Certificate authorities
Learn more about the certificate authorities Cloudflare uses to issue Universal, Advanced, or SSL for SaaS certificates.
Comparisons
Main features
Certificate authority | Features | Limitations | Client support |
---|---|---|---|
DigiCert (soon to be deprecated) | RSA and ECDSA certificates. Supports validity periods of 14, 30, and 90 days. | TLD restrictions | Browser compatibility, Status page, Root CAs |
Let’s Encrypt | RSA and ECDSA certificates. Supports validity periods of 90 days. DCV tokens valid for 7 days. | Hostname on certificate must contain 10 or fewer levels of subdomains. Duplicate certificate limit of 5 certificates per week. | Browser compatibility, Root CAs |
Google Trust Services | RSA certificates. Supports validity periods of 14, 30, and 90 days. DCV tokens valid for 14 days. | ECDSA certificates and Punycode domains are not yet supported. | Currently trusted by Microsoft, Mozilla, Safari, Cisco, Oracle Java, and Qihoo’s 360 browser. All browsers or operating systems that depend on these root programs are covered. In addition, some of Google Trust Services’ root CAs may rely on a cross-signature to ensure optimal support across a wide range of devices. |
Sectigo | Only used for Backup certificates | | |
Universal SSL
For Universal certificates, Cloudflare controls the validity periods and certificate authorities (CAs), ensuring that renewals always occur.
Universal certificates issued by Let’s Encrypt or Google Trust Services have a 90-day validity period. Cloudflare no longer uses DigiCert for newly issued Universal certificates and, for existing ones, the validity period is being adjusted from one year to 90 days.
CAA records
A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.
Cloudflare adds CAA records automatically in two situations:
- When you have Universal SSL enabled and add any CAA records to your zone.
- When you have Universal SSL enabled and enable AMP Real URL or SXG Signed Exchanges.
These records make sure Cloudflare can still issue Universal certificates on your behalf.
If Cloudflare has automatically added CAA records on your behalf, these records will not appear in the Cloudflare dashboard. However, if you run a command line query using `dig`, you can see any existing CAA records, including those added by Cloudflare (replacing `example.com` with your own domain on Cloudflare):

```txt
➜ ~ dig example.com caa +short
# CAA records added by DigiCert
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
# CAA records added by Sectigo
0 issue "sectigo.com"
0 issuewild "sectigo.com"
# CAA records added by Let's Encrypt
0 issue "letsencrypt.org"
0 issuewild "letsencrypt.org"
# CAA records added by Google Trust Services
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issuewild "pki.goog; cansignhttpexchanges=yes"
```
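The practical check behind this section is whether the CAA records on a zone still authorize the CAs Cloudflare issues from. The script below is an added example, not Cloudflare's code: it parses the `dig <zone> caa +short` output shape shown above (a constructed copy of that listing is embedded so it runs offline) and applies the RFC 8659 rules (`issuewild` is ignored for non-wildcard names and overrides `issue` for wildcard names when present; an empty issuer such as `0 issue ";"` forbids every CA; no relevant records means no restriction). The issuer domain names and the CA-to-domain mapping are taken from the listing on this page; the `cansignhttpexchanges` check simply reports the parameter that the DigiCert and Google Trust Services records in the listing carry.

```python
"""Parse `dig <zone> caa +short` output and report which of the CAs Cloudflare uses
would be blocked by the zone's CAA records. Added example; not Cloudflare code."""
import re
from dataclasses import dataclass

# Constructed sample in the shape of the dig output shown on this page.
SAMPLE_DIG_OUTPUT = """\
# CAA records added by DigiCert
0 issue "digicert.com; cansignhttpexchanges=yes"
0 issuewild "digicert.com; cansignhttpexchanges=yes"
0 issue "sectigo.com"
0 issuewild "sectigo.com"
0 issue "letsencrypt.org"
0 issuewild "letsencrypt.org"
0 issue "pki.goog; cansignhttpexchanges=yes"
0 issuewild "pki.goog; cansignhttpexchanges=yes"
"""

# Issuer domain names as they appear in the page's dig listing, keyed by CA name.
CLOUDFLARE_CA_ISSUERS = {
    "DigiCert": "digicert.com",
    "Let's Encrypt": "letsencrypt.org",
    "Google Trust Services": "pki.goog",
    "Sectigo": "sectigo.com",
}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str            # "issue", "issuewild", "iodef", ...
    issuer: str         # "" means "no CA may issue" (RFC 8659 empty issuer-domain-name)
    params: tuple = ()  # ((name, value), ...), e.g. ("cansignhttpexchanges", "yes")


# One `dig +short` line: <flags> <tag> "<value>"
_LINE_RE = re.compile(r'^\s*(\d+)\s+(\S+)\s+"([^"]*)"\s*$')


def parse_caa(dig_output: str) -> list[CAARecord]:
    """Turn dig +short CAA lines into CAARecord objects; comment and blank lines are skipped."""
    records = []
    for line in dig_output.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised CAA line: {line!r}")
        flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
        issuer, *raw_params = [p.strip() for p in value.split(";")]
        params = tuple(
            tuple(s.strip() for s in p.split("=", 1)) for p in raw_params if "=" in p
        )
        records.append(CAARecord(flags, tag, issuer.lower(), params))
    return records


def permitted_issuers(records: list[CAARecord], wildcard: bool = False):
    """Issuer domains allowed to issue for this name, or None when CAA imposes no restriction.

    RFC 8659: issuewild records are ignored for non-wildcard names; for wildcard names
    they replace the issue records whenever at least one issuewild record exists.
    """
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return None
    # An empty issuer-domain-name (e.g. `0 issue ";"`) authorizes nobody.
    return {r.issuer for r in relevant if r.issuer}


def unauthorized_cloudflare_cas(records: list[CAARecord], wildcard: bool = False) -> set[str]:
    """Names of the CAs in CLOUDFLARE_CA_ISSUERS that these CAA records would block."""
    allowed = permitted_issuers(records, wildcard)
    if allowed is None:
        return set()
    return {name for name, domain in CLOUDFLARE_CA_ISSUERS.items() if domain not in allowed}


def can_sign_http_exchanges(records: list[CAARecord], issuer_domain: str) -> bool:
    """True if an issue record for issuer_domain carries cansignhttpexchanges=yes."""
    return any(
        r.tag == "issue" and r.issuer == issuer_domain
        and ("cansignhttpexchanges", "yes") in r.params
        for r in records
    )


if __name__ == "__main__":
    recs = parse_caa(SAMPLE_DIG_OUTPUT)
    print("blocked CAs:", unauthorized_cloudflare_cas(recs) or "none")
    print("blocked CAs (wildcard):", unauthorized_cloudflare_cas(recs, wildcard=True) or "none")
    print("pki.goog may sign exchanges:", can_sign_http_exchanges(recs, "pki.goog"))
```

To run it against a real zone, pipe the command from this page into it, for example `dig example.com caa +short | python3 caa_check.py` with a small `sys.stdin.read()` wrapper; an empty result from `dig` means no CAA records exist and the script reports no restriction, which is the RFC's behaviour, not an error.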
Backup certificates
Cloudflare may also issue backup certificates from Google Trust Services or Sectigo.