cloudflare's IPv4 and IPv6 addresses via the [IP details API endpoint](https://developers.cloudflare.com/api/resources/ips/methods/list/).
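As an added example (not Cloudflare's code), the helper below checks whether a source address falls inside a list of ranges shaped like the IP details API response (`ipv4_cidrs` and `ipv6_cidrs`) and audits constructed connection-log lines for key server connections on port 2407 that did not come from those ranges. The `SAMPLE_RANGES` use documentation prefixes rather than Cloudflare's real ranges, so fetch the real list from the API before relying on the result; the log line format and the `auditKeyServerConnections` helper are constructed for this example.

```javascript
// Added example (not Cloudflare's code): decide whether connections to the key server port
// come from the published Cloudflare ranges. The range list has the shape returned by the
// IP details API (ipv4_cidrs / ipv6_cidrs); the ranges and log lines here are constructed
// placeholders, so fetch the real list from the API before using this.

// Parses an IPv4 or IPv6 address into a BigInt plus its address width in bits.
function ipToBigInt(addr) {
  if (addr.includes(":")) {
    // IPv6: expand a single "::" into the missing zero groups, then read eight 16-bit groups.
    const halves = addr.split("::");
    if (halves.length > 2) throw new Error(`bad IPv6 address: ${addr}`);
    const head = halves[0] ? halves[0].split(":") : [];
    const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
    let groups;
    if (halves.length === 2) {
      const missing = 8 - head.length - tail.length;
      if (missing < 1) throw new Error(`bad IPv6 address: ${addr}`);
      groups = [...head, ...new Array(missing).fill("0"), ...tail];
    } else {
      groups = head;
    }
    if (groups.length !== 8 || groups.some((g) => !/^[0-9a-f]{1,4}$/i.test(g))) {
      throw new Error(`bad IPv6 address: ${addr}`);
    }
    return { value: groups.reduce((acc, g) => (acc << 16n) + BigInt(parseInt(g, 16)), 0n), bits: 128 };
  }
  const octets = addr.split(".").map(Number);
  if (octets.length !== 4 || octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`bad IPv4 address: ${addr}`);
  }
  return { value: octets.reduce((acc, o) => (acc << 8n) + BigInt(o), 0n), bits: 32 };
}

// True when addr lies inside cidr; addresses of different families never match.
function cidrContains(cidr, addr) {
  const [net, prefixStr] = cidr.split("/");
  const network = ipToBigInt(net);
  const candidate = ipToBigInt(addr);
  if (network.bits !== candidate.bits) return false;
  const prefix = Number(prefixStr);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > network.bits) {
    throw new Error(`bad prefix in ${cidr}`);
  }
  const shift = BigInt(network.bits - prefix);
  return (network.value >> shift) === (candidate.value >> shift);
}

// ranges: { ipv4_cidrs: [...], ipv6_cidrs: [...] }, the shape of the IP details API result.
function isCloudflareSource(ranges, addr) {
  const list = addr.includes(":") ? ranges.ipv6_cidrs : ranges.ipv4_cidrs;
  return (list || []).some((cidr) => cidrContains(cidr, addr));
}

// Scans constructed connection-log lines and returns the distinct sources that reached the
// key server port from outside the allowed ranges; those are the ones the firewall should
// already have dropped.
function auditKeyServerConnections(ranges, lines, port = 2407) {
  const unexpected = [];
  for (const line of lines) {
    const m = /src=(\S+) dport=(\d+)/.exec(line);
    if (!m || Number(m[2]) !== port) continue; // not a key server connection
    if (!isCloudflareSource(ranges, m[1]) && !unexpected.includes(m[1])) unexpected.push(m[1]);
  }
  return unexpected;
}

// Constructed sample ranges (documentation prefixes, not Cloudflare's) and log lines.
const SAMPLE_RANGES = { ipv4_cidrs: ["198.51.100.0/24"], ipv6_cidrs: ["2001:db8::/32"] };
const SAMPLE_LOG = [
  "2024-01-01T00:00:00Z accept src=198.51.100.7 dport=2407",
  "2024-01-01T00:00:01Z accept src=203.0.113.9 dport=2407",
  "2024-01-01T00:00:02Z accept src=2001:db8:1::5 dport=2407",
  "2024-01-01T00:00:03Z accept src=203.0.113.9 dport=22",
];
```

The same `isCloudflareSource` check is what a host firewall rule set encodes statically; running it over the key server's accept log is a cheap way to confirm that the rules actually restrict port 2407 to the published ranges after each ranges update.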


---

---
title: Glossary
description: Learn more about the common terms related to Keyless SSL.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Glossary

## Cloudflare Keyless SSL key server (“key server”)

The key server is a daemon that you run on your own infrastructure. The key server receives inbound requests from Cloudflare's keyless client on TCP port `2407` (by default) so you must make sure that your firewall and other access control lists permit these requests from [Cloudflare's IP ranges ↗](https://www.cloudflare.com/ips/).

Your key servers are contacted by Cloudflare during the TLS handshake process and must be online to terminate new TLS connections. Existing sessions can be resumed using unexpired TLS session tickets without needing to contact the key server.

## Cloudflare Keyless SSL client (“keyless client”)

The keyless client is a process that runs on Cloudflare's infrastructure. The keyless client makes outbound requests to your key server on TCP port `2407` for assistance in establishing new TLS sessions.


---

---
title: Hardware security modules
description: In addition to private keys stored on disk, Keyless SSL supports keys stored in a Hardware Security Module (HSM) via the PKCS#11 standard. Keyless uses PKCS#11 for signing and decrypting payloads without having direct access to the private keys.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Hardware security modules

In addition to private keys stored on disk, Keyless SSL supports keys stored in a Hardware Security Module (HSM) via the PKCS#11 standard. Keyless uses PKCS#11 for signing and decrypting payloads without having direct access to the private keys.

---

## Why use Keyless SSL with an HSM?

Hardware Security Modules (HSMs) facilitate a higher level of protection for your private keys over storing them directly on your key server. The primary responsibility of an HSM is safeguarding private keys and performing operations such as signing or encryption internally. In addition to access control, that means the physical device must offer some degree of tamper-resistance in order to be compliant with government or [industry regulations such as FIPS 140 ↗](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf).

Moreover, many HSMs are also capable of generating keys and producing cryptographically secure randomness. Some are purpose-built to perform cryptographic computations more efficiently.

---

## Communicating using PKCS#11

The key server communicates with HSMs via PKCS#11, so any HSM supporting the standard can be used with Keyless SSL.

### Initial configuration

For more details on initializing your PKCS#11 token, refer to [Configuration](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/configuration/).

### Compatibility

Keyless SSL has interoperability with the following modules:

* [Entrust nShield Connect ↗](https://www.entrust.com/digital-security/hsm)
* [Gemalto SafeNet Luna ↗](https://cpl.thalesgroup.com/compliance/fips-common-criteria-validations)
* [SoftHSMv2 ↗](https://github.com/opendnssec/SoftHSMv2)
* [YubiKey Neo ↗](https://www.yubico.com/product/yubikey-neo/)

Also, the following cloud HSM offerings have been tested with Keyless SSL:

* [AWS CloudHSM](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/aws-cloud-hsm/)
* [Azure Dedicated HSM](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/azure-dedicated-hsm/)
* [Azure Managed HSM](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/azure-managed-hsm/)
* [Fortanix DSM](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/fortanix-dsm/)
* [IBM Cloud HSM](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/ibm-cloud-hsm/)
* [Google Cloud HSM](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/google-cloud-hsm/)


---

---
title: AWS cloud HSM
description: Learn how to use Keyless SSL with AWS CloudHSM.
image: https://developers.cloudflare.com/core-services-preview.png
---


# AWS cloud HSM

Note

This example imports an existing key pair, but you may prefer to [generate your key on the HSM ↗](https://docs.aws.amazon.com/cloudhsm/latest/userguide/manage-keys.html).

---

## Before you start

Make sure you have:

* Provisioned an [AWS CloudHSM cluster ↗](https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) .
* Installed the [appropriate software library for PKCS#11 ↗](https://docs.aws.amazon.com/cloudhsm/latest/userguide/pkcs11-library-install.html).

---

## 1\. Import the public and private key to the HSM

Before importing the public key, extract it from the certificate provided by your CA. Place the contents of your private key in `privkey.pem` and then run the following (replacing `certificate.pem` with your actual certificate) to populate `pubkey.pem`.

```
keyserver$ openssl x509 -pubkey -noout -in certificate.pem > pubkey.pem
```

Log in to the CloudHSM using a previously created [crypto user ↗](https://docs.aws.amazon.com/cloudhsm/latest/userguide/hsm-users.html#crypto-user) (CU) account and generate a key encryption key that will be used to import your private key.

```
keyserver$ /opt/cloudhsm/bin/key_mgmt_util
Command: loginHSM -u CU -s patrick -p donahue
Command: genSymKey -t 31 -s 16 -sess -l import-wrapping-key
...
Symmetric Key Created.  Key Handle: 658
...
```

Referencing the key handle returned above, import the private and public key and then log out of the HSM:

```
Command: importPrivateKey -f privkey.pem -l mykey -id 1 -w 658
...
Cfm3WrapHostKey returned: 0x00 : HSM Return: SUCCESS
Cfm3CreateUnwrapTemplate returned: 0x00 : HSM Return: SUCCESS
Cfm3UnWrapKey returned: 0x00 : HSM Return: SUCCESS
...
Private Key Unwrapped.  Key Handle: 658

Command: importPubKey -f pubkey.pem -l mykey -id 1
Cfm3CreatePublicKey returned: 0x00 : HSM Return: SUCCESS
...
Public Key Handle: 941

Command: logoutHSM
Command: exit
```

---

## 2. Modify the gokeyless config file and restart the service

Now that the keys are in place, we need to modify the configuration file that the key server will read on startup. Change the `object=mykey` and `pin-value=username:password` values to match the key label you provided and CU user you created.

Open `/etc/keyless/gokeyless.yaml` and immediately after:

```
private_key_stores:
  - dir: /etc/keyless/keys
```

add:

```
- uri: pkcs11:token=cavium;object=mykey?module-path=/opt/cloudhsm/lib/libcloudhsm_pkcs11_standard.so&pin-value=patrick:donahue&max-sessions=1
```

With the config file saved, restart `gokeyless` and verify it started successfully.

```
sudo systemctl restart gokeyless.service
sudo systemctl status gokeyless.service -l
```


---

---
title: Azure Dedicated HSM
description: Learn how to use Keyless SSL with Azure Dedicated HSM.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Azure Dedicated HSM

This tutorial uses [Azure Dedicated HSM ↗](https://azure.microsoft.com/en-us/services/azure-dedicated-hsm/) — a FIPS 140-2 Level 3 certified implementation based on the Gemalto SafeNet Luna a790.

---

## Before you start

Make sure you have:

* Followed Microsoft's [tutorial ↗](https://docs.microsoft.com/en-us/azure/dedicated-hsm/tutorial-deploy-hsm-powershell) for deploying HSMs into an existing virtual network using PowerShell
* Installed the [SafeNet client software ↗](https://cpl.thalesgroup.com/node/11350)

---

## 1. Create, assign, and initialize a new partition

The first step is creating an HSM partition, which can be thought of as an independent logical HSM within your Azure Dedicated HSM device.

```
vm$ ssh tenantadmin@hsm

[local_host] lunash:>hsm login

  Please enter the HSM Administrators' password:
  > ********

'hsm login' successful.

Command Result : 0 (Success)

[local_host] lunash:>partition create -partition KeylessSSL

          Type 'proceed' to create the partition, or
          'quit' to quit now.
          > proceed
'partition create' successful.

Command Result : 0 (Success)
```

Next, the partition needs to be assigned to the client, in this case your key server.

```
[local_host] lunash:>client assignpartition -client azure-keyless -partition KeylessSSL

'client assignPartition' successful.

Command Result : 0 (Success)
```

After the partition has been assigned, run `lunacm` from your virtual server and initialize the partition.

```
vm$ lunacm
lunacm (64-bit) v7.2.0-220. Copyright (c) 2018 SafeNet. All rights reserved.

  Available HSMs:

  Slot Id ->              0
  Label ->
  Serial Number ->        XXXXXXXXXXXXX
  Model ->                LunaSA 7.2.0
  Firmware Version ->     7.0.3
  Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
  Slot Description ->     Net Token Slot

  Current Slot Id: 0

lunacm:>partition init -label KeylessSSL -domain cloudflare

  Enter password for Partition SO: ********

  Re-enter password for Partition SO: ********

  You are about to initialize the partition.
  All contents of the partition will be destroyed.

  Are you sure you wish to continue?

  Type 'proceed' to continue, or 'quit' to quit now ->proceed

Command Result : No Error
```

---

## 2. Generate an RSA key pair and certificate signing request (CSR)

Before running the commands below, check with your information security and/or cryptography team to confirm the approved key creation procedures for your organization.

```
# cmu generatekeypair -keyType=RSA -modulusBits=2048 -publicExponent=65537 -sign=1 -verify=1 -labelpublic=myrsakey -labelprivate=myrsakey -keygenmech=1

Please enter password for token in slot 0 : ********

# cmu list

Please enter password for token in slot 0 : ********
handle=51 label=myrsakey
handle=48 label=myrsakey
```

Using the key created in the previous step, generate a CSR that can be sent to a publicly trusted Certificate Authority (CA) for signing.

```
# cmu requestCertificate -c="US" -o="Example, Inc." -cn="azure-dedicatedhsm.example.com" -s="California" -l="San Francisco" -publichandle=48 -privatehandle=51 -outputfile="rsa.csr" -sha256withrsa

Please enter password for token in slot 0 : ********
Using "CKM_SHA256_RSA_PKCS" Mechanism
```

---

## 3. Obtain and upload a signed certificate from your Certificate Authority (CA)

Provide the CSR created in the previous step to your organization's preferred CA, demonstrate control of your domain as requested, and then download the signed SSL certificates. Follow the instructions provided in [Upload Keyless SSL Certificates](https://developers.cloudflare.com/ssl/keyless-ssl/configuration/cloudflare-tunnel/#3-upload-keyless-ssl-certificates).

---

## 4. Modify your gokeyless config file and restart the service

Lastly, we need to modify the configuration file that the key server will read on startup. Be sure to change the `object=myrsakey` and `pin-value=password` values in the line below to match the key label you provided and the password of the token (partition) you initialized.

Open `/etc/keyless/gokeyless.yaml` and immediately after:

```
private_key_stores:
  - dir: /etc/keyless/keys
```

add:

```
- uri: pkcs11:token=KeylessSSL;object=myrsakey?module-path=/usr/safenet/lunaclient/lib/libCryptoki2_64.so&pin-value=password&max-sessions=1
```

With the config file saved, restart `gokeyless` and verify it started successfully.

```
sudo systemctl restart gokeyless.service
sudo systemctl status gokeyless.service -l
```


---

---
title: Azure Managed HSM
description: This tutorial uses Microsoft Azure’s Managed HSM to deploy a VM with the Keyless SSL daemon. Follow these instructions to deploy your keyless server.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Azure Managed HSM

This tutorial uses [Microsoft Azure’s Managed HSM ↗](https://azure.microsoft.com/en-us/updates/akv-managed-hsm-public-preview/) — a FIPS 140-2 Level 3 certified implementation — to deploy a VM with the Keyless SSL daemon.

---

## Before you start

Make sure you have:

* Followed Microsoft's [tutorial ↗](https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/quick-create-cli) for provisioning and activating the managed HSM
* Set up a VM for your key server

---

## 1. Create a VM

Create a VM where you will deploy the keyless daemon.

---

## 2. Deploy the keyless server

Follow [these instructions](https://developers.cloudflare.com/ssl/keyless-ssl/configuration/cloudflare-tunnel/#4-set-up-and-activate-key-server) to deploy your keyless server.

---

## 3. Set up the Azure CLI

Set up the Azure CLI (used to access the private key).

For example, if you were using macOS:

```
brew install azure-cli
```

---

## 4. Set up the Managed HSM

1. Log in through the Azure CLI and create a resource group for the Managed HSM in one of the supported regions:

   ```
   az login
   az group create --name HSMgroup --location southcentralus
   ```

   Note

   For a list of supported regions, see the [Microsoft documentation ↗](https://azure.microsoft.com/en-us/global-infrastructure/services/?products=key-vault).

2. [Create, provision, and activate ↗](https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/quick-create-cli) the HSM.

3. Add your private key to the `keyvault`, which returns the URI you need for **Step 5**:

   ```
   az keyvault key import --hsm-name "KeylessHSM" --name "hsm-pub-keyless" --pem-file server.key
   ```

4. If the key server is running in an Azure VM in the same account, use **Managed services** for authorization:

   1. Enable managed services on the VM in the UI.
   2. Give your service user (associated with your VM) HSM sign permissions:

      ```
      az keyvault role assignment create --hsm-name KeylessHSM --assignee $(az vm identity show --name "hsmtestvm" --resource-group "HSMgroup" --query principalId -o tsv) --scope / --role "Managed HSM Crypto User"
      ```

5. In the `gokeyless` YAML file, add the URI from **Step 3** under `private_key_stores`. See our [README ↗](https://github.com/cloudflare/gokeyless/blob/master/README.md) for an example.

## 5. Restart gokeyless

Once you save the config file, restart `gokeyless` and verify that it started successfully:

```
sudo systemctl restart gokeyless.service
sudo systemctl status gokeyless.service -l
```


---

---
title: Configuration
description: To get started with your PKCS#11 token you will need to initialize it with a private key, PIN, and token label. The instructions to do this will be specific to each hardware device, and you should follow the instructions provided by your vendor. You will also need to find the path to your module, a shared object file (.so). Having initialized your device, you can query it to check your token label with:
image: https://developers.cloudflare.com/core-services-preview.png
---


# Configuration

Important

Carefully review the manufacturer documentation for your HSM and properly restrict access to the key server.

To get started with your PKCS#11 token you will need to initialize it with a private key, PIN, and token label. The instructions to do this will be specific to each hardware device, and you should follow the instructions provided by your vendor. You will also need to find the path to your `module`, a shared object file (`.so`). Having initialized your device, you can query it to check your token label with:

```
pkcs11-tool --module <module path> --list-token-slots
```

You will also want to check the label of the private key you imported (or generated). Run the following command and look for a `Private Key Object`:

```
pkcs11-tool --module <module path> --pin <pin> \
    --list-token-slots --login --list-objects
```

You now have all the information you need to use your PKCS#11 token with the Keyless server, by adding to the `private_key_stores` section in the configuration file. You can specify the key pairs that you want Keyless to have access to in the [configuration file using the PKCS#11 URI ↗](https://tools.ietf.org/html/rfc7512) format.

## PKCS#11 URI

A PKCS#11 URI is a sequence of attribute value pairs separated by a semicolon that form a one-level path component, optionally followed by a query. The general form represented is:

```
pkcs11:path-component[?query-component]
```

The URI path component contains attributes that identify a resource. The query component can contain a few attributes that may be needed to retrieve the resource identified by the URI path component. Attributes in the path component are delimited by the `;` character, and attributes in the query component use `&` as a delimiter. All attributes are URL-encoded.

Keyless requires the following three attributes be specified:

* **Module**: use `module-path` to locate the PKCS#11 module library.
* **Token**: use `serial`, `slot-id`, or `token` to specify the PKCS#11 token.
* **Slot**: use `id` or `object` to specify the PKCS#11 key pair.

For certain modules, a query attribute `max-sessions` is required in order to prevent opening too many sessions to the module. Certain additional attributes, such as `pin-value`, may be necessary depending on the situation. Refer to the documentation for your PKCS#11 module for more details.

## Examples

Here are some examples of PKCS#11 URIs for keys stored on various modules:

```
private_key_stores:
- uri: pkcs11:token=SoftHSM2%20RSA%20Token;id=%03?module-path=/usr/lib64/libsofthsm2.so&pin-value=1234
- uri: pkcs11:token=accelerator;object=thaleskey?module-path=/opt/nfast/toolkits/pkcs11/libcknfast.so
- uri: pkcs11:token=YubiKey%20PIV;id=%00?module-path=/usr/lib64/libykcs11.so&pin-value=123456&max-sessions=1
- uri: pkcs11:token=elab2parN;id=%04?module-path=/usr/lib/libCryptoki2_64.so&pin-value=crypto1
```
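To make the attribute rules above concrete (path attributes joined by `;`, query attributes by `&`, values percent-encoded, and a binary `id` such as `a000` written byte by byte as `%a0%00`), here is an added example in Python that builds, parses and checks `uri:` values of the form shown in this section. It is not code from the Cloudflare docs or the gokeyless project; the only rules it enforces are the three required attribute groups listed above, and the sample URIs it is exercised with are the ones on this page.

```python
"""Build, parse and sanity-check RFC 7512 PKCS#11 URIs for gokeyless.

Added example; not part of the Cloudflare docs or the gokeyless project.
"""
from typing import Dict, Optional, Union
from urllib.parse import quote, unquote, unquote_to_bytes

# gokeyless needs one attribute from each group plus module-path.
TOKEN_ATTRS = ("token", "serial", "slot-id")  # identifies the PKCS#11 token
KEY_ATTRS = ("id", "object")                  # identifies the key pair


def encode_id(key_id: bytes) -> str:
    """Percent-encode every byte of a CKA_ID, e.g. b'\\xa0\\x00' -> '%a0%00'."""
    return "".join(f"%{b:02x}" for b in key_id)


def build_uri(*, module_path: str, token: Optional[str] = None,
              serial: Optional[str] = None, slot_id: Optional[int] = None,
              object_label: Optional[str] = None, key_id: Optional[bytes] = None,
              pin_value: Optional[str] = None,
              max_sessions: Optional[int] = None) -> str:
    """Assemble a pkcs11: URI; path attributes use ';', query attributes '&'."""
    path = []
    if token is not None:
        path.append(("token", quote(token, safe="")))  # spaces become %20
    if serial is not None:
        path.append(("serial", quote(serial, safe="")))
    if slot_id is not None:
        path.append(("slot-id", str(slot_id)))
    if object_label is not None:
        path.append(("object", quote(object_label, safe="")))
    if key_id is not None:
        path.append(("id", encode_id(key_id)))
    if not any(k in TOKEN_ATTRS for k, _ in path):
        raise ValueError("need token, serial or slot-id")
    if not any(k in KEY_ATTRS for k, _ in path):
        raise ValueError("need id or object")
    query = [("module-path", quote(module_path, safe="/"))]
    if pin_value is not None:
        # '&' or ';' inside a PIN would otherwise be read as a delimiter.
        query.append(("pin-value", quote(pin_value, safe="")))
    if max_sessions is not None:
        query.append(("max-sessions", str(max_sessions)))
    return ("pkcs11:" + ";".join(f"{k}={v}" for k, v in path)
            + "?" + "&".join(f"{k}={v}" for k, v in query))


def parse_uri(uri: str) -> Dict[str, Union[str, bytes]]:
    """Split a pkcs11: URI into decoded attributes; 'id' comes back as bytes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    parts = [p for p in path.split(";") if p] + [q for q in query.split("&") if q]
    attrs: Dict[str, Union[str, bytes]] = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        attrs[name] = unquote_to_bytes(value) if name == "id" else unquote(value)
    return attrs


def check_keyless_uri(uri: str) -> Dict[str, Union[str, bytes]]:
    """Return the parsed attributes, or raise if a required group is missing."""
    attrs = parse_uri(uri)
    missing = []
    if "module-path" not in attrs:
        missing.append("module-path")
    if not any(k in attrs for k in TOKEN_ATTRS):
        missing.append("token|serial|slot-id")
    if not any(k in attrs for k in KEY_ATTRS):
        missing.append("id|object")
    if missing:
        raise ValueError("missing required attribute(s): " + ", ".join(missing))
    return attrs


def is_valid_keyless_uri(uri: str) -> bool:
    """Boolean form of check_keyless_uri for quick config linting."""
    try:
        check_keyless_uri(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed input: the example URIs from this page, one of them broken.
    for uri in (
        "pkcs11:token=SoftHSM2%20RSA%20Token;id=%03?module-path=/usr/lib64/libsofthsm2.so&pin-value=1234",
        "pkcs11:token=accelerator;object=thaleskey?module-path=/opt/nfast/toolkits/pkcs11/libcknfast.so",
        "pkcs11:token=YubiKey%20PIV;id=%00",  # no module-path: rejected
    ):
        print(is_valid_keyless_uri(uri), uri)
```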

## Limitations

For now, only one PKCS#11 module can be used at a time, so if you have keys on multiple HSMs, we recommend [using p11-glue to consolidate access through one module ↗](https://p11-glue.github.io/p11-glue/).


---

---
title: Entrust nShield Connect
description: Learn how to use Keyless SSL with Entrust nShield Connect.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Entrust nShield Connect

Note

This example assumes you have already configured the nShield Connect device and generated or imported your private keys.

Since the keys are already in place, we merely need to build the configuration file that the key server will read on startup. In this example the device contains a single RSA key pair.

We ask `pkcs11-tool` (provided by the `opensc` package) to display the objects stored in the token:

```
pkcs11-tool --module /opt/nfast/toolkits/pkcs11/libcknfast.so -O
```

```
Using slot 0 with a present token (0x1d622495)
Private Key Object; RSA
  label:      rsa-privkey
  ID:         105013281578de42ea45f5bfac46d302fb006687
  Usage:      decrypt, sign, unwrap
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Public Key Object; RSA 2048 bits
  label:      rsa-privkey
  ID:         105013281578de42ea45f5bfac46d302fb006687
  Usage:      encrypt, verify, wrap
```

The key piece of information is the label of the object, `rsa-privkey`. Open up `/etc/keyless/gokeyless.yaml` and immediately after

```
private_key_stores:
  - dir: /etc/keyless/keys
```

add

```
- uri: pkcs11:token=accelerator;object=rsa-privkey?module-path=/opt/nfast/toolkits/pkcs11/libcknfast.so&max-sessions=4
```

Save the config file, restart `gokeyless`, and verify it started successfully.

```
sudo systemctl restart gokeyless.service
sudo systemctl status gokeyless.service -l
```


---

---
title: Fortanix Data Security Manager
description: You can use Cloudflare Keyless SSL with Fortanix Data Security Manager (DSM), a FIPS 140-2 Level 3 certified implementation.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Fortanix Data Security Manager

You can use Cloudflare Keyless SSL with [Fortanix Data Security Manager (DSM) ↗](https://www.fortanix.com/platform/data-security-manager), a FIPS 140-2 Level 3 certified implementation.

You must have a [Data Security Manager Enterprise Tier ↗](https://www.fortanix.com/start-your-free-trial) and set up a group and an application assigned to the group.

For detailed guidance, follow the tutorial in the [Fortanix documentation ↗](https://support.fortanix.com/docs/fortanix-data-security-manager-with-cloudflare-integration#50-configure-fortanix-dsm). This guide is based on the Keyless SSL [public DNS](https://developers.cloudflare.com/ssl/keyless-ssl/configuration/public-dns/) option and has been tested using a virtual machine (VM) deployed to Azure running Ubuntu 22.04.3 LTS.


---

---
title: Google Cloud HSM
description: Learn how to use Keyless SSL with Google Cloud HSM.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Google Cloud HSM

This tutorial uses [Google Cloud HSM ↗](https://cloud.google.com/kms/docs/hsm) — a FIPS 140-2 Level 3 certified implementation.

---

## Before you start

Make sure that you have:

* Set up your [Google Cloud project ↗](https://cloud.google.com/kms/docs/quickstart#before-you-begin)

---

## 1. Create a key ring

To set up the Google Cloud HSM, [create a key ring ↗](https://cloud.google.com/kms/docs/hsm#kms-create-key-hsm-web) and indicate its location.

Note:

Only [certain locations ↗](https://cloud.google.com/kms/docs/locations#hsm-regions) support Google Cloud HSM.

---

## 2. Create a key

Create a key, including the following information:

| Field            | Value                                  |
| ---------------- | -------------------------------------- |
| Key ring         | The key ring you created in **Step 1** |
| Protection level | HSM                                    |
| Purpose          | Asymmetric Encrypt                     |

---

## 3. Import the private key

After creating a key ring and key, [import the private key ↗](https://cloud.google.com/kms/docs/importing-a-key).

Note:

You need to [convert your key ↗](https://cloud.google.com/kms/docs/formatting-keys-for-import#formatting%5Fasymmetric%5Fkeys) from a PEM to DER format.

---

## 4. Modify your gokeyless config file and restart the service

Once you’ve imported the key, copy the **Resource name** from the UI. Then, add this value to the `gokeyless` YAML file under `private_key_stores`.

With the config file saved, restart `gokeyless` and verify it started successfully.

```
sudo systemctl restart gokeyless.service
sudo systemctl status gokeyless.service -l
```


---

---
title: IBM Cloud HSM
description: Learn how to use Keyless SSL with IBM Cloud HSM.
image: https://developers.cloudflare.com/core-services-preview.png
---


# IBM Cloud HSM

The example below was tested using [IBM Cloud HSM 7.0 ↗](https://console.bluemix.net/docs/infrastructure/hardware-security-modules/about.html#about-ibm-cloud-hsm), a FIPS 140-2 Level 3 certified implementation based on the Gemalto SafeNet Luna a750.

---

## Before you start

Make sure that you have:

* Initialized [your device ↗](https://console.bluemix.net/docs/infrastructure/hardware-security-modules/initialize%5Fhsm.html#initializing-the-ibm-cloud-hsm)
* Installed the [SafeNet client software ↗](https://cpl.thalesgroup.com/node/11350)

---

## 1. Create, assign, and initialize a new partition

The first step is creating an HSM partition, which can be thought of as an independent logical HSM within your IBM Cloud HSM device.

```
vm$ ssh admin@hsm

[cloudflare-hsm.softlayer.com] lunash:>partition create -partition KeylessSSL

          Type 'proceed' to create the partition, or
          'quit' to quit now.
          > proceed
'partition create' successful.

Command Result : 0 (Success)
```

Next, the partition needs to be assigned to the client, in this case your key server.

```
[cloudflare-hsm.softlayer.com] lunash:>client assignpartition -client cloudflare-vm.softlayer.com -partition KeylessSSL

'client assignPartition' successful.

Command Result : 0 (Success)
```

After the partition has been assigned, run `lunacm` from your virtual server and initialize the partition.

```
vm$ lunacm
LunaCM v7.1.0-379. Copyright (c) 2006-2017 SafeNet.

    Available HSMs:

    Slot Id ->              0
    Label ->
    Serial Number ->        XXXXXXXXXXXXX
    Model ->                LunaSA 7.0.0
    Firmware Version ->     7.0.1
    Configuration ->        Luna User Partition With SO (PW) Signing With Cloning Mode
    Slot Description ->     Net Token Slot

    Current Slot Id: 0

lunacm:>partition init -label KeylessSSL -domain cloudflare

  Enter password for Partition SO: ********

  Re-enter password for Partition SO: ********

  You are about to initialize the partition.
  All contents of the partition will be destroyed.

  Are you sure you wish to continue?

  Type 'proceed' to continue, or 'quit' to quit now ->proceed

Command Result : No Error
```

---

## 2. Generate RSA and ECDSA key pairs and certificate signing requests (CSRs)

Before running the commands below, check with your information security and/or cryptography team to confirm the approved key creation procedures for your organization.

When you perform this operation, you need to define the ID field for the newly generated keys. It must be set to a big-endian hexadecimal integer value.

```
vm$ cmu generatekeypair -keyType=RSA -modulusBits=2048 -publicExponent=65537 -sign=1 -verify=1 -labelpublic=myrsakey -labelprivate=myrsakey -keygenmech=1  -id=a000
Please enter password for token in slot 0 : ********

# cmu generatekeypair -keyType=ECDSA -curvetype=3 -sign=1 -verify=1 -labelpublic=myecdsakey -labelprivate=myecdsakey -id=a001
Please enter password for token in slot 0 : ********

# cmu list
Please enter password for token in slot 0 : ********
handle=61   label=myecdsakey
handle=60   label=myecdsakey
handle=48   label=myrsakey
handle=45   label=myrsakey
```

Using the keys created in the previous step, generate CSRs that can be sent to a publicly trusted Certificate Authority (CA) for signing.

```
# cmu requestCertificate -c="US" -o="Example, Inc." -cn="ibm-cloudhsm.example.com" -s="California" -l="San Francisco" -publichandle=45 -privatehandle=48 -outputfile="rsa.csr" -sha256withrsa
Please enter password for token in slot 0 : ********
Using "CKM_SHA256_RSA_PKCS" Mechanism

# cmu requestCertificate -c="US" -o="Example, Inc." -cn="ibm-cloudhsm.example.com" -s="California" -l="San Francisco" -publichandle=60 -privatehandle=61 -outputfile="ecdsa.csr" -sha256withecdsa
Please enter password for token in slot 0 : ********
Using "CKM_ECDSA_SHA256" Mechanism
```

---

## 3. Obtain and upload signed certificates from your Certificate Authority (CA)

Provide the CSRs created in the previous step to your organization's preferred CA, demonstrate control of your domain as requested, and then download the signed SSL certificates. Follow the instructions provided in [Upload Keyless SSL Certificates](https://developers.cloudflare.com/ssl/keyless-ssl/configuration/cloudflare-tunnel/#3-upload-keyless-ssl-certificates).

---

## 4. Modify your gokeyless config file and restart the service

Lastly, we need to modify the configuration file that the key server will read on startup. Change the `object=`, `id=` and `pin-value=password` values in the lines below to match the key labels and IDs you provided and the password of the token (partition) you initialized.

Open `/etc/keyless/gokeyless.yaml` and immediately after:

```
private_key_stores:
  - dir: /etc/keyless/keys
```

add:

```
- uri: pkcs11:token=KeylessSSL;object=myrsakey;id=%a0%00?module-path=/usr/safenet/lunaclient/lib/libCryptoki2_64.so&pin-value=password&max-sessions=1
- uri: pkcs11:token=KeylessSSL;object=myecdsakey;id=%a0%01?module-path=/usr/safenet/lunaclient/lib/libCryptoki2_64.so&pin-value=password&max-sessions=1
```

With the config file saved, restart `gokeyless` and verify it started successfully.

```
sudo systemctl restart gokeyless.service
sudo systemctl status gokeyless.service -l
```


---

---
title: SoftHSMv2
description: Learn how to use Keyless SSL with SoftHSMv2.
image: https://developers.cloudflare.com/core-services-preview.png
---


# SoftHSMv2

Important

SoftHSMv2 should not be considered any more secure than storing private keys directly on disk. No attempt is made below to secure this installation; it is provided simply for demonstration purposes.

---

## 1. Install and configure SoftHSMv2

First, we install SoftHSMv2 and configure it to store tokens in the default location `/var/lib/softhsm/tokens`. We also need to give the `softhsm` group permission to this directory as this is how the `keyless` user will access this directory.

```
sudo apt-get install -y softhsm2 opensc

#...

cat <<EOF | sudo tee /etc/softhsm/softhsm2.conf
directories.tokendir = /var/lib/softhsm/tokens
objectstore.backend = file
log.level = DEBUG
slots.removable = false
EOF

sudo mkdir /var/lib/softhsm/tokens
sudo chown root:softhsm $_
sudo chmod 0770 /var/lib/softhsm/tokens
# -a appends softhsm to the user's supplementary groups; -G alone would replace them
sudo usermod -aG softhsm keyless
sudo usermod -aG softhsm $(whoami)

echo 'export SOFTHSM2_CONF=/etc/softhsm/softhsm2.conf' | tee -a ~/.profile
source ~/.profile
```

---

## 2. Create a token and private keys, and generate CSRs

Next, we create a token in slot 0 called `test-token` and secure it with a PIN of `1234`. In this slot we’ll store the RSA keys for our SSL certificates for `keyless-softhsm.example.com`.

```
sudo -u keyless softhsm2-util --init-token --slot 0 --label test-token --pin 1234 --so-pin 4321
```

```
The token has been initialized.
```

Using cfssl, we generate the [private keys and Certificate Signing Requests (CSRs) ↗](https://github.com/cloudflare/cfssl), the latter of which will be sent to a Certificate Authority (CA) for signing.

```sh
cat <<EOF | tee csr.json
{
    "hosts": [
        "keyless-softhsm.example.com"
    ],
    "CN": "keyless-softhsm.example.com",
    "key": {
        "algo": "rsa",
        "size": 2048
    },
    "names": [{
        "C": "US",
        "L": "San Francisco",
        "O": "TLS Fun",
        "OU": "Technical Operations",
        "ST": "California"
    }]
}
EOF

cfssl genkey csr.json | cfssljson -bare certificate
```

```
2018/08/12 00:52:22 [INFO] generate received request
2018/08/12 00:52:22 [INFO] received CSR
2018/08/12 00:52:22 [INFO] generating key: rsa-2048
2018/08/12 00:52:22 [INFO] encoded CSR
```

---

## 3. Convert and import the key

Now that the key has been generated, it is time to load it into the token we created. Before doing so, we need to convert it from the PKCS#1 format cfssl writes to the PKCS#8 format `softhsm2-util` expects. During import, we specify the token and PIN from token initialization and give the key a unique hexadecimal ID and a label. Once the import succeeds, the PKCS#1 and PKCS#8 files on disk are plaintext copies of the key the HSM is supposed to protect; in anything beyond a demonstration, remove them (for example with `shred -u`) as soon as the import is confirmed.

```sh
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in certificate-key.pem -out certificate-key.p8
sudo chown keyless certificate-key.p8

sudo -u keyless softhsm2-util --pin 1234 --import ./certificate-key.p8 --token test-token --id a000 --label rsa-privkey
```

```
Found slot 915669571 with matching token label.
The key pair has been imported.
```

After importing, we ask `pkcs11-tool` (from the `opensc` package installed in step 1) to confirm that the objects have been stored in the token. The public key shows up alongside the private key under the same ID and label.

```sh
sudo -u keyless pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so -l -p 1234 --token test-token --list-objects
```

```
Public Key Object; RSA 2048 bits
  label:      rsa-privkey
  ID:         a000
  Usage:      verify
Private Key Object; RSA
  label:      rsa-privkey
  ID:         a000
  Usage:      sign
```

---

## 4. Modify your gokeyless config file and restart the service

With the key in place, it is time to build the configuration that the key server reads on startup. The `id` is the hexadecimal ID you passed to the `softhsm2-util` import; PKCS#11 URIs ([RFC 7512 ↗](https://www.rfc-editor.org/rfc/rfc7512.html)) percent-encode each byte of that ID, so `a000` becomes `%a0%00`. The `module-path` varies slightly by Linux distribution; on Debian it is `/usr/lib/softhsm/libsofthsm2.so`.

Open up `/etc/keyless/gokeyless.yaml` and immediately after

```yaml
private_key_stores:
  - dir: /etc/keyless/keys
```

add (indented so that it sits in the same list as the `dir` entry)

```yaml
  - uri: pkcs11:token=test-token;id=%a0%00?module-path=/usr/lib/softhsm/libsofthsm2.so&pin-value=1234&max-sessions=1
```

Because the URI carries the token PIN in clear text, make sure `gokeyless.yaml` is readable only by root and the `keyless` user. Save the config file, restart `gokeyless`, and verify that it started successfully.

```sh
sudo systemctl restart gokeyless.service
sudo systemctl status gokeyless.service -l
```
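The four steps above, carried into a script. This is an added example and is not part of the Cloudflare documentation or of gokeyless: it builds the RFC 7512 PKCS#11 URI from the token label, key ID, module path and PIN used on this page (so an ID other than `a000` gets the right `%xx` encoding and a label with spaces or `;` cannot break the URI), emits the `private_key_stores` block, and signs a test message through the token with `pkcs11-tool`, verifying it against the public key in the CSR cfssl wrote, which confirms that the key the HSM holds is the one the certificate will be issued for. The function names are this example's own, and the smoke test assumes the `opensc` and `openssl` command-line tools are installed.

```shell
#!/bin/sh
# Added example, not from the Cloudflare docs or gokeyless: assemble the
# RFC 7512 PKCS#11 URI gokeyless reads, and smoke-test the token before
# restarting the service. Uses the labels, ID, PIN and module path from the
# steps above; all function names are this example's own.
set -eu

# pkcs11_id_attr HEXID: percent-encode a CKA_ID for the URI "id" attribute.
# Every byte becomes %xx, so a000 -> %a0%00 (the value used in gokeyless.yaml).
pkcs11_id_attr() {
  hex=$(printf '%s' "$1" | tr 'A-F' 'a-f')
  case "$hex" in
    ''|*[!0-9a-f]*) echo "pkcs11_id_attr: '$1' is not hex" >&2; return 1 ;;
  esac
  [ $(( ${#hex} % 2 )) -eq 0 ] || hex="0$hex"   # odd nibble count: pad the first byte
  out=""
  while [ -n "$hex" ]; do
    out="$out%${hex%"${hex#??}"}"   # first two nibbles of what is left
    hex="${hex#??}"
  done
  printf '%s' "$out"
}

# pkcs11_pencode STRING: percent-encode a token label (ASCII only) so that
# ';', '?', '&' or spaces in the label cannot be mistaken for URI syntax.
pkcs11_pencode() {
  s=$1 out=""
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}
    case "$c" in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
    s=${s#?}
  done
  printf '%s' "$out"
}

# gokeyless_pkcs11_uri LABEL HEXID MODULE PIN [MAX_SESSIONS]
gokeyless_pkcs11_uri() {
  printf 'pkcs11:token=%s;id=%s?module-path=%s&pin-value=%s&max-sessions=%s' \
    "$(pkcs11_pencode "$1")" "$(pkcs11_id_attr "$2")" "$3" "$4" "${5:-1}"
}

# gokeyless_store_yaml LABEL HEXID MODULE PIN [MAX_SESSIONS]: the
# private_key_stores block for /etc/keyless/gokeyless.yaml, ready to paste.
gokeyless_store_yaml() {
  printf 'private_key_stores:\n  - dir: /etc/keyless/keys\n  - uri: %s\n' \
    "$(gokeyless_pkcs11_uri "$@")"
}

# hsm_sign_check MODULE TOKEN_LABEL PIN CSR [KEY_LABEL]: sign a message with the
# key inside the token and verify it with the public key from the CSR cfssl
# produced. A pass shows the imported key is the one the certificate will be
# bound to. Run it as a user that can open the token directory (keyless).
hsm_sign_check() {
  module=$1 label=$2 pin=$3 csr=$4 keylabel=${5:-rsa-privkey}
  tmp=$(mktemp -d)
  printf 'keyless softhsm smoke test' > "$tmp/msg"
  openssl req -in "$csr" -noout -pubkey > "$tmp/pub.pem"
  # SHA256-RSA-PKCS hashes inside the token, so the raw message is the input
  pkcs11-tool --module "$module" --login --pin "$pin" --token-label "$label" \
    --label "$keylabel" --sign --mechanism SHA256-RSA-PKCS \
    --input-file "$tmp/msg" --output-file "$tmp/sig"
  if openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/sig" "$tmp/msg"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}

# Usage with the values from the steps above:
#   gokeyless_store_yaml test-token a000 /usr/lib/softhsm/libsofthsm2.so 1234
#   hsm_sign_check /usr/lib/softhsm/libsofthsm2.so test-token 1234 certificate.csr
```

`gokeyless_store_yaml` prints the exact `private_key_stores` block shown above for the page's values; run `hsm_sign_check` before restarting `gokeyless`, since a key that signs but does not verify against the CSR means the wrong object was imported or labelled.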

---

---
title: High availability
description: The Cloudflare Keyless SSL server runs as a single binary with minimal dependencies and is designed to be robust and reliable. However, the network between your key server and Cloudflare may not be, which could prevent new TLS connections.
image: https://developers.cloudflare.com/core-services-preview.png
---

# High availability

The Cloudflare Keyless SSL server runs as a single binary with minimal dependencies and is designed to be robust and reliable. However, the network between your key server and Cloudflare may not be, which could prevent new TLS connections.

For this reason, we strongly recommend that you run at least two key servers in a high availability configuration behind a load balancer. Set up health checks for each key server on the configured TCP port (2407 by default), and fail over as necessary or round-robin between active (healthy) key servers.

From a network availability and performance perspective, advertise the IP address of your key server from multiple data centers (an anycast setup) so the Cloudflare global network can route to the closest key server via BGP. When you use anycast routing, you can also safely take a data center offline to perform maintenance.

---

---
title: Keyless delegation
description: Keyless Delegation is Cloudflare's implementation of the emerging delegated credentials standard (RFC 9345). When you upload a certificate for use with Keyless that has the special extension permitting the use of delegated credentials, Cloudflare will automatically produce a delegated credential and use it at the edge with clients that support this feature. The handshakes will complete without the extra latency induced by reaching back to the Keyless Server, and there are additional advantages to flexibility in algorithm choice.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Keyless delegation

Keyless Delegation is Cloudflare's implementation of the emerging delegated credentials standard ([RFC 9345 ↗](https://www.rfc-editor.org/rfc/rfc9345.html)). When you upload a certificate for use with Keyless that has the special extension permitting the use of delegated credentials, Cloudflare will automatically produce a delegated credential and use it at the edge with clients that support this feature. The handshakes will complete without the extra latency induced by reaching back to the Keyless Server, and there are [additional advantages to flexibility in algorithm choice ↗](https://blog.cloudflare.com/keyless-delegation/).

Behind the scenes we periodically create delegated credentials and sign them via Keyless, through the same mechanism used to sign the CertificateVerify messages our servers send when using Keyless. These credentials have a short lifetime, ensuring that if you disable Keyless the credentials already created become invalid within 24 hours. Supporting clients validate the credential, and the server uses the key it generated to sign the TLS handshake without the round trip to your key server.

For security reasons, certificates must contain a special identifier for use with delegated credentials. This takes the form of an optional X.509 extension with NULL contents and the OID 1.3.6.1.4.1.44363.44. Your CA may need to make code changes to support delegated credentials.

Currently very few clients support delegated credentials, and only a handful of certificate authorities will issue certificates with the extension. We have had success with DigiCert. Firefox 77 and later support delegated credentials.
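As an added example (not Cloudflare's code and not text from RFC 9345), the shell functions below show what the extension looks like in practice: one creates a self-signed test certificate carrying OID 1.3.6.1.4.1.44363.44 with NULL contents through OpenSSL's arbitrary-extension syntax, one checks any PEM certificate for the extension before you upload it for Keyless, and one dumps the DER so you can compare it with what your CA produces. A certificate Cloudflare will act on still has to come from a CA that issues the extension; the self-signed path only lets you see and test the encoding. The function names and hostname are this example's own, and `-addext` requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the Cloudflare docs: issue a test certificate with the
# RFC 9345 DelegationUsage extension and check certificates for it.
set -eu

DELEGATION_USAGE_OID=1.3.6.1.4.1.44363.44

# has_delegation_usage CERT.pem: print yes or no. OpenSSL has no short name for
# this OID, so -text prints it numerically; grep for the dotted form.
has_delegation_usage() {
  if openssl x509 -in "$1" -noout -text | grep -Fq "$DELEGATION_USAGE_OID"; then
    echo yes
  else
    echo no
  fi
}

# make_delegation_test_cert OUT.pem HOST: self-signed P-256 certificate for HOST
# that carries the extension with NULL contents (DER 05 00). Only for seeing
# the encoding locally; Cloudflare needs a CA-issued certificate.
make_delegation_test_cert() {
  out=$1 host=$2
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "${out%.pem}-key.pem" -out "$out" -days 7 -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" \
    -addext "$DELEGATION_USAGE_OID=ASN1:NULL" >/dev/null 2>&1
}

# delegation_extension_der CERT.pem: the OID line and the extnValue that follows
# it in asn1parse output; a conforming extension shows OCTET STRING 0500.
delegation_extension_der() {
  openssl x509 -in "$1" -outform DER | openssl asn1parse -inform DER \
    | grep -A1 -F "$DELEGATION_USAGE_OID"
}

# Usage:
#   make_delegation_test_cert dc-test.pem keyless-dc.example.com
#   has_delegation_usage dc-test.pem        # yes
#   has_delegation_usage upload-me.pem      # check a CA-issued certificate
```

Run `has_delegation_usage` on the certificate your CA returns before uploading it: if it prints `no`, Cloudflare has nothing to key the delegated credential on and the handshake falls back to a round trip to your key server.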

---

---
title: Scaling and benchmarking
description: Cloudflare's Keyless SSL technology was designed to scale to accommodate any sized workload using vertical and horizontal scaling, and pre-computation techniques wherever possible, such as ECDSA. The goals of the architectural design of the key server are to minimize latency while maximizing signing operations per second.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Scaling and benchmarking

Cloudflare's Keyless SSL technology was designed to scale to accommodate any sized workload using vertical and horizontal scaling, and pre-computation techniques wherever possible, such as ECDSA. The goals of the architectural design of the key server are to minimize latency while maximizing signing operations per second.

Each key server uses a worker pool model: each incoming client connection is handled by its own pair of reader/writer goroutines, while the cryptographic work is done in separate worker goroutines pulled from a global pool.

Where needed, multiple key servers can be deployed and balanced between using your preferred ingress load balancing configuration. For full high availability, make sure to deploy sufficient key servers to handle twice the expected workload.

---

## Key type

Key servers support both ECDSA and RSA keys, but RSA signatures are an [order of magnitude more expensive ↗](https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/) to compute, so take the type of keys you use into account when planning the number of key servers in your deployment.

ECDSA signing can be broken down into two steps. Since the first step — generating random values (to be used later with the private key and message to be signed) — represents the majority of the computational cost, we pre-generate these random values to significantly reduce latency. ECDSA signing requests are computationally isolated from RSA signing requests using separate worker pools to keep them as fast as possible.

Additional details can be found in the [gokeyless server readme ↗](https://github.com/cloudflare/gokeyless#readme).

---

## Benchmarks

We conducted benchmarks using [Cloudflare's gokeyless bench tool ↗](https://github.com/cloudflare/gokeyless/tree/master/cmd/bench) on a then current-generation, compute-optimized EC2 instance ([c5.xlarge ↗](https://aws.amazon.com/ec2/instance-types/c5/)). This particular instance has 4 vCPUs powered by 3.0 GHz Intel Xeon processors:

```
c5$ cat /proc/cpuinfo|grep "model name"
model name  : Intel(R) Xeon(R) Platinum 8124M CPU @ 3.00GHz
model name  : Intel(R) Xeon(R) Platinum 8124M CPU @ 3.00GHz
model name  : Intel(R) Xeon(R) Platinum 8124M CPU @ 3.00GHz
model name  : Intel(R) Xeon(R) Platinum 8124M CPU @ 3.00GHz
```

By default, bench runs with one worker goroutine per core (4 here) and a maximum number of operating system threads equal to the total number of cores (in this case, `GOMAXPROCS=4`). As expected and explained above, ECDSA signature performance far exceeds that of RSA. The [results show](#results) that each core of this c5.xlarge machine can perform over 10,000 ECDSA signing operations per second and approximately 200 RSA signing operations per second.

When planning your deployment, determine the maximum number of new TLS connections per second you expect to terminate using a given key server and scale accordingly. For full high availability, each data center running keyless should be able to terminate the full workload that you anticipate.

### Results

#### ECDSA

```
c5$ bench -ski $ECDSA_SKI -op ECDSA-SHA256 -bandwidth -duration 60s
Total operations completed: 2661570
Average operation duration: 22.543µs
```

#### RSA

```
c5$ bench -ski $RSA_SKI -op RSA-SHA256 -bandwidth -duration 60s
Total operations completed: 46560
Average operation duration: 1.288659ms.
```

---

---
title: Troubleshooting
description: Review how to troubleshoot issues when using Cloudflare Keyless SSL.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Troubleshooting

## Check the logs

To check logs, use a command similar to the following.

* systemd: `sudo journalctl -f -u gokeyless`
* upstart/sysvinit: `sudo tail -f /var/log/gokeyless.log`

## Enable debug logging

To enable debug logging, use a command similar to the following.

```sh
cd /etc/keyless
sudo -u keyless gokeyless --loglevel 0
```

## Browsers are seeing a TLS connection failure after trying to connect

1. Make sure your key server is accessible from outside your network (tcp/2407).
2. Provide a packet capture: `sudo tcpdump -nni <interface> -s 0 -w keyless-$(date +%s).pcap port 2407`

## Clients are connecting, but immediately aborting

If you run `gokeyless` with debug logging enabled, and you see logs like this:

```
[DEBUG] connection 162.158.57.220:37490: reading half closed by client
[DEBUG] connection 162.158.57.220:37490: server closing connection
[DEBUG] connection 162.158.57.220:37490 removed
[DEBUG] spawning new connection: 162.158.57.220:37862
[DEBUG] connection 162.158.57.220:37862: reading half closed by client
[DEBUG] connection 162.158.57.220:37862: server closing connection
[DEBUG] connection 162.158.57.220:37862 removed
```

These logs likely indicate that the key server is not presenting an appropriate server certificate (`.pem` file), and the client is aborting the connection after the certificate exchange. The certificate must be signed by the keyless CA and its SANs must include the hostname of the key server. Here is a valid example for a key server located at `11aa40b4a5db06d4889e48e2f.example.com` (note the Subject Alternative Name and the Authority Key Identifier, which must point at the keyless CA):

```sh
openssl x509 -in server.pem -noout -text -certopt no_header,no_version,no_serial,no_signame,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_aux | sed -e 's/^        //'
```

```
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Subject Key Identifier:
        DD:24:97:F1:A9:F1:4C:73:D9:1B:44:EC:A1:C3:10:E9:F0:41:98:BB
    X509v3 Authority Key Identifier:
        keyid:29:CE:8F:F1:9D:4C:BA:DE:55:78:D7:A6:29:E9:C5:FD:1D:9D:21:48

    X509v3 Subject Alternative Name:
        DNS:11aa40b4a5db06d4889e48e2f.example.com
    X509v3 CRL Distribution Points:

        Full Name:
          URI:http://ca.cfdata.org/api/v1/crl/key_server
```
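To check a key server certificate for exactly these properties before Cloudflare's client does, here is an added example (not from the Cloudflare docs or gokeyless) built on the OpenSSL command line. `keyless_cert_check` verifies the chain against the CA bundle, the SAN match for the key server hostname, the serverAuth EKU and the validity period, and `keyless_key_matches` confirms that the private key on disk belongs to the certificate. File paths and the hostname are placeholders; the CA bundle is the one you obtained when enabling Keyless SSL.

```shell
#!/bin/sh
# Added example, not from the Cloudflare docs: pre-flight checks for the key
# server certificate. Paths and hostname are placeholders.
set -eu

# keyless_cert_check CERT CA_BUNDLE HOST
# Prints one line per check and returns 1 if any check fails, the condition
# that produces the "reading half closed by client" loop shown above.
keyless_cert_check() {
  cert=$1 ca=$2 host=$3 rc=0
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "chain: ok, issued under $ca"
  else
    echo "chain: FAIL, $cert does not chain to $ca"; rc=1
  fi
  # -checkhost applies the same SAN/CN matching rules a TLS client uses
  if openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
    echo "san:   ok, $host"
  else
    echo "san:   FAIL, $host is not in the certificate"; rc=1
  fi
  if openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null \
       | grep -q 'TLS Web Server Authentication'; then
    echo "eku:   ok, serverAuth"
  else
    echo "eku:   FAIL, no serverAuth in extendedKeyUsage"; rc=1
  fi
  if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "dates: ok, $(openssl x509 -in "$cert" -noout -enddate)"
  else
    echo "dates: FAIL, certificate has expired"; rc=1
  fi
  return $rc
}

# keyless_key_matches CERT KEY: the private key must belong to the certificate
# or the handshake fails before the client ever looks at the SAN. Compares the
# SubjectPublicKeyInfo, so it works for RSA and ECDSA alike.
keyless_key_matches() {
  cert=$1 key=$2
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Usage on a key server (placeholder paths):
#   keyless_cert_check /etc/keyless/server.pem /etc/keyless/keyless_cacert.pem \
#       11aa40b4a5db06d4889e48e2f.example.com
#   keyless_key_matches /etc/keyless/server.pem /etc/keyless/server-key.pem && echo key ok
```

A `chain: FAIL` with an otherwise correct certificate usually means the bundle passed as the second argument is not the keyless CA, or the certificate was issued by some other CA entirely; a `san: FAIL` means the hostname configured at Cloudflare does not match what the certificate carries.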

## The gokeyless binary cannot load the CA file

Ensure permissions are correct on all keys and certificates installed on the server.

## Keyless is affecting unanticipated hosts

You will need to either provide a certificate for only those hosts or change the priority of the certificate in the **SSL/TLS** app of your Cloudflare dashboard.

## Key servers on Windows

Cloudflare currently only provides packages for the supported GNU/Linux distributions listed in the [Cloudflare package repository ↗](https://pkg.cloudflare.com/).

However, the key server is open source so you may attempt to build and deploy a binary, but running on Windows is not a supported configuration so you may experience problems that Cloudflare will not be able to help with.

## Key server multi-domain support

You can use the same key server for multiple domains.

However, if you do, you will need to add the hostname and the Zone ID of the new domain to the `gokeyless.yaml` file.

## Additional questions

Contact your account team or [Cloudflare Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/).

---

---
title: Upgrade your key server
description: Periodically, you may need to update your key server when using Cloudflare's Keyless SSL.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Upgrade your key server

Periodically, you may need to update your key server when using Cloudflare's Keyless SSL.

To upgrade your key server:

1. Back up the contents of `/etc/keyless`.
2. Refresh your OS package listings, for example `apt-get update` (Debian/Ubuntu) or `yum check-update` (RHEL/CentOS).
3. Upgrade the gokeyless server:
   * Debian/Ubuntu: `apt-get install --only-upgrade gokeyless`
   * RHEL/CentOS: `yum install gokeyless`
4. Restart the keyless instance:
   * systemd: `service gokeyless restart`
   * upstart/sysvinit: `/etc/init.d/gokeyless restart`
5. Confirm that HTTPS connections are working as expected.

Warning

If you are running a [high availability configuration](https://developers.cloudflare.com/ssl/keyless-ssl/reference/high-availability/), upgrade one server at a time as new TLS connections will fail to terminate at Cloudflare's global network without a functioning key server.

---

---
title: Post-quantum cryptography (PQC)
description: Get an overview of how Cloudflare is deploying post-quantum cryptography to protect you against harvest now, decrypt later.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Post-quantum cryptography (PQC)

Post-quantum cryptography (PQC) refers to cryptographic algorithms that have been designed to resist attacks from [quantum computers ↗](https://www.cloudflare.com/learning/ssl/quantum/what-is-quantum-computing/). Cloudflare has been researching and [writing about post-quantum ↗](https://blog.cloudflare.com/tag/post-quantum/) since 2017.

To protect you against the risk of [harvest now, decrypt later attacks ↗](https://en.wikipedia.org/wiki/Harvest%5Fnow,%5Fdecrypt%5Flater), and considering all the [connections](#three-connections-in-the-life-of-a-request) that take place when your website or application is on Cloudflare, we have deployed and are actively expanding the use of [post-quantum hybrid key agreement](#hybrid-key-agreement).

Refer to [Cloudflare Radar ↗](https://radar.cloudflare.com/adoption-and-usage#post-quantum-encryption-adoption) for current statistics on the adoption of PQ encryption in requests to Cloudflare, and visit [pq.cloudflareresearch.com ↗](https://pq.cloudflareresearch.com) to check if your connection is secured using PQ key agreement.

TLS 1.3

Cloudflare post-quantum key agreements are only supported in protocols based on TLS 1.3 (including HTTP/3) and are disabled for websites in [FIPS mode](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#fips-compliance).

## Three building blocks of TLS

Before TLS can protect your communications, three cryptographic algorithms have to be agreed on during the [TLS handshake ↗](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/):

* **Symmetric ciphers:** Algorithms used to encrypt and decrypt data, ensuring confidentiality and integrity (such as `CHACHA20-POLY1305`).
* **Key agreement:** A cryptographic protocol that allows client and server to safely agree on a shared key (such as `ECDH`).
* **Signature algorithms:** Cryptographic algorithms used to generate the digital signatures in TLS certificates (such as `RSA` and `ECDSA`).

As explained in our [blog post ↗](https://blog.cloudflare.com/pq-2025/#already-post-quantum-secure-symmetric-cryptography), symmetric ciphers are already post-quantum secure, which means there are two migrations left to occur.

### Hybrid key agreement

With TLS 1.3, [X25519 ↗](https://en.wikipedia.org/wiki/Curve25519), an Elliptic Curve Diffie-Hellman (ECDH) protocol, is the most commonly used algorithm for key agreement. However, its security can be broken by quantum computers using [Shor's algorithm ↗](https://en.wikipedia.org/wiki/Shor%27s%5Falgorithm).

It is urgent to migrate key agreement to post-quantum algorithms as soon as possible. The objective is to protect against an adversary who harvests today's encrypted communications and stores them until some time in the future when they gain access to a sufficiently powerful quantum computer to decrypt them.

In response to this, Cloudflare is an early adopter of ML-KEM, the post-quantum key agreement selected by the US National Institute of Standards and Technology (NIST). For a detailed timeline and more background information refer to [State of the post-quantum Internet in 2025 ↗](https://blog.cloudflare.com/pq-2025/).

Cloudflare has deployed the following hybrid key agreements:

* [X25519MLKEM768 ↗](https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/) (Recommended)  
   * TLS identifier: `0x11ec`
* [X25519Kyber768Draft00 ↗](https://datatracker.ietf.org/doc/draft-tls-westerbaan-xyber768d00/) (Obsolete)  
   * TLS identifier: `0x6399`

A hybrid key agreement lays the groundwork as more and more [clients](#1-visitor-to-cloudflare) adopt post-quantum cryptography, while also maintaining the current security provided by X25519. It is a safer path in case of an unexpected breakthrough that renders all variants of ML-KEM insecure: the shared secret is derived from both algorithms, so an attacker has to break both.

### Post-quantum signatures

The migration to post-quantum signatures is less urgent and more involved. Cloudflare is closely following the developments of new standards, testing their performance, and working together with browsers to understand user impact.

For details refer to [A look at the latest post-quantum signature standardization candidates ↗](https://blog.cloudflare.com/another-look-at-pq-signatures/).

## Three connections in the life of a request

```mermaid
flowchart LR
    accTitle: Three connections - from visitor to Cloudflare to origin server
    accDescr: Diagram showing connections for an uncached request.
    A[Visitor]
    subgraph Cloudflare
    X[(Cloudflare <br />service A)]
    B[(Cloudflare <br />service B)]
    end
    C[(Origin server)]

    A --1--> X
    X --2--> B
    B --3--> C
```

### 1. Visitor to Cloudflare

As of [October 2022 ↗](https://blog.cloudflare.com/post-quantum-for-all/), all websites and APIs served through Cloudflare over TLS 1.3 support post-quantum hybrid key agreement. However, the connection is only post-quantum secured if the client also supports PQC.

Refer to [Post-quantum cryptography support](https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-support/) for a list of browsers and other clients that are compatible with hybrid key agreements.

### 2. Internal connections

As announced in [September 2023 ↗](https://blog.cloudflare.com/post-quantum-cryptography-ga/), most internal connections for Cloudflare's products and systems have been upgraded to use PQC.

### 3. Cloudflare to your origin

Finally, Cloudflare also supports [hybrid key agreements](#hybrid-key-agreement) when connecting to origins. In this case, post-quantum secured connections will depend on the origin servers also supporting PQC. Customers can also configure connections to origin servers via [PQ Cloudflare Tunnel](https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-and-zero-trust/).

Refer to [Post-quantum cryptography between Cloudflare and origin servers](https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-to-origin/) for details.
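To see which key agreement a server actually negotiates, whether the Cloudflare edge in front of a zone (connection 1) or your own origin (connection 3), the added example below (not Cloudflare's code) drives `openssl s_client` and classifies the `Negotiated TLS1.3 group` line against the two identifiers listed under Hybrid key agreement. The live probe needs OpenSSL 3.5 or later, the first release that knows `X25519MLKEM768`; on an older OpenSSL the handshake is never attempted with that group and the probe reports that no group was negotiated. The sample output embedded in the block is constructed, not captured from a real server, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Cloudflare's code: find out which TLS 1.3 key agreement a
# server negotiates and whether it is one of the hybrids listed on this page.
set -eu

# classify_group NAME: what the negotiated group means for harvest-now,
# decrypt-later protection, using the identifiers from the list above.
classify_group() {
  case "$1" in
    X25519MLKEM768)        echo "post-quantum hybrid (0x11ec)" ;;
    X25519Kyber768Draft00) echo "obsolete draft hybrid (0x6399), upgrade the client" ;;
    '')                    echo "no TLS 1.3 group negotiated (handshake failed, or this OpenSSL does not know the hybrid group)" ;;
    *)                     echo "classical only ($1), not protected against harvest now, decrypt later" ;;
  esac
}

# negotiated_group: read s_client output on stdin, print the negotiated group
# (empty if the line is absent, for example after a failed handshake).
negotiated_group() {
  sed -n 's/^Negotiated TLS1.3 group: //p' | head -n 1
}

# probe_pq HOST [PORT]: offer the hybrid first and X25519 as fallback, so the
# answer shows whether the server picks PQ when the client supports it. Point
# it at your origin's address to test connection 3, or at a zone's hostname
# for connection 1. Needs OpenSSL 3.5+ for the X25519MLKEM768 group name.
probe_pq() {
  host=$1 port=${2:-443}
  group=$(openssl s_client -connect "$host:$port" -servername "$host" -tls1_3 \
            -groups X25519MLKEM768:X25519 </dev/null 2>/dev/null | negotiated_group || true)
  printf '%s:%s -> %s\n' "$host" "$port" "$(classify_group "$group")"
}

# Constructed sample of the relevant s_client lines, for offline use of the
# parser; it is not output captured from a real server.
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
Verification: OK
Negotiated TLS1.3 group: X25519MLKEM768
Protocol: TLSv1.3
Cipher: TLS_AES_256_GCM_SHA384'

# sample_classification: run the parser and classifier over the sample above.
sample_classification() {
  classify_group "$(printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | negotiated_group)"
}

# Usage:
#   probe_pq www.example.com          # zone fronted by Cloudflare (connection 1)
#   probe_pq origin.example.net 443   # your origin directly (connection 3)
```

A result of `classical only (X25519)` against your origin means connection 3 will not be post-quantum secured even though Cloudflare offers the hybrid; upgrading the origin's TLS stack, or switching to PQ Cloudflare Tunnel as described above, closes that gap.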

## Protect corporate network traffic

With [Zero Trust](https://developers.cloudflare.com/cloudflare-one/), Cloudflare allows organizations to upgrade their sensitive network traffic to PQC without the hassle of individually upgrading each and every corporate application, system, or network connection. Refer to [Post-quantum cryptography in Cloudflare's Zero Trust platform](https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-and-zero-trust/) for details.

---

---
title: Post-quantum cryptography in Cloudflare One
description: Cloudflare One replaces legacy corporate security perimeters with Cloudflare's global network, making access to the Internet and to corporate resources faster and safer for teams around the world.
image: https://developers.cloudflare.com/core-services-preview.png
---

# Post-quantum cryptography in Cloudflare One

[Cloudflare One](https://developers.cloudflare.com/cloudflare-one/) replaces legacy corporate security perimeters with Cloudflare's global network, making access to the Internet and to corporate resources faster and safer for teams around the world.

Organizations can obtain end-to-end post-quantum encryption of their private network traffic by sending it over Cloudflare One's post-quantum on-ramps and off-ramps. This protects traffic with post-quantum encryption to prevent [harvest-now, decrypt-later ↗](https://en.wikipedia.org/wiki/Harvest%5Fnow,%5Fdecrypt%5Flater) attacks, even if the individual applications are not yet upgraded to post-quantum encryption. In a harvest-now, decrypt-later attack, an adversary harvests data now and decrypts it in the future, when more powerful quantum computers come online.

Post-quantum encryption is offered in all major Cloudflare One network configurations, including the following on-ramps:

* Clientless (browser-only)
* [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) (on the end-user device)
* [Cloudflare IPsec](https://developers.cloudflare.com/cloudflare-wan/reference/gre-ipsec-tunnels/) on-ramp

And off-ramps:

* [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) off-ramp (using `cloudflared`)
* Cloudflare IPsec off-ramp

For traffic that egresses to the public Internet, [Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) also provides post-quantum encryption as a Secure Web Gateway (SWG).

All of these network configurations use the post-quantum key agreement algorithm ML-KEM-768 deployed alongside classical Elliptic Curve Diffie-Hellman (ECDH), where the symmetric key used to encrypt network traffic is derived by mixing the results of the ML-KEM key agreement and the ECDH key agreement. This is also known as hybrid ML-KEM. In this hybrid approach, ML-KEM provides protection against quantum harvest-now, decrypt-later attacks, while ECDH provides protection against non-quantum adversaries.

![Overview diagram of post-quantum Cloudflare One network configurations showing on-ramps and off-ramps](https://developers.cloudflare.com/_astro/pqc-cloudflare-one-overview.CrgyHBvK_1Roi0u.webp) 

The following sections describe a few network configurations in detail.

## Agentless Cloudflare Access

You can use [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) [self-hosted applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) in an agentless configuration to protect your organization's Internet traffic to internal web applications. Refer to the [learning path](https://developers.cloudflare.com/learning-paths/clientless-access/initial-setup/) for detailed guidance.

Even if the applications themselves have not yet migrated to post-quantum (PQ) cryptography, they will be protected against quantum threats.

![Diagram of how post-quantum cryptography works in clientless connections to Access applications](https://developers.cloudflare.com/_astro/pqc-clientless-access.DXk-bG1f_V78if.webp) 

Here is how it works today:

**1. PQ connection via browser**

As long as the end-user uses a modern web browser that supports post-quantum key agreement (for example, Chrome, Edge, or Firefox), the connection from the device to Cloudflare's network is secured via TLS 1.3 with post-quantum key agreement.

**2. PQ within Cloudflare's global network**

If the user and origin server are geographically distant, then the user's traffic will enter Cloudflare's global network in one geographic location (such as Frankfurt), and exit at another (such as San Francisco). As this traffic moves from one data center to another inside Cloudflare's global network, these hops through the network are secured via TLS 1.3 with post-quantum key agreement.

**3. PQ Cloudflare Tunnel**

Customers establish a [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) from their data center or public cloud — where their corporate web application is hosted — to Cloudflare's network. This tunnel is secured using TLS 1.3 with post-quantum key agreement, safeguarding it from [harvest now, decrypt later attacks ↗](https://en.wikipedia.org/wiki/Harvest%5Fnow,%5Fdecrypt%5Flater).

Putting it together, Cloudflare Access can provide end-to-end quantum safety for accessing corporate HTTPS applications, without requiring customers to upgrade the security of corporate web applications.

## Cloudflare One Client

[Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) (formerly WARP) tunnels traffic over a post-quantum (PQ) MASQUE tunnel using TLS 1.3 with hybrid ML-KEM from the end-user device to Cloudflare's global network. The following is an example network configuration with a Cloudflare One Client on-ramp and a Cloudflare Tunnel off-ramp.

![Diagram of post-quantum network configuration using Cloudflare One Client on-ramp and Cloudflare Tunnel off-ramp](https://developers.cloudflare.com/_astro/pqc-cloudflare-one-client.pe3Q9Nr9_24LYKc.webp) 

_Note: Labels in this image may reflect a previous product name._

**1\. PQ connection via Cloudflare One Client**

The Cloudflare One Client uses the MASQUE protocol to connect from the device to Cloudflare's global network, using TLS 1.3 with hybrid ML-KEM.

**2\. PQ within Cloudflare's global network**

If the user and origin server are geographically distant, then the user's traffic will enter Cloudflare's global network in one geographic location (such as Frankfurt), and exit at another (such as San Francisco). As this traffic moves from one data center to another inside Cloudflare's global network, these hops through the network are secured via TLS 1.3 with post-quantum key agreement.

**3\. PQ Cloudflare Tunnel**

[Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) already supports post-quantum key agreement.

With this network configuration, traffic is encapsulated in post-quantum encrypted tunnels, effectively mitigating the risk of harvest-now, decrypt-later attacks without requiring individual upgrades of networks or applications. This provides comprehensive protection for any protocol that can be sent through these tunnels, not just for HTTPS.

## Cloudflare IPsec

The following is a sample network configuration that uses the Cloudflare One Client on-ramp to connect an end-user device to a server behind a [Cloudflare One Appliance](https://developers.cloudflare.com/cloudflare-wan/configuration/appliance/) off-ramp. Traffic to the server is protected by post-quantum cryptography as it travels over the public Internet, even if the server itself does not support post-quantum cryptography.

![Diagram of post-quantum network configuration using Cloudflare One Client on-ramp to Cloudflare One Appliance off-ramp](https://developers.cloudflare.com/_astro/pqc-cloudflare-ipsec.5IiyHdoZ_Z94W71.webp) 

**1\. PQ connection via Cloudflare One Client**

The Cloudflare One Client uses the MASQUE protocol to connect from the device to Cloudflare's global network, using TLS 1.3 with hybrid ML-KEM.

**2\. PQ within Cloudflare's global network**

The traffic then travels across Cloudflare's global network over TLS 1.3 with hybrid ML-KEM.

**3\. PQ Cloudflare IPsec with Cloudflare One Appliance**

Traffic leaves the Cloudflare network over a post-quantum Cloudflare IPsec link that is terminated at a Cloudflare One Appliance. The Cloudflare One Appliance uses a non-IKE keying protocol built into the control plane, secured with TLS, that establishes the keys used to encrypt dataplane traffic in the IPsec ESP protocol. From Appliance version 2026.2.0, the control plane establishes keys over TLS 1.3 protected with hybrid ML-KEM.

## Secure Web Gateway

A [secure web gateway (SWG) ↗](https://www.cloudflare.com/learning/access-management/what-is-a-secure-web-gateway/) is used to secure access to third-party websites on the public Internet by intercepting and inspecting TLS traffic.

[Cloudflare Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/) is now a [quantum-safe SWG for HTTPS traffic](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/tls-decryption/#post-quantum-support). As long as the third-party website that is being inspected supports post-quantum key agreement, then Cloudflare's SWG also supports post-quantum key agreement. This is true regardless of the on-ramp that you use to get to Cloudflare's network, and only requires the use of a browser that supports post-quantum key agreement.

![Diagram of how post-quantum cryptography works with Cloudflare's Secure Web Gateway](https://developers.cloudflare.com/_astro/pqc-secure-web-gateway.Br-ATUfe_146I1p.webp) 

Cloudflare Gateway's HTTPS filtering feature involves two post-quantum TLS connections, as follows:

**1\. PQ connection via browsers**

A TLS connection is initiated from the user's browser to a data center in Cloudflare's network that performs the TLS inspection. As long as the end-user uses a modern web browser that supports post-quantum key agreement (for example, Chrome, Edge, or Firefox), this connection is secured by TLS 1.3 with post-quantum key agreement.

Any traffic that on-ramps to the SWG via the Cloudflare One Client is protected with hybrid ML-KEM, even if the web browser itself does not yet support post-quantum cryptography. This is due to the post-quantum MASQUE tunnel that the Cloudflare One Client establishes to Cloudflare's global network. The same is true of traffic that on-ramps to the SWG using the Cloudflare One Appliance, which establishes a Cloudflare IPsec tunnel protected by post-quantum encryption.

**2\. PQ connection to the origin server**

A TLS connection is initiated from a data center in Cloudflare's network to the origin server, which is typically controlled by a third party. The connection from Cloudflare's SWG currently supports post-quantum key agreement, as long as the third party's origin server also already supports post-quantum key agreement. You can test this out by using [https://pq.cloudflareresearch.com/ ↗](https://pq.cloudflareresearch.com/) as your third-party origin server.


---

---
title: PQC support
description: Consider information about post-quantum cryptography at Cloudflare - deployed key agreements and software support.
image: https://developers.cloudflare.com/core-services-preview.png
---


# PQC support

Cloudflare's deployment of post-quantum [hybrid key agreements](https://developers.cloudflare.com/ssl/post-quantum-cryptography/#hybrid-key-agreement) is supported by different software as listed below. [Contributions](https://developers.cloudflare.com/style-guide/contributions/) to keep the listing up-to-date are welcome.

Warning

The list below is for reference only. Responsibility for third-party software lies with their respective maintainers. Use them at your own discretion.

## X25519MLKEM768

* Default for [Firefox 132+ ↗](https://www.mozilla.org/firefox/) (Desktop) and Firefox 145+ (Android)  
   * For QUIC/HTTP3, use Firefox 135+ (Desktop)
* Default for [Chrome 131+ ↗](https://www.google.com/chrome/)
* Default for [Safari 26+ ↗](https://www.apple.com/safari/)  
   * System-wide support in iOS 26, macOS Tahoe 26, and other [Apple operating systems ↗](https://support.apple.com/122756)
* Default for [Edge 131+ ↗](https://microsoft.com/edge/)
* Default for recent [Opera ↗](https://opera.com) and [Brave ↗](https://brave.com)
* Default for [Tor Browser 15.0+ ↗](https://www.torproject.org/)
* Cloudflare's [fork of Go ↗](https://github.com/cloudflare/go)
* Default for [Go 1.24+ ↗](https://go.dev/doc/go1.24#cryptotlspkgcryptotls)
* Default for [OpenSSL 3.5.0+ ↗](https://www.openssl.org/)
* Default for [Node 24.5.0+ ↗](https://nodejs.org/) and 22.20.0+ ([backported ↗](https://nodejs.org/en/blog/release/v22.20.0#openssl-updated-to-352))
* [BoringSSL ↗](https://boringssl.googlesource.com/boringssl/)
* [GnuTLS ↗](https://www.gnutls.org)  
   * 3.8.9+ compiled with leancrypto 1.2.0+  
   * 3.8.8-3.8.9 compiled with liboqs 0.11.0+
* [rustls 0.23.22+ ↗](https://crates.io/crates/rustls)
* Default for [rpxy 0.9.4+ ↗](https://github.com/junkurihara/rust-rpxy)
* Default for [NGINX ↗](https://github.com/nginx/nginx) compiled with OpenSSL 3.5+ ([instructions ↗](https://github.com/nginx/nginx/issues/288))
* [Open Quantum Safe ↗](https://openquantumsafe.org/)  
   * C library: liboqs 0.10.0+  
   * OpenSSL provider: oqs-provider 0.7.0+
* [Zig 0.14.0+ ↗](https://ziglang.org/) (client)
* Default for [Caddy HTTP server 2.10.0+ ↗](https://caddyserver.com/)
* [Traefik ↗](https://traefik.io/traefik/)  
   * Default for 3.4.2+, 2.11.26+ ([commit ↗](https://github.com/traefik/traefik/commit/cd16321dd9c25bb47a2e9417b2a4a75959be63d0))  
   * Configurable with `curvePreferences` in [3.5.0-rc.1+ ↗](https://github.com/traefik/traefik/releases/tag/v3.5.0-rc1)
* [Botan C++ library 3.7.0+ ↗](https://botan.randombit.net/)

## X25519Kyber768Draft00

* Default for [Chrome 124-130 ↗](https://www.google.com/chrome/) on Desktop  
   * For older Chrome or on mobile, toggle _TLS 1.3 hybridized Kyber support_ (`enable-tls13-kyber`) in `chrome://flags`.
* Default for [Edge 124-130 ↗](https://microsoft.com/edge/)
* [Firefox 124-131 ↗](https://www.mozilla.org/firefox) if you turn on `security.tls.enable_kyber` in `about:config`  
   * For QUIC/HTTP3, use Firefox 128+ with `network.http.http3.enable_kyber`.
* Cloudflare's [fork of Go ↗](https://github.com/cloudflare/go)
* Default for [Go 1.23 ↗](https://github.com/golang/go/issues/67061)
* [BoringSSL ↗](https://boringssl.googlesource.com/boringssl/)
* [GnuTLS ↗](https://www.gnutls.org)  
   * 3.8.8-3.8.9 compiled with liboqs 0.11.0+  
   * 3.8.7 compiled with liboqs 0.10.1+
* Cloudflare's [fork of QUIC-go ↗](https://github.com/cloudflare/qtls-pq)
* Goutam Tamvada's [fork of Firefox ↗](https://github.com/xvzcf/firefox-pq-demos)
* [Open Quantum Safe ↗](https://openquantumsafe.org/)  
   * C library: liboqs 0.5.0+  
   * OpenSSL provider: oqs-provider 0.5.0-0.8.0
* [Zig 0.11.0-0.13.0 ↗](https://ziglang.org/) (client)
* [nginx ↗](https://www.nginx.org/) when [compiled with BoringSSL ↗](https://mailman.nginx.org/pipermail/nginx/2023-August/NOISOYU3QTB2DGIYUBGF7CAMQHDI2QLT.html) ([guide ↗](https://blog.centminmod.com/2023/10/03/2860/how-to-enable-cloudflare-post-quantum-x25519kyber768-key-exchange-support-in-centmin-mod-nginx/))
* [Botan C++ library 3.2.0+ ↗](https://botan.randombit.net/) ([instructions ↗](https://github.com/randombit/botan/discussions/3747))


---

---
title: Post-quantum between Cloudflare and origin servers
description: Learn about post-quantum cryptography in connections from Cloudflare to your origin servers.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Post-quantum between Cloudflare and origin servers

As explained in [About PQC](https://developers.cloudflare.com/ssl/post-quantum-cryptography/), Cloudflare has deployed support for hybrid key agreements, which includes both the most common key agreement for TLS 1.3, X25519, and the post-quantum secure ML-KEM.

With X25519, the [ClientHello ↗](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/) almost always fits within one network packet. However, with the addition of ML-KEM, the ClientHello is typically split across two packets.

This raises the question of how origin servers - as well as other middleboxes (routers, load balancers, etc.) - will handle this change in behavior. Although allowed by the TLS 1.3 standard ([RFC 8446 ↗](https://www.rfc-editor.org/rfc/rfc8446.html)), a split ClientHello risks not being handled well due to [protocol ossification ↗](https://en.wikipedia.org/wiki/Protocol%5Fossification) and implementation bugs. Refer to our [blog post ↗](https://blog.cloudflare.com/post-quantum-to-origins/) for details.

Customers can also configure connections to origin servers via [PQ Cloudflare Tunnel](https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-and-zero-trust/).

## ClientHello from Cloudflare

To reduce the risk of any issues when connecting to servers that are not ready for hybrid key agreements, Cloudflare leverages HelloRetryRequest. This means that, instead of sending [X25519MLKEM768](https://developers.cloudflare.com/ssl/post-quantum-cryptography/#hybrid-key-agreement) immediately as a keyshare [1](#user-content-fn-1), Cloudflare will by default only advertise support for it.

If the origin supports post-quantum hybrid key agreement, it can use HelloRetryRequest to request it from Cloudflare.

## Set up

### Cloudflare zone settings

The method described above is the one Cloudflare uses to support post-quantum to all outbound connections. However, if your origin server supports PQC and prefers it, you can use the [API](https://developers.cloudflare.com/api/resources/origin%5Fpost%5Fquantum%5Fencryption/methods/update/) to adjust your Cloudflare zone settings and avoid the extra round trip.

It is also possible to opt out of PQC using the same API endpoint.

Note

This setting affects all outbound connections from the zone you specify in the API call, including `fetch()` requests made by [Workers](https://developers.cloudflare.com/workers/) on your zone.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Zone Settings Write`
* `Zone Write`

Change Origin Post-Quantum Encryption setting

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/cache/origin_post_quantum_encryption" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "value": "<YOUR_CHOSEN_SETTING>"
  }'
```

The possible values are:

* `supported` (most compatible): Advertise support for post-quantum key agreement, but send a classical keyshare in the first ClientHello.
* `preferred` (most performant): Send a post-quantum keyshare in the first ClientHello. Cloudflare continues to advertise support for classical keyshares as well.
* `off`: Do not send nor advertise support for post-quantum key agreement to the origin.
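To see what these three settings mean on the wire, here is an added Python example (not Cloudflare's code) that builds a minimal TLS 1.3 ClientHello with a chosen `supported_groups` list and `key_share` set, parses it back, and classifies it as `supported`, `preferred`, or `off` using the same logic: a post-quantum group in `key_share` means `preferred`, a post-quantum group advertised only in `supported_groups` means `supported` (the origin must HelloRetryRequest to get a post-quantum share), and neither means `off`. The group identifiers are the IANA values; the key shares are filled with random bytes of the right length rather than real public keys.

```python
"""Added example: classify a TLS 1.3 ClientHello by the post-quantum groups it
advertises (supported_groups) versus those it already sends a key share for
(key_share).  Constructed for this page; not Cloudflare's code."""
import os
import struct

# TLS supported_groups identifiers (IANA registry / draft code points).
X25519 = 0x001D
SECP256R1 = 0x0017
X25519MLKEM768 = 0x11EC          # hybrid X25519 + ML-KEM-768
X25519KYBER768DRAFT00 = 0x6399   # earlier hybrid draft listed on this page
PQ_GROUPS = {X25519MLKEM768, X25519KYBER768DRAFT00}

# Client key-share sizes in bytes: the hybrid share is 1184 (ML-KEM-768
# encapsulation key) + 32 (X25519 public key).
SHARE_LEN = {X25519: 32, SECP256R1: 65,
             X25519MLKEM768: 1216, X25519KYBER768DRAFT00: 1216}

EXT_SUPPORTED_GROUPS = 0x000A
EXT_KEY_SHARE = 0x0033
EXT_SUPPORTED_VERSIONS = 0x002B


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(advertised, shares):
    """Return a TLS record containing a minimal TLS 1.3 ClientHello.

    `advertised` becomes the supported_groups list; each group in `shares`
    gets a key_share entry filled with random bytes of the correct length
    (placeholder data, not a real public key).
    """
    groups = b"".join(struct.pack("!H", g) for g in advertised)
    key_shares = b"".join(
        struct.pack("!HH", g, SHARE_LEN[g]) + os.urandom(SHARE_LEN[g]) for g in shares)
    extensions = (
        _ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")              # TLS 1.3 only
        + _ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", len(groups)) + groups)
        + _ext(EXT_KEY_SHARE, struct.pack("!H", len(key_shares)) + key_shares))
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                 # legacy version, random, empty session id
            + b"\x00\x02\x13\x01"                                   # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                           # null compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def analyze_client_hello(record):
    """Parse the record and report advertised groups, key shares, sizes and the
    origin setting (`supported`, `preferred`, `off`) the ClientHello corresponds to."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                                    # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                                  # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
    pos += 1 + record[pos]                                  # compression methods
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    advertised, shares, key_share_bytes = [], [], 0
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SUPPORTED_GROUPS:
            n = struct.unpack("!H", data[:2])[0]
            advertised = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif etype == EXT_KEY_SHARE:
            key_share_bytes = elen
            n = struct.unpack("!H", data[:2])[0]
            i = 2
            while i < 2 + n:
                group, length = struct.unpack("!HH", data[i:i + 4])
                shares.append(group)
                i += 4 + length
    if PQ_GROUPS & set(shares):
        mode = "preferred"      # PQ share sent up front; no extra round trip needed
    elif PQ_GROUPS & set(advertised):
        mode = "supported"      # origin has to HelloRetryRequest to obtain a PQ share
    else:
        mode = "off"
    return {"advertised": advertised, "shares": shares, "pq_mode": mode,
            "key_share_bytes": key_share_bytes, "record_bytes": len(record)}


if __name__ == "__main__":
    for label, shares in (("supported", [X25519]), ("preferred", [X25519MLKEM768, X25519])):
        print(label, analyze_client_hello(build_client_hello([X25519MLKEM768, X25519], shares)))
```

Running it shows the size difference the page describes: with only an X25519 share the whole record is about 110 bytes, while a `preferred`-style hello carries a key_share extension of over 1,200 bytes on its own. A real browser or Cloudflare ClientHello also carries SNI, ALPN, signature algorithms and other extensions, which is what pushes it past a single packet.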

### Origin server

To make sure that your origin server prefers the post-quantum key agreement, use the `bssl` tool of [BoringSSL ↗](https://github.com/google/boringssl):

Terminal window

```
$ bssl client -connect (your server):443 -curves X25519MLKEM768
```

Verify that the `ECDHE curve` in the handshake output indicates `X25519MLKEM768`.

## Footnotes

1. A keyshare is the public key material a client sends speculatively in its first message, guessing which key agreement the server supports, in order to save a round trip. [↩](#user-content-fnref-1)


---

---
title: Troubleshooting
description: For FAQs and other troubleshooting information, refer to the following resources:
image: https://developers.cloudflare.com/core-services-preview.png
---


# Troubleshooting

For FAQs and other troubleshooting information, refer to the following resources:


* [Troubleshooting client certificates](https://developers.cloudflare.com/ssl/client-certificates/troubleshooting/)
* [Troubleshooting - Cipher suites — Edge certificates](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/troubleshooting/)
* [Total TLS error messages](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/error-messages/)
* [Troubleshooting Domain Control Validation](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/troubleshooting/)
* [Troubleshooting | Custom certificates](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/troubleshooting/)
* [Troubleshooting Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/troubleshooting/)
* [SSL/TLS FAQ](https://developers.cloudflare.com/ssl/faq/)
* [Troubleshooting Keyless SSL](https://developers.cloudflare.com/ssl/keyless-ssl/troubleshooting/)
* [Troubleshooting Cloudflare origin CA](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/troubleshooting/)
* [Cloudflare and CVE-2019-1559](https://developers.cloudflare.com/ssl/reference/cloudflare-and-cve-2019-1559/)
* [General SSL errors](https://developers.cloudflare.com/ssl/troubleshooting/general-ssl-errors/)
* [Mixed content errors](https://developers.cloudflare.com/ssl/troubleshooting/mixed-content-errors/)
* [ERR\_TOO\_MANY\_REDIRECTS](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/)
* [Fix VERSION\_OR\_CIPHER\_MISMATCH](https://developers.cloudflare.com/ssl/troubleshooting/version-cipher-mismatch/)


---

---
title: General SSL errors
description: Learn how to troubleshoot various SSL/TLS errors with Cloudflare.
image: https://developers.cloudflare.com/core-services-preview.png
---


# General SSL errors

## Let's Encrypt chain update

### Symptom

Starting September 9, 2024, visitors that try to connect to your website using older devices - for example, Android 7.0 and earlier - have access problems or reach security warnings.

### Resolution

The fastest way to resolve this issue is to change your certificate to use [Google Trust Services](https://developers.cloudflare.com/ssl/reference/certificate-authorities/#google-trust-services) as the certificate authority.

## Outdated browsers

### Symptom

Until Cloudflare provides an SSL certificate for your domain, the following errors may appear in various browsers for HTTPS traffic:

* **Firefox**: `_ssl_error_bad_cert_domain` / `This connection is untrusted`
* **Chrome**: `Your connection is not private`
* **Safari**: `Safari can't verify the identity of the website`
* **Edge / Internet Explorer**: `There is a problem with this website's security certificate`

### Resolution

Even with a Cloudflare SSL certificate provisioned for your domain, older browsers display errors about untrusted SSL certificates because they do not [support the Server Name Indication (SNI) protocol ↗](https://en.wikipedia.org/wiki/Server%5FName%5FIndication#Support) used by Cloudflare Universal SSL certificates.

To solve, [determine if the browser supports SNI ↗](https://caniuse.com/#feat=sni). If not, upgrade your browser.

Note

It is possible for [Cloudflare Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/) to enable non-SNI support for paid plans using any certificate.

---

## Only some of your subdomains return SSL errors

### Symptom

[Cloudflare Universal SSL certificates](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl) only cover the apex domain (`example.com`) and one level of subdomains (`blog.example.com`). If visitors to your domain observe errors accessing a second level of subdomains in their browser (such as `dev.www.example.com`) but not the first level of subdomains, resolve the issue using one of the following methods.

### Resolution

* Purchase an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager) that covers `dev.www.example.com`.
* Upload a [Custom SSL certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates) that covers `dev.www.example.com`.
* Enable [Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls).
* If you have a valid certificate for the second level subdomains at your origin web server, change the DNS record for `dev.www` to [DNS Only (grey cloud)](https://developers.cloudflare.com/dns/proxy-status/).

---

## Your Cloudflare Universal SSL certificate is not active

### Symptom

All active Cloudflare domains are provided a [Universal SSL certificate](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl). If you observe SSL errors and do not have a certificate of **Type** _Universal_ within the **Edge Certificates** tab of the Cloudflare **SSL/TLS** app for your domain, the Universal SSL certificate has not yet provisioned.

Our SSL vendors verify each SSL certificate request before Cloudflare can issue a certificate for a domain name. This process may take anywhere from 15 minutes to 24 hours. Our SSL certificate vendors sometimes flag a domain name for additional review.

### Resolution

#### No Universal certificate

If your Cloudflare SSL certificate is not issued within 24 hours of Cloudflare domain activation:

* If your origin web server has a valid SSL certificate, [temporarily pause Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/pause-cloudflare/), and
* [Contact Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/) and provide a screenshot of the errors.

Temporarily pausing Cloudflare will allow the HTTPS traffic to be served properly from your origin web server while the support team investigates the issue.

#### Full DNS setup

If your domain is on a [full setup](https://developers.cloudflare.com/dns/zone-setups/full-setup/), review your DNS records.

Cloudflare SSL/TLS certificates only apply for traffic [proxied through Cloudflare](https://developers.cloudflare.com/dns/proxy-status/). If SSL errors only occur for hostnames not proxied to Cloudflare, proxy those hostnames through Cloudflare.

#### Partial DNS setup

If your domain is on a [CNAME setup (partial)](https://developers.cloudflare.com/dns/zone-setups/partial-setup/), confirm whether you have CAA DNS records enabled at your current hosting provider. If so, ensure you [specify the Certificate Authorities that Cloudflare uses](https://developers.cloudflare.com/ssl/edge-certificates/caa-records/) to provision certificates for your domain.

---

## OCSP response error

### Symptom

Visitors to your site observe an OCSP response error.

### Resolution

This error is either caused by the browser version or an issue requiring attention by one of Cloudflare’s SSL vendors. In order to properly diagnose, [contact Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/) with the following information provided by the visitor that observes the browser error:

1. The output from [https://aboutmybrowser.com/ ↗](https://aboutmybrowser.com/) .
2. The output of `https://<YOUR_DOMAIN>/cdn-cgi/trace` from the visitor’s browser.

---

## Incorrect HSTS headers

### Symptom

The HSTS headers (`Strict-Transport-Security` and `X-Content-Type-Options`) in the response do not match the configuration settings defined in your [HSTS settings](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/).

### Resolution

You may have configured [Response Header Transform Rules](https://developers.cloudflare.com/rules/transform/response-header-modification) that are overriding the HSTS header values defined in the **SSL/TLS** app.

1. In the Cloudflare dashboard, go to the Rules **Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/rules/overview)
2. Under **Response Header Transform Rules**, search for a rule setting the value of one of the HSTS headers (`Strict-Transport-Security` or `X-Content-Type-Options`).
3. Delete (or edit) the rule so that the HSTS configuration settings defined in the **SSL/TLS** app are applied.
4. Repeat this procedure for the other HSTS header.
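Before hunting for the overriding rule, it helps to confirm exactly which header values differ from what you configured. The following added Python example (not Cloudflare's code) parses the `Strict-Transport-Security` directives and the `X-Content-Type-Options` header from a captured response and lists every mismatch against the settings you expect. The `expected` dictionary keys (`max_age`, `include_subdomains`, `preload`, `no_sniff`) are this example's own names for the HSTS options, not API field names, and the sample response headers are constructed.

```python
"""Added example: compare the HSTS-related headers in a captured response with
the values you configured.  Not Cloudflare's code; the `expected` keys are this
example's own names for the settings, not API field names."""


def parse_hsts(header_value: str) -> dict:
    """Turn `max-age=31536000; includeSubDomains; preload` into a dict of directives.
    Flag directives map to True; valued ones keep their (unquoted) string value."""
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if value else True
    return directives


def hsts_mismatches(response_headers: dict, expected: dict) -> list:
    """Return human-readable mismatches between the response and `expected`.

    expected = {"max_age": int, "include_subdomains": bool,
                "preload": bool, "no_sniff": bool}
    """
    headers = {k.lower(): v for k, v in response_headers.items()}   # header names are case-insensitive
    problems = []
    sts = headers.get("strict-transport-security")
    if sts is None:
        problems.append("Strict-Transport-Security header is missing")
    else:
        d = parse_hsts(sts)
        try:
            max_age = int(d.get("max-age", -1))
        except (TypeError, ValueError):
            max_age = -1                                                # malformed or absent max-age
        if max_age != expected["max_age"]:
            problems.append(f"max-age is {d.get('max-age')!r}, expected {expected['max_age']}")
        has_sub = "includesubdomains" in d
        if has_sub != expected["include_subdomains"]:
            problems.append(f"includeSubDomains is {'present' if has_sub else 'absent'}, "
                            f"expected {'present' if expected['include_subdomains'] else 'absent'}")
        has_preload = "preload" in d
        if has_preload != expected["preload"]:
            problems.append(f"preload is {'present' if has_preload else 'absent'}, "
                            f"expected {'present' if expected['preload'] else 'absent'}")
    nosniff = str(headers.get("x-content-type-options", "")).strip().lower() == "nosniff"
    if nosniff != expected["no_sniff"]:
        problems.append(f"X-Content-Type-Options nosniff is {'present' if nosniff else 'absent'}, "
                        f"expected {'present' if expected['no_sniff'] else 'absent'}")
    return problems


# Constructed sample: the response carries a shorter max-age than configured and
# lacks the nosniff header, as if a Response Header Transform Rule had overridden them.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=86400; includeSubDomains",
}
CONFIGURED = {"max_age": 31536000, "include_subdomains": True, "preload": False, "no_sniff": True}

if __name__ == "__main__":
    for problem in hsts_mismatches(SAMPLE_RESPONSE_HEADERS, CONFIGURED):
        print("mismatch:", problem)
```

Feed it the headers from `curl -sI https://<YOUR_DOMAIN>/` (or from your browser's network panel); an empty list means the response matches your configuration and the issue lies elsewhere.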

---

## Other errors

### Symptom

You are getting the error `NET::ERR_CERT_COMMON_NAME_INVALID` in your browser.

### Resolution

* Make sure that you are using a browser that supports [SNI (Server Name Indication) ↗](https://www.cloudflare.com/learning/ssl/what-is-sni/). Refer to [Browser compatibility](https://developers.cloudflare.com/ssl/reference/browser-compatibility/) for more details.
* Ensure that the hostname you are accessing is set to [proxied (orange cloud)](https://developers.cloudflare.com/dns/proxy-status/) in the DNS tab of your Cloudflare Dashboard.
* If the hostname you are accessing is a second level subdomain (such as `dev.www.example.com`), you'll need to either:  
   * Purchase an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager) that covers `dev.www.example.com`.  
   * Upload a [Custom SSL certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates) that covers `dev.www.example.com`.  
   * Enable [Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls)
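The second-level subdomain case above, and the same one under "Only some of your subdomains return SSL errors", both come down to how a wildcard name on a certificate is matched: `*.example.com` stands for exactly one DNS label, so it covers `blog.example.com` but not `dev.www.example.com`. The following added Python example (not Cloudflare's code) implements that rule so you can check a list of hostnames against the names on a certificate before visitors hit `NET::ERR_CERT_COMMON_NAME_INVALID`. The `UNIVERSAL_SSL_NAMES` list is a constructed stand-in with the shape this page describes (apex plus one level of subdomains), and `fetch_cert_names` is an optional network helper that reads the names a server actually presents.

```python
"""Added example: check whether certificate names cover a hostname, using the
single-label wildcard rule browsers apply.  Not Cloudflare's code."""
import socket
import ssl


def name_covers(cert_name: str, hostname: str) -> bool:
    """True if `cert_name` (a SAN entry such as `*.example.com`) matches `hostname`."""
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = hostname.lower().rstrip(".").split(".")
    if len(pattern) != len(labels):
        return False                      # a wildcard never stands for more than one label
    if "*" in cert_name:
        # Only a leading, whole-label wildcard is honoured, and never for a bare TLD.
        if pattern[0] != "*" or len(pattern) < 3 or any("*" in p for p in pattern[1:]):
            return False
        return pattern[1:] == labels[1:]
    return pattern == labels


def uncovered_hostnames(cert_names, hostnames):
    """Return the hostnames that no name in `cert_names` covers."""
    return [h for h in hostnames if not any(name_covers(n, h) for n in cert_names)]


# Constructed stand-in with the shape of a Universal SSL certificate as this page
# describes it: the apex plus one level of subdomains.  Not a real certificate.
UNIVERSAL_SSL_NAMES = ["example.com", "*.example.com"]


def fetch_cert_names(host: str, port: int = 443, timeout: float = 5.0):
    """Connect with SNI and return the subjectAltName DNS entries the server presents.

    Needs network access, so the offline check below does not call it.  Chain
    validation stays on; only the hostname check is disabled so that a
    non-matching certificate can still be inspected instead of aborting.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:   # server_hostname sets SNI
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    wanted = ["example.com", "blog.example.com", "dev.www.example.com"]
    print("not covered:", uncovered_hostnames(UNIVERSAL_SSL_NAMES, wanted))
```

Any hostname this reports as uncovered needs one of the three fixes listed above (an advanced certificate, a custom certificate, or Total TLS) before it will validate in a browser.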

Note

The following [openssl ↗](https://www.openssl.org/) command might help when troubleshooting the TLS handshake between the client and the Cloudflare network edge:

Terminal window

```
openssl s_client -connect example.com:443 -servername example.com
```

---

## Kaspersky Antivirus

To avoid SSL errors with the Cloudflare dashboard when using Kaspersky Antivirus, allow `dash.cloudflare.com` in Kaspersky.

---

## Certificate Approval renewal email

### Symptom

When clicking `Approve Certificate` on a Certificate Approval renewal email, you get the following error message:

`An error occurred while attempting to validate your domain. Please try again later or contact support for assistance.`

### Resolution

Check the status of the certificate on the [Cloudflare dashboard ↗](https://dash.cloudflare.com?to=/:account/:zone/ssl-tls). If the status is `Active`, you can disregard this email and the error message.


---

---
title: Mixed content errors
description: Domains added to Cloudflare receive SSL certificates and can serve traffic over HTTPS. However, after starting to use Cloudflare, some customers notice missing content or page rendering issues when they first serve HTTPS traffic.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Mixed content errors

Domains added to Cloudflare receive SSL certificates and can serve traffic over HTTPS. However, after starting to use Cloudflare, some customers notice missing content or page rendering issues when they first serve HTTPS traffic.

Typically, the problem is due to a request for HTTP resources from a web page served over HTTPS. For example, you type `https://example.com` in a browser and the page contains an image reference via HTTP in the HTML to `<img src="http://example.com/resource.jpg">`.

Normally, if your website loads all resources securely over HTTPS, visitors observe a lock icon in the address bar of their browser.

This indicates your site has a working SSL certificate and all resources loaded by the site are loaded over HTTPS. The green lock assures visitors that their connection is safe. One of the [symptoms of mixed content](#symptoms-of-mixed-content-occurrence) is that different icons appear instead of the green lock icon.

---

## Symptoms of mixed content occurrence

Most modern browsers block HTTP requests on secure HTTPS pages. Blocked content can include images, JavaScript, CSS, or other content that affects how the page looks or behaves.

### Browser indications

Each web browser uses different methods to warn visitors about mixed content on a website, potentially including:

* A yellow triangle or information symbol beside the URL bar
* Messages mentioning "secure content"

### Console logs

For mixed content warnings, the web browser loads the resources but users do not see the lock icon in the URL bar. Warning messages appear within the browser’s debug tools:

![Screenshot of mixed content warnings displayed in a browser console.](https://developers.cloudflare.com/_astro/hc-import-mixed_content_warning.WfgcvXqC_Z29obV7.webp) 

For mixed content errors, the browser refuses to load the resources over an insecure connection:

![Screenshot of mixed content errors displayed in a browser console.](https://developers.cloudflare.com/_astro/hc-import-mixed_content_error.C3G5mm9r_129MlR.webp) 

Information on using the browser’s debug tools to locate these issues is found in the documentation for [Chrome ↗](https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content) and [Firefox ↗](https://developer.mozilla.org/en-US/docs/Web/Security/Mixed%5Fcontent). Alternatively, you can view your page source and search for references to _http://_ in paths to other resources.

---

## Resolution

### General advice

There are two methods to resolve mixed content errors.

1. Load all resources via your HTML source without specifying the HTTP or HTTPS protocol. For example, use the protocol-relative `//domain.com/path/to.file` instead of `http://domain.com/path/to.file`.
2. Depending on your Content Management System, check for plugins that automatically rewrite HTTP resources to HTTPS. Cloudflare provides such a service via [Automatic HTTPS Rewrites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/automatic-https-rewrites).
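The page-source check in the previous section and the two resolution methods above can be automated. The following is an added example, not Cloudflare's code: it parses an HTML document with the standard library, lists every subresource attribute that still points at an absolute `http://` URL (the references a browser blocks or warns about), and rewrites those URLs either to protocol-relative form (method 1) or to `https://` (what a rewrite plugin or Automatic HTTPS Rewrites does). The attribute table and the sample page are constructed for the example.

```python
"""Find and rewrite mixed-content references in an HTML document.

Added example, not Cloudflare's code. It scans the attributes that browsers
fetch as subresources for absolute http:// URLs and can rewrite them either
to protocol-relative form (//host/path) or to https://.
"""
import re
from html.parser import HTMLParser

# Attributes whose values a browser loads as subresources. <a href> is
# deliberately absent: a navigation link to http:// is not mixed content.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}

HTTP_URL = re.compile(r"^http://", re.IGNORECASE)


def _insecure_urls(name, value):
    """Absolute http:// URLs inside one attribute value (srcset holds several)."""
    if name == "srcset":
        candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
    else:
        candidates = [value.strip()]
    return [c for c in candidates if HTTP_URL.match(c)]


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every insecure subresource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in RESOURCE_ATTRS.get(tag, ()):
                for url in _insecure_urls(name, value):
                    self.findings.append((tag, name, url))


def find_mixed_content(html):
    """Return [(tag, attribute, url), ...] for every http:// subresource."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def rewrite_mixed_content(html, mode="relative"):
    """Rewrite each insecure subresource URL found by the scanner.

    mode="relative": http://host/path -> //host/path (inherits the page scheme)
    mode="https":    http://host/path -> https://host/path
    Only URL strings the scanner flagged are replaced; a hyperlink to a
    different URL is left alone.
    """
    prefix = "//" if mode == "relative" else "https://"
    out = html
    for _, _, url in find_mixed_content(html):
        out = out.replace(url, prefix + url[len("http://"):])
    return out


# Constructed sample page: two insecure subresources plus an srcset candidate,
# and one ordinary http:// hyperlink that is not mixed content.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png"
     srcset="http://images.example.com/logo@2x.png 2x">
<a href="http://example.com/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url}")
    print(rewrite_mixed_content(SAMPLE_HTML))
```

Run it against a saved copy of your page source to get the same list the browser console shows, without loading the page. The rewrite is a string replacement of the flagged URLs only, so it is safe to run on templates as well as rendered HTML.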

### WordPress users

Cloudflare recommends that WordPress users install the [Cloudflare WordPress plugin ↗](https://wordpress.org/plugins/cloudflare/) and enable the _Automatic HTTPS rewrites_ option within the plugin.

---

## Related resources

* [Debugging mixed content in Chrome ↗](https://developers.google.com/web/fundamentals/security/prevent-mixed-content/fixing-mixed-content)
* [Debugging mixed content in Firefox ↗](https://developer.mozilla.org/en-US/docs/Web/Security/Mixed%5Fcontent)
* [Community Tip - Fixing mixed content errors ↗](https://community.cloudflare.com/t/community-tip-fixing-mixed-content-errors/42476)


---

---
title: ERR_TOO_MANY_REDIRECTS
description: Learn how to troubleshoot ERR_TOO_MANY_REDIRECTS when using Cloudflare SSL/TLS.
image: https://developers.cloudflare.com/core-services-preview.png
---


# ERR_TOO_MANY_REDIRECTS

After you [add a new domain](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) to Cloudflare, your visitors' browsers might display `ERR_TOO_MANY_REDIRECTS` or `The page isn’t redirecting properly` errors.

This error occurs when visitors get stuck in a redirect loop.

```mermaid
flowchart LR
accTitle: Redirect loops illustration
A[Request for <code>http://</code><code>example.com</code>] --> B[Redirect to <code>https://</code><code>example.com</code>]
B --> C[Redirect to <code>http://</code><code>example.com</code>]
C --> B
subgraph Redirect Loop
B
C
end
```

This error is commonly caused by:

* A misconfiguration of your [SSL/TLS Encryption mode](#encryption-mode-misconfigurations).
* Various settings on the [**Edge Certificates**](#edge-certificate-settings) page.
* A misconfigured [redirect rule](#redirect-rules).

Note

For assistance determining if your origin web server is responding with redirects, contact your hosting provider or site administrator.

---

## Encryption mode misconfigurations

Your domain's [SSL/TLS Encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/) controls how Cloudflare connects to your origin server and how SSL certificates presented by your origin will be validated.

This setting can cause redirect loops when the value you set in Cloudflare conflicts with the settings at your origin web server.

### Flexible encryption mode

If your domain's encryption mode is set to [**Flexible**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/flexible/), Cloudflare sends unencrypted requests to your origin server over HTTP.

Redirect loops will occur if your origin server automatically redirects all HTTP requests to HTTPS.

```mermaid
flowchart TD
accTitle: Redirect loops illustration for Flexible mode
A[Request for <code>https://</code><code>example.com</code>] --> B[Encryption mode redirects to <code>http://</code><code>example.com</code>]
B --> C[Origin server redirects to <code>https://</code><code>example.com</code>]
C --> B
subgraph Cloudflare
B
end
subgraph Origin server
C
end
```

To solve this issue, either remove HTTPS redirects from your origin server or update your SSL/TLS Encryption Mode to be [**Full**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/) or higher (requires an SSL certificate configured at your origin server).

### Full or Full (strict) encryption mode

If your domain's encryption mode is set to [**Full**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/) or [**Full (strict)**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/), Cloudflare sends encrypted requests to your origin server over HTTPS.

Redirect loops will occur if your origin server automatically redirects all HTTPS requests to HTTP.

```mermaid
flowchart TD
accTitle: Redirect loops illustration for Full or Full (strict) mode
A[Request for <code>http://</code><code>example.com</code>] --> B[Encryption mode redirects to <code>https://</code><code>example.com</code>]
B --> C[Origin server redirects to <code>http://</code><code>example.com</code>]
C --> B
subgraph Cloudflare
B
end
subgraph Origin server
C
end
```

To solve this issue, remove HTTP redirects from your origin server.
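Both loops above look the same from a visitor's seat: a chain of 3xx responses that returns to a URL already visited. The following is an added example, not Cloudflare's code, that traces a redirect chain one hop at a time without letting the HTTP library follow redirects, and stops at the first repeated URL so the cycle can be read off directly. The `fetch` function is injectable; the two lookup tables are constructed stand-ins for the network that reproduce the Flexible-mode loop and a healthy single hop, so the trace can be checked offline.

```python
"""Trace an HTTP redirect chain one hop at a time and report a loop.

Added example, not Cloudflare's code. A browser gives up with
ERR_TOO_MANY_REDIRECTS after a fixed number of hops; this tracer stops as
soon as a URL repeats, so the cycle can be read off the result directly.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Return None so urllib raises HTTPError on 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_no_follow(url, timeout=10):
    """One request, no redirect following: returns (status, Location or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-tracer/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def trace_redirects(start_url, fetch=fetch_no_follow, max_hops=20):
    """Return (chain, loop_index).

    chain is every URL visited in order; loop_index is the position in chain
    where the repeated URL first appeared, or None when the chain ended at a
    non-redirect response or max_hops was reached without a repeat.
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return chain, None
        url = urljoin(url, location)  # Location may be relative
        if url in chain:
            return chain + [url], chain.index(url)
        chain.append(url)
    return chain, None


# Constructed stand-in for the network: an origin that forces HTTPS behind a
# zone in Flexible mode. Cloudflare fetches the origin over HTTP, the origin
# answers "redirect to https://", and the edge relays that to a visitor who
# already asked for https://, which is the Flexible-mode loop above.
FLEXIBLE_LOOP = {
    "http://example.com/": (301, "https://example.com/"),   # HTTPS redirect at the edge
    "https://example.com/": (301, "https://example.com/"),  # origin's redirect, relayed
}

# Constructed healthy zone: one hop to HTTPS, then content.
HEALTHY = {"http://example.com/": (301, "https://example.com/")}


def table_fetch(table):
    """Build a fetch() over a constructed table; unknown URLs return 200."""
    return lambda url: table.get(url, (200, None))


if __name__ == "__main__":
    # With a URL argument the tracer talks to the network; without one it
    # replays the constructed Flexible-mode loop.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://example.com/"
    fetch = fetch_no_follow if len(sys.argv) > 1 else table_fetch(FLEXIBLE_LOOP)
    chain, loop_at = trace_redirects(target, fetch)
    for hop in chain:
        print("->", hop)
    if loop_at is not None:
        print("redirect loop:", " -> ".join(chain[loop_at:]))
```

A loop whose repeated URL is the `https://` one points at the origin forcing HTTPS while the zone is in Flexible mode; a loop that alternates `http://` and `https://` points at the origin forcing HTTP under Full, Full (strict), or Always Use HTTPS.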

---

## Edge certificate settings

### Always use HTTPS

If you have [**Always Use HTTPS**](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/) enabled for your domain, Cloudflare redirects all `http` requests to `https` for all subdomains and hosts in your application.

Redirect loops will occur if your origin server automatically redirects all HTTPS requests to HTTP.

```mermaid
flowchart TD
accTitle: Redirect loops illustration for Always Use HTTPS
A[Request for <code>http://</code><code>example.com</code>] --> B[Always Use HTTPS redirects to <code>https://</code><code>example.com</code>]
B --> C[Origin server redirects to <code>http://</code><code>example.com</code>]
C --> B
subgraph Cloudflare
B
end
subgraph Origin server
C
end
```

To solve this issue, remove HTTPS redirects from your origin server or [disable **Always Use HTTPS**](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/).

### HSTS

If you have [**HTTP Strict Transport Security (HSTS)**](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/) enabled for your domain, Cloudflare directs compliant web browsers to transform `http` links to `https` links.

Redirect loops will occur if your origin server automatically redirects all HTTPS requests to HTTP or if you have your domain's encryption mode set to [**Off**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/off/).

```mermaid
flowchart TD
accTitle: Redirect loops illustration for HTTP Strict Transport Security
A[Request for <code>https://</code><code>example.com</code>] --> B[Encryption mode redirects to <code>http://</code><code>example.com</code>]
B --> C[HSTS redirects to <code>https://</code><code>example.com</code>]
C --> B
C --> D[Origin server redirects to <code>http://</code><code>example.com</code>]
D --> C
subgraph Cloudflare
B
C
end
subgraph Origin server
D
end
```

To solve this issue, remove HTTPS redirects from your origin server and make sure your domain's encryption mode is [**Flexible**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/flexible/) or higher.

Alternatively, [disable **HTTP Strict Transport Security (HSTS)**](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/).

---

## Redirect rules

Redirect loops can also occur if you have conflicting URL redirects.

```mermaid
flowchart TD
accTitle: Redirect loops illustration for redirect rules
A[Request for <code>https://</code><code>a.example.com</code>] --> B[Redirect to <code>http://</code><code>b.example.com</code>]
B --> C[Redirect to <code>https://</code><code>a.example.com</code>]
C --> B
subgraph Cloudflare
B
C
end
```

To solve this issue, review your [redirect rules](https://developers.cloudflare.com/rules/url-forwarding/) and [Page Rules](https://developers.cloudflare.com/rules/page-rules/) to make sure none of them conflict with each other.

Note

To reduce the potential for redirect loops and [mixed content errors](https://developers.cloudflare.com/ssl/troubleshooting/mixed-content-errors/), Cloudflare recommends that WordPress users install the [Cloudflare WordPress plugin ↗](https://wordpress.org/plugins/cloudflare/) on their origin web server and enable the _Automatic HTTPS rewrites_ option within the plugin.


---

---
title: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
description: Learn how to troubleshoot ERR_SSL_VERSION_OR_CIPHER_MISMATCH when using Cloudflare SSL/TLS.
image: https://developers.cloudflare.com/core-services-preview.png
---


# ERR_SSL_VERSION_OR_CIPHER_MISMATCH

After you [add a new domain](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) to Cloudflare, your visitors' browsers might display one of the following errors:

* `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` (Chrome)
* `Unsupported protocol The client and server don’t support a common SSL protocol version or cipher suite` (Chrome)
* `SSL_ERROR_NO_CYPHER_OVERLAP` (Firefox)

This error occurs when your domain or subdomain is not covered by an SSL/TLS certificate, which is usually caused by:

* A [delay in certificate activation](#certificate-activation).
* An [unproxied domain or subdomain DNS record](#proxied-dns-records).
* An [expired Custom certificate](#certificate-expiration).
* A [multi-level subdomain](#multi-level-subdomains) (`test.dev.example.com`).

## Decision tree

```mermaid
flowchart TD
accTitle: Troubleshooting ERR_SSL_VERSION_OR_CIPHER_MISMATCH decision tree
A>Is your certificate active?] -- Yes --> B>Is the DNS record proxied?]
A -- No --> C[Wait for certificate to activate or pause Cloudflare]
B -- No --> D[Proxy the DNS record]
B -- Yes --> E>Are you using a custom certificate?]
E -- Yes --> F[Custom certificate may be expired]
E -- No --> G>Are you accessing a multi-level subdomain?]
G -- Yes --> H[Get an advanced or custom certificate]
```

---

## Certificate activation

For domains on a [primary setup (full)](https://developers.cloudflare.com/dns/zone-setups/full-setup/)[^1], your domain should **automatically** receive its Universal SSL certificate within **15 minutes to 24 hours** of domain activation[^2].

This certificate will cover your zone apex (`example.com`) and all first-level subdomains (`subdomain.example.com`), and is provisioned even if your records are DNS only. However, the certificate will only be presented if your domain or subdomains are [proxied](https://developers.cloudflare.com/dns/proxy-status/).

[^1]: The most common Cloudflare setup, which involves changing your authoritative nameservers.
[^2]: Provisioning time depends on certain security checks and other requirements mandated by Certificate Authorities (CAs).

### Potential issues

If your visitors experience `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` (Chrome) or `SSL_ERROR_NO_CYPHER_OVERLAP` (Firefox), check the status of your Universal certificate:

1. Log into the [Cloudflare dashboard ↗](https://dash.cloudflare.com).
2. Choose your account and domain.
3. Go to the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page.
4. Find the certificate with the **Type** of **Universal**.
5. Make sure the **Status** is **Active**.

If the **Status** is anything other than **Active**, you can either wait a bit longer for certificate activation or take immediate action.

### Solutions

If you need to immediately resolve this error, [temporarily pause Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/pause-cloudflare/).

Since Universal certificates can take up to 24 hours to be issued, wait and [monitor the certificate's status](https://developers.cloudflare.com/ssl/reference/certificate-statuses/#ssltls). Once your certificate becomes **Active**, unpause Cloudflare using whichever method you used previously.

If your certificate is still not **Active** after 24 hours, try the various troubleshooting steps used to [resolve timeout issues](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/troubleshooting/#resolve-a-timed-out-state). If these methods are successful (and your certificate becomes **Active**), unpause Cloudflare using whichever method you used previously.

---

## Proxied DNS records

Cloudflare Universal and Advanced certificates only cover the domains and subdomains you have [proxied through Cloudflare](https://developers.cloudflare.com/dns/proxy-status/).

If the **Proxy status** of the `A`, `AAAA`, or `CNAME` record for a hostname is **DNS-only**, change it to **Proxied**.

![Proxy status affects how Cloudflare treats traffic intended for specific DNS records](https://developers.cloudflare.com/_astro/proxy-status-screenshot.uxgurbGi_2igVHO.webp) 

---

## Certificate expiration

If you have a [Custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) and visitors experience `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` (Chrome) or `SSL_ERROR_NO_CYPHER_OVERLAP` (Firefox), [check its status](https://developers.cloudflare.com/ssl/reference/certificate-statuses/#ssltls) to make sure it is not expired.

If it is expired, [upload a replacement certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/renewing/).

---

## Multi-level subdomains

By default, Cloudflare [Universal SSL certificates](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) only cover your apex domain and one level of subdomain.

| Hostname                 | Covered by Universal certificate? |
| ------------------------ | --------------------------------- |
| example.com              | Yes                               |
| www.example.com          | Yes                               |
| docs.example.com         | Yes                               |
| dev.docs.example.com     | No                                |
| test.dev.api.example.com | No                                |

This means that you might experience `ERR_SSL_VERSION_OR_CIPHER_MISMATCH` (Chrome) or `SSL_ERROR_NO_CYPHER_OVERLAP` (Firefox) on multi-level subdomains.

To prevent insecure connections on a multi-level subdomain, do one of the following:

* Enable [Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/), which automatically issues individual certificates to your proxied hostnames not covered by a Universal certificate.
* Order an [Advanced Certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/) covering the subdomain.
* Upload a [Custom Certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) covering the subdomain.

If none of these solutions work, you could also remove the multi-level subdomain.
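The coverage rule in the table above (apex plus one label) can be checked for a whole list of hostnames before any of them is put behind the proxy. The following is an added example, not Cloudflare's code: it predicts Universal certificate coverage from label depth under the assumption that the default Universal certificate covers exactly `example.com` and `*.example.com`, and it includes a TLS probe that attempts a browser-like handshake against a live hostname. The sample hostnames are the ones from the table; the probe is only used when you pass hostnames on the command line.

```python
"""Predict Universal SSL coverage from hostname depth and probe the live
handshake.

Added example, not Cloudflare's code. It assumes the default Universal
certificate covers exactly the zone apex and one label beneath it
(example.com and *.example.com), as the coverage table states.
"""
import socket
import ssl
import sys


def label_depth(hostname, zone):
    """Labels below the zone apex: 0 for the apex, 1 for www.example.com,
    3 for test.dev.api.example.com; None if hostname is outside the zone."""
    hostname = hostname.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if hostname == zone:
        return 0
    if not hostname.endswith("." + zone):
        return None
    return hostname[: -(len(zone) + 1)].count(".") + 1


def universal_ssl_covers(hostname, zone):
    """True when apex + single-level wildcard matches the hostname."""
    depth = label_depth(hostname, zone)
    return depth is not None and depth <= 1


def coverage_report(hostnames, zone):
    """Map each hostname to whether the Universal certificate covers it."""
    return {h: universal_ssl_covers(h, zone) for h in hostnames}


def probe_tls(hostname, port=443, timeout=5):
    """Attempt a handshake with a browser-like default context.

    Returns (True, [SAN names]) when the server presents a trusted
    certificate for the SNI, or (False, error text). For a hostname no
    certificate covers, the handshake fails; that is the condition a browser
    surfaces as ERR_SSL_VERSION_OR_CIPHER_MISMATCH.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return True, names
    except (ssl.SSLError, OSError) as err:
        return False, str(err)


# Constructed hostnames mirroring the coverage table above.
SAMPLE_HOSTNAMES = [
    "example.com",
    "www.example.com",
    "docs.example.com",
    "dev.docs.example.com",
    "test.dev.api.example.com",
]

if __name__ == "__main__":
    # usage: coverage.py [zone] [hostname ...]; hostnames given on the
    # command line are also probed over the network.
    zone = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    hosts = sys.argv[2:] or SAMPLE_HOSTNAMES
    for host, covered in coverage_report(hosts, zone).items():
        line = f"{host:28} universal: {'yes' if covered else 'no'}"
        if len(sys.argv) > 2:
            ok, detail = probe_tls(host)
            line += f"  handshake: {'ok ' + str(detail) if ok else 'FAILED ' + detail}"
        print(line)
```

A hostname reported as `universal: no` needs Total TLS, an Advanced certificate, or a Custom certificate before it is proxied; a `FAILED` handshake on a hostname reported as covered points instead at activation delay, an unproxied record, or an expired custom certificate, the other branches of the decision tree.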


---

---
title: SSL/TLS FAQ
description: Get answers to commonly asked questions about the certificates you can obtain through Cloudflare and the CAs that Cloudflare partners with.
image: https://developers.cloudflare.com/core-services-preview.png
---


# SSL/TLS FAQ

Refer to this page for frequently asked questions about Cloudflare SSL/TLS certificate offerings and the CAs that Cloudflare partners with.

---

## General

### Does Cloudflare issue both RSA and ECDSA certificates?

Yes. Cloudflare can issue both RSA and ECDSA certificates.

### Are Cloudflare SSL certificates shared?

No. Cloudflare SSL/TLS certificates are not shared across domains nor across customers.

### If I have multiple Cloudflare certificates, which one is used?

Cloudflare certificates are prioritized by a combination of hostname specificity, zone specificity, and certificate type. For more details, refer to [Certificate and hostname priority](https://developers.cloudflare.com/ssl/reference/certificate-and-hostname-priority/).

### Why do I see a Cloudflare certificate when an SSL certificate is installed at my website?

Cloudflare must decrypt traffic in order to cache and filter malicious traffic. Cloudflare either re-encrypts traffic or sends plain text traffic to the origin web server depending on your domain's [encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/).

---

## Certificate authorities (CAs)

### Which certificate authorities does Cloudflare use?

Cloudflare uses Let's Encrypt, Google Trust Services, SSL.com, and Sectigo. You can see a complete list of products and available CAs and algorithms in the [certificate authorities reference page](https://developers.cloudflare.com/ssl/reference/certificate-authorities/).

Sectigo is only used for [backup certificates](https://developers.cloudflare.com/ssl/edge-certificates/backup-certificates/).

### Are there any CA limitations I should know about?

Refer to the [certificate authorities reference page](https://developers.cloudflare.com/ssl/reference/certificate-authorities/) for a list of limitations for every CA in our pipeline. There you can also find information about device and browser compatibility.

### I do not want to use the CAs that Cloudflare partners with. What can I do?

If you are on a Business or Enterprise plan, you can [upload a certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) from the CA of your choice.

### I am missing the CAs that Cloudflare uses in my trust store. What should I do?

You can use [CFSSL trust store ↗](https://github.com/cloudflare/cfssl%5Ftrust), which includes all of the CAs that are used by Cloudflare managed certificates.

---

## CAA records

### What is CAA and how can I create one?

A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.

For more details, refer to [Add CAA records](https://developers.cloudflare.com/ssl/edge-certificates/caa-records/).

### How does Cloudflare evaluate CAA records?

CAA records are evaluated by a CA, not by Cloudflare. For details, refer to [RFC 8659 ↗](https://www.rfc-editor.org/rfc/rfc8659.html#name-relevant-resource-record-se).

Setting a CAA record to specify one or more particular CAs does not affect which CA Cloudflare uses to issue universal or advanced certificates for your domain. If you wish, you can specify CAs associated with Cloudflare certificates when [ordering an advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/).

### What are the dangers of setting CAA records?

If you are part of a large organization or one where multiple parties are tasked with obtaining SSL certificates, [include CAA records](https://developers.cloudflare.com/ssl/edge-certificates/caa-records/) that allow issuance for all CAs applicable for your organization. Failure to do so can inadvertently block SSL issuance for other parts of your organization.

### What CAA records do I need to allow issuance from Cloudflare CAs?

You can find CAA records associated with every Cloudflare CA in the [certificate authorities reference page](https://developers.cloudflare.com/ssl/reference/certificate-authorities/#caa-records). If you are using Cloudflare as your DNS provider, then the CAA records will be added on your behalf.
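Because CAA is evaluated by the CA and not by Cloudflare, the useful check on your side is to evaluate your own records the way a CA will. The following is an added example, not Cloudflare's code, implementing the RFC 8659 lookup: walk from the requested name towards the root, take the first name that has CAA records as the relevant RRset, let `issuewild` override `issue` for wildcard names, refuse on an unrecognised tag with the critical flag set, and treat a relevant RRset with no restricting tags as unrestricted. The DNS is replaced by a constructed dictionary so it runs offline; the CNAME/DNAME alias steps of the RFC are omitted, and the CA identifiers used in the sample data are the issuer domain names `letsencrypt.org`, `pki.goog`, and `sectigo.com`.

```python
"""Evaluate CAA records the way an issuing CA does (RFC 8659, simplified).

Added example, not Cloudflare's code. DNS is replaced by a constructed
name -> [CAA record] dictionary; alias (CNAME/DNAME) handling is omitted.
"""
from collections import namedtuple

CAA = namedtuple("CAA", "flags tag value")
CRITICAL = 128  # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_rrset(fqdn, dns):
    """Walk from fqdn to the root; the first name with CAA records wins.

    Returns (name, records) or (None, []) when no ancestor has CAA.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = dns.get(name)
        if rrset:
            return name, list(rrset)
    return None, []


def _issuer_domain(value):
    """The issuer-domain-name part of an issue/issuewild value, before any
    ';'-separated parameters such as validationmethods (RFC 8657)."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(ca_domain, fqdn, dns, wildcard=False):
    """Return (allowed, reason) for CA `ca_domain` issuing for `fqdn`.

    A name given as "*.example.com" is treated as a wildcard request for
    example.com, which is also where its relevant RRset lookup starts.
    """
    if fqdn.startswith("*."):
        fqdn, wildcard = fqdn[2:], True
    name, rrset = relevant_caa_rrset(fqdn, dns)
    if not rrset:
        return True, "no CAA records up to the root; issuance unrestricted"
    # An unrecognised tag marked critical forbids issuance outright.
    for rec in rrset:
        if rec.flags & CRITICAL and rec.tag.lower() not in KNOWN_TAGS:
            return False, f"{name}: unknown critical tag {rec.tag!r}"
    # issuewild governs wildcards only when present; otherwise issue applies.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    relevant = [r for r in rrset if r.tag.lower() == tag]
    if not relevant:
        return True, f"{name}: no {tag} records; issuance unrestricted"
    if any(_issuer_domain(r.value) == ca_domain.lower() for r in relevant):
        return True, f"{name}: {tag} record authorizes {ca_domain}"
    return False, f"{name}: {tag} records do not list {ca_domain}"


# Constructed zone data for the example (not real DNS). The apex allows two
# CAs for ordinary names but only one for wildcards; one subdomain forbids
# all issuance with an empty issuer (";"); another carries an unknown
# critical tag.
EXAMPLE_DNS = {
    "example.com": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issue", "pki.goog; validationmethods=dns-01"),
        CAA(0, "issuewild", "pki.goog"),
        CAA(0, "iodef", "mailto:security@example.com"),
    ],
    "locked.example.com": [CAA(0, "issue", ";")],
    "strict.example.com": [CAA(CRITICAL, "futuretag", "x")],
}

if __name__ == "__main__":
    for ca, host in [
        ("letsencrypt.org", "www.example.com"),
        ("sectigo.com", "www.example.com"),
        ("letsencrypt.org", "*.example.com"),
        ("letsencrypt.org", "app.locked.example.com"),
        ("letsencrypt.org", "strict.example.com"),
    ]:
        allowed, reason = issuance_allowed(ca, host, EXAMPLE_DNS)
        print(f"{ca:16} {host:24} {'ALLOW' if allowed else 'DENY '}  {reason}")
```

The `locked.example.com` entry shows the failure mode the previous question warns about: a narrow record on a subdomain shadows the permissive apex records for everything beneath it, so a team ordering certificates there is blocked even though the apex lists the CA.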

---

## Universal SSL

### I am using Universal SSL and I would like to use a different CA. How can I do that?

To be able to specify a CA, you must purchase [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/). Through Advanced Certificate Manager, you can choose the certificate authority when ordering an advanced certificate or you can choose a default CA when using [Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/).

If you are on a Business or Enterprise plan, you can [upload a certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) from the CA of your choice. In this case, certificate issuance and renewal will have to be managed by you.

### Does Cloudflare issue both RSA and ECDSA certificates for Universal certificates?

Universal certificates on free zones only receive an ECDSA certificate. Paid zones receive an RSA and ECDSA certificate.


---

---
title: Changelog
description: Cloudflare Secrets Store is now integrated with AI Gateway, allowing you to store, manage, and deploy your AI provider keys in a secure and seamless configuration through Bring Your Own Key. Instead of passing your AI provider keys directly in every request header, you can centrally manage each key with Secrets Store and deploy in your gateway configuration using only a reference, rather than passing the value in plain text.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Changelog

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/ssl.xml) 

## 2025-08-25

**Manage and deploy your AI provider keys through Bring Your Own Key (BYOK) with AI Gateway, now powered by Cloudflare Secrets Store**

Cloudflare Secrets Store is now integrated with AI Gateway, allowing you to store, manage, and deploy your AI provider keys in a secure and seamless configuration through [Bring Your Own Key ↗](https://developers.cloudflare.com/ai-gateway/configuration/bring-your-own-keys/). Instead of passing your AI provider keys directly in every request header, you can centrally manage each key with Secrets Store and deploy in your gateway configuration using only a reference, rather than passing the value in plain text.

You can now create a secret directly from your AI Gateway [in the dashboard ↗](http://dash.cloudflare.com/?to=/:account/ai-gateway) by navigating into your gateway > **Provider Keys** > **Add**.

![Import repo or choose template](https://developers.cloudflare.com/_astro/add-secret-ai-gateway.B-SIPr6s_jJjDD.webp) 

You can also create your secret with the newly available **ai\_gateway** scope via [wrangler ↗](https://developers.cloudflare.com/workers/wrangler/commands/), the [Secrets Store dashboard ↗](http://dash.cloudflare.com/?to=/:account/secrets-store), or the [API ↗](https://developers.cloudflare.com/api/resources/secrets%5Fstore/).

Then, pass the key in the request header using its Secrets Store reference:

```sh
curl -X POST https://gateway.ai.cloudflare.com/v1/<ACCOUNT_ID>/my-gateway/anthropic/v1/messages \
  --header 'cf-aig-authorization: ANTHROPIC_KEY_1' \
  --header 'anthropic-version: 2023-06-01' \
  --header 'Content-Type: application/json' \
  --data '{"model": "claude-3-opus-20240229", "messages": [{"role": "user", "content": "What is Cloudflare?"}]}'
```

Or, using JavaScript:

```js
import Anthropic from '@anthropic-ai/sdk';

const anthropic = new Anthropic({
  apiKey: "ANTHROPIC_KEY_1",
  baseURL: "https://gateway.ai.cloudflare.com/v1/<ACCOUNT_ID>/my-gateway/anthropic",
});

const message = await anthropic.messages.create({
  model: 'claude-3-opus-20240229',
  messages: [{role: "user", content: "What is Cloudflare?"}],
  max_tokens: 1024
});
```

For more information, check out the [blog ↗](https://blog.cloudflare.com/ai-gateway-aug-2025-refresh)!

## 2025-05-27

**Increased limits for Cloudflare for SaaS and Secrets Store free and pay-as-you-go plans**

With upgraded limits to [all free and paid plans ↗](https://www.cloudflare.com/plans/), you can now scale more easily with [Cloudflare for SaaS ↗](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/) and [Secrets Store ↗](https://developers.cloudflare.com/secrets-store/).

[Cloudflare for SaaS ↗](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/) allows you to extend the benefits of Cloudflare to your customers via their own custom or vanity domains. Now, the [limit for custom hostnames ↗](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/plans/) on a Cloudflare for SaaS pay-as-you-go plan has been **raised from 5,000 custom hostnames to 50,000 custom hostnames.**

With custom origin server, previously an Enterprise-only feature, you can route traffic from one or more custom hostnames somewhere other than your default proxy fallback. [Custom origin server ↗](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/custom-origin/) is now available to Cloudflare for SaaS customers on Free, Pro, and Business plans.

You can enable custom origin server on a per-custom hostname basis [via the API ↗](https://developers.cloudflare.com/api/resources/custom%5Fhostnames/methods/edit/) or the UI:

![Import repo or choose template](https://developers.cloudflare.com/_astro/custom-origin-server.B-BXcG-1_ZUd9i6.webp) 

Currently [in beta with a Workers integration ↗](https://blog.cloudflare.com/secrets-store-beta/), [Cloudflare Secrets Store ↗](https://developers.cloudflare.com/secrets-store/) allows you to store, manage, and deploy account-level secrets from a secure, centralized platform to your [Cloudflare Workers ↗](https://developers.cloudflare.com/workers/). Now, you can create and deploy **100 secrets per account**. Try it out [in the dashboard ↗](http://dash.cloudflare.com/?to=/:account/secrets-store), with [Wrangler ↗](https://developers.cloudflare.com/secrets-store/integrations/workers/), or [via the API ↗](https://developers.cloudflare.com/api/resources/secrets%5Fstore/) today.

## 2025-04-09

**Cloudflare Secrets Store now available in Beta**

Cloudflare Secrets Store is available today in Beta. You can now store, manage, and deploy account level secrets from a secure, centralized platform to your Workers.

![Import repo or choose template](https://developers.cloudflare.com/_astro/secrets-store-landing-page.BQoEWsq8_ZUrGq1.webp) 

To spin up your Cloudflare Secrets Store, simply click the new Secrets Store tab [in the dashboard ↗](http://dash.cloudflare.com/?to=/:account/secrets-store) or use this Wrangler command:

```sh
wrangler secrets-store store create <name> --remote
```

The following are supported in the Secrets Store beta:

* Secrets Store UI & API: create your store & create, duplicate, update, scope, and delete a secret
* Workers UI: bind a new or existing account level secret to a Worker and deploy in code
* Wrangler: create your store & create, duplicate, update, scope, and delete a secret
* Account Management UI & API: assign Secrets Store permissions roles & view audit logs for actions taken in Secrets Store core platform

For instructions on how to get started, visit our [developer documentation](https://developers.cloudflare.com/secrets-store/).

## 2025-02-14

**Upload a certificate bundle with an RSA and ECDSA certificate per custom hostname**

Cloudflare has supported both RSA and ECDSA certificates across our platform for a number of years. Both certificates offer the same security, but ECDSA is more performant due to a smaller key size. However, RSA is more widely adopted and ensures compatibility with legacy clients. Instead of choosing between them, you may want both – that way, ECDSA is used when clients support it, but RSA is available if not.

Now, you can upload both an RSA and ECDSA certificate on a custom hostname via the API.

```sh
curl -X POST https://api.cloudflare.com/client/v4/zones/$ZONE_ID/custom_hostnames \
    -H 'Content-Type: application/json' \
    -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
    -H "X-Auth-Key: $CLOUDFLARE_API_KEY" \
    -d '{
    "hostname": "hostname",
    "ssl": {
        "custom_cert_bundle": [
            {
                "custom_certificate": "RSA Cert",
                "custom_key": "RSA Key"
            },
            {
                "custom_certificate": "ECDSA Cert",
                "custom_key": "ECDSA Key"
            }
        ],
        "bundle_method": "force",
        "wildcard": false,
        "settings": {
            "min_tls_version": "1.0"
        }
    }
}'
```

You can also:

* [Upload](https://developers.cloudflare.com/api/resources/custom%5Fhostnames/methods/create/) an RSA or ECDSA certificate to a custom hostname with an existing ECDSA or RSA certificate, respectively.
* [Replace](https://developers.cloudflare.com/api/resources/custom%5Fhostnames/subresources/certificate%5Fpack/subresources/certificates/methods/update/) the RSA or ECDSA certificate with a certificate of its same type.
* [Delete](https://developers.cloudflare.com/api/resources/custom%5Fhostnames/subresources/certificate%5Fpack/subresources/certificates/methods/delete/) the RSA or ECDSA certificate (if the custom hostname has both an RSA and ECDSA uploaded).

This feature is available for Business and Enterprise customers who have purchased custom certificates.

## 2024-10-18

**New cloudflare\_branding flag allows hostnames with over 64 characters for all CAs**

To order certificates for hostnames longer than 64 characters, customers can now use the `cloudflare_branding` flag when ordering a certificate via [API ↗](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/create/). Setting `cloudflare_branding` to `true` will cause `sni.cloudflaressl.com` to be used as the common name, while the long hostname is added as part of the subject alternative name (SAN).

## 2024-09-19

**SSL.com available with ACM and SSL for SaaS**

SSL.com is one of the [certificate authorities](https://developers.cloudflare.com/ssl/reference/certificate-authorities/) that Cloudflare partners with. SSL.com is now available as an option to customers with Advanced Certificate Manager (ACM) or SSL for SaaS. Consider our [reference documentation](https://developers.cloudflare.com/ssl/reference/certificate-authorities/#sslcom) for details.


---

---
title: Authenticated Origin Pulls (mTLS)
description: Authenticated Origin Pulls helps ensure requests to your origin server come from the Cloudflare network.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Authenticated Origin Pulls (mTLS)

Authenticated Origin Pulls (AOP) helps ensure requests to your origin server come from the Cloudflare network, which provides an additional layer of security on top of [Full](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/) or [Full (strict)](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/) encryption modes.

This authentication becomes particularly important with the [Cloudflare Web Application Firewall (WAF)](https://developers.cloudflare.com/waf/). Together with the WAF, you can make sure that **all traffic** is evaluated before receiving a response from your origin server.

## Availability

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | Yes  | Yes | Yes      | Yes        |

## Aspects to consider

Although Cloudflare provides you a certificate to easily [configure zone-level authenticated origin pulls](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/), this certificate is not exclusive to your account and only guarantees that a request is coming from the Cloudflare network. If you want stricter security, you should consider [additional security measures for your origin](https://developers.cloudflare.com/fundamentals/security/protect-your-origin-server/) and upload your own certificate when setting up Authenticated Origin Pulls.

Using a custom certificate is possible with both [zone-level](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) and [per-hostname](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) authenticated origin pulls and is required if you need your domain to be [FIPS ↗](https://en.wikipedia.org/wiki/Federal%5FInformation%5FProcessing%5FStandards) compliant.

Note

[Zone-level AOP](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) and [per-hostname AOP](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) are two separate configurations. Disabling one does not disable the other.

## Limitations

Authenticated Origin Pulls does not apply when your [SSL/TLS encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/) is set to **Off** or **Flexible**.

## Related topics

* [SSL/TLS Encryption Modes](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/)
* [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/)


---

---
title: AWS integration
description: Learn how to set up Cloudflare Authenticated Origin Pulls with the AWS Application Load Balancer.
image: https://developers.cloudflare.com/core-services-preview.png
---


# AWS integration

This guide will walk you through how to set up [per-hostname](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) authenticated origin pulls to securely connect to an AWS Application Load Balancer using [mutual TLS verify ↗](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html).

## Before you begin

* You should already have your AWS account and [EC2 ↗](https://docs.aws.amazon.com/ec2/?icmpid=docs%5Fhomepage%5Ffeaturedsvcs) configured.
* Note that this tutorial uses command-line interface (CLI) to generate a custom certificate, and [API calls](https://developers.cloudflare.com/fundamentals/api/get-started/) to configure Cloudflare Authenticated Origin Pulls.
* For the most up-to-date documentation on how to set up AWS, refer to the [AWS documentation ↗](https://docs.aws.amazon.com/).

## 1\. Generate a custom certificate

1. Run the following command to generate a 4096-bit RSA private key, using AES-256 encryption. Enter a passphrase when prompted.

Terminal window

```
openssl genrsa -aes256 -out rootca.key 4096
```

2. Create the CA root certificate. When prompted, fill in the information to be included in the certificate. For the `Common Name` field, use the domain name as value, not the hostname.

Terminal window

```
openssl req -x509 -new -nodes -key rootca.key -sha256 -days 1826 -out rootca.crt
```

3. Create a Certificate Signing Request (CSR). When prompted, fill in the information to be included in the request. For the `Common Name` field, use the hostname as value.

Terminal window

```
openssl req -new -nodes -out cert.csr -newkey rsa:4096 -keyout cert.key
```

4. Sign the certificate using the `rootca.key` and `rootca.crt` created in previous steps.

Terminal window

```
openssl x509 -req -in cert.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -out cert.crt -days 730 -sha256 -extfile ./cert.v3.ext
```

5. Make sure the certificate extensions file `cert.v3.ext` specifies the following:

```
basicConstraints=CA:FALSE
```

## 2\. Configure AWS Application Load Balancer

1. Upload the `rootca.crt` to an [S3 bucket ↗](https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingBucket.html).
2. [Create a trust store ↗](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/mutual-authentication.html#create-trust-store) at your EC2 console, indicating the **S3 URI** where you uploaded the certificate.
3. Create an EC2 instance and install an HTTPD daemon. Choose an [instance type ↗](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html) according to your needs - it can be a minimal instance eligible for the [AWS Free Tier ↗](https://aws.amazon.com/free/). This tutorial was based on an example using t2.micro and [Amazon Linux 2023 ↗](https://docs.aws.amazon.com/linux/al2023/ug/what-is-amazon-linux.html).

Terminal window

```
sudo yum install -y httpd
sudo systemctl start httpd
```

4. Create a [target group ↗](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html#configure-target-group) for your Application Load Balancer.
   * Choose **Instances** as target type.
   * Specify port `HTTP/80`.
5. After you finish configuring the target group, confirm that the target group is [healthy ↗](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/target-group-health-checks.html).
6. [Configure a load balancer and a listener ↗](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-application-load-balancer.html#configure-load-balancer).
   * Choose the **Internet-facing** scheme.
   * Switch the listener to port `443` so that the **mTLS** option is available, and select the target group created in previous steps.
   * For **Default SSL/TLS server certificate**, choose **Import certificate** \> **Import to ACM**, and add the certificate private key and body.
   * Under **Client certificate handling**, select **Verify with trust store**.
7. Save your settings.
8. (Optional) Run the following commands to confirm that the Application Load Balancer is requesting the client certificate.

Terminal window

```
openssl s_client -verify 5 -connect <your-application-load-balancer>:443 -quiet -state
```

Since you have not yet uploaded the certificate to Cloudflare, the connection should fail (`read:errno=54`, for example).

You can also run `curl --verbose` and confirm `Request CERT (13)` is present within the SSL/TLS handshake:

Terminal window

```
curl --verbose https://<your-application-load-balancer>
...
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
...
```

## 3\. Configure Cloudflare

1. [Upload the certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) you created in [Step 1](#1-generate-a-custom-certificate) to Cloudflare. You should use the leaf certificate, not the root CA.

Terminal window

```
MYCERT="$(cat cert.crt|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"
MYKEY="$(cat cert.key|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"

request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method":"ubiquitous"
}
EOF
))

# Push the certificate
curl --silent \
"https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/hostnames/certificates" \
--header "Content-Type: application/json" \
--header "X-Auth-Email: $MYAUTHEMAIL" \
--header "X-Auth-Key: $MYAUTHKEY" \
--data "$request_body"
```

2. [Associate the certificate with the hostname](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostnames/methods/update/) that should use it.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `SSL and Certificates Write`

Enable or Disable a Hostname for Client Authentication

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "config": [
        {
            "enabled": true,
            "cert_id": "<CERT_ID>",
            "hostname": "<YOUR_HOSTNAME>"
        }
    ]
  }'
```

3. [Enable the Authenticated Origin Pulls](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/#3-enable-authenticated-origin-pulls-globally) feature on your zone.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Zone Settings Write`

Edit zone setting

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/tls_client_auth" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "value": "on"
  }'
```

Note

Make sure your [encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/) is set to **Full** or higher. If you only want to adjust this setting for a specific hostname, use [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/settings/#ssl).

---

## Roll back the Cloudflare configuration

1. Use a [PUT request](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostnames/methods/update/) to disable Authenticated Origin Pulls on the hostname.

   Required API token permissions

   At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

   * `SSL and Certificates Write`

   Enable or Disable a Hostname for Client Authentication

   ```
   curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames" \
     --request PUT \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "config": [
           {
               "enabled": false,
               "cert_id": "<CERT_ID>",
               "hostname": "<YOUR_HOSTNAME>"
           }
       ]
     }'
   ```

2. (Optional) Use a [GET request](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostname%5Fcertificates/methods/list/) to obtain a list of the client certificate IDs. You will need the ID of the certificate you want to remove for the following step.

   Required API token permissions

   At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

   * `SSL and Certificates Write`
   * `SSL and Certificates Read`

   List Certificates

   ```
   curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames/certificates" \
     --request GET \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```

3. Use the [Delete hostname client certificate](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostname%5Fcertificates/methods/delete/) endpoint to remove the certificate you had uploaded.

   Required API token permissions

   At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

   * `SSL and Certificates Write`

   Delete Hostname Client Certificate

   ```
   curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames/certificates/$CERTIFICATE_ID" \
     --request DELETE \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
   ```


---

---
title: About
description: When visitors request content from your domain, Cloudflare first attempts to serve content from the cache. If this attempt fails, Cloudflare sends a request — or an origin pull — back to your origin web server to get the content.
image: https://developers.cloudflare.com/core-services-preview.png
---


# About

## Simple explanation

When visitors request content from your domain, Cloudflare first attempts to serve content from the cache. If this attempt fails, Cloudflare sends a request — or an `origin pull` — back to your origin web server to get the content.

Authenticated Origin Pulls makes sure that all of these `origin pulls` come from Cloudflare. Put another way, Authenticated Origin Pulls ensures that any HTTPS requests outside of Cloudflare will not receive a response from your origin.

This block also applies to requests to [unproxied DNS records](https://developers.cloudflare.com/dns/proxy-status/#dns-only-records) in Cloudflare.

Warning

Note that the certificate Cloudflare provides for you to [set up Authenticated Origin Pulls](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) is not exclusive to your account; it only guarantees that a request is coming from the Cloudflare network.

For stricter security, you should set up Authenticated Origin Pulls with your own certificate and consider [other security measures for your origin](https://developers.cloudflare.com/fundamentals/security/protect-your-origin-server/).

## Detailed explanation

Cloudflare enforces authenticated origin pulls by adding an extra layer of TLS client certificate authentication when establishing a connection between Cloudflare and the origin web server.

For more details, refer to the [introductory blog post ↗](https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/).

---

### Types of handshakes

For more details, refer to [What is a TLS handshake? ↗](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/).

**Standard TLS handshake**

![Diagram showing the Standard TLS handshake](https://developers.cloudflare.com/_astro/client-auth-tls-standard.DZBqll1L_xiYbX.webp) 

**Client authenticated TLS handshake**

![Diagram showing the client authenticated TLS handshake](https://developers.cloudflare.com/_astro/client-auth-tls-handshake.B9OeA94c_Z2s8D3v.webp) 

### Comparison diagrams

Without Authenticated Origin Pulls, Cloudflare performs standard TLS handshakes between a client device and Cloudflare, and between Cloudflare and your origin. This is true even if you have [**Full**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/) or [**Full (strict)**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/) encryption modes enabled.

```mermaid
flowchart TD
  accTitle: Connection diagram without Authenticated Origin Pulls
  A[End user query for <code>example.com</code>] --Standard TLS Handshake--> B[Cloudflare network]
  B --Standard TLS Handshake--> C[Origin server]
  D[External device] --Standard TLS Handshake ----> C
```

This lack of authentication means that, even if your origin is [protected behind Cloudflare](https://developers.cloudflare.com/fundamentals/concepts/how-cloudflare-works/), attackers with your origin's IP address will still receive a response from your origin for HTTPS requests.

With Authenticated Origin Pulls, Cloudflare performs standard TLS handshakes between a client device and Cloudflare, but a client-authenticated TLS handshake between Cloudflare and your origin.

```mermaid
flowchart TD
  accTitle: Connection diagram with Authenticated Origin Pulls
  A[End user query for <code>example.com</code>] --Standard TLS Handshake--> B[Cloudflare network]
  B --Client authenticated TLS Handshake--> C[Origin server]
  D[External device] --Standard TLS Handshake -----x C
```

This additional layer of authentication ensures that any HTTPS requests outside of Cloudflare will not receive a response from your origin.


---

---
title: Manage certificates
description: Refer to the following sections to learn how to manage certificates used with the different Authenticated Origin Pulls setups.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Manage certificates

Refer to the following sections to learn how to manage certificates used with the different Authenticated Origin Pulls setups.

---

## Expired certificates

Cloudflare does not delete client certificates upon expiration unless you send a delete request to the Cloudflare API for the relevant certificate ([Delete a zone-level certificate](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/zone%5Fcertificates/methods/delete/) or [Delete a hostname-level certificate](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostname%5Fcertificates/methods/delete/)). If your origin only accepts a valid client certificate, it will drop requests when the certificate expires.

Make sure you have [notifications](https://developers.cloudflare.com/notifications/notification-available/#ssltls) set up to get alerts 30 days and 14 days before an AOP certificate expires.

---

## Use specialized certificates

To apply different client certificates simultaneously at both the zone and hostname level, you can combine zone-level and per-hostname custom certificates.

First, set up [zone-level pulls](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) using a certificate. Then, upload multiple, specialized certificates for [individual hostnames](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/). Since per-hostname certificates are more specific, they take precedence over zone certificates.

---

## Replace a certificate without downtime

No automatic removal

Cloudflare does not delete client certificates upon expiration unless you send a delete request to the Cloudflare API for the relevant certificate ([Delete a zone-level certificate](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/zone%5Fcertificates/methods/delete/) or [Delete a hostname-level certificate](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostname%5Fcertificates/methods/delete/)).

### Per-hostname

1. [Upload the new certificate](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostname%5Fcertificates/methods/create/).
2. [List your certificates](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostname%5Fcertificates/methods/list/) and note the ID for the certificate you uploaded.
3. [Enable Authenticated Origin Pulls for the specific hostname](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostnames/methods/update/), using the ID obtained in step 2 to specify the certificate you want to use:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `SSL and Certificates Write`

Enable or Disable a Hostname for Client Authentication

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "config": [
        {
            "enabled": true,
            "hostname": "<HOSTNAME>",
            "cert_id": "<CERT_ID>"
        }
    ]
  }'
```

Note

If you keep both certificates, the API will state `active` for both but the most recently deployed certificate will be the one enabled and used.

### Zone-level

1. [Upload the new certificate](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/zone%5Fcertificates/methods/create/).
2. [Check whether the new certificate is active](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/zone%5Fcertificates/methods/get/).
3. Once the new certificate is active, [delete the previous certificate](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/zone%5Fcertificates/methods/delete/).

Note

If you keep both certificates, the API will state `active` for both but the most recently deployed certificate will be the one enabled and used.


---

---
title: Per-hostname
description: When you enable Authenticated Origin Pulls per hostname, all proxied traffic to the specified hostname is authenticated at the origin web server. You can use client certificates from your Private PKI to authenticate connections from Cloudflare.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Per-hostname

When you enable Authenticated Origin Pulls per hostname, all proxied traffic to the specified hostname is authenticated at the origin web server. You can use client certificates from your Private PKI to authenticate connections from Cloudflare.

## Before you begin

Warning

It is not possible to set up per-hostname authenticated origin pulls with the [Cloudflare certificate](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/#aspects-to-consider).

Refer to the steps below for an example of how to generate a custom certificate using OpenSSL. The CA root certificate that you use to issue the custom certificate should be the same CA that you will [upload to your origin](#2-configure-origin-to-accept-client-certificates).

OpenSSL example

1. Run the following command to generate a 4096-bit RSA private key, using AES-256 encryption. Enter a passphrase when prompted.

Terminal window

```
openssl genrsa -aes256 -out rootca.key 4096
```

2. Create the CA root certificate. When prompted, fill in the information to be included in the certificate. For the `Common Name` field, use the domain name as value, not the hostname.

Terminal window

```
openssl req -x509 -new -nodes -key rootca.key -sha256 -days 1826 -out rootca.crt
```

3. Create a Certificate Signing Request (CSR). When prompted, fill in the information to be included in the request. For the `Common Name` field, use the hostname as value.

Terminal window

```
openssl req -new -nodes -out cert.csr -newkey rsa:4096 -keyout cert.key
```

4. Sign the certificate using the `rootca.key` and `rootca.crt` created in previous steps.

Terminal window

```
openssl x509 -req -in cert.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial -out cert.crt -days 730 -sha256 -extfile ./cert.v3.ext
```

5. Make sure the certificate extensions file `cert.v3.ext` specifies the following:

```
basicConstraints=CA:FALSE
```

## 1\. Upload custom certificate

Use the [Upload A Hostname Client Certificate](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostname%5Fcertificates/methods/create/) endpoint to upload your custom certificate.

Note

You must upload a [leaf certificate](https://developers.cloudflare.com/ssl/concepts/#chain-of-trust). If you upload a root CA instead, the API will return a `missing leaf certificate` error.

Terminal window

```
MYCERT="$(cat cert.crt|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"
MYKEY="$(cat cert.key|perl -pe 's/\r?\n/\\n/'|sed -e 's/..$//')"

request_body=$(< <(cat <<EOF
{
"certificate": "$MYCERT",
"private_key": "$MYKEY",
"bundle_method":"ubiquitous"
}
EOF
))

# Push the certificate
curl --silent \
"https://api.cloudflare.com/client/v4/zones/$ZONEID/origin_tls_client_auth/hostnames/certificates" \
--header "Content-Type: application/json" \
--header "X-Auth-Email: $MYAUTHEMAIL" \
--header "X-Auth-Key: $MYAUTHKEY" \
--data "$request_body"
```

In the API response, save the certificate `id` since it will be required in step 4.
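The `perl`/`sed` pipeline above (the same one appears in step 3 of the AWS integration guide) relies on the PEM files ending with a newline: `sed 's/..$//'` removes the escaped newline that `perl` appended to the last line, and chops two real characters off the base64 when that newline is absent. The snippet also authenticates with the Global API Key (`X-Auth-Key`), which carries every permission on the account. The following is an added example, not Cloudflare's script: it escapes the PEM files with `awk` whether or not they end with a newline, refuses to build a body from a file that holds more than one certificate (the endpoint expects the leaf on its own), and sends the request with a scoped API token holding `SSL and Certificates Write`, the permission the later steps on this page use. `ZONE_ID` and `CLOUDFLARE_API_TOKEN` are assumed to be set in the environment, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Cloudflare's script: build the request body for the
# hostname client certificate upload endpoint and send it with a scoped API token.
# ZONE_ID and CLOUDFLARE_API_TOKEN are assumed to be set in the environment.
set -eu

# Join the lines of a PEM file with literal "\n" sequences (JSON string escaping).
# Unlike the sed 's/..$//' trick, this gives the same result with or without a
# trailing newline in the file.
pem_to_json_string() {
  awk 'NR > 1 { printf "%s", "\\n" } { printf "%s", $0 }' "$1"
}

# build_upload_body CERT_FILE KEY_FILE
# Prints the JSON body. Refuses a certificate file containing more than one
# certificate: the endpoint wants the leaf certificate alone, not a chain.
build_upload_body() {
  cert=$1; key=$2
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert" || true)
  [ "$n" -eq 1 ] || { echo "expected exactly one certificate in $cert, found $n" >&2; return 1; }
  grep -q -- 'PRIVATE KEY-----' "$key" || { echo "no private key found in $key" >&2; return 1; }
  printf '{"certificate":"%s","private_key":"%s","bundle_method":"ubiquitous"}' \
    "$(pem_to_json_string "$cert")" "$(pem_to_json_string "$key")"
}

# upload_hostname_client_cert CERT_FILE KEY_FILE
# Uploads the leaf certificate. The "id" inside "result" in the response is the
# cert_id that the PUT request enabling AOP for the hostname expects.
upload_hostname_client_cert() {
  body=$(build_upload_body "$1" "$2") || return 1
  curl --silent --show-error \
    "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames/certificates" \
    --request POST \
    --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --header "Content-Type: application/json" \
    --data "$body"
}

# Usage:
#   upload_hostname_client_cert ./cert.crt ./cert.key
```

Because the token only needs `SSL and Certificates Write` on the one zone, a leaked token exposes far less than a leaked Global API Key would; rotate it once the certificate is in place if the upload was a one-off task.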

## 2\. Configure origin to accept client certificates

With the certificate installed, set up your origin web server to accept client certificates.

Check the examples below for Apache and NGINX, or refer to your origin web server documentation, for example [HAProxy ↗](https://www.haproxy.com/documentation/hapee/latest/security/authentication/client-certificate-authentication/), [Traefik ↗](https://doc.traefik.io/traefik/https/tls/#client-authentication-mtls) or [Caddy ↗](https://caddyserver.com/docs/json/apps/http/servers/tls%5Fconnection%5Fpolicies/client%5Fauthentication/mode/).

Apache example

```
SSLCACertificateFile /path/to/origin-pull-ca.pem
```

For this example, you would have saved your certificate to `/path/to/origin-pull-ca.pem`.

NGINX example

```
ssl_verify_client optional;
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
```

For this example, you would have saved your certificate to `/etc/nginx/certs/cloudflare.crt`.

At this point, you may also want to enable logging on your origin so that you can verify the configuration is working.

## 3\. Enable Authenticated Origin Pulls for the hostname

Use the Cloudflare API to send a [PUT](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostnames/methods/update/) request to enable Authenticated Origin Pulls for specific hostnames.

If you had set up logging on your origin during step 2, test and confirm that Authenticated Origin Pulls is working.

## 4\. Enforce validation check on your origin

Once you can confirm everything is working as expected for your specific origin setup, configure your origin to enforce the authentication.

Apache example

```
SSLVerifyClient require
```

NGINX example

```
ssl_verify_client on;
```

After completing the process, you can use `curl` to send requests directly to your origin IPs, verifying that the requests fail due to certificate validation being enforced.

## 5\. (Optional) Set up expiration alerts

You can configure alerts to receive notifications before your AOP certificates expire.

Hostname-level Authenticated Origin Pulls Certificate Expiration Alert

**Who is it for?**

Customers that upload their own certificate to use with hostname-level Authenticated Origin Pull (AOP) to secure connections from Cloudflare to their origin server. AOP certificate expiration notifications are sent 30 days and 14 days before the certificate expiry.

**Other options / filters**

None.

**Included with**

Authenticated Origin Pull.

**What should you do if you receive one?**

Upload a renewed certificate to use for [hostname-level AOP](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/).

Refer to [Cloudflare Notifications](https://developers.cloudflare.com/notifications/get-started/) for more information on how to set up an alert.

## Further options

Refer to [Manage certificates](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/manage-certificates/) for further options.

To learn how to remove the configuration, refer to [Rollback](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback/).


---

---
title: Roll back per-hostname AOP
description: If you need to disable or remove your per-hostname Authenticated Origin Pulls configuration, follow these steps.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Roll back per-hostname AOP

If you need to disable or remove your [per-hostname](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) Authenticated Origin Pulls configuration, follow these steps.

Note

[Zone-level AOP](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/) and [per-hostname AOP](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/) are two separate configurations. Disabling one does not disable the other.

1. Use a [PUT request](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostnames/methods/update/) to disable Authenticated Origin Pulls on the hostname.  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `SSL and Certificates Write`  
Enable or Disable a Hostname for Client Authentication  
```  
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames" \  
  --request PUT \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \  
  --json '{  
    "config": [  
        {  
            "enabled": false,  
            "cert_id": "<CERT_ID>",  
            "hostname": "<YOUR_HOSTNAME>"  
        }  
    ]  
  }'  
```
2. (Optional) Use a [GET request](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostname%5Fcertificates/methods/list/) to obtain a list of the client certificate IDs. You will need the ID of the certificate you want to remove for the following step.  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `SSL and Certificates Write`  
   * `SSL and Certificates Read`  
List Certificates  
```  
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames/certificates" \  
  --request GET \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"  
```
3. Use the [Delete hostname client certificate](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/hostname%5Fcertificates/methods/delete/) endpoint to remove the certificate you had uploaded.  
Required API token permissions  
At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:  
   * `SSL and Certificates Write`  
Delete Hostname Client Certificate  
```  
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/origin_tls_client_auth/hostnames/certificates/$CERTIFICATE_ID" \  
  --request DELETE \  
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"  
```


---

---
title: Zone-level
description: When you enable Authenticated Origin Pulls (AOP) for a zone, all proxied traffic to your zone is authenticated at the origin web server.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Zone-level

When you enable Authenticated Origin Pulls (AOP) for a zone, all proxied traffic to your zone is authenticated at the origin web server.

## Before you begin

Make sure your zone is using an [SSL/TLS encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/) of **Full** or higher.

Warning

Zone-level AOP certificates are also applied to [custom hostnames](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/) configured on a Cloudflare for SaaS zone. If you need a different AOP certificate to apply to different custom hostnames, use [Per-hostname AOP](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/).

## 1\. Upload certificate to origin

First, upload a certificate to your origin.

To use a Cloudflare certificate (which uses a specific CA), [download the .PEM file](https://developers.cloudflare.com/ssl/static/authenticated%5Forigin%5Fpull%5Fca.pem) and upload it to your origin. This certificate is **not** the same as the [Cloudflare origin CA certificate](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/) and will not appear on your Dashboard.

To use a custom certificate, follow the API instructions to [upload a custom certificate to Cloudflare](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate), but use the [origin\_tls\_client\_auth endpoint](https://developers.cloudflare.com/api/resources/origin%5Ftls%5Fclient%5Fauth/subresources/zone%5Fcertificates/methods/create/). Then, upload the certificate to your origin.

Warning

Although Cloudflare provides you a certificate to easily configure zone-level authenticated origin pulls, this certificate is not exclusive to your account and only guarantees that a request is coming from the Cloudflare network. If you want more strict security, you should upload your own certificate.

Using a custom certificate is required if you need your domain to be [FIPS ↗](https://en.wikipedia.org/wiki/Federal%5FInformation%5FProcessing%5FStandards) compliant.

## 2\. Configure origin to accept client certificates

With the certificate installed, set up your origin web server to accept client certificates.

Check the examples below for Apache and NGINX or refer to your origin web server documentation - e.g. [HAProxy ↗](https://www.haproxy.com/documentation/hapee/latest/security/authentication/client-certificate-authentication/), [Traefik ↗](https://doc.traefik.io/traefik/https/tls/#client-authentication-mtls), [Caddy ↗](https://caddyserver.com/docs/json/apps/http/servers/tls%5Fconnection%5Fpolicies/client%5Fauthentication/mode/).

Apache example

```apache
SSLCACertificateFile /path/to/origin-pull-ca.pem
```

For this example, you would have saved your certificate to `/path/to/origin-pull-ca.pem`.

To use the Cloudflare certificate, download it from step 1 above, rename the .PEM file, and then upload it to `/path/to/origin-pull-ca.pem` before applying the settings. 

NGINX example

```nginx
ssl_verify_client optional;
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
```

For this example, you would have saved your certificate to `/etc/nginx/certs/cloudflare.crt`.

To use the Cloudflare certificate, download it from step 1 above, rename the .PEM file, and then upload it to `/etc/nginx/certs/cloudflare.crt` before applying the settings. 

At this point, you may also want to enable logging on your origin so that you can verify the configuration is working.

## 3\. Configure Cloudflare to use client certificate

Then, enable the Authenticated Origin Pulls feature as an option for your Cloudflare zone.

This step sets the TLS Client Auth to require Cloudflare to use a client certificate when connecting to your origin server.

**Dashboard**

To enable **Authenticated Origin Pulls** in the dashboard:

1. In the Cloudflare dashboard, go to the **Origin Server** page.  
[ Go to **Origin Server** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/origin)
2. For **Authenticated Origin Pulls**, switch the toggle to **On**.

**API**

To enable or disable **Authenticated Origin Pulls** with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `tls_client_auth` as the setting name in the URI path, and the `value` parameter set to your desired setting (`"on"` or `"off"`).

Warning

Whether you use the dashboard or the API, this step only makes Authenticated Origin Pulls available; you still have to go through the following steps to complete the configuration.

## 4\. Enforce validation check on your origin

Once you can confirm everything is working as expected for your specific origin setup, configure your origin to enforce the authentication.

Apache example

```apache
SSLVerifyClient require
```

NGINX example

```nginx
ssl_verify_client on;
```

After completing the process, you can use `curl` to send requests directly to your origin IPs, verifying that the requests fail due to certificate validation being enforced.
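Once validation is enforced (this step, and step 4 of the per-hostname setup above), you can confirm it from outside Cloudflare. The following is an added example in Python, not Cloudflare's code: it connects straight to the origin IP, once without a client certificate and once with an AOP client certificate and key you hold on disk, and classifies the pair of outcomes. It assumes the origin is reachable directly, that `192.0.2.10` and the `/path/to/...` values are placeholders you replace, and that the names `probe`, `classify` and `check_origin` are this example's own. The authenticated probe only makes sense with a custom AOP certificate, because you do not hold the private key of the Cloudflare-provided one; with that certificate, run only the anonymous probe and confirm the proxied path through Cloudflare itself.

```python
"""Confirm that an origin enforces Authenticated Origin Pulls.

Added example, not Cloudflare's code. Two direct TLS connections to the origin
IP (bypassing Cloudflare): one anonymous, one with the AOP client certificate
and key. The classification logic runs offline; probe() needs network access
to an origin you operate.
"""
import socket
import ssl

ACCEPTED, REJECTED, OTHER = "accepted", "rejected", "other"


def parse_status(status_line):
    """Return the status code from a response line such as b'HTTP/1.1 400 Bad Request'."""
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def outcome_from_status(status):
    """Map an HTTP status to an outcome.

    NGINX with `ssl_verify_client on` completes the handshake and answers 400
    (internally 495/496) when the client certificate is missing or invalid;
    Apache may answer 403 when verification is scoped to a location. All of
    these count as rejected. 2xx/3xx means the request was served.
    """
    if 200 <= status < 400:
        return ACCEPTED
    if status in (400, 403, 495, 496):
        return REJECTED
    return OTHER


def probe(origin_ip, hostname, client_cert=None, client_key=None, port=443, timeout=5):
    """Send one GET / directly to the origin and report how it was treated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # origin-certificate trust is a separate check; we test client auth only
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    request = f"GET / HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                tls.sendall(request)
                first_line = tls.recv(1024).split(b"\r\n", 1)[0]
        return outcome_from_status(parse_status(first_line))
    except ssl.SSLError:
        return REJECTED  # handshake refused outright (Apache `SSLVerifyClient require`)
    except (OSError, ValueError):
        return OTHER


def classify(anonymous, authenticated=None):
    """Interpret the anonymous probe, and the authenticated one when available."""
    if authenticated is not None and authenticated != ACCEPTED:
        return "broken"        # the AOP certificate itself is rejected: proxied traffic would fail too
    if anonymous == ACCEPTED:
        return "not-enforced"  # still at the `optional` stage of step 2
    if anonymous == REJECTED:
        return "enforced"
    return "inconclusive"      # connection error or unexpected status


def check_origin(origin_ip, hostname, client_cert=None, client_key=None):
    anonymous = probe(origin_ip, hostname)
    authenticated = probe(origin_ip, hostname, client_cert, client_key) if client_cert else None
    return classify(anonymous, authenticated)


if __name__ == "__main__":
    # Placeholder values (constructed): replace with your origin IP, hostname and custom AOP cert/key.
    print(check_origin("192.0.2.10", "www.example.com",
                       "/path/to/aop-client.pem", "/path/to/aop-client.key"))
```

A result of `broken` means the origin is rejecting the very certificate Cloudflare presents, which will surface as failed proxied requests; fix the `ssl_client_certificate` / `SSLCACertificateFile` path or the uploaded certificate before leaving enforcement on.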

## 5\. (Optional) Set up expiration alerts

You can configure alerts to receive notifications before your AOP certificates expire.

Zone-level Authenticated Origin Pulls Certificate Expiration Alert

**Who is it for?**

Customers that upload their own certificate to use with zone-level Authenticated Origin Pull (AOP) to secure connections from Cloudflare to their origin server. AOP certificate expiration notifications are sent 30 days and 14 days before the certificate expiry.

**Other options / filters**

None.

**Included with**

Authenticated Origin Pull.

**What should you do if you receive one?**

Upload a renewed certificate to use for [zone-level AOP](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/).

Refer to [Cloudflare Notifications](https://developers.cloudflare.com/notifications/get-started/) for more information on how to set up an alert.

## Further options

Refer to [Manage certificates](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/manage-certificates/) for further options.


---

---
title: Cipher suites
description: Review a list of cipher suites that Cloudflare presents to origins during an SSL/TLS handshake.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Cipher suites

Refer to the following list to know what cipher suites Cloudflare presents to origin servers during an SSL/TLS handshake.

Note

Refer to [cipher suites supported at Cloudflare's global network](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/) to know what cipher suites Cloudflare presents to browsers and other user agents.

The list order is based on how the cipher suites appear in the [ClientHello ↗](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/#:~:text=client%20hello), communicating Cloudflare's preference.

## Supported cipher suites by protocol

| Cipher name                                           | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 |
| ----------------------------------------------------- | ------- | ------- | ------- | ------- |
| AEAD-AES128-GCM-SHA256 [1](#user-content-fn-1)        | ❌       | ❌       | ❌       | ✅       |
| AEAD-AES256-GCM-SHA384 [1](#user-content-fn-1)        | ❌       | ❌       | ❌       | ✅       |
| AEAD-CHACHA20-POLY1305-SHA256 [1](#user-content-fn-1) | ❌       | ❌       | ❌       | ✅       |
| ECDHE-ECDSA-AES128-GCM-SHA256                         | ❌       | ❌       | ✅       | ❌       |
| ECDHE-RSA-AES128-GCM-SHA256                           | ❌       | ❌       | ✅       | ❌       |
| ECDHE-RSA-AES128-SHA                                  | ✅       | ✅       | ✅       | ❌       |
| AES128-GCM-SHA256                                     | ❌       | ❌       | ✅       | ❌       |
| AES128-SHA                                            | ✅       | ✅       | ✅       | ❌       |
| ECDHE-ECDSA-AES256-GCM-SHA384                         | ❌       | ❌       | ✅       | ❌       |
| ECDHE-RSA-AES256-GCM-SHA384                           | ❌       | ❌       | ✅       | ❌       |
| ECDHE-RSA-AES256-SHA384                               | ❌       | ❌       | ✅       | ❌       |
| AES256-SHA                                            | ✅       | ✅       | ✅       | ❌       |
| DES-CBC3-SHA                                          | ✅       | ❌       | ❌       | ❌       |

### TLS 1.3 cipher suites

Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, only specifying the symmetric ciphers, and cannot be used for TLS 1.2 ([RFC 8446 ↗](https://www.rfc-editor.org/rfc/rfc8446.html)).

Similarly, TLS 1.2 and lower cipher suites cannot be used with TLS 1.3. BoringSSL also hard-codes cipher preferences in the order above for TLS 1.3.

Because it is based on BoringSSL, Cloudflare returns the names listed above. The corresponding names defined in [RFC 8446 ↗](https://www.rfc-editor.org/rfc/rfc8446.html) are the following:

* `TLS_AES_128_GCM_SHA256`
* `TLS_AES_256_GCM_SHA384`
* `TLS_CHACHA20_POLY1305_SHA256`

## Match on origin

Cloudflare will present the cipher suites to your origin and your server will select whichever cipher suite it prefers.

However, if you want to ensure that your origin server supports the same cipher suites that Cloudflare supports at our global network and you use [NGINX ↗](https://en.wikipedia.org/wiki/Nginx) for TLS termination on your origin, you can apply the following configuration:

```nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:P-256:P-384;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES;
ssl_prefer_server_ciphers on;
```
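To see which suite the two sides end up with, the following added example (Python, not Cloudflare's code) takes the ClientHello order from the table above and the `ssl_ciphers` value from the NGINX snippet, expands the aliases (`ECDHE+AES128` and friends), drops suites the origin's key type cannot sign for, and applies `ssl_prefer_server_ciphers` in both settings. It models only the suites named on this page, not OpenSSL's full cipher-string grammar, and assumes OpenSSL's default TLS 1.3 order for the origin since `ssl_ciphers` does not govern TLS 1.3; the names `expand_cipher_string`, `usable_with_key` and `negotiate` are the example's own.

```python
"""Which cipher suite does an origin negotiate with Cloudflare?

Added example, not Cloudflare's code. Uses the ClientHello preference order from
the table above and a deliberately simplified expansion of the NGINX ssl_ciphers
string: only suites named on this page are modelled, so OpenSSL's full grammar
(!, -, @STRENGTH, other aliases) is not covered.
"""

# Cloudflare's ClientHello order per protocol (BoringSSL names), from the table above.
CLOUDFLARE_OFFER = {
    "TLSv1.3": ["AEAD-AES128-GCM-SHA256", "AEAD-AES256-GCM-SHA384",
                "AEAD-CHACHA20-POLY1305-SHA256"],
    "TLSv1.2": ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-AES128-SHA", "AES128-GCM-SHA256", "AES128-SHA",
                "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
                "ECDHE-RSA-AES256-SHA384", "AES256-SHA"],
    "TLSv1.1": ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "AES256-SHA"],
    "TLSv1":   ["ECDHE-RSA-AES128-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"],
}

# BoringSSL name -> RFC 8446 name for the TLS 1.3 suites.
RFC8446_NAMES = {
    "AEAD-AES128-GCM-SHA256": "TLS_AES_128_GCM_SHA256",
    "AEAD-AES256-GCM-SHA384": "TLS_AES_256_GCM_SHA384",
    "AEAD-CHACHA20-POLY1305-SHA256": "TLS_CHACHA20_POLY1305_SHA256",
}

# Keyword sets used to expand aliases such as ECDHE+AES128. "RSA" marks suites
# that need an RSA origin certificate, "ECDSA" those that need an ECDSA one.
SUITE_ATTRS = {
    "ECDHE-ECDSA-AES128-GCM-SHA256": {"ECDHE", "ECDSA", "AES128"},
    "ECDHE-ECDSA-CHACHA20-POLY1305": {"ECDHE", "ECDSA", "CHACHA20"},
    "ECDHE-RSA-AES128-GCM-SHA256":   {"ECDHE", "RSA", "AES128"},
    "ECDHE-RSA-CHACHA20-POLY1305":   {"ECDHE", "RSA", "CHACHA20"},
    "ECDHE-RSA-AES128-SHA":          {"ECDHE", "RSA", "AES128"},
    "AES128-GCM-SHA256":             {"RSA", "AES128"},
    "AES128-SHA":                    {"RSA", "AES128"},
    "ECDHE-ECDSA-AES256-GCM-SHA384": {"ECDHE", "ECDSA", "AES256"},
    "ECDHE-RSA-AES256-GCM-SHA384":   {"ECDHE", "RSA", "AES256"},
    "ECDHE-RSA-AES256-SHA384":       {"ECDHE", "RSA", "AES256"},
    "AES256-SHA":                    {"RSA", "AES256"},
    "DES-CBC3-SHA":                  {"RSA", "3DES"},
}

# The ssl_ciphers value from the NGINX snippet above.
NGINX_CIPHERS = ("ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:"
                 "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:"
                 "ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES")

# Assumption: OpenSSL's default TLS 1.3 order on the origin (ssl_ciphers does not change it).
OPENSSL_TLS13_DEFAULT = ["TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
                         "TLS_AES_128_GCM_SHA256"]


def expand_cipher_string(cipher_string):
    """Expand an ssl_ciphers value into an ordered, de-duplicated suite list."""
    result = []
    for token in cipher_string.split(":"):
        if "+" in token:  # alias intersection, e.g. ECDHE+AES128
            wanted = set(token.split("+"))
            matches = [s for s, attrs in SUITE_ATTRS.items() if wanted <= attrs]
        elif token in SUITE_ATTRS:
            matches = [token]
        else:
            raise ValueError(f"token not covered by this simplified model: {token}")
        for suite in matches:
            if suite not in result:
                result.append(suite)
    return result


def usable_with_key(suites, origin_key_type):
    """Keep only suites whose authentication matches the origin's key type (RSA or ECDSA)."""
    return [s for s in suites if origin_key_type in SUITE_ATTRS[s]]


def negotiate(protocol, server_suites, origin_key_type="RSA", prefer_server=True,
              server_tls13=OPENSSL_TLS13_DEFAULT):
    """Return the suite selected for `protocol`, or None when the lists do not overlap."""
    client = CLOUDFLARE_OFFER[protocol]
    if protocol == "TLSv1.3":
        client = [RFC8446_NAMES[s] for s in client]  # compare on RFC 8446 names
        server = list(server_tls13)
    else:
        server = usable_with_key(server_suites, origin_key_type)
    first, second = (server, client) if prefer_server else (client, server)
    for suite in first:
        if suite in second:
            return suite
    return None


if __name__ == "__main__":
    origin = expand_cipher_string(NGINX_CIPHERS)
    for proto in ("TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1"):
        print(proto, negotiate(proto, origin), negotiate(proto, origin, "ECDSA"))
```

Two things the table alone does not show fall out of running it: with an RSA origin certificate the `ECDHE-ECDSA-*` entries are dead weight and the first usable suite is `ECDHE-RSA-AES128-GCM-SHA256`, and under TLS 1.3 `ssl_prefer_server_ciphers on` hands the choice to the origin's own order rather than Cloudflare's.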

## Footnotes

1. Refer to [TLS 1.3 cipher suites](#tls-13-cipher-suites) for details. [↩](#user-content-fnref-1) [↩2](#user-content-fnref-1-2) [↩3](#user-content-fnref-1-3)


---

---
title: Custom Origin Trust Store
description: Custom Origin Trust Store allows you to upload certificate authorities (CAs) that Cloudflare will use to authenticate connections to your origin server.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Custom Origin Trust Store

By default, Cloudflare's global network maintains [a list of publicly trusted certificate authorities ↗](https://github.com/cloudflare/cfssl%5Ftrust). This means that when using [Full (strict) encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/), Cloudflare will only trust origin server certificates issued by a CA included in this trust store.

Custom Origin Trust Store allows you to upload certificate authorities (CAs) that Cloudflare will use to authenticate connections to your origin server. Use this feature to override the default trust store with your preferred CA or CAs.

When a CA has been uploaded to Custom Origin Trust Store, Cloudflare will ignore all default publicly trusted CAs and exclusively use the CA or CAs that have been uploaded to authenticate the origin server.

## Availability

To get access to Custom Origin Trust Store, [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) must be enabled on the zone.

## How to

To manage origin trust stores in the dashboard, go to the [**Origin Server** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/origin) page and use the **Custom Origin Trust Store** card.

To manage origin trust stores using the API, refer to the [API commands](#api-commands).

## Limitations

With [Full (strict) encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/) enabled, if your uploaded CA expires and no alternative CAs are valid within the trust store, Cloudflare will not be able to properly authenticate connections to the origin server.

## API commands

#### List Custom Origin Trust Store Details

* API documentation: [List Custom Origin Trust Store Details](https://developers.cloudflare.com/api/resources/acm/subresources/custom%5Ftrust%5Fstore/methods/list/)
* Method: `GET`
* Endpoint: `/zones/$ZONE_ID/acm/custom_trust_store`

#### Custom Origin Trust Store Details

* API documentation: [Custom Origin Trust Store Details](https://developers.cloudflare.com/api/resources/acm/subresources/custom%5Ftrust%5Fstore/methods/get/)
* Method: `GET`
* Endpoint: `/zones/$ZONE_ID/acm/custom_trust_store/$CUSTOM_ORIGIN_TRUST_STORE_ID`  
Note  
The `$CUSTOM_ORIGIN_TRUST_STORE_ID` can be found via the [List command](#list-custom-origin-trust-store-details).

#### Upload Custom Origin Trust Store

* API documentation: [Upload Custom Origin Trust Store](https://developers.cloudflare.com/api/resources/acm/subresources/custom%5Ftrust%5Fstore/methods/create/)
* Method: `POST`
* Endpoint: `/zones/$ZONE_ID/acm/custom_trust_store`

#### Delete Custom Origin Trust Store

* API documentation: [Delete Custom Origin Trust Store](https://developers.cloudflare.com/api/resources/acm/subresources/custom%5Ftrust%5Fstore/methods/delete/)
* Method: `DELETE`
* Endpoint: `/zones/$ZONE_ID/acm/custom_trust_store/$CUSTOM_ORIGIN_TRUST_STORE_ID`  
Note  
The `$CUSTOM_ORIGIN_TRUST_STORE_ID` can be found via the [List command](#list-custom-origin-trust-store-details).


---

---
title: Cloudflare origin CA
description: Encrypt traffic between Cloudflare and your origin web server and reduce origin bandwidth consumption.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Cloudflare origin CA

If your origin only receives traffic from proxied records, use Cloudflare origin CA certificates to encrypt traffic between Cloudflare and your origin web server and reduce bandwidth consumption. Once deployed, these certificates are compatible with [Strict SSL mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/).

For more background information on origin CA certificates, refer to the [introductory blog post ↗](https://blog.cloudflare.com/cloudflare-ca-encryption-origin/).

API Access required

Users who do not have [**API Access** ↗](https://dash.cloudflare.com/?to=/:account/members) will receive an error while trying to create or revoke an origin CA certificate. Refer to [Troubleshooting](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/troubleshooting/#this-zone-is-either-not-part-of-your-account-or-you-do-not-have-access-to-it) for guidance.

## Availability

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | Yes  | Yes | Yes      | Yes        |

Note

Using Cloudflare origin CA certificates does not prevent you from using [delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/).

---

## Deploy an Origin CA certificate

### 1\. Create an Origin CA certificate

To create an Origin CA certificate in the dashboard:

1. In the Cloudflare dashboard, go to the **Origin Server** page.  
[ Go to **Origin Server** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/origin)
2. Select **Create Certificate**.
3. Choose either:  
   * **Generate private key and CSR with Cloudflare**: Private key type can be RSA or ECC.  
   * **Use my private key and CSR**: Paste the Certificate Signing Request into the text field.
4. List the [hostnames (including wildcards)](#hostname-and-wildcard-coverage) the certificate should protect with SSL encryption. The zone apex and first level wildcard hostname are included by default.
5. Choose a **Certificate Validity** period.
6. Select **Create**.
7. Choose the **Key Format**:  
   * Servers using OpenSSL — like Apache and NGINX — generally expect PEM files (Base64-encoded ASCII), but also work with binary DER files.  
   * Servers using Windows and Apache Tomcat require PKCS#7 (a `.p7b` file).
8. Copy the signed **Origin Certificate** and **Private Key** into separate files. For security reasons, you cannot see the **Private Key** after you exit this screen.
9. Select **OK**.

Note

For details about working with certificates programmatically, refer to [API calls](#api-calls).

### 2\. Install Origin CA certificate on origin server

To add an Origin CA certificate to your origin web server:

1. Upload the Origin CA certificate (created in [Step 1](#1-create-an-origin-ca-certificate)) to your origin web server.
2. Update your web server configuration:
* [Apache httpd ↗](https://www.digicert.com/kb/csr-ssl-installation/apache-openssl.htm)
* [GoDaddy Hosting ↗](https://www.digitalcandy.agency/website-tips/cloudflare-origin-ca-free-ssl-installation-on-godaddy/)
* [Microsoft IIS 7 ↗](https://www.digicert.com/csr-ssl-installation/iis-7.htm#ssl%5Fcertificate%5Finstall)
* [Microsoft IIS 8 and 8.5 ↗](https://www.digicert.com/csr-ssl-installation/iis-8-and-8.5.htm#ssl%5Fcertificate%5Finstall)
* [Microsoft IIS 10 ↗](https://www.digicert.com/kb/csr-creation-ssl-installation-iis-10.htm)
* [NGINX ↗](https://www.digicert.com/kb/csr-ssl-installation/nginx-openssl.htm)
* [Apache Tomcat ↗](https://www.digicert.com/csr-ssl-installation/tomcat-keytool.htm#ssl%5Fcertificate%5Finstall)
* [Amazon Web Services ↗](https://www.digicert.com/ssl-certficate-installation-amazon-web-services.htm)
* [Apache cPanel ↗](https://www.digicert.com/kb/ssl-certificate-installation-apache-cpanel.htm)
* [Ubuntu Server with Apache2 ↗](https://www.digicert.com/kb/csr-ssl-installation/ubuntu-server-with-apache2-openssl.htm#ssl%5Fcertificate%5Finstall)

Note

If you do not see your server in the list above, search the [DigiCert documentation ↗](https://www.digicert.com/search-results) or contact your hosting provider, web admin, or server vendor.

3. (Required for some) Upload the [Cloudflare CA root certificate](#cloudflare-origin-ca-root-certificate) to your origin server. This can also be referred to as the certificate chain.
4. Enable SSL and port `443` at your origin web server.

### 3\. Change SSL/TLS mode

After you have installed the Origin CA certificate on your origin web server, update the SSL/TLS encryption mode for your application.

If all your origin hosts are protected by Origin CA certificates or publicly trusted certificates:

1. Go to **SSL/TLS**.
2. For **SSL/TLS encryption mode**, select **Full (strict)**.

If you have origin hosts that are not protected by certificates, set the **SSL/TLS encryption** mode for a specific application to **Full (strict)** by using a [Page Rule](https://developers.cloudflare.com/rules/page-rules/).

Warning

Site visitors may see untrusted certificate errors if you [pause Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/pause-cloudflare/) or disable proxying on subdomains that use Cloudflare origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.

## Revoke an Origin CA certificate

If you misplace your key material or do not want a certificate to be trusted, you may want to revoke your certificate. You cannot undo this process.

To prevent visitors from seeing warnings about an insecure certificate, you may want to set your [SSL/TLS encryption](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/) to **Full** or **Flexible** before revoking your certificate. Do this globally via the [Cloudflare dashboard ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls) or for a specific hostname via a [Page Rule](https://developers.cloudflare.com/rules/page-rules/).

To revoke a certificate:

1. In the Cloudflare dashboard, go to the **Origin Server** page.  
[ Go to **Origin Server** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/origin)
2. In **Origin Certificates**, choose a certificate.
3. Select **Revoke**.

## Additional details

### Cloudflare Origin CA root certificate

Some origin web servers require upload of the Cloudflare Origin CA root certificate or certificate chain. Use the following links to download either an ECC or an RSA version and upload to your origin web server:

* [Cloudflare Origin ECC PEM](https://developers.cloudflare.com/ssl/static/origin%5Fca%5Fecc%5Froot.pem) (do not use with Apache cPanel)
* [Cloudflare Origin RSA PEM](https://developers.cloudflare.com/ssl/static/origin%5Fca%5Frsa%5Froot.pem)

### Hostname and wildcard coverage

Certificates may be generated with up to 200 individual Subject Alternative Names (SANs). A SAN can take the form of a fully-qualified domain name (`www.example.com`) or a wildcard (`*.example.com`). You cannot use IP addresses as SANs on Cloudflare origin CA certificates.

Wildcards may only cover one level, but can be used multiple times on the same certificate for broader coverage (for example, `*.example.com` and `*.secure.example.com` may co-exist).
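The coverage rules above are easy to get wrong when planning SANs for a multi-level hostname layout. The following added example (Python, not Cloudflare's code) encodes them: the 200-SAN limit, FQDN or single-level wildcard only, no IP addresses, the default apex plus first-level wildcard, and a matcher that treats `*` as exactly one label. The function names `default_sans`, `validate_sans`, `san_matches` and `covering_san` are the example's own.

```python
"""Hostname coverage rules for Origin CA certificate SANs.

Added example, not Cloudflare's code. Encodes the rules stated above: at most
200 SANs, a SAN is an FQDN or a single-level wildcard, IP addresses are not
allowed, and the zone apex plus first-level wildcard are included by default.
"""
import ipaddress

MAX_SANS = 200


def default_sans(zone):
    """SANs the dashboard includes by default for a zone."""
    zone = zone.lower().rstrip(".")
    return [zone, f"*.{zone}"]


def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def validate_sans(sans):
    """Return a list of problems; an empty list means the SAN set is acceptable."""
    problems = []
    if len(sans) > MAX_SANS:
        problems.append(f"{len(sans)} SANs exceeds the limit of {MAX_SANS}")
    for san in sans:
        if _is_ip(san):
            problems.append(f"{san}: IP addresses cannot be SANs on Origin CA certificates")
        elif "*" in san and (not san.startswith("*.") or "*" in san[2:]):
            problems.append(f"{san}: a wildcard must be a single leading '*.' label")
    return problems


def san_matches(san, hostname):
    """True if `san` covers `hostname`; a wildcard covers exactly one label."""
    san, hostname = san.lower(), hostname.lower()
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]   # what the '*' would have to stand for
    return leftmost != "" and "." not in leftmost


def covering_san(sans, hostname):
    """Return the first SAN that covers `hostname`, or None if nothing does."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


if __name__ == "__main__":
    sans = default_sans("example.com") + ["*.secure.example.com"]
    for host in ("example.com", "www.example.com", "a.secure.example.com", "a.b.example.com"):
        print(host, "->", covering_san(sans, host))
```

Note that the apex is matched only by its explicit entry, never by `*.example.com`, which is why the dashboard adds both by default; a host two labels deep such as `a.b.example.com` needs its own `*.b.example.com` (or an exact name) on the same certificate.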

## API calls

To automate processes involving Origin CA certificates, use the following API calls. To authenticate, use an [API token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) with **Permissions** that include `Zone` - `SSL and Certificates` - `Edit`.

| Operation                                                                                                        | Method | Endpoint                           |
| ---------------------------------------------------------------------------------------------------------------- | ------ | ---------------------------------- |
| [List certificates](https://developers.cloudflare.com/api/resources/origin%5Fca%5Fcertificates/methods/list/)    | GET    | certificates?zone\_id=<<ZONE\_ID>> |
| [Create certificate](https://developers.cloudflare.com/api/resources/origin%5Fca%5Fcertificates/methods/create/) | POST   | certificates                       |
| [Get certificate](https://developers.cloudflare.com/api/resources/origin%5Fca%5Fcertificates/methods/get/)       | GET    | certificates/<<ID>>                |
| [Revoke certificate](https://developers.cloudflare.com/api/resources/origin%5Fca%5Fcertificates/methods/delete/) | DELETE | certificates/<<ID>>                |

## Troubleshooting

If you find `NET::ERR_CERT_AUTHORITY_INVALID` or other issues after setting up Cloudflare origin CA, refer to [troubleshooting](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/troubleshooting/).


---

---
title: Troubleshooting Cloudflare origin CA
description: Troubleshoot issues like NET::ERR_CERT_AUTHORITY_INVALID when using Cloudflare origin CA.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Troubleshooting Cloudflare origin CA

Consider the following common issues and troubleshooting steps when using [Cloudflare origin CA](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/).

## NET::ERR\_CERT\_AUTHORITY\_INVALID

### Cause

Site visitors may see untrusted certificate errors if you [pause Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/pause-cloudflare/) or disable proxying on subdomains that use Cloudflare origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.

This also means that SSL Labs or similar SSL validators are expected to flag the certificate as invalid.

### Solutions

* Make sure the [proxy status](https://developers.cloudflare.com/dns/proxy-status/) of your DNS records and any [page rules](https://developers.cloudflare.com/rules/page-rules/) (if existing) are set up correctly. If so, you can try to turn proxying off and then on again and wait a few minutes.
* If you must have direct connections between clients and your origin server, consider installing a publicly trusted certificate at your origin instead. This process is done outside of Cloudflare, where you should issue the certificate directly from a certificate authority (CA) of your choice. You can still use Full (strict) [encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/), as long as the CA is listed on the [Cloudflare trust store ↗](https://github.com/cloudflare/cfssl%5Ftrust).

## The issuer of this certificate could not be found

### Cause

Some origin web servers require that you upload the Cloudflare origin CA root certificate or certificate chain.

### Solution

Use the following links to download either an ECC or an RSA version and upload to your origin web server:

* [Cloudflare Origin ECC PEM](https://developers.cloudflare.com/ssl/static/origin%5Fca%5Fecc%5Froot.pem) (do not use with Apache cPanel)
* [Cloudflare Origin RSA PEM](https://developers.cloudflare.com/ssl/static/origin%5Fca%5Frsa%5Froot.pem)

## The certificate is not trusted in all web browsers

### Cause

Apache cPanel requires that you upload the Cloudflare origin CA root certificate or certificate chain.

### Solution

Use the following link to download an RSA version of the root certificate and upload it to your origin web server:

* [Cloudflare Origin RSA PEM](https://developers.cloudflare.com/ssl/static/origin%5Fca%5Frsa%5Froot.pem)

## This zone is either not part of your account, or you do not have access to it

When trying to generate an Origin CA on the dashboard, you find the error `Failed to validate requested hostname <hostname>: This zone is either not part of your account, or you do not have access to it`.

### Cause

This is a known issue: even when the Origin CA certificate is created from the Cloudflare dashboard, the user creating it must have API access. If the user does not have **API Access**, this error is returned.

### Solution

Make sure that the user creating the certificate has access to the API. You can check in the account **Members** page.

[ Go to **Members** ](https://dash.cloudflare.com/?to=/:account/members) 
* The default setting for the account is specified in the card **Enable API Access**.
* Specific user API Access (which can override the default setting) is presented after selecting the user in the list of members.

## Origin Server page displays origin certificates for another zone in the account

### Cause

This is a known issue where, when the Origin Server page is opened for different zones in sequence, it displays the certificates from the first zone.

### Solution

Refresh the page in your browser to get the correct list of origin certificates for the current zone.


---

---
title: Encryption modes
description: Encryption modes allow you to control how Cloudflare connects to your origin web server and how certificates presented by your origin are validated.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Encryption modes

Your zone's **SSL/TLS Encryption Mode** controls how Cloudflare manages two connections: one between your visitors and Cloudflare, and the other between Cloudflare and your origin server.

```mermaid
flowchart LR
    accTitle: SSL/TLS Encryption mode
    A[Browser] <--Connection 1--> B((Cloudflare))<--Connection 2--> C[(Origin server)]
```

If possible, Cloudflare strongly recommends using [**Full**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/) or [**Full (strict)**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/) modes to prevent malicious connections to your origin.

For more details on how encryption modes fit into the bigger picture of Cloudflare SSL/TLS protection, refer to [Concepts](https://developers.cloudflare.com/ssl/concepts/#ssltls-certificate).

## Available encryption modes

[Automatic SSL/TLS](#automatic-ssltls-default) relies on the probes developed for the SSL/TLS Recommender to determine the most secure encryption mode your website can safely be set to. If there is a more secure option for your website (based on your origin certificate or capabilities), Automatic SSL/TLS will find it and apply it to your domain. The other option, [Custom SSL/TLS](#custom-ssltls), works exactly like setting the encryption mode manually does today.

Note

We are gradually rolling out the new [Automatic SSL/TLS feature](#automatic-ssltls-default).

If your zone has not been migrated yet, you will only have [Custom SSL/TLS](#custom-ssltls) options in your dashboard.

To understand how the various encryption modes affect your cache, refer to the section on [Impact of SSL setting on cache behavior](https://developers.cloudflare.com/cache/how-to/cache-keys/#impact-of-ssl-settings-on-cache-behavior).

### Automatic SSL/TLS (default)

Automatic SSL/TLS leverages advanced methods developed by the SSL/TLS Recommender to select the most secure encryption mode for your website. The Recommender crawls your site using the Cloudflare-SSLDetector user agent, recognized as a trusted bot by Cloudflare, and bypasses `robots.txt` rules (except those that specifically target it) to ensure accuracy. It downloads content from your origin server over both HTTP and HTTPS, then applies a content similarity algorithm to assess consistency. By understanding your current SSL/TLS encryption mode and evaluating your origin's certification and capabilities, the Recommender can automatically adjust settings to maintain the highest security for your domain.

Note

Automatic SSL/TLS will not change your setting to a less secure encryption mode. For example, if your origin certificate expires, the encryption mode will not change from **Full (strict)** to **Full**. You must ensure the validity of your origin SSL/TLS configuration at all times.

Automatic upgrades are applied gradually. Automatic SSL/TLS begins to upgrade the domain by starting with just 1% of its traffic. If no issues are found, the new SSL/TLS encryption mode is applied to traffic in 10% increments until 100% of traffic uses the recommended mode. If origin connectivity fails during this process, Cloudflare aborts the upgrade, immediately rolls traffic back to the previous mode, and logs the failure. Once 100% of traffic has been successfully upgraded with no TLS-related errors, the domain's SSL/TLS setting is permanently updated.

Flexible → Full/Strict transitions are handled with extra caution since the origin scheme change (HTTP → HTTPS) alters cache keys. In this case, the ramp-up may proceed more slowly to allow cache warm-up before resuming standard increments.

#### Additional details

* **Scan frequency**: Automatic scans currently occur approximately once per month, though they may happen more frequently in some cases (for example, configuration changes or upgrades). Scans stop when:  
   * The site is already using the most secure mode (for example, **Full (strict)**), or  
   * You switch from auto mode to **Custom SSL/TLS**.
* **Error checking before upgrades**: To prevent disruptions, Cloudflare checks for `5XX` errors (like `502` or `503`) and evaluates whether the HTTP and HTTPS content is consistent before upgrading a zone's encryption mode.
* **Upgrade notifications**: Cloudflare sends weekly digest emails listing which zones have been upgraded. These emails are currently sent to Super Admins only.

#### Opt out single zone

If you want to opt a zone out via the API, you can make this API call on or before the grace period expiration date.

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:

* `Zone Settings Write`

Edit zone setting

```sh
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/ssl_automatic_mode" \
  --request PATCH \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "value": "custom"
  }'
```

#### Opt out multiple zones

To opt out multiple zones:

1. Create an API token with the following permissions:
   * `Zone - Zone - Read`
   * `Zone - Zone Settings - Read`
   * `Zone - Zone Settings - Edit`
2. Make a [GET request](https://developers.cloudflare.com/api/resources/zones/methods/list/) to get a list of zones (you can filter this list by `account.id`).

   ```sh
   curl 'https://api.cloudflare.com/client/v4/zones?account.id=<ACCOUNT_ID>' \
     --header 'Authorization: Bearer <CF_API_TOKEN>' \
     --header 'Content-Type: application/json'
   ```

3. Create a list of the zone IDs you want to opt out, one zone ID per line, stored in a file such as `zones.txt`.
4. Create a bash script named `opt-out-multiple-zones.sh` with the following content. Put `zones.txt` in the same directory or update the path accordingly.

   ```sh
   # opt-out-multiple-zones.sh
   # Reads one zone ID per line from zones.txt and sets each zone's
   # ssl_automatic_mode setting to "custom" (opts it out of Automatic SSL/TLS).
   while read -r zoneID; do
     [ -z "$zoneID" ] && continue   # skip blank lines
     printf "Opting out %s:\n" "$zoneID"
     curl --request PATCH \
       --url "https://api.cloudflare.com/client/v4/zones/$zoneID/settings/ssl_automatic_mode" \
       --header 'Authorization: Bearer <CF_API_TOKEN>' \
       --header 'Content-Type: application/json' \
       --data '{"value":"custom"}'
     printf "\n\n"
   done < zones.txt
   ```

5. Open your command line and run:

   ```sh
   bash opt-out-multiple-zones.sh
   ```

### Custom SSL/TLS

To use Custom SSL/TLS, select the custom option (if you prefer to manually set the encryption mode instead of using [Automatic SSL/TLS](#automatic-ssltls-default)):

* [ Off (no encryption) ](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/off/) :  No encryption is used for traffic between browsers and Cloudflare or between Cloudflare and origins. Everything is cleartext HTTP.
* [ Flexible ](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/flexible/) :  Traffic from browsers to Cloudflare can be encrypted via HTTPS, but traffic from Cloudflare to the origin server is not. This mode is common for origins that do not support TLS, though upgrading the origin configuration is recommended whenever possible.
* [ Full ](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/) :  Cloudflare matches the browser request protocol when connecting to the origin. If the browser uses HTTP, Cloudflare connects to the origin via HTTP; if HTTPS, Cloudflare uses HTTPS without validating the origin’s certificate. This mode is common for origins that use self-signed or otherwise invalid certificates.
* [ Full (strict) ](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/) :  Similar to Full Mode, but with added validation of the origin server’s certificate, which can be issued by a public CA like Let’s Encrypt or by Cloudflare Origin CA.
* [ Strict (SSL-Only Origin Pull) ](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/ssl-only-origin-pull/) :  Regardless of whether the browser-to-Cloudflare connection uses HTTP or HTTPS, Cloudflare always connects to the origin over HTTPS with certificate validation.

## Update your encryption mode


To change your encryption mode in the dashboard:

1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. Choose an encryption mode.

To adjust your encryption mode with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `ssl` as the setting name in the URI path, and the `value` parameter set to your desired setting (`off`, `flexible`, `full`, `strict`, or `origin_pull`).

Note

To use this feature on specific hostnames, instead of across your entire zone, use a [configuration rule](https://developers.cloudflare.com/rules/configuration-rules/).


---

---
title: Flexible
description: Traffic from browsers to Cloudflare can be encrypted via HTTPS, but traffic from Cloudflare to the origin server is not. This mode is common for origins that do not support TLS, though upgrading the origin configuration is recommended whenever possible.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Flexible

Setting your encryption mode to **Flexible** makes your site partially secure. Cloudflare allows HTTPS connections between your visitor and Cloudflare, but all connections between Cloudflare and your origin are made through HTTP. As a result, an SSL certificate is not required on your origin.

```mermaid
flowchart LR
    accTitle: Flexible SSL/TLS Encryption
    accDescr: With an encryption mode of Flexible, your application encrypts traffic between the visitor and Cloudflare, but not between Cloudflare and your server.
    A[Browser] <--Encrypted--> B((Cloudflare))<--Unencrypted--> C[(Origin server)]
```

## Use when

Choose this option when you cannot set up an SSL certificate on your origin or your origin does not support SSL/TLS.

## Required setup

### Prerequisites

Depending on your origin configuration, you may have to adjust settings to avoid [Mixed Content errors](https://developers.cloudflare.com/ssl/troubleshooting/mixed-content-errors/) or [redirect loops](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/).

### Process


To change your encryption mode in the dashboard:

1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. Choose an encryption mode.

To adjust your encryption mode with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `ssl` as the setting name in the URI path, and the `value` parameter set to your desired setting (`off`, `flexible`, `full`, `strict`, or `origin_pull`).

## Limitations

Flexible mode is only supported for HTTPS connections on port 443 (default port). Other ports using HTTPS will fall back to [**Full** mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/).

If your application contains sensitive information (personalized data, user login), use [**Full**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/) or [**Full (Strict)**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/) modes instead.

[Authenticated Origin Pull](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/) does not work when your [**SSL/TLS encryption mode**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/) is set to **Off** or **Flexible**.

  


---

---
title: Full
description: Cloudflare matches the browser request protocol when connecting to the origin. If the browser uses HTTP, Cloudflare connects to the origin via HTTP; if HTTPS, Cloudflare uses HTTPS without validating the origin’s certificate. This mode is common for origins that use self-signed or otherwise invalid certificates.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Full

When you set your encryption mode to **Full**, Cloudflare allows HTTPS connections between your visitor and Cloudflare and makes connections to the origin using the scheme requested by the visitor. If your visitor uses `http`, then Cloudflare connects to the origin using plaintext HTTP and vice versa.

## Use when

Choose **Full** mode when your origin can support an SSL certificate but, for various reasons, cannot present a valid, publicly trusted one.

Note

In addition to **Full** encryption, you can also set up [Authenticated Origin Pulls](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/) to ensure all requests to your origin are evaluated before receiving a response.

## Required setup

### Prerequisites

Before enabling **Full** mode, make sure your origin allows HTTPS connections on port 443 and presents a certificate (self-signed, [Cloudflare Origin CA](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/), or purchased from a Certificate Authority). Otherwise, your visitors may experience a [525 error](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-525/).

Depending on your origin configuration, you may have to adjust settings to avoid [Mixed Content errors](https://developers.cloudflare.com/ssl/troubleshooting/mixed-content-errors/) or [redirect loops](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/).

### Process


To change your encryption mode in the dashboard:

1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. Choose an encryption mode.

To adjust your encryption mode with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `ssl` as the setting name in the URI path, and the `value` parameter set to your desired setting (`off`, `flexible`, `full`, `strict`, or `origin_pull`).

## Limitations

The certificate presented by the origin will **not be validated in any way**. It can be expired, self-signed, or not even have a matching CN/SAN entry for the hostname requested.

Without using [**Full (strict)**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/), a malicious party could technically hijack the connection and present their own certificate.


---

---
title: Full (strict)
description: Similar to Full Mode, but with added validation of the origin server’s certificate, which can be issued by a public CA like Let’s Encrypt or by Cloudflare Origin CA.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Full (strict)

When you set your encryption mode to **Full (strict)**, Cloudflare does everything in [Full mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/) but also enforces more stringent requirements for origin certificates.

```mermaid
flowchart LR
    accTitle: Full - Strict SSL/TLS Encryption
    accDescr: With an encryption mode of Full (strict), your application encrypts traffic going to and coming from Cloudflare.
    A[Browser] <--Encrypted--> B((Cloudflare))<--Encrypted--> C[("Origin server (verified) #9989;")]
```

## Use when

For the best security, choose **Full (strict)** mode whenever possible (unless you are an [Enterprise customer](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/ssl-only-origin-pull/)).

Your origin needs to be able to present an SSL certificate that:

* Is unexpired, meaning the certificate satisfies `notBeforeDate < now() < notAfterDate`.
* Is issued by a [publicly trusted certificate authority ↗](https://github.com/cloudflare/cfssl%5Ftrust) or [Cloudflare’s Origin CA](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/).
* Contains a Common Name (CN) or Subject Alternative Name (SAN) that matches the requested or target hostname.
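As an added example (not Cloudflare's code), the following Go program applies these three requirements to the leaf certificate an origin presents, using the standard library's x509 verifier, and reports which requirement failed; that check is exactly what separates **Full (strict)** from **Full**, which validates nothing. The trust store is a constructed throwaway root CA standing in for the roots Cloudflare trusts, and all hostnames and names are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// StrictResult names which Full (strict) requirement an origin certificate failed.
type StrictResult string

const (
	ResultOK           StrictResult = "ok"
	ResultExpired      StrictResult = "expired or not yet valid"
	ResultUntrusted    StrictResult = "issuer not in trust store"
	ResultHostMismatch StrictResult = "no CN/SAN matches hostname"
)

// VerifyStrict applies the three requirements (validity window contains now, chain ends in a
// trusted root, a SAN/CN matches the hostname) and names the one that failed. Full mode skips all three.
func VerifyStrict(roots *x509.CertPool, leaf *x509.Certificate, hostname string, now time.Time) StrictResult {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return ResultOK
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return ResultExpired
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return ResultUntrusted
	case errors.As(err, new(x509.HostnameError)):
		return ResultHostMismatch
	}
	return StrictResult("other failure: " + err.Error())
}

// must keeps the constructed test PKI below short; key or certificate generation errors are fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// signCert issues template signed by parent; parent == template yields a self-signed certificate.
func signCert(template, parent *x509.Certificate, pub any, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, template, parent, pub, signerKey))))
}

// TestPKI is a constructed stand-in for a trust store such as Cloudflare's: one throwaway root CA.
type TestPKI struct {
	Roots  *x509.CertPool
	caCert *x509.Certificate
	caKey  *ecdsa.PrivateKey
}

func NewTestPKI(now time.Time) *TestPKI {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Origin Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := signCert(tmpl, tmpl, &key.PublicKey, key)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &TestPKI{Roots: pool, caCert: ca, caKey: key}
}

// IssueLeaf signs an origin certificate for the given SANs and validity window. With
// selfSigned set the leaf signs itself: accepted under Full, rejected under Full (strict).
func (p *TestPKI) IssueLeaf(sans []string, notBefore, notAfter time.Time, selfSigned bool) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: sans,
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if selfSigned {
		return signCert(tmpl, tmpl, &key.PublicKey, key)
	}
	return signCert(tmpl, p.caCert, &key.PublicKey, p.caKey)
}

func main() {
	now := time.Now()
	pki := NewTestPKI(now)
	good := pki.IssueLeaf([]string{"www.example.com"}, now.Add(-time.Hour), now.Add(90*24*time.Hour), false)
	selfSigned := pki.IssueLeaf([]string{"www.example.com"}, now.Add(-time.Hour), now.Add(90*24*time.Hour), true)
	fmt.Println("trusted leaf, right host:", VerifyStrict(pki.Roots, good, "www.example.com", now))
	fmt.Println("trusted leaf, wrong host:", VerifyStrict(pki.Roots, good, "api.example.com", now))
	fmt.Println("self-signed leaf:        ", VerifyStrict(pki.Roots, selfSigned, "www.example.com", now))
}
```

The self-signed case is the one **Full** silently accepts; under **Full (strict)** each of the three failures surfaces to visitors as a 526 error.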

Note

In addition to **Full (strict)** encryption, you can also set up [Authenticated Origin Pulls](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/) to ensure all requests to your origin are evaluated before receiving a response.

## Required setup

### Prerequisites

Before enabling **Full (strict)** mode, make sure your origin:

* Allows HTTPS connections on port `443`.
* Presents a certificate matching the requirements above.

Otherwise, your visitors may experience a [526 error](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/).

### Process


To change your encryption mode in the dashboard:

1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. Choose an encryption mode.

To adjust your encryption mode with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `ssl` as the setting name in the URI path, and the `value` parameter set to your desired setting (`off`, `flexible`, `full`, `strict`, or `origin_pull`).

## Limitations

Depending on your origin configuration, you may have to adjust settings to avoid [Mixed Content errors](https://developers.cloudflare.com/ssl/troubleshooting/mixed-content-errors/) or [redirect loops](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/).


---

---
title: Off (no encryption)
description: No encryption is used for traffic between browsers and Cloudflare or between Cloudflare and origins. Everything is cleartext HTTP.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Off (no encryption)

Setting your encryption mode to **Off (not recommended)** redirects any HTTPS request to plaintext HTTP.

```mermaid
flowchart LR
    accTitle: No SSL/TLS Encryption
    accDescr: With an encryption mode of Off, your application does not encrypt traffic between the visitor and Cloudflare or between Cloudflare and your server.
    A[Browser] <--Unencrypted--> B((Cloudflare))<--Unencrypted--> C[(Origin server)]
```

## Use when

Cloudflare does not recommend setting your encryption mode to **Off**.

## Required setup


To change your encryption mode in the dashboard:

1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. Choose an encryption mode.

To adjust your encryption mode with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `ssl` as the setting name in the URI path, and the `value` parameter set to your desired setting (`off`, `flexible`, `full`, `strict`, or `origin_pull`).

## Limitations

When you set your encryption mode to **Off**, your application:

* Leaves your visitors and your application [vulnerable to attacks ↗](https://www.cloudflare.com/learning/ssl/why-use-https/).
* Will be marked as "not secure" by Chrome and other browsers, reducing visitor trust.
* Will be penalized in [SEO rankings ↗](https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html).

### Incompatible settings

When you set your SSL/TLS encryption mode to **Off**, you will not see the options for [**Always Use HTTPS**](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/) or [**Onion Routing**](https://developers.cloudflare.com/network/onion-routing/).

[Authenticated Origin Pull](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/) does not work when your [**SSL/TLS encryption mode**](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/) is set to **Off** or **Flexible**.

  


---

---
title: Strict (SSL-Only Origin Pull)
description: Regardless of whether the browser-to-Cloudflare connection uses HTTP or HTTPS, Cloudflare always connects to the origin over HTTPS with certificate validation.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Strict (SSL-Only Origin Pull)

Note

This method is only available for Enterprise zones.

When you set your encryption mode to **Strict (SSL-Only Origin Pull)**, connections to the origin will always be made using SSL/TLS, regardless of the scheme requested by the visitor.

The certificate presented by the origin will be validated the same as with [Full (strict) mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/).

## Use when

You want the most secure configuration available for your origin, you are an Enterprise customer, and you meet the requirements for [**Full (strict)** mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/).

## Required setup

The setup is generally the same as [**Full (strict)** mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/), but you select **Strict (SSL-Only Origin Pull)** for your encryption mode.

Note

In addition to **Strict (SSL-Only Origin Pull)** encryption, you can also set up [Authenticated Origin Pulls](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/) to ensure all requests to your origin are evaluated before receiving a response.

### Process


To change your encryption mode in the dashboard:

1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. Choose an encryption mode.

To adjust your encryption mode with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `ssl` as the setting name in the URI path, and the `value` parameter set to your desired setting (`off`, `flexible`, `full`, `strict`, or `origin_pull`).

## Limitations

Depending on your origin configuration, you may have to adjust settings to avoid [Mixed Content errors](https://developers.cloudflare.com/ssl/troubleshooting/mixed-content-errors/) or [redirect loops](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/).


---

---
title: SSL/TLS Recommender
description: The SSL/TLS Recommender helps you choose which Encryption mode is best for your application.
image: https://developers.cloudflare.com/core-services-preview.png
---


# SSL/TLS Recommender

The SSL/TLS Recommender helps you choose which [Encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/) is best for your application.

Warning

Cloudflare is deprecating our SSL/TLS Recommender in favor of [Automatic SSL/TLS](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/#automatic-ssltls-default).

## Availability

|              | Free | Pro | Business | Enterprise |
| ------------ | ---- | --- | -------- | ---------- |
| Availability | Yes  | Yes | Yes      | Yes        |

## Common tasks

### Enable SSL/TLS recommendations

To make sure you do not inadvertently block the **SSL/TLS Recommender**, review your settings to make sure your domain:

* Is accessible.
* Is not blocking requests from our bot (which uses a user agent of `Cloudflare-SSLDetector`).
* Does not have any active, SSL-specific [Page Rules](https://developers.cloudflare.com/rules/page-rules/) or [Configuration rules](https://developers.cloudflare.com/rules/configuration-rules/).

Then, you can enable the SSL/TLS recommender.

To enable SSL/TLS recommendations in the dashboard:

1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. For **SSL/TLS Recommender**, switch the toggle to **On**.

To adjust your SSL/TLS Recommender enrollment with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/ssl/subresources/recommendations/methods/get/) request with the `enabled` parameter set to your desired setting (`true` or `false`).
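The two API calls described on these pages (the `ssl` zone-setting PATCH on the Strict (SSL-Only Origin Pull) page and the Recommender enrollment PATCH above) are short enough to script. The following is an added example, not Cloudflare's own client code: it builds both requests, validates the `value` against the five modes the page lists, and flags a change that would weaken edge-to-origin encryption before anything is sent. The endpoint paths `/zones/{zone_id}/settings/ssl` and `/zones/{zone_id}/ssl/recommendation` are assumed from the Cloudflare v4 API conventions, and the zone ID and token are placeholders.

```python
"""Request builders for the two PATCH calls described on these pages.

Added example; this is not Cloudflare's own client code. The endpoint paths
are assumed from the Cloudflare v4 API conventions:
  PATCH /zones/{zone_id}/settings/ssl        body: {"value": "<mode>"}
  PATCH /zones/{zone_id}/ssl/recommendation  body: {"enabled": true|false}
The zone ID and token in the usage section are constructed placeholders.
"""
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# The five values the page lists for the `ssl` setting, ordered from the
# weakest (no encryption to the origin) to the strongest (the Enterprise-only
# "Strict (SSL-Only Origin Pull)" mode, whose API value is `origin_pull`).
ENCRYPTION_MODES = ("off", "flexible", "full", "strict", "origin_pull")


def _headers(token):
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def build_encryption_mode_request(zone_id, mode, token):
    """Describe the PATCH that sets the zone's encryption mode."""
    if mode not in ENCRYPTION_MODES:
        raise ValueError(f"unknown encryption mode {mode!r}; expected one of {ENCRYPTION_MODES}")
    return {
        "method": "PATCH",
        "url": f"{API_BASE}/zones/{zone_id}/settings/ssl",
        "headers": _headers(token),
        "body": {"value": mode},
    }


def build_recommender_request(zone_id, enabled, token):
    """Describe the PATCH that enrols the zone in (or removes it from) the Recommender."""
    if not isinstance(enabled, bool):
        raise TypeError("enabled must be True or False")
    return {
        "method": "PATCH",
        "url": f"{API_BASE}/zones/{zone_id}/ssl/recommendation",
        "headers": _headers(token),
        "body": {"enabled": enabled},
    }


def is_downgrade(current_mode, new_mode):
    """True when the change weakens edge-to-origin protection.

    Useful as a guard in automation: a move from `strict` to `flexible`
    silently reintroduces a plaintext hop between Cloudflare and the origin.
    """
    return ENCRYPTION_MODES.index(new_mode) < ENCRYPTION_MODES.index(current_mode)


def send(request, timeout=10):
    """Send a request produced by the builders above and return the decoded JSON.

    Not called in this example; it is the only function that touches the network.
    """
    data = json.dumps(request["body"]).encode()
    req = urllib.request.Request(request["url"], data=data, method=request["method"],
                                 headers=request["headers"])
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholders; replace with a real zone ID and API token.
    zone, token = "ZONE_ID_PLACEHOLDER", "API_TOKEN_PLACEHOLDER"
    req = build_encryption_mode_request(zone, "origin_pull", token)
    print(req["method"], req["url"], json.dumps(req["body"]))
    print(build_recommender_request(zone, True, token)["body"])
```

Keeping request construction separate from `send` lets a deployment pipeline review the exact method, URL and body (and run `is_downgrade` against the current setting) before any credential leaves the machine.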

### Manually trigger a new scan

Once you enable it, the recommender runs future scans periodically — typically every two days — and sends notifications if new recommendations become available.

To manually re-trigger a new scan, disable and then [re-enable SSL/TLS recommendations](#enable-ssltls-recommendations).

## How it works

Once enabled, the SSL/TLS Recommender runs an origin scan using the user agent `Cloudflare-SSLDetector` and ignores your `robots.txt` file (except for rules explicitly targeting the user agent).

Based on this initial scan, the Recommender may decide that you could use a stronger [SSL encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/). It will never recommend a weaker option than what is currently configured.

If so, it will send the application owner an email with the recommended option and add a _Recommended by Cloudflare_ tag to that option on the **SSL/TLS** page. You are not required to use this recommendation.

If you do not receive an email, keep your current **SSL encryption mode**.
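The checklist under "Enable SSL/TLS recommendations" and the description above of how the scanner treats `robots.txt` can both be verified from data you already hold: the origin's access log and the site's `robots.txt`. The following is an added example, not Cloudflare's own tooling. It assumes the log is in the Apache/nginx "combined" format; the log lines and `robots.txt` text are constructed samples.

```python
"""Check that the Recommender's scanner was not blocked at the origin.

Added example, not Cloudflare's own tooling. It works from two inputs you
already have: the origin's access log (Combined Log Format assumed) and the
site's robots.txt. The log lines and robots.txt below are constructed samples.
"""
import re

SCANNER_UA = "Cloudflare-SSLDetector"

# Apache/nginx "combined" format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one healthy scanner request, one blocked by a rule (403),
# one caught by an SSL-specific redirect (301), and one ordinary browser request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Cloudflare-SSLDetector"
203.0.113.7 - - [10/Oct/2024:12:00:02 +0000] "GET /login HTTP/1.1" 403 0 "-" "Cloudflare-SSLDetector"
198.51.100.4 - - [10/Oct/2024:12:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:12:00:04 +0000] "GET /api/health HTTP/1.1" 301 0 "-" "Cloudflare-SSLDetector"
"""

# Constructed sample: a generic group (ignored by the scanner) and one that names it.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/

User-agent: Cloudflare-SSLDetector
Disallow: /login
Disallow: /internal/
"""


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def audit_scanner(text):
    """Summarise how the origin answered the scanner.

    Anything other than a 2xx counts as a problem: a 4xx means a rule blocked
    the bot, a 3xx usually means an SSL-specific redirect of the kind the
    page asks you to remove.
    """
    seen, problems = 0, []
    for entry in parse_log(text):
        if entry["ua"] != SCANNER_UA:
            continue
        seen += 1
        if not 200 <= entry["status"] < 300:
            problems.append((entry["path"], entry["status"]))
    return {"scanner_requests": seen, "problems": problems}


def disallowed_for_scanner(robots_txt):
    """Return the Disallow paths from robots.txt groups that name the scanner.

    The page says the scanner ignores robots.txt except rules explicitly
    targeting its user agent, so only groups naming it matter; `*` does not.
    A group may list several User-agent lines before its rules.
    """
    paths, active, in_header = [], False, False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            match = value.lower() == SCANNER_UA.lower()
            active = (active or match) if in_header else match
            in_header = True
        else:
            in_header = False
            if key == "disallow" and active and value:
                paths.append(value)
    return paths
```

Run `audit_scanner` over the real access log after enabling the Recommender; an empty `problems` list and a non-zero `scanner_requests` count confirm the scan reached the origin, while `disallowed_for_scanner` shows exactly which paths the scanner will skip because of a rule that targets it by name.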


---

---
title: Features and plans
description: Review information on all Cloudflare SSL/TLS features and their availability.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Features and plans

Cloudflare provides the following features for different [plans ↗](https://www.cloudflare.com/plans/).

## Features

### Advanced Certificates

**Link:** [Advanced Certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)

**Feature availability**
* **Free:** Paid add-on
* **Pro:** Paid add-on
* **Business:** Paid add-on
* **Enterprise:** Paid add-on

### Authenticated origin pull

**Link:** [Authenticated origin pull](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

### Backup Certificates

**Link:** [Backup Certificates](https://developers.cloudflare.com/ssl/edge-certificates/backup-certificates/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

**Can opt out?**

Enterprise-only

* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Yes

### Custom Certificates

**Link:** [Custom Certificates](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/)

**Feature availability**
* **Free:** No
* **Pro:** No
* **Business:** Yes
* **Enterprise:** Yes

**Certificates included**
* **Free:** 0
* **Pro:** 0
* **Business:** 1 Modern and 1 Legacy
* **Enterprise:** 1 Modern (can purchase more) and 1 Legacy (can purchase more)

### Always Use HTTPS

**Link:** [Always Use HTTPS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

### Automatic HTTPS Rewrites

**Link:** [Automatic HTTPS Rewrites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/automatic-https-rewrites/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

### Certificate Transparency Monitoring

**Link:** [Certificate Transparency Monitoring](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/certificate-transparency-monitoring/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

**Email Recipients**
* **Free:** All account members
* **Pro:** All account members
* **Business:** Specified email addresses
* **Enterprise:** Specified email addresses

### Opportunistic Encryption

**Link:** [Opportunistic Encryption](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/opportunistic-encryption/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

### HTTP Strict Transport Security

**Link:** [HTTP Strict Transport Security](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

### TLS 1.3

**Link:** [TLS 1.3](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/tls-13/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

### Minimum TLS Version

**Link:** [Minimum TLS Version](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

**Per-hostname**
* **Free:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Pro:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Business:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Enterprise:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)

### Certificate Signing Requests

**Link:** [Certificate Signing Requests](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/certificate-signing-requests/)

**Feature availability**
* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)

### Custom Hostnames

**Link:** [Custom Hostnames](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/plans/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Contact your account team

**Hostnames included**

Varies

* **Free:** 100
* **Pro:** 100
* **Business:** 100
* **Enterprise:** Custom

**Max hostnames**
* **Free:** 50,000
* **Pro:** 50,000
* **Business:** 50,000
* **Enterprise:** Unlimited, but contact sales if using over 50,000.

**Price per additional hostname**
* **Free:** $0.10
* **Pro:** $0.10
* **Business:** $0.10
* **Enterprise:** Custom pricing

**[Custom analytics](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/hostname-analytics/)**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

**[Custom origin](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/custom-origin/)**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

**[SNI Rewrite for Custom Origin](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/custom-origin/#sni-rewrites)**
* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Contact your account team

**[Custom certificates](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/)**
* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Yes

**[CSR support](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/custom-certificates/certificate-signing-requests/)**
* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Yes

**[Selectable CA](https://developers.cloudflare.com/ssl/reference/certificate-authorities/)**
* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Yes

**Wildcard custom hostnames**
* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Yes

**Non-SNI support for SaaS zone**
* **Free:** No
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

**[mTLS support](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls/)**
* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Yes

**[WAF for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/waf-for-saas/)**
* **Free:** WAF rules with current zone plan
* **Pro:** WAF rules with current zone plan
* **Business:** WAF rules with current zone plan
* **Enterprise:** Create and apply custom firewall rulesets.

**[Apex proxying/BYOIP](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/advanced-settings/apex-proxying/)**
* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Paid add-on

**[Custom metadata](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata/)**
* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Paid add-on

### Custom origin trust store

**Link:** [Custom origin trust store](https://developers.cloudflare.com/ssl/origin-configuration/custom-origin-trust-store/)

**Feature availability**
* **Free:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Pro:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Business:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Enterprise:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)

### SSL/TLS encryption mode

**Link:** [SSL/TLS encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

**Strict (SSL-Only Origin Pull)**

Enterprise-only

* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Yes

### Keyless SSL

**Link:** [Keyless SSL](https://developers.cloudflare.com/ssl/keyless-ssl/)

**Feature availability**
* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Paid add-on

### Origin certificates

**Link:** [Origin certificates](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

### Staging environment

**Link:** [Staging environment](https://developers.cloudflare.com/ssl/edge-certificates/staging-environment/)

**Feature availability**
* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Yes (open beta)

### SSL/TLS Recommender

**Link:** [SSL/TLS Recommender](https://developers.cloudflare.com/ssl/origin-configuration/ssl-tls-recommender/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

### Custom cipher suites

**Link:** [Custom cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/)

**Feature availability**
* **Free:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Pro:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Business:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Enterprise:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)

### Total TLS

**Link:** [Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/)

**Feature availability**
* **Free:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Pro:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Business:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Enterprise:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)

### Delegated DCV

**Link:** [Delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/)

**Feature availability**
* **Free:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Pro:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Business:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)
* **Enterprise:** Included with [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)

### Universal Certificates

**Link:** [Universal Certificates](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

### Client Certificates

**Link:** [Client Certificates](https://developers.cloudflare.com/ssl/client-certificates/)

**Feature availability**
* **Free:** Yes
* **Pro:** Yes
* **Business:** Yes
* **Enterprise:** Yes

**Client Certificates included, issued by a Cloudflare Managed CA**
* **Free:** 100
* **Pro:** 100
* **Business:** 100
* **Enterprise:** 100 (default), but can allocate more quota.

**[Bring your own CA](https://developers.cloudflare.com/ssl/client-certificates/byo-ca/)**
* **Free:** No
* **Pro:** No
* **Business:** No
* **Enterprise:** Yes


---

---
title: Browser compatibility
description: Review information about browser compatibility for the different Cloudflare SSL/TLS offerings.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Browser compatibility

Cloudflare attempts to provide compatibility for as wide a range of user agents (browsers, API clients, etc.) as possible. However, the specific set of supported clients can vary depending on the different SSL/TLS certificate types, your visitor's [browser version](#non-sni-support), and the [certificate authority (CA)](https://developers.cloudflare.com/ssl/reference/certificate-authorities/) that issues the certificate.

## Universal SSL

Cloudflare Universal SSL only supports browsers and API clients that use the [Server Name Indication (SNI) ↗](https://www.cloudflare.com/learning/ssl/what-is-sni/) extension to the TLS protocol.

Also, for zones on the Free plan, Universal SSL is only compatible with browsers that support the Elliptic Curve Digital Signature Algorithm (ECDSA).

Paid plans have additional compatibility, also supporting the RSA algorithm.

## Other certificate types

Refer to [Certificate authorities](https://developers.cloudflare.com/ssl/reference/certificate-authorities/) for a detailed list of Cloudflare SSL/TLS offerings, the different algorithms available, and browser compatibility for each CA.

## Non-SNI support

Although [SNI extensions ↗](https://www.cloudflare.com/learning/ssl/what-is-sni/) to the TLS protocol were standardized in 2003, some browsers and operating systems only implemented this extension when TLS 1.1 was released in 2006 (or 2011 for mobile browsers). If your visitors use devices that have not been updated since 2011, they may not have SNI support.

To support non-SNI requests, you can:

* [Upload a custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/#upload-a-custom-certificate) and specify a value of `Legacy` for its client support.  
Note that `Legacy` custom certificates are not compatible with [BYOIP](https://developers.cloudflare.com/byoip/) and that, unlike [Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) or [advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/), Cloudflare does not manage issuance and renewal for [custom certificates](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/).
* (BYOIP customers only) Enterprise customers can choose to bring their own IP prefix to the Cloudflare network and [specify the default SNI used for any non-SNI handshake in the address map](https://developers.cloudflare.com/byoip/address-maps/setup/#non-sni-support).
* (Paid plans only) [Contact Cloudflare Support](https://developers.cloudflare.com/support/contacting-cloudflare-support/) and request a set of non-SNI IPs for your zone.
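Both the Universal SSL section and the non-SNI discussion above turn on one wire-level fact: whether the client's ClientHello carries a `server_name` extension. The following is an added example, not Cloudflare code. It builds a minimal ClientHello (constructed test data, not a capture from a real client) and parses the SNI extension as laid out in RFC 6066, so you can see what a non-SNI handshake looks like and classify it as one that needs a per-IP (`Legacy`) certificate.

```python
"""Extract the SNI hostname from a TLS ClientHello.

Added example, not Cloudflare code: a minimal ClientHello builder plus a parser
for the server_name extension (RFC 6066), so you can see what a non-SNI
handshake looks like on the wire and why it needs a per-IP (Legacy) certificate.
The ClientHello bytes are constructed here, not captured from a real client.
"""
import struct

SNI_EXTENSION = 0
SUPPORTED_VERSIONS_EXTENSION = 43


def build_client_hello(server_name=None, with_extensions=True):
    """Build a TLS record holding a minimal ClientHello (constructed test data)."""
    body = b"\x03\x03" + bytes(32)                    # legacy_version + 32-byte random (zeroed)
    body += b"\x00"                                   # empty legacy_session_id
    suites = b"\x13\x01\x13\x02"                      # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                               # one compression method: null
    if with_extensions:
        exts = b""
        if server_name is not None:
            name = server_name.encode("ascii")
            entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
            sni_list = struct.pack("!H", len(entry)) + entry
            exts += struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
        versions = b"\x02\x03\x04"                    # supported_versions: [TLS 1.3]
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXTENSION, len(versions)) + versions
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello in `record`, or None if the client sent no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                  # skip version and random
        pos += 1 + body[pos]                          # session id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                             # cipher suites
        pos += 1 + body[pos]                          # compression methods
        if pos >= len(body):
            return None                               # pre-extension client: no SNI possible
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != SNI_EXTENSION or len(data) < 2:
                continue
            (list_len,) = struct.unpack("!H", data[:2])
            q, stop = 2, min(2 + list_len, len(data))
            while q + 3 <= stop:
                name_type = data[q]
                (name_len,) = struct.unpack("!H", data[q + 1:q + 3])
                q += 3
                name = data[q:q + name_len]
                q += name_len
                if name_type == 0:
                    return name.decode("ascii", errors="replace")
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello")
    return None


def needs_non_sni_fallback(record):
    """True when the handshake carries no server_name and so cannot be served by Universal SSL."""
    return extract_sni(record) is None
```

The parser only looks at the first record of a connection, which is where a real client's ClientHello sits; feeding it the first bytes of a captured TCP stream from a client you suspect of being SNI-less is the quickest way to confirm which of the three fallback options above you actually need.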

## HTTPS records

[HTTPS Service (HTTPS) records](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#svcb-and-https) allow you to provide a client with information about how it should connect to a server upfront, without needing an initial plaintext HTTP connection.

If your domain has [HTTP/2 or HTTP/3 enabled](https://developers.cloudflare.com/speed/optimization/protocol/), [proxied DNS records](https://developers.cloudflare.com/dns/proxy-status/), and is also using [Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/), Cloudflare automatically generates HTTPS records on the fly, to advertise to clients how they should connect to your server.

Warning

Both HTTP/2 and HTTP/3 configurations also require that you have an SSL/TLS certificate served by Cloudflare. This means that disabling Universal SSL, for example, could impact this behavior.

## OCSP and HTTP versions

Cloudflare's OCSP implementation uses HTTP/1.1 by default for plain HTTP connections.

For HTTPS connections, the client automatically attempts to use HTTP/2 if the server supports it through the TLS ALPN (Application-Layer Protocol Negotiation) extension. If HTTP/2 is not available or supported by the server, it will fall back to HTTP/1.1.


---

---
title: Certificate and hostname priority
description: Learn about how Cloudflare decides which certificate and associated SSL/TLS settings to apply to individual hostnames.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Certificate and hostname priority

When a new certificate is created, Cloudflare first deploys the certificate and then serves it.

---

## Certificate deployment

For any given hostname, Cloudflare uses the following order to determine which certificate (and associated TLS settings) to apply to that hostname:

1. **Hostname specificity**: A specific subdomain certificate (`www.example.com`) would take precedence over a wildcard certificate (`*.example.com`) for requests to `www.example.com`.
2. **Zone specificity**: A specific subdomain certificate (`www.example.com`) would take precedence over a custom hostname certificate if the domain is active as a zone on Cloudflare.
3. **Certificate priority**: If the hostname is the same, certain types of certificates take precedence over others.  
| Priority | Certificate Type                                                                                                         |  
| -------- | ------------------------------------------------------------------------------------------------------------------------ |  
| 1        | [Keyless SSL](https://developers.cloudflare.com/ssl/keyless-ssl/)                                                        |  
| 2        | [Custom Legacy](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/)                            |  
| 3        | [Custom Modern](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/)                            |  
| 4        | [Custom Hostname (Cloudflare for SaaS)](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/) |  
| 5        | [Advanced](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/)                        |  
| 6        | [Advanced - Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/)            |  
| 7        | [Universal](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/)                                      |
4. **Certificate expiration**: The most recently ordered certificate takes precedence unless a certificate deletion has occurred. If and when a certificate is deleted, the certificate with the latest expiration date is deployed.

Note

In this case, when the certificate with the closest expiration date is renewed, it will then become the one with the latest expiration date and get presented.

---

## Certificate presentation

Cloudflare uses the following order to determine the certificate and settings used during a TLS handshake:

1. **SNI match**: Certificates and settings that match the SNI hostname _exactly_ take precedence.
2. **SNI wildcard match**: If there is not an exact match between the hostname and SNI hostname, Cloudflare uses certificates and settings that match an SNI wildcard.
3. **IP address**: If no SNI is presented, Cloudflare uses a certificate selected by the IP address the client connected to (for hostnames that support TLS handshakes made without SNI).
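The two ordered lists above (certificate deployment and certificate presentation) are easy to misread when several certificates overlap. The following is an added example, not Cloudflare's implementation: a small model that applies the deployment order (hostname specificity, zone specificity, certificate type from the priority table, then recency) and the presentation order (exact SNI, wildcard SNI, IP-based fallback) to a constructed certificate inventory. The type names used as keys and the sample certificates are assumptions made for the example.

```python
"""Certificate selection as the two ordered lists above describe it.

Added example, not Cloudflare's implementation: a small model that applies
the deployment order (hostname specificity, zone specificity, certificate
type, then recency) and the presentation order (exact SNI, wildcard SNI,
IP-based fallback). Certificate data below is constructed.
"""
from dataclasses import dataclass
from datetime import date

# Priority table from the "Certificate deployment" section (lower wins).
TYPE_PRIORITY = {
    "keyless": 1,
    "custom_legacy": 2,
    "custom_modern": 3,
    "custom_hostname": 4,   # Cloudflare for SaaS
    "advanced": 5,
    "advanced_total_tls": 6,
    "universal": 7,
}


@dataclass(frozen=True)
class Certificate:
    name: str              # hostname it covers: "www.example.com" or "*.example.com"
    cert_type: str         # key of TYPE_PRIORITY
    ordered: date
    expires: date
    zone_owned: bool = True   # False for a SaaS provider's custom hostname certificate


def covers(pattern, hostname):
    """Exact match, or a single-label wildcard match ("*.example.com" -> "www.example.com")."""
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return bool(label) and "." not in label
    return False


def deployed_certificate(hostname, certs, after_deletion=False):
    """Pick the certificate Cloudflare deploys for `hostname` per the four rules."""
    candidates = [c for c in certs if covers(c.name, hostname)]
    if not candidates:
        return None

    def rank(c):
        exact = 0 if c.name == hostname else 1              # 1. hostname specificity
        zone = 0 if c.zone_owned else 1                     # 2. zone specificity
        prio = TYPE_PRIORITY[c.cert_type]                   # 3. certificate priority
        # 4. most recently ordered wins; after a deletion, latest expiry wins
        recency = -(c.expires if after_deletion else c.ordered).toordinal()
        return (exact, zone, prio, recency)

    return min(candidates, key=rank)


def presented_certificate(sni, deployed, ip_default):
    """Choose the certificate for a handshake: exact SNI, then wildcard SNI, then IP default."""
    if sni is None:                                          # 3. no SNI: per-IP certificate
        return ip_default
    for c in deployed:                                       # 1. exact SNI match
        if c.name == sni:
            return c
    for c in deployed:                                       # 2. wildcard SNI match
        if c.name.startswith("*.") and covers(c.name, sni):
            return c
    return None


# Constructed sample inventory for one zone.
SAMPLE_CERTS = [
    Certificate("*.example.com", "universal", date(2024, 1, 1), date(2024, 4, 1)),
    Certificate("*.example.com", "universal", date(2023, 12, 1), date(2024, 5, 1)),
    Certificate("www.example.com", "advanced", date(2024, 2, 1), date(2025, 2, 1)),
    Certificate("www.example.com", "custom_modern", date(2023, 6, 1), date(2024, 6, 1)),
]

if __name__ == "__main__":
    print(deployed_certificate("www.example.com", SAMPLE_CERTS))
    print(deployed_certificate("api.example.com", SAMPLE_CERTS))
    print(deployed_certificate("api.example.com", SAMPLE_CERTS, after_deletion=True))
```

With the sample inventory, `www.example.com` gets the custom modern certificate (an exact match outranks the wildcard, and priority 3 beats the advanced certificate's 5), while `api.example.com` falls to the most recently ordered universal wildcard until a deletion switches the tie-break to latest expiry.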

---

## Hostname priority

When multiple proxied DNS records exist for a hostname, in multiple zones — usually due to [Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/) — only one record will control the zone settings and associated origin server.

Cloudflare determines this priority in the following order, assuming each record exists and is proxied (orange-clouded):

1. **Exact hostname match**:  
   1. [New custom hostname](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/) (belonging to a SaaS provider)  
   2. [Legacy custom hostname](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/reference/versioning/) (belonging to a SaaS provider)  
   3. [DNS](https://developers.cloudflare.com/dns/proxy-status/) (belonging to the logical DNS zone)
2. **Wildcard hostname match**:  
   1. DNS (belonging to the logical DNS zone)  
   2. New custom hostname (belonging to a SaaS provider)

If a hostname resource record is not proxied (gray-clouded) for a zone on Cloudflare, that zone's settings are not applied and any settings configured at the associated origin are applied instead. This origin could be another zone on Cloudflare or any other server.
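The hostname priority rules above are the ones that decide which customer's zone settings and origin are used when records overlap across zones. The following is an added example, not Cloudflare's implementation: it encodes the two orderings (exact match and wildcard match), skips gray-clouded records as the page describes, and ships constructed records that mirror Scenario 1 below. The record kind names are assumptions made for the example.

```python
"""Which proxied record controls a hostname, per the "Hostname priority" list.

Added example, not Cloudflare's implementation. Record kinds and the two
orderings come from the list above; the records at the bottom are constructed
to mirror the example scenarios on the page.
"""
from dataclasses import dataclass

EXACT_ORDER = ["new_custom_hostname", "legacy_custom_hostname", "dns"]
WILDCARD_ORDER = ["dns", "new_custom_hostname"]   # legacy custom hostnames have no wildcard entry


@dataclass(frozen=True)
class HostnameRecord:
    name: str        # "shop.example.com" or "*.example.com"
    kind: str        # one of EXACT_ORDER
    owner: str       # which customer / zone holds the record
    proxied: bool = True


def wildcard_covers(pattern, hostname):
    """True when a single-label wildcard such as "*.example.com" matches `hostname`."""
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]
    label = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
    return bool(label) and "." not in label


def controlling_record(hostname, records):
    """Return the record whose zone settings and origin apply, or None.

    Gray-clouded (non-proxied) records are skipped entirely: the page says
    their zone's settings are simply not applied.
    """
    for r in records:
        if r.kind not in EXACT_ORDER:
            raise ValueError(f"unknown record kind {r.kind!r}")
    live = [r for r in records if r.proxied]
    exact = [r for r in live if r.name == hostname]
    if exact:                                   # 1. exact hostname match
        return min(exact, key=lambda r: EXACT_ORDER.index(r.kind))
    wild = [r for r in live if r.kind in WILDCARD_ORDER and wildcard_covers(r.name, hostname)]
    if wild:                                    # 2. wildcard hostname match
        return min(wild, key=lambda r: WILDCARD_ORDER.index(r.kind))
    return None


# Constructed records mirroring Scenario 1 on the page.
SCENARIO_1 = [
    HostnameRecord("shop.example.com", "dns", "Customer1"),
    HostnameRecord("shop.example.com", "new_custom_hostname", "Customer2"),
]
SCENARIO_1_WILDCARD = [
    HostnameRecord("www.example.com", "legacy_custom_hostname", "Customer3"),
    HostnameRecord("*.example.com", "new_custom_hostname", "Customer2"),
]

if __name__ == "__main__":
    print(controlling_record("shop.example.com", SCENARIO_1).owner)        # Customer2
    print(controlling_record("www.example.com", SCENARIO_1_WILDCARD).owner)  # Customer3
```

The `proxied=False` path is worth checking in your own inventory: a gray-clouded record in the customer's zone hands control to whatever the SaaS provider has configured, which is exactly the situation the scenarios describe.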

### Example scenarios

#### Scenario 1

Customer1 uses Cloudflare as authoritative DNS for the zone `shop.example.com`. Customer2 is a SaaS provider that creates and successfully [verifies the new custom hostname](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/) `shop.example.com`. Afterward, traffic starts routing over Customer2's zone:

* If Customer1 wants to regain control of their zone, Customer1 contacts Customer2 and requests them to delete the custom hostname record. Customer1 should make sure to have their record target updated to something other than the SaaS provider target, otherwise Customer1 would get a [1014 error](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/error-1014/).
* If Customer1 already has a proxied record for `www.example.com` when Customer2 creates and verifies a new custom hostname `www.example.com`, [O2O](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/how-it-works/) applies.
* If Customer1 already has a proxied record for `www.example.com` in a legacy custom hostname setup (with another SaaS provider, Customer3) and Customer2 creates and verifies a new wildcard custom hostname for `*.example.com`, the legacy custom hostname on Customer3's platform takes precedence due to the exact hostname match.

#### Scenario 2

A customer has a [proxied](https://developers.cloudflare.com/dns/proxy-status/) DNS record for their domain. The customer's zone on Cloudflare is using a Free plan.

This customer is also using a SaaS provider that uses Cloudflare for SaaS. The SaaS provider is using a Cloudflare Enterprise plan.

If the provider is using a wildcard custom hostname, then the original customer's plan limits will take precedence over the provider's plan limits (Cloudflare will treat the zone as a Free zone). To apply the Enterprise limits through Cloudflare for SaaS, the original customer's zone would need to either use a [DNS-only](https://developers.cloudflare.com/dns/proxy-status/) record or the SaaS provider would need to use an exact hostname match.


---

---
title: Certificate authorities
description: For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for each Cloudflare offering and for more details about the CAs features, limitations, and browser compatibility.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Certificate authorities

For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for each Cloudflare offering and for more details about the CAs [features, limitations, and browser compatibility](#features-limitations-and-browser-compatibility).

## Availability per certificate type and encryption algorithm

| Certificate | Algorithm | [Let's Encrypt](#lets-encrypt) | [Google Trust Services](#google-trust-services) | [SSL.com](#sslcom) | [Sectigo](#sectigo) |
| --- | --- | --- | --- | --- | --- |
| [Universal](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) | ECDSA | ✅ | ✅ | ✅ | N/A |
| [Universal](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/) | RSA (Paid plans only) | ✅ | ✅ | ✅ | N/A |
| [Advanced](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) | ECDSA | ✅ | ✅ | ✅ | N/A |
| [Advanced](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) | RSA | ✅ | ✅ | ✅ | N/A |
| [Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/) | ECDSA | ✅ | ✅ | ✅ | N/A |
| [Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/) | RSA | ✅ | ✅ | ✅ | N/A |
| [SSL for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) | ECDSA | ✅ | ✅ | ✅ | N/A |
| [SSL for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) | RSA | ✅ | ✅ | ✅ | N/A |
| [Backup](https://developers.cloudflare.com/ssl/edge-certificates/backup-certificates/) | ECDSA | ✅ | ✅ | ✅ | ✅ |
| [Backup](https://developers.cloudflare.com/ssl/edge-certificates/backup-certificates/) | RSA | ✅ | ✅ | ✅ | ✅ |

## Features, limitations, and browser compatibility

Universal SSL

For Universal certificates, Cloudflare controls the validity periods and certificate authorities (CAs), making sure that renewals always occur. For details, refer to [Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/).

---

### Let's Encrypt

* Supports [validity periods](https://developers.cloudflare.com/ssl/reference/certificate-validity-periods/) of 90 days.
* [DCV tokens](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/) are valid for 7 days.

#### Limitations

* Hostname on certificate can contain up to 10 levels of subdomains.
* Duplicate certificate limit of [5 certificates ↗](https://letsencrypt.org/docs/rate-limits/) per week.
* Redsys[1](#user-content-fn-1) is not compatible with Let's Encrypt certificates. If you use Redsys and find issues with Let's Encrypt certificates, order an advanced certificate or upload a custom certificate to use a different CA.

#### Browser compatibility

Warning

This section summarizes commonly requested client support information. For the complete and most up-to-date certificate compatibility, refer to [Let's Encrypt documentation ↗](https://letsencrypt.org/docs/certificate-compatibility/).

The main determining factor for whether a platform can validate Let's Encrypt certificates is whether that platform trusts the self-signed ISRG Root X1 certificate. As Let's Encrypt announced a [change in its chain of trust in 2024 ↗](https://blog.cloudflare.com/shortening-lets-encrypt-change-of-trust-no-impact-to-cloudflare-customers/), older devices (for example Android 7.0 and earlier) that only trust the cross-signed version of the ISRG Root X1 are no longer compatible.

You can find the full list of supported clients in the [Let's Encrypt documentation ↗](https://letsencrypt.org/docs/certificate-compatibility/). Older versions of Android and Java clients might not be compatible with Let's Encrypt certificates.

#### Other resources

[Let's Encrypt Root CAs ↗](https://letsencrypt.org/certificates/): For checking compatibility between chain and client. As explained in [Certificate pinning](https://developers.cloudflare.com/ssl/reference/certificate-pinning/), you should **not** use this list for pinning against.

---

### Google Trust Services

* Supports [validity periods](https://developers.cloudflare.com/ssl/reference/certificate-validity-periods/) of 14, 30, and 90 days.
* [DCV tokens](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/) are valid for 14 days.

#### Browser compatibility (most compatible)

Warning

This section summarizes commonly requested client support information. For the complete and most up-to-date certificate compatibility, refer to [Google Trust Services documentation ↗](https://pki.goog/faq/).

By cross-signing with a [GlobalSign root CA ↗](https://valid.r1.roots.globalsign.com/) that has been installed in client devices for more than 20 years, Google Trust Services can ensure optimal support across a wide range of devices.

Google Trust Services roots are currently trusted by the Microsoft, Mozilla, Safari, Cisco, Oracle Java, and Qihoo 360 browser root programs, so every browser or operating system that depends on these root programs is covered.

You can use the [root CAs list ↗](https://pki.goog/faq/#connecting-to-google) for checking compatibility between chain and client but, as explained in [Certificate pinning](https://developers.cloudflare.com/ssl/reference/certificate-pinning/), you should **not** use this list for pinning against.

---

### SSL.com

* Supports [validity periods](https://developers.cloudflare.com/ssl/reference/certificate-validity-periods/) of 14, 30, and 90 days. Enterprise customers using [advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) can also choose a validity period of one year.
* [DCV tokens](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/) are valid for 14 days.

#### Limitations

SSL.com issues separate DCV tokens for RSA certificates and for ECDSA certificates. This means that, for cases where you have to [manually perform DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/#partial-dns-setup---action-sometimes-required), you will have to place two validation tokens per certificate order. To avoid this management overhead, consider using a [full setup](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/#full-dns-setup---no-action-required), or setting up [Delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/).

#### Browser compatibility

Warning

This section summarizes commonly requested client support information. For the complete and most up-to-date certificate compatibility, refer to [SSL.com documentation ↗](https://www.ssl.com/browser%5Fcompatibility/).

SSL.com is highly compatible, being accepted by over 99.9% of browsers, tablets, and mobile devices.

SSL.com certificates are [cross-signed with Certum ↗](https://www.ssl.com/repository/) and the [CA that cross-signs intermediates ↗](https://crt.sh/?caid=840) is from 2004.

#### Other resources

[Acceptable top level domains (TLDs) and current restrictions ↗](https://www.ssl.com/acceptable-top-level-domains-tlds-for-ssl-certificates/)

---

### Sectigo

* Only used for [Backup certificates](https://developers.cloudflare.com/ssl/edge-certificates/backup-certificates/).
* Backup certificates are valid for 90 days.

#### Browser compatibility

Refer to [Sectigo documentation ↗](https://www.sectigo.com/resource-library/sectigo-certificate-authority-root-keys).

---

## CAA records

A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.

If you are using Cloudflare as your DNS provider, then the CAA records will be added on your behalf. If you need to add CAA records, refer to [Add CAA records](https://developers.cloudflare.com/ssl/edge-certificates/caa-records/).

The following table lists the CAA record content for each CA:

| Certificate authority | CAA record content                 |
| --------------------- | ---------------------------------- |
| Let's Encrypt         | letsencrypt.org                    |
| Google Trust Services | pki.goog; cansignhttpexchanges=yes |
| SSL.com               | ssl.com                            |
| Sectigo               | sectigo.com                        |
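The table above gives the issuer domains, but a CAA set is only useful if it is checked the way a CA checks it: an `issue` value is an issuer domain optionally followed by `;`-separated parameters (the `cansignhttpexchanges=yes` on the Google Trust Services row is such a parameter, not part of the identity), `issuewild` takes precedence over `issue` for wildcard requests, an empty issuer (`";"`) forbids everyone, and an unknown tag with the critical flag set blocks issuance. The following is an added example, not Cloudflare's code; it evaluates the record set of a single name (the RFC 8659 walk up to parent names is assumed to have been done already), and the record lines it checks are constructed for illustration. Its practical use is the last function: it tells you which of the CAs Cloudflare may use, the backup CA included, a hand-written CAA set would lock out.

```python
import re

# CAA record content per CA, as listed in the table above.
CLOUDFLARE_CAA_CONTENT = {
    "Let's Encrypt": "letsencrypt.org",
    "Google Trust Services": "pki.goog; cansignhttpexchanges=yes",
    "SSL.com": "ssl.com",
    "Sectigo": "sectigo.com",
}

CRITICAL_FLAG = 128                       # RFC 8659 issuer-critical bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# presentation form: <flags> <tag> "<value>"
_RR = re.compile(r'^(\d+)\s+(\S+)\s+"(.*)"$')


def parse_caa(line):
    """Parse one CAA record in presentation form, e.g. 0 issue "letsencrypt.org"."""
    m = _RR.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA record: {line!r}")
    return {"flags": int(m.group(1)), "tag": m.group(2).lower(), "value": m.group(3)}


def issuer_domain(value):
    """Issuer domain of an issue/issuewild value; '' means 'no CA may issue'.
    Anything after ';' is a parameter (e.g. cansignhttpexchanges=yes), not identity."""
    return value.split(";", 1)[0].strip().lower()


def cloudflare_caa_records():
    """The record set that authorizes every CA in the table above (non-wildcard)."""
    return [f'0 issue "{content}"' for content in CLOUDFLARE_CAA_CONTENT.values()]


def ca_may_issue(records, ca_domain, wildcard=False):
    """Apply the RFC 8659 issuance rules to the record set of one domain name."""
    rrs = [parse_caa(r) for r in records]
    # an unrecognized tag marked critical must stop issuance entirely
    if any(rr["flags"] & CRITICAL_FLAG and rr["tag"] not in KNOWN_TAGS for rr in rrs):
        return False
    issue = [rr for rr in rrs if rr["tag"] == "issue"]
    issuewild = [rr for rr in rrs if rr["tag"] == "issuewild"]
    # wildcard requests use issuewild when present, otherwise fall back to issue
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True                        # CAA expresses no restriction for this request type
    return any(issuer_domain(rr["value"]) == ca_domain.lower() for rr in relevant)


def cas_blocked_by(records, wildcard=False):
    """Names of the CAs from the table above that this record set would refuse."""
    return [name for name, content in CLOUDFLARE_CAA_CONTENT.items()
            if not ca_may_issue(records, issuer_domain(content), wildcard)]


if __name__ == "__main__":
    # constructed sample: two CAs allowed, wildcards forbidden, an iodef contact
    sample = ['0 issue "letsencrypt.org"',
              '0 issue "pki.goog; cansignhttpexchanges=yes"',
              '0 issuewild ";"',
              '0 iodef "mailto:security@example.com"']
    print("blocked (non-wildcard):", cas_blocked_by(sample))
    print("blocked (wildcard):    ", cas_blocked_by(sample, wildcard=True))
```

Running the sample shows SSL.com and Sectigo refused for ordinary names and every CA refused for wildcards, which is exactly the kind of set that makes a Backup certificate order fail silently later.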

## Footnotes

1. A payment gateway used with some ecommerce plugins. [↩](#user-content-fnref-1)


---

---
title: Certificate pinning
description: Learn why Cloudflare does not support HTTP public key pinning (HPKP) and consider an alternative solution to prevent certificate misissuance.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Certificate pinning

Cloudflare does not support HTTP public key pinning (HPKP)[1](#user-content-fn-1) for Universal, Advanced, or Custom Hostname certificates.

Cloudflare regularly rotates the edge certificates provisioned for your domain. If HPKP were enabled, your domain would go offline each time a certificate rotates because the new certificate would not match the pinned key. Additionally, [industry experts ↗](https://scotthelme.co.uk/im-giving-up-on-hpkp/) discourage using HPKP. For a detailed overview, refer to the Cloudflare blog post on [why certificate pinning is outdated ↗](https://blog.cloudflare.com/why-certificate-pinning-is-outdated/).

## Recommended alternative

The problem HPKP tries to solve is preventing certificate misissuance. A safer way to detect misissuance without risking downtime is [Certificate Transparency Monitoring](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/certificate-transparency-monitoring/), which alerts you when a certificate is issued for your domain.

## If you must pin certificates

If your use case requires certificate pinning, the only advisable approach is to upload a [custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) to Cloudflare and pin to that certificate. Because you control the certificate lifecycle — including renewal timing, CA selection, and key material — you can ensure pin continuity. However, pinning still carries outage risk: if a renewal deploys a new key, clients pinned to the old key will fail TLS. If you need pin continuity, you must intentionally reuse the same key material during renewal. Test renewed certificates in the [staging environment](https://developers.cloudflare.com/ssl/edge-certificates/staging-environment/) before production.

Select the [**user-defined** bundle method](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/bundling-methodologies/#user-defined) so that you control exactly which CA, intermediate, and leaf certificate are served.
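A pin is a hash of the certificate's SubjectPublicKeyInfo, so "reuse the same key material" above is precisely what keeps the pin stable across a renewal: a renewed certificate with a new serial, new dates and even a new CA still matches, while a rekeyed one does not. The following is an added example, not Cloudflare's code, that computes the SPKI pin with only the standard library and compares the current and renewed certificates before the renewed one is uploaded. The DER walker reads just enough of the certificate structure to reach the SPKI, and the sample certificates it is run on are constructed, unsigned shells with placeholder names and filler key bytes; `spki_pin_from_pem` takes a real PEM certificate.

```python
import base64
import hashlib
import ssl


def _der_len(n):
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def seq(*items):
    return der(0x30, b"".join(items))


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def spki_from_cert(cert_der):
    """Extract the DER-encoded subjectPublicKeyInfo from an X.509 certificate."""
    _, cert_body, _ = _tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert_body, 0)                # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)                    # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)                # serialNumber
    for _ in range(4):                            # signature, issuer, validity, subject
        _, _, pos = _tlv(tbs, pos)
    _, _, end = _tlv(tbs, pos)                    # subjectPublicKeyInfo
    return tbs[pos:end]


def spki_pin(cert_der):
    """HPKP-style pin: base64(SHA-256(SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()


def spki_pin_from_pem(pem):
    return spki_pin(ssl.PEM_cert_to_DER_cert(pem))


def to_pem(cert_der):
    body = base64.encodebytes(cert_der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def pin_continuity_ok(current_cert_der, renewed_cert_der):
    """True if clients pinned to the current certificate's key still accept the renewed one."""
    return spki_pin(current_cert_der) == spki_pin(renewed_cert_der)


# --- constructed sample material (not real keys, not real certificates) --------------
OID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")      # 1.2.840.10045.2.1
OID_PRIME256V1 = bytes.fromhex("2a8648ce3d030107")       # 1.2.840.10045.3.1.7
OID_ECDSA_SHA256 = bytes.fromhex("2a8648ce3d040302")     # 1.2.840.10045.4.3.2


def sample_spki(point_byte):
    """Structurally valid EC SubjectPublicKeyInfo whose point bytes are filler."""
    point = b"\x04" + bytes([point_byte]) * 64
    return seq(seq(der(0x06, OID_EC_PUBLIC_KEY), der(0x06, OID_PRIME256V1)),
               der(0x03, b"\x00" + point))


def sample_cert(spki, serial):
    """Unsigned X.509 v3 shell around the given SPKI, with empty placeholder names."""
    tbs = seq(der(0xA0, der(0x02, b"\x02")),                          # version v3
              der(0x02, serial),                                      # serialNumber
              seq(der(0x06, OID_ECDSA_SHA256)),                       # signature algorithm
              seq(),                                                  # issuer (placeholder)
              seq(der(0x17, b"250101000000Z"), der(0x17, b"250401000000Z")),
              seq(),                                                  # subject (placeholder)
              spki)
    return seq(tbs, seq(der(0x06, OID_ECDSA_SHA256)), der(0x03, b"\x00" + b"\x00" * 8))


if __name__ == "__main__":
    key_a, key_b = sample_spki(0x11), sample_spki(0x22)
    current = sample_cert(key_a, b"\x01")
    print("same key renewal ok:", pin_continuity_ok(current, sample_cert(key_a, b"\x02")))
    print("rekeyed renewal ok: ", pin_continuity_ok(current, sample_cert(key_b, b"\x03")))
```

Run `spki_pin_from_pem` over the currently deployed custom certificate and over the candidate renewal; a mismatch is the outage described above, caught before the upload rather than by pinned clients.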

## Footnotes

1. Key pinning allows a host to instruct a browser to only accept certain public keys when communicating with it for a given period of time. [↩](#user-content-fnref-1)


---

---
title: Certificate statuses
description: Understand certificate statuses in Cloudflare SSL/TLS, including stages like Initializing, Pending Validation, and Active. Monitor via dashboard or command line.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Certificate statuses

Certificate statuses show which stage of the issuance process each certificate is in.

## New certificates

When you order a new certificate, either an [edge certificate](https://developers.cloudflare.com/ssl/edge-certificates/) or a certificate used for a [custom hostname](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/), its status will move through various stages as it progresses to Cloudflare's global network:

1. Initializing
2. Pending Validation
3. Pending Issuance
4. Pending Deployment
5. Active

After you order a certificate, it should first show **Pending Validation** and then change to **Active** once validation completes. If you see any errors, you or your customer may need to take additional action to validate the certificate.

If you deactivate a certificate, its status changes to **Deactivating** and then to **Inactive**.

### Certificate replacement

When replacing a certificate, you may note a **Pending Cleanup** status. Old certificates are not deleted until the replacement has been successfully issued. This ensures TLS will not break for the hostname while the certificate is being replaced.

When the new certificate is successfully issued and activated, the old certificate leaves the **Pending Cleanup** status and is deleted.

## Custom certificates

If you are using a [custom certificate](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) and your [zone status](https://developers.cloudflare.com/dns/zone-setups/reference/domain-status/) is **Pending** or **Moved**, your certificate may have a status of **Holding Deployment**.

When your zone becomes active, your custom certificate will deploy automatically (also moving to an **Active** status).

If your zone is already active when you upload a custom certificate, you will not see this status.

## Staging certificates

When you create certificates in your [staging environment](https://developers.cloudflare.com/ssl/edge-certificates/staging-environment/), those staging certificates have their own set of statuses:

* **Staging deployment**: Similar to **Pending Deployment**, but for staging certificates.
* **Staging active**: Similar to **Active**, but for staging certificates.
* **Deactivating**: Your staging certificate is in the process of becoming **Inactive**.
* **Inactive**: Your staging certificate is not at the edge, but you can deploy it if needed.

## Client certificates

When you use [client certificates](https://developers.cloudflare.com/ssl/client-certificates/), those client certificates have their own set of statuses:

* **Active**: The client certificate is active.
* **Revoked**: The client certificate is revoked.
* **Pending Reactivation**: The client certificate was revoked, but it is being restored.
* **Pending Revocation**: The client certificate was active, but it is being revoked.

---

## Monitor certificate statuses

### SSL/TLS

Monitor a certificate's status on the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page or by using the [Get Certificate Pack endpoint](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/get/).

For more details on certificate validation, refer to [Domain Control Validation](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/).

### SSL for SaaS

Monitor a certificate's status on the [**Custom Hostnames** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/custom-hostnames) page or by using the [Custom Hostname Details endpoint](https://developers.cloudflare.com/api/resources/custom%5Fhostnames/methods/get/).

For more details on certificate validation, refer to [Issue and validate certificates](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/).

### Via the command line

To view certificates, use `openssl` or your browser. The command below can be used in advance of your customer pointing the `app.example.com` hostname to the edge ([provided validation was completed](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/)).

Terminal window

```sh
openssl s_client -servername app.example.com -connect $CNAME_TARGET:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep app.example.com
```


---

---
title: Validity periods and renewal
description: Learn about Cloudflare SSL certificate validity periods, auto renewal processes, and the benefits of shorter validity periods for enhanced security.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Validity periods and renewal

For certificates managed by Cloudflare, attempts to renew start at the auto renewal period and continue up until 24 hours before expiration. The auto renewal period varies according to the certificate validity period, as explained in the sections below.

If a certificate fails to renew and another valid certificate exists for the hostname, Cloudflare will deploy the valid certificate within the last 24 hours before expiration.

## Certificate types

### Universal SSL

For Universal certificates, Cloudflare controls the validity periods and certificate authorities (CAs), making sure that renewals always occur.

Partial setup and DCV

If you are on a [CNAME setup (partial)](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/enable-universal-ssl/#partial-dns-setup), make sure [Domain control validation (DCV)](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/) is configured correctly. Refer to [Troubleshooting DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/troubleshooting/) for further help.

Universal certificates have a 90-day validity period. The auto renewal period starts 30 days before expiration.

### Advanced certificates

When you order an [advanced certificate](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/), you can select different certificate validity periods. Each certificate validity period has a corresponding auto renewal period, when [attempts to renew](https://developers.cloudflare.com/ssl/reference/certificate-validity-periods/) will start.

| Certificate validity period | Auto renewal period | Notes                                                                                                                                                                                                                                                |
| --------------------------- | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1 year                      | 30 days             | Limited to Enterprise customers using [advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) with [SSL.com](https://developers.cloudflare.com/ssl/reference/certificate-authorities/#sslcom) |
| 3 months                    | 30 days             |                                                                                                                                                                                                                                                      |
| 1 month                     | 7 days              | Not supported by [Let's Encrypt](https://developers.cloudflare.com/ssl/reference/certificate-authorities/#lets-encrypt)                                                                                                                              |
| 2 weeks                     | 3 days              | Not supported by [Let's Encrypt](https://developers.cloudflare.com/ssl/reference/certificate-authorities/#lets-encrypt)                                                                                                                              |

Note

For more details on the `validity_days` parameter used in API calls, refer to [Order Advanced Certificate Pack](https://developers.cloudflare.com/api/resources/ssl/subresources/certificate%5Fpacks/methods/create/).

### Custom certificates

For information regarding custom certificates (managed by you), refer to [renewal and expiration](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/renewing/).

### SSL for SaaS

For SSL for SaaS certificates, refer to [Renew certificates](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/renew-certificates/).

## Domain control validation (DCV)

Before a certificate authority (CA) will issue a certificate for a domain, the requester must prove they have control over that domain. This process is known as domain control validation (DCV).

[HTTP validation](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/http/) is attempted on renewals but will fall back to TXT validation depending on the certificate validity period:

* 90-day certificates: after failing for 15 days
* 30-day certificates: after failing for 7 days
* 14-day certificates: after failing for 3 days
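The auto renewal table above, the HTTP-to-TXT fallback list, and the rule that attempts continue until 24 hours before expiry together define a small timeline for every managed certificate. The following is an added example, not Cloudflare's code, that turns those numbers into dated checkpoints and a phase label for a certificate, so an inventory check can alert on certificates that are still renewing after the fallback point rather than at expiry. The page gives no HTTP fallback figure for the 1-year period, so that checkpoint is reported as unknown for it; the alerting threshold (alert once TXT fallback has been reached) is this example's own choice, and the inventory it runs on is constructed.

```python
from datetime import date, timedelta

# From the "Advanced certificates" table: validity (days) -> auto renewal period (days).
AUTO_RENEWAL_DAYS = {365: 30, 90: 30, 30: 7, 14: 3}
# From the DCV list above: validity (days) -> days of failed HTTP validation before TXT fallback.
HTTP_FALLBACK_DAYS = {90: 15, 30: 7, 14: 3}
LAST_ATTEMPT_BEFORE_EXPIRY = timedelta(days=1)   # renewals stop 24 hours before expiration


def parse_date(text):
    return date.fromisoformat(text)


def renewal_checkpoints(not_after, validity_days):
    """Dates at which Cloudflare's managed renewal changes behaviour for one certificate."""
    if validity_days not in AUTO_RENEWAL_DAYS:
        raise ValueError(f"unsupported validity period: {validity_days} days")
    renewal_start = not_after - timedelta(days=AUTO_RENEWAL_DAYS[validity_days])
    fallback = HTTP_FALLBACK_DAYS.get(validity_days)   # None for 1-year: not stated on the page
    return {
        "renewal_start": renewal_start,
        "txt_fallback": renewal_start + timedelta(days=fallback) if fallback else None,
        "last_attempt": not_after - LAST_ATTEMPT_BEFORE_EXPIRY,
        "not_after": not_after,
    }


def renewal_phase(today, not_after, validity_days):
    """Which part of the renewal timeline the certificate is in on a given day."""
    cp = renewal_checkpoints(not_after, validity_days)
    if today >= cp["not_after"]:
        return "expired"
    if today >= cp["last_attempt"]:
        return "final-24h"
    if cp["txt_fallback"] and today >= cp["txt_fallback"]:
        return "renewing-txt"
    if today >= cp["renewal_start"]:
        return "renewing-http"
    return "not-due"


ALERT_PHASES = {"renewing-txt", "final-24h", "expired"}   # this example's threshold


def certificates_to_alert(today, inventory):
    """inventory: iterable of (hostname, not_after, validity_days, status).
    Returns (hostname, phase) for certificates that are not Active and have reached
    a phase where HTTP validation has already had its chance."""
    flagged = []
    for hostname, not_after, validity_days, status in inventory:
        phase = renewal_phase(today, not_after, validity_days)
        if status != "Active" and phase in ALERT_PHASES:
            flagged.append((hostname, phase))
    return flagged


if __name__ == "__main__":
    # constructed inventory; statuses are the names used on the Certificate statuses page
    today = parse_date("2025-06-16")
    inventory = [
        ("www.example.com", parse_date("2025-06-30"), 90, "Pending Validation"),
        ("api.example.com", parse_date("2025-06-30"), 90, "Active"),
        ("shop.example.com", parse_date("2025-07-20"), 30, "Pending Validation"),
    ]
    for hostname, phase in certificates_to_alert(today, inventory):
        print(f"ALERT {hostname}: {phase}")
```

For the constructed inventory only `www.example.com` is flagged: its 90-day certificate entered the renewal window on 31 May, HTTP validation had 15 days, and by 16 June a certificate still in Pending Validation is one that needs a person to look at the DCV records.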

## Benefits of shorter validity periods

Cloudflare only issues certificates with validity periods of three months or less for two reasons.

First, shorter-lived certificates limit the damage from key compromise and mistaken issuance. Any compromised key material will be valid for a shorter period of time.

Second, shorter certificates encourage automation. The more frequently you have to do a task, the more likely you will want to automate it. Automation also means that you are less likely to let a certificate expire in production or give a person access to key material.

For more details on the benefits of shorter validity periods, refer to our [blog post introducing Advanced Certificate Manager ↗](https://blog.cloudflare.com/advanced-certificate-manager/).


---

---
title: Cloudflare and CVE-2019-1559
description: The GOLDENDOODLE and Zombie POODLE attacks affect applications that use certain cipher suites associated with TLS 1.2.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Cloudflare and CVE-2019-1559

The [GOLDENDOODLE and Zombie POODLE attacks ↗](https://www.tripwire.com/state-of-security/vulnerability-management/zombie-poodle-goldendoodle/) affect applications that use certain cipher suites associated with TLS 1.2.

Any application on Cloudflare, however, is not vulnerable to these attacks because Cloudflare does not use the affected version of OpenSSL at its edge.

Cloudflare could not remove these cipher suites from our edge by default because we did not want to break customer applications using legacy cipher suites.

## Remove warnings from external security scanners

Even though your application is not vulnerable to CVE-2019-1559, some security scanners may flag your application erroneously.

To remove these warnings, refer to [Customize cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) and exclude the following ciphers:

* `ECDHE-ECDSA-AES256-SHA384`
* `ECDHE-ECDSA-AES128-SHA256`
* `ECDHE-RSA-AES256-SHA384`


---

---
title: PCI compliance and vulnerabilities mitigation
description: Both TLS 1.0 and TLS 1.1 are insufficient for protecting information due to known vulnerabilities. Specifically for Cloudflare customers, the primary impact of PCI is that TLS 1.0 and TLS 1.1 are insufficient to secure payment card related traffic.
image: https://developers.cloudflare.com/core-services-preview.png
---


# PCI compliance and vulnerabilities mitigation

Both [TLS 1.0 and TLS 1.1](https://developers.cloudflare.com/ssl/reference/protocols/) are insufficient for protecting information due to known vulnerabilities. Specifically for Cloudflare customers, the primary impact of PCI is that TLS 1.0 and TLS 1.1 are insufficient to secure payment card related traffic.

PCI standards recommend using TLS 1.2 or higher. Refer to [Compliance standards](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/) for a list of recommended cipher suites.

Cloudflare also [implements mitigations against known vulnerabilities](#known-vulnerabilities-mitigations) for TLS 1.0 and 1.1.

## Set Minimum TLS Version to 1.2

To configure your Cloudflare domain to only allow connections using TLS 1.2 or newer protocols:

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **Minimum TLS Version**, select **TLS 1.2** or higher.

Refer to [Minimum TLS version](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/) for more information about this setting and other setup options.

## Known vulnerabilities mitigations

There are several mitigations Cloudflare performs against known vulnerabilities for TLS versions prior to 1.2. For example, Cloudflare does not support:

* Header compression in TLS
* Header compression in SPDY 3.1
* RC4
* SSL 3.0
* Renegotiation with clients
* DHE ciphersuites
* Export-grade ciphers

Cloudflare mitigations protect against several attacks:

* CRIME
* BREACH
* POODLE
* RC4 Cryptographic Weaknesses
* SSL Renegotiation Attack
* Protocol Downgrade Attacks
* FREAK
* LogJam
* Sweet32: 3DES is disabled entirely for TLS 1.1 and 1.2, and Cloudflare implements mitigations for TLS 1.0

Cloudflare provides additional mitigations for:

* Heartbleed
* Lucky Thirteen
* CCS injection vulnerability

Cloudflare has patched all servers against these vulnerabilities. Also, the [Cloudflare Web Application Firewall](https://developers.cloudflare.com/waf/) has managed rules that mitigate several of these vulnerabilities including Heartbleed and ShellShock.

### Return of Bleichenbacher's Oracle Threat (ROBOT)

Security scans that note the presence of ROBOT while on Cloudflare are a false positive. Cloudflare checks padding in real time and swaps to a random session key if the padding is incorrect.

### Sweet32 (CVE-2016-2183)

A vulnerability in the use of the Triple DES (3DES) encryption algorithm in the Transport Layer Security (TLS) protocol. Sweet32 is currently a proof-of-concept attack; there are no known examples of it in the wild. Cloudflare has manually mitigated the vulnerability for TLS 1.0 in the following manner:

* The attacker must collect 32GB of data from a single TLS session.
* Cloudflare forces new TLS 1.0 session keys on the affected 3DES cipher well before 32GB of data is collected.


---

---
title: Entrust distrust by major browsers
description: Chrome and Mozilla have announced they will no longer trust Entrust certificates. Read about this change and how you can use Cloudflare to reduce impact.
image: https://developers.cloudflare.com/core-services-preview.png
---


# Entrust distrust by major browsers

Google Chrome and Mozilla have announced they will no longer trust certificates issued from Entrust's root CAs.

Since Entrust is not within the [certificate authorities](https://developers.cloudflare.com/ssl/reference/certificate-authorities/) used by Cloudflare, this change may only affect customers who upload [custom certificates](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/) issued by Entrust.

## The decision

New Entrust certificates issued on **November 12, 2024 or after** will not be trusted on Chrome by default. And new Entrust certificates issued on **December 1, 2024 or after** will not be trusted on Mozilla by default.

Refer to the announcements ([Chrome ↗](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html), [Mozilla ↗](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/jCvkhBjg9Yw?pli=1)) for a full list of roots that will be distrusted.

## Entrust's response

To prevent their customers from facing issues, Entrust has partnered with SSL.com, a different certificate authority that is trusted by both Chrome and Mozilla.

This means that Entrust certificates will be issued using SSL.com roots.

## Cloudflare managed certificates

Since Cloudflare also [partners with SSL.com](https://developers.cloudflare.com/ssl/reference/certificate-authorities/), you can switch from uploading custom certificates to using Cloudflare's managed certificates. This change brings the following advantages:

* Use [Advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) to have more control and flexibility while also benefiting from automatic renewals.
* Enable [Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/) to automatically issue certificates for your [proxied hostnames](https://developers.cloudflare.com/dns/proxy-status/).
* Use [Delegated DCV](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/) to reduce manual intervention when renewing certificates for [partial (CNAME) setup](https://developers.cloudflare.com/dns/zone-setups/partial-setup/) zones.
* If you are a SaaS provider, extend the benefits of automatic renewals to your customers by specifying SSL.com as the certificate authority when [creating](https://developers.cloudflare.com/api/resources/custom%5Fhostnames/methods/create/) or [editing](https://developers.cloudflare.com/api/resources/custom%5Fhostnames/methods/edit/) your custom hostnames (API only).

## More resources

* [Use Cloudflare with SSL.com certificates](https://developers.cloudflare.com/ssl/reference/certificate-authorities/)
* [Google Security Blog ↗](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html)
* [Entrust TLS Certificate Information Center ↗](https://www.entrust.com/tls-certificate-information-center)


---

---
title: TLS protocols
description: Explore Cloudflare's support for TLS protocols from 1.0 to 1.3. Learn about differences, security standards, and recommendations on what version to use.
image: https://developers.cloudflare.com/core-services-preview.png
---


# TLS protocols

Cloudflare supports the following TLS protocols:

* TLS 1.0
* TLS 1.1
* TLS 1.2
* TLS 1.3

TLS 1.0 is the [version that Cloudflare sets by default](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/) for all customers using certificate-based encryption.

For information about which cipher suites are supported between clients and the Cloudflare network, refer to [Cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/).

## Understand TLS versions

A higher TLS version implies a stronger cryptographic standard. TLS 1.2 includes fixes for known vulnerabilities found in previous versions.

As of June 2018, TLS 1.2 is the version required by the Payment Card Industry (PCI) Security Standards Council. Cloudflare recommends migrating to TLS 1.2 to comply with the PCI requirement.

[TLS 1.3](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/tls-13/), which offers additional security and performance improvements, was approved by the Internet Engineering Task Force (IETF) in May 2018.

**PayPal's TLS 1.2 requirement**

Using Cloudflare does not affect PayPal's TLS 1.2 requirement. However, note that PayPal IPN (Instant Payment Notification) might not support [TLS version 1.3](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/tls-13/). If you are encountering issues with PayPal IPN when the traffic is proxied by Cloudflare, try setting the [Minimum TLS version](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/) to 1.2.

## Decide which version to use

TLS 1.3 has become widely adopted. As a general rule, Cloudflare recommends setting TLS to 1.3, as it will provide the best security.

However, not all browser versions support TLS 1.2 and above. Depending on your particular business situation, this may present some limitations in using stronger encryption standards:

* Consider using TLS 1.0 or 1.1 for sites with a broad user base, particularly non-transactional sites. In this way, you minimize the possibility that some clients cannot connect to your site securely.
* For a narrow user base and sites that run internal applications or business and productivity applications, Cloudflare recommends TLS 1.2. These sites might already have more stringent security requirements or might be subject to [PCI compliance](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/). You also need to ensure that your users upgrade to a TLS 1.2 compliant browser.
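Before raising the Minimum TLS version, it helps to measure how much of your traffic still negotiates below the candidate setting. The following is an added example, not Cloudflare's code; it assumes Cloudflare Logpush-style HTTP request records with a `ClientSSLProtocol` field and uses constructed sample lines.

```python
import json
from collections import Counter

# Protocol versions Cloudflare supports, lowest to highest.
VERSION_ORDER = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed NDJSON records in the shape of Cloudflare Logpush HTTP request
# logs (assumption: the negotiated version is in ClientSSLProtocol; "none"
# marks a plaintext request). These lines are made up, not real traffic.
_SAMPLE_VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.2", "TLSv1.2",
                    "TLSv1.2", "TLSv1.2", "TLSv1.3", "TLSv1.3", "TLSv1.3", "none"]
SAMPLE_LOG = "\n".join(
    json.dumps({"ClientRequestHost": "shop.example",
                "ClientIP": f"203.0.113.{10 + i}",
                "ClientSSLProtocol": v})
    for i, v in enumerate(_SAMPLE_VERSIONS))

def count_tls_versions(log_text):
    """Count connections per negotiated TLS version, skipping records that
    are malformed or were not TLS at all (ClientSSLProtocol "none")."""
    counts = Counter()
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        version = record.get("ClientSSLProtocol")
        if version in VERSION_ORDER:
            counts[version] += 1
    return counts

def lockout_share(counts, minimum_version):
    """Fraction of TLS connections that negotiated below `minimum_version`
    and so would fail if it became the zone's Minimum TLS version
    (assuming those clients are not upgraded)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    cutoff = VERSION_ORDER.index(minimum_version)
    below = sum(counts[v] for v in VERSION_ORDER[:cutoff])
    return below / total

def lockout_report(log_text):
    """Map each candidate minimum version to the share of connections lost."""
    counts = count_tls_versions(log_text)
    return {v: lockout_share(counts, v) for v in VERSION_ORDER}
```

For the constructed sample, raising the minimum to 1.2 would cut off 20% of TLS connections and 1.3 would cut off 70%, which is the kind of number that decides between the broad-user-base and narrow-user-base rules above.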

## Related resources

* [PCI compliance and vulnerabilities mitigation](https://developers.cloudflare.com/ssl/reference/compliance-and-vulnerabilities/)
* [Transport Layer Security ↗](https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/)
* [PCI Security Standards Council ↗](https://www.pcisecuritystandards.org/)

