Cloudflare Docs
SSL/TLS
SSL/TLS
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Certificate authorities

Learn more about the certificate authorities Cloudflare uses to issue Universal, Advanced, or SSL for SaaS certificates.

​​ Comparisons

​​ Main features

Certificate authorityFeaturesLimitationsClient support
DigiCert (soon to be deprecated)RSA and ECDSA certificates

Supports validity periods of 14, 30, and 90 days
TLD restrictionsBrowser compatibility

Status page

Root CAs
Let’s EncryptRSA and ECDSA certificates

Supports validity periods of 90 days.

DCV tokens valid for 7 days.
Hostname on certificate must contain 10 or less levels of subdomains

Duplicate certificate limit of 5 certificates per week.
Browser compatibility

Root CAs
Google Trust ServicesRSA certificates

Supports validity periods of 14, 30, and 90 days.

DCV tokens valid for 14 days.
ECDSA certificates and Punycode domains are not yet supported.Currently trusted by Microsoft, Mozilla, Safari, Cisco, Oracle Java, and Qihoo’s 360 browser. All browsers or operating systems that depend on these root programs are covered.

In addition, some of Google Trust Services’ root CAs may rely on a cross-signature to ensure optimal support across a wide range of devices.

​​ Universal SSL

For Universal certificates, Cloudflare controls the validity periods and certificate autorities (CAs), making sure that renewal always occur.

Universal certificates issued by Let’s Encrypt or Google Trust Services have a 90 day validity period. Cloudflare no longer uses DigiCert for newly issued Universal certificates and, for existing ones, the validity period is being adjusted from one year to 90 days.

​​ CAA records

A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.

If you have AMP Real URL enabled, Cloudflare automatically adds CAA records for each of our CA providers when necessary.

If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using dig, you can see any existing CAA records, including those added by Cloudflare (replacing example.com with your own domain on Cloudflare):

➜ ~ dig example.com caa +short
# CAA records added by DigiCert
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
# CAA records added by Sectigo
0 issue "sectigo.com"
0 issuewild "sectigo.com"
# CAA records added by Let's Encrypt
0 issue "letsencrypt.org"
0 issuewild "letsencrypt.org"
# CAA records added by Google Trust Services
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issuewild "pki.goog; cansignhttpexchanges=yes"

​​ Backup certificates

Cloudflare may also issue backup certificates from Google Trust Services or Sectigo.