Cloudflare Docs
SSL/TLS
SSL/TLS
Edit this page on GitHub
Set theme to dark (⇧+D)

FAQ

The following provide answers to the most common questions associated with Cloudflare SSL/TLS certificates and settings.

​​ If I have multiple Cloudflare certificates, which one is used?

Cloudflare certificates are prioritized by a combination of hostname specificity, zone specificity, and certificate type.

For more details, refer to Certificate and hostname priority.


​​ Will having Cloudflare’s SSL help with SEO?

Yes, Google announced that they use  HTTPS as a ranking signal for SEO.

For further SEO tweaks, refer to our article on improving SEO Rankings with Cloudflare.


​​ How long does it take for Cloudflare’s SSL to activate?

If Cloudflare is your authoritative DNS provider, Universal SSL certificates typically issue within 15 minutes of domain activation at Cloudflare and do not require further customer action after domain activation.

Alternatively, if you use Cloudflare services via CNAME records set at your authoritative DNS provider, provisioning your Universal SSL certificate requires manual addition of DNS verification records at your authoritative DNS provider. Advanced SSL certificates also typically issue within 15 minutes.

If the Certificate Authority requires a manual review of brand, phishing, or TLD requirements, a Universal SSL certificate can take longer than 24 hours to issue.


​​ What does SSL invalid brand check mean?

Some domains are not eligible for the Universal SSL if they contain words that conflict with trademarked domains.

To resolve this issue, you can:


​​ Does Cloudflare SSL support Internationalized Domain Names (IDN)?

The double byte / IDN / punycode domains support for Cloudflare edge certificates depends on the certificate authority (CA). Google Trust Services does not support punycode domains as mentioned in the certificate authorities limitations.


​​ How do I redirect all visitors to HTTPS/SSL?

Refer to Encrypt all visitor traffic.


​​ Does SSL work for hosting partners?

A free Universal SSL certificate is available for all new Cloudflare domains added via a hosting partner using both full and partial setups.

For more details, refer to Enable Universal SSL certificates.


​​ Are Cloudflare SSL certificates shared?

No. Cloudflare SSL/TLS certificates are not shared across domains nor across customers.


​​ Why do I see a Cloudflare certificate when an SSL certificate is installed at my website?

Cloudflare must decrypt traffic in order to cache and filter malicious traffic. Cloudflare either re-encrypts traffic or sends plain text traffic to the origin web server depending on your domain’s encryption mode.


​​ I want Cloudflare to use an SSL certificate that I purchased elsewhere.

Domains on Business and Enterprise plans can upload a Custom SSL certificate.


​​ Does enabling Cloudflare affect PayPal’s TLS 1.2 requirement?

No. Since Cloudflare does not proxy connections made directly to paypal.com, enabling Cloudflare for your domain does not affect how TLS connections are made.

However, note that PayPal IPN (Instant Payment Notification) might not support TLS version 1.3 if you have it enabled on your zone. If you are encountering issues with PayPal IPN when the traffic is proxied by Cloudflare, try setting the Minimum TLS version to 1.2.


​​ How can I serve an SSL certificate from Cloudflare’s China data centers?

Cloudflare Universal SSL and advanced certificates are not deployed in China.  If your domain is on an Enterprise plan and has been granted access to China data centers, Cloudflare’s data centers in China only serve a SSL certificate for your domain under the following conditions:

  1. You have uploaded a Custom SSL certificate.
  2. Allow Private Keys in China (Custom Certificates) is set to On in the Edge Certificates tab of the Cloudflare SSL/TLS app.

​​ Does Cloudflare support TLS client authentication?

Yes. For more details, refer to our documentation on Mutual TLS authentication.


​​ How do I obtain an SSL certificate for customers on partial (CNAME) setup?

A partial DNS setup requires additional steps to provision and validate an SSL certificate.

For more details, refer to Enable Universal SSL.


​​ Can I use Certificate Pinning?

No. Multiple industry leaders — including Digicert and Mozilla — have discouraged certificate pinning because of security concerns.

For a safer alternative, use Certificate Transparency Monitoring.

Refer to Certificate pinning for more details.


​​ Where can I learn more about SSL?

To learn more about SSL, go to the Cloudflare Learning Center.


​​ Redsys is not working with my Let’s Encrypt Certificate.

The Let’s Encrypt Certificate Authority and SNI are not currently supported by Redsys.

We recommend one of the following options: