Limitations
Universal SSL certificates present some limitations.
Cloudflare can only serve an SSL/TLS certificate for a DNS record when the record's proxy status is set to Proxied. If the record is not proxied, the origin server it points to is responsible for supporting SSL/TLS connections.
Universal SSL certificates only cover the root domain and first-level subdomains, such as example.com and www.example.com. To enable SSL support on second, third, and fourth-level subdomains such as dev.www.example.com or app3.dev.www.example.com, you can:
- Purchase Advanced Certificate Manager to order advanced certificates.
- Upgrade to a Business or Enterprise plan to upload custom certificates.
On a CNAME setup zone, each subdomain (regardless of level) has its own Universal SSL certificate and does not require additional features or purchases. As long as the subdomains are proxied to Cloudflare, a universal certificate will be provisioned.
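The coverage rules above (proxy status, subdomain level, CNAME setup) as a small audit script. This is an added example, not Cloudflare code; the record layout, the `setup` labels and the function names are assumptions, and it does not model the load balancing or Spectrum cases.

```python
# Added example: classify hostnames by the coverage rules described on this page.
# The (name, proxied) record layout and the "full"/"cname" labels are assumptions.

def universal_ssl_coverage(zone, hostname, proxied, setup="full"):
    """Return (covered, reason) for one DNS record name in a zone."""
    zone = zone.rstrip(".").lower()
    host = hostname.rstrip(".").lower()
    if host != zone and not host.endswith("." + zone):
        return False, "hostname is not in this zone"
    if not proxied:
        # Not proxied: Cloudflare serves no certificate for this record.
        return False, "record is not proxied; origin must terminate TLS"
    if setup == "cname":
        # CNAME setup: every proxied subdomain gets its own certificate.
        return True, "CNAME setup: per-subdomain Universal certificate"
    # Labels between the hostname and the zone apex: 0 = root, 1 = first level.
    depth = 0 if host == zone else host[: -len(zone) - 1].count(".") + 1
    if depth <= 1:
        return True, "root or first-level subdomain"
    return False, "deeper than first level; needs advanced or custom certificate"


def audit(zone, records, setup="full"):
    """Return the records Universal SSL will not cover, with the reason."""
    gaps = []
    for name, proxied in records:
        covered, reason = universal_ssl_coverage(zone, name, proxied, setup)
        if not covered:
            gaps.append((name, reason))
    return gaps


# Constructed sample records: (name, proxied)
SAMPLE = [
    ("example.com", True),
    ("www.example.com", True),
    ("dev.www.example.com", True),
    ("app3.dev.www.example.com", True),
    ("mail.example.com", False),
]

if __name__ == "__main__":
    for name, reason in audit("example.com", SAMPLE):
        print(f"{name}: {reason}")
```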
For Universal SSL certificates, Cloudflare chooses the certificate authority (CA) used for your certificate.
Cloudflare can change the certificate authority without prior notification, and will not send any notification as the change happens.
If you want to choose the issuing certificate authority, order an advanced certificate.
For Universal certificates, Cloudflare controls the validity period. Refer to validity periods and renewal for details.
Customizing cipher suites is only available with Advanced Certificate Manager or within Cloudflare for SaaS.
You can set the minimum TLS version at the zone level, but per-hostname settings require Advanced Certificate Manager.
Delegated DCV allows zones with partial DNS setups to delegate the DCV process to Cloudflare. DCV delegation will not work with Universal SSL certificates and requires the use of an advanced certificate.
Universal SSL is not compatible with Cloudflare Spectrum. If you are trying to use Spectrum, use either an advanced certificate or a custom certificate.
Due to internal limitations, Universal SSL certificates do not cover load balancing hostnames by default. This behavior will be corrected in the future.
For more on browser support, see Browser compatibility.
- © 2025 Cloudflare, Inc.