Get started
Set up encrypted connections for your domain by choosing a certificate, selecting an encryption mode, and enforcing HTTPS.
Edge certificates are the SSL/TLS certificates that Cloudflare presents to visitors connecting to your domain. Cloudflare offers several types:
- Universal certificates: By default, Cloudflare issues (and renews) free, unshared, publicly trusted SSL certificates to all domains added to and activated on Cloudflare.
- Advanced certificates: Use advanced certificates when you want something more customizable than Universal SSL but still want the convenience of SSL certificate issuance and renewal.
- Custom certificates: Custom certificates are meant for Business and Enterprise customers who want to use their own SSL certificates.
- Keyless certificates (Enterprise only): Keyless SSL allows security-conscious clients to upload their own custom certificates and benefit from Cloudflare, but without exposing their TLS private keys.
For help deciding which certificate type fits your use case, refer to Edge certificates.
Once you have chosen your edge certificate, choose an encryption mode.
Encryption modes control how Cloudflare manages two separate connections: one between visitors and Cloudflare, and another between Cloudflare and your origin server. Modes range from no encryption to strict validation of your origin certificate. For more context, refer to the concepts page.
Full (strict) mode — the most secure option — requires a valid, unexpired certificate on your origin server. You can use a certificate from a publicly trusted certificate authority (CA), or generate a free Origin CA certificate from Cloudflare. Each encryption mode page lists its specific requirements.
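A preflight check to run before switching to Full (strict), as an added example that is not Cloudflare's own code: it takes the certificate dict that Python's `ssl.SSLSocket.getpeercert()` returns for your origin and lists why validation would fail or soon fail. The function name, the 14-day warning window and the sample certificate are assumptions made for this example, as is treating hostname coverage as part of "valid".

```python
import ssl
from datetime import datetime, timezone

def _covers(pattern: str, host: str) -> bool:
    """Match a SAN dNSName against host; '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def strict_mode_problems(cert: dict, host: str, now: datetime, warn_days: int = 14) -> list:
    """Return reasons the origin certificate would fail (or soon fail) validation.

    `cert` uses the format of ssl.SSLSocket.getpeercert(); `now` must be timezone-aware.
    """
    problems = []
    ts = now.timestamp()
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if ts < not_before:
        problems.append("not yet valid")
    if ts >= not_after:
        problems.append("expired")
    elif not_after - ts < warn_days * 86400:
        # Still valid, but close enough to expiry that renewal should be scheduled.
        problems.append(f"expires in {int((not_after - ts) // 86400)} days")
    # Assumption: the certificate must also name the origin hostname in a DNS SAN.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_covers(n, host) for n in names):
        problems.append(f"no SAN covers {host}")
    return problems

# Constructed sample in getpeercert() format (not a real certificate).
SAMPLE = {
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    now = datetime(2025, 3, 25, tzinfo=timezone.utc)
    for host in ("origin.example.com", "a.b.example.com"):
        print(host, strict_mode_problems(SAMPLE, host, now))
```

`getpeercert()` only returns a populated dict when the handshake verified the certificate chain, so for an Origin CA certificate the client's SSL context has to trust the Cloudflare Origin CA root.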
Even if your application has an active edge certificate, visitors can still access resources over unsecured HTTP connections.
Using various Cloudflare settings, however, you can force all or most visitor connections to use HTTPS.
Using HTTPS can improve user trust and may be used as a ranking signal by search engines. For related guidance, refer to Improve SEO.
After you have chosen your encryption mode and enforced HTTPS connections, evaluate the following settings:
- Edge certificates: Customize different aspects of your edge certificates, from enabling Opportunistic Encryption to specifying a Minimum TLS Version.
- Authenticated origin pull: Ensure all requests to your origin server originate from the Cloudflare network.
- Notifications: Set up alerts related to certificate validation status, issuance, renewal, and expiration.