Cloudflare Docs
SSL/TLS
SSL/TLS
Edit this page on GitHub
Set theme to dark (⇧+D)

Get started with SSL/TLS

Follow the steps below to enable SSL/TLS protection for your application.

​​ Choose an edge certificate

As explained in the concepts page, edge certificates are the SSL/TLS certificates that Cloudflare presents to your visitors.

Cloudflare offers a variety of options for your application’s edge certificates:

  • Universal certificates:

    By default, Cloudflare issues — and renews — free, unshared, publicly trusted SSL certificates to all domains added to and activated on Cloudflare.

  • Advanced certificates: Use advanced certificates when you want something more customizable than Universal SSL but still want the convenience of SSL certificate issuance and renewal.
  • Custom certificates: Custom certificates are meant for Business and Enterprise customers who want to use their own SSL certificates.
  • Keyless certificates (Enterprise only): Keyless SSL allows security-conscious clients to upload their own custom certificates and benefit from Cloudflare, but without exposing their TLS private keys.

Refer to Edge certificates for more information on how different certificate types can respond to common use cases.

​​ Choose your encryption mode

Once you have chosen your edge certificate, choose an encryption mode.

Encryption modes specify how Cloudflare encrypts connections between (a) visitors and Cloudflare, and (b) Cloudflare and your origin server. For more context about this two-part process refer to the concepts page.

Note that some encryption modes will require you to have a valid origin certificate, which is managed on your origin server. Each encryption mode setup page lists out this and other requirements and you can also consider other Cloudflare options to use with your origin server, such as Origin CA certificates.

​​ Enforce HTTPS connections

Even if your application has an active edge certificate, visitors can still access resources over unsecured HTTP connections.

Using various Cloudflare settings, however, you can force all or most visitor connections to use HTTPS.

​​ Enable additional features

After you have chosen your encryption mode and enforced HTTPS connections, evaluate the following settings:

  • Edge certificates: Customize different aspects of your edge certificates, from enabling Opportunistic Encryption to specifying a Minimum TLS Version.
  • Authenticated origin pull: Ensure all requests to your origin server originate from the Cloudflare network.
  • Notifications: Set up alerts related to certificate validation status, issuance, deployment, renewal, and expiration.