Edge certificates
Edge certificates are the SSL/TLS certificates that Cloudflare presents to visitors connecting to your domain. These certificates secure the encrypted connection between your visitors and Cloudflare.
Use the guidance below to choose the right certificate type for your use case. If you are not familiar with SSL/TLS certificates, refer to Concepts.
Managing certificate issuance, renewal, and expiration tracking can be time-consuming. Cloudflare can handle this for you:
- Universal SSL: Automatic, free certificates for your apex domain and first-level subdomains. Provisioned automatically on full setups.
- Advanced certificates: Automatic certificates with more control — choose your certificate authority (CA), covered hostnames, and validity period.
- Custom certificates: Upload your own certificates for full control over the CA and validation level. You handle issuance and renewal.
A cipher suite is a set of encryption algorithms that a visitor's browser and the server negotiate when establishing a secure connection. Some compliance standards (for example, PCI DSS) require specific cipher suites or prohibit older ones.
With cipher suites customization, you can set different cipher suites per hostname. For example, you could allow broader compatibility on www.example.com for legacy devices while enforcing stricter compliance standards on shop.example.com.
Custom cipher suites apply to any edge certificate serving that hostname. To use this feature, you must purchase the Advanced Certificate Manager add-on. Refer to Customize cipher suites for setup instructions.
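One way to confirm that per-hostname cipher settings behave as intended is to offer each suite on its own and compare what the edge accepts with the policy for that hostname. This is an added example, not Cloudflare's code: the suite lists in `POLICY` are assumptions, `SAMPLE` is constructed data so the audit runs offline, and `probe` caps the handshake at TLS 1.2 because Python's `set_ciphers()` does not control TLS 1.3 suites.

```python
import socket
import ssl

# Assumed policy (not from the page): OpenSSL names of the TLS 1.2 suites each
# hostname should accept. The hostnames are the page's own examples.
POLICY = {
    "www.example.com": {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                        "ECDHE-RSA-AES128-SHA", "AES128-SHA"},
    "shop.example.com": {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"},
}
# Constructed observations standing in for live probes so the example runs offline:
# shop.example.com still accepts one CBC suite that its policy excludes.
SAMPLE = {
    "www.example.com": set(POLICY["www.example.com"]),
    "shop.example.com": POLICY["shop.example.com"] | {"ECDHE-RSA-AES128-SHA"},
}

def probe(host, cipher, port=443, timeout=5.0):
    """Live check: True/False if the edge accepts/rejects `cipher`, None if untestable."""
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() ignores TLS 1.3 suites
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return None  # the local OpenSSL build cannot offer this suite
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
    except ssl.SSLCertVerificationError:
        raise  # a certificate problem is not a cipher rejection
    except ssl.SSLError:
        return False  # handshake failed: the suite was not accepted

def audit(policy, accepts):
    """Compare accepted suites with policy; accepts(host, cipher) -> True/False/None."""
    candidates = sorted(set().union(*policy.values()))
    report = {}
    for host, allowed in policy.items():
        seen = {c: accepts(host, c) for c in candidates}
        report[host] = {
            "unexpected": [c for c in candidates if seen[c] and c not in allowed],
            "missing": [c for c in candidates if seen[c] is False and c in allowed],
            "untested": [c for c in candidates if seen[c] is None],
        }
    return report

if __name__ == "__main__":
    # Pass `probe` instead of the lambda to test real hostnames over the network.
    print(audit(POLICY, lambda h, c: c in SAMPLE[h]))
```

An entry under `unexpected` means the hostname accepts a suite its policy excludes, which is the result to investigate on a hostname held to stricter compliance requirements.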
Before a certificate authority (CA) issues a certificate, it must verify you control the domain. This process is called domain control validation (DCV).
If Cloudflare runs your authoritative DNS (full setup), DCV happens automatically. If you manage DNS with another provider (partial setup), you may need to complete DCV manually each time a certificate is issued or renewed.
To automate DCV for partial setups, use advanced certificates with delegated DCV.