Cloudflare SSL Certificates
Cloudflare issues free SSL certificates for all sites on its CDN. Learn about Cloudflare's Universal SSL, origin certificates, and how to identify Cloudflare-issued certs.
Cloudflare provides free SSL/TLS certificates for all domains proxied through its CDN, including on its free tier. Cloudflare operates its own subordinate CA infrastructure and issues certificates automatically when you add a domain to Cloudflare.
Types of Cloudflare Certificates
- Universal SSL: Free DV certificate automatically provisioned for all Cloudflare-proxied domains. Typically a multi-domain SAN certificate shared across many Cloudflare customers.
- Advanced Certificate Manager: Paid feature for custom SAN certificates and more control over certificate settings.
- Origin CA Certificates: Cloudflare can issue origin certificates for the connection between Cloudflare's edge and your origin server. These are only trusted by Cloudflare, not browsers.
Identifying Cloudflare Edge Certificates
Cloudflare's edge certificates (what browsers see) show O: Cloudflare, Inc. in the issuer, with intermediates like CN: Cloudflare Inc ECC CA-3 or CN: Cloudflare Inc RSA CA-2. These chain to Baltimore CyberTrust Root or DigiCert Global Root CA. SANs on Cloudflare Universal SSL certificates often contain dozens or hundreds of unrelated customer domains — this is normal and by design.
Shared vs. Dedicated Certificates
By default, Cloudflare's Universal SSL places your domain on a shared certificate with other Cloudflare customers. Advanced Certificate Manager lets you get a dedicated certificate with only your own domains. If you decode a Cloudflare Universal SSL certificate and see unexpected domain names in the SAN list, those are other Cloudflare customers on the same shared cert.
Ready to inspect a certificate?
Use the free decoder to decode any PEM certificate and see all fields including sans, fingerprints, validity dates, and extensions.
Decode a Certificate