CAs and certificates FAQ
Refer to this page for frequently asked questions about Cloudflare SSL/TLS certificate offerings and the CAs that Cloudflare partners with.
Yes. Cloudflare can issue both RSA and ECDSA certificates.
Cloudflare uses Let’s Encrypt, Google Trust Services, Sectigo, and DigiCert. You can see a complete list of products and available CAs and algorithms in the certificate authorities reference page.
DigiCert will soon be removed as a CA from the Cloudflare pipeline and Sectigo is only used for backup certificates.
You can find a list of limitations for every CA in our pipeline in the certificate authorities reference page.
In the certificate authorities reference page, you can find information about device and browser compatibility.
If you are on a Business or Enterprise plan, you can upload a certificate from the CA of your choice.
You can find CAA records associated with every Cloudflare CA in the certificate authorities reference page. If you are using Cloudflare as your DNS provider, then the CAA records will be added on your behalf.
You can use Cloudflare CFSSL trust store ↗, which includes all of the CAs that are used by Cloudflare managed certificates.
To be able to specify a CA, you must purchase Advanced Certificate Manager. Through Advanced Certificate Manager, you can choose the certificate authority when ordering an advanced certificate or you can choose a default CA when using Total TLS.
If you are on a Business or Enterprise plan, you can upload a certificate from the CA of your choice. In this case, certificate issuance and renewal will have to be managed by you.
Universal certificates on free zones only receive an ECDSA certificate. Paid zones receive an RSA and ECDSA certificate.
When ordering an advanced certificate, you can choose the CA through the UI or API.
Total TLS allows you to get full certificate coverage. When enabling Total TLS, you can choose the CA that will be used for all Total TLS certificates.