Certificate authorities
For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for each Cloudflare offering and for more details about the CAs features, limitations, and browser compatibility.
Availability per certificate type and encryption algorithm
Certificate | Algorithm | Let’s Encrypt | Google Trust Services | Sectigo | DigiCert |
---|---|---|---|---|---|
Universal | ECDSA RSA (Paid plans only) | ✅ ✅ | ❌ ✅ | N/A N/A | ✅ Deprecating soon ✅ Deprecating soon |
Advanced | ECDSA RSA | ✅ ✅ | ❌ ✅ | N/A N/A | ✅ Deprecating soon ✅ Deprecating soon |
Total TLS | ECDSA RSA | ✅ ✅ | ❌ ✅ | N/A N/A | ❌ ❌ |
SSL for SaaS | ECDSA RSA | ✅ ✅ | ❌ ✅ | N/A N/A | ✅ Deprecating soon ✅ Deprecating soon |
Backup | ECDSA RSA | ✅ ✅ | ❌ ✅ | ✅ ✅ | ❌ ❌ |
Features, limitations and browser compatibility
Let’s Encrypt
- Supports validity periods of 90 days.
- DCV tokens are valid for 7 days.
Limitations
- Hostname on certificate can contain up to 10 levels of subdomains.
- Duplicate certificate limit of 5 certificates per week.
Browser compatibility
The main determining factor for whether a platform can validate Let’s Encrypt certificates is whether that platform trusts the self-signed “ISRG Root X1” certificate. As Let’s Encrypt announced a change in its chain of trust for 2024, devices that only trust the cross-signed version of the “ISRG Root X1” certificate will be impacted. Refer to Let’s Encrypt chain update for details.
You can find the full list of supported clients in the Let’s Encrypt documentation. Older versions of Android and Java clients might not be compatible with Let’s Encrypt certificates.
Other resources
Let’s Encrypt Root CAs: For checking compatibility between chain and client. As explained in Certificate pinning, you should not use this list for pinning against.
Google Trust Services
- Supports validity periods of 14, 30, and 90 days.
- DCV tokens are valid for 14 days.
Limitations
- Punycode domains are not yet supported.
- Cloudflare will be supporting ECDSA with Google Trust Services soon.
Browser compatibility (most compatible)
By cross-signing with a GlobalSign root CA that has been installed in client devices for more than 20 years, Google Trust Services can ensure optimal support across a wide range of devices.
Currently trusted by Microsoft, Mozilla, Safari, Cisco, Oracle Java, and Qihoo’s 360 browser, all browsers or operating systems that depend on these root programs are covered.
You can use the root CAs list for checking compatibility between chain and client but, as explained in Certificate pinning, you should not use this list for pinning against.
Sectigo
- Only used for Backup certificates.
- Backup certificates are valid for 90 days.
Browser compatibility
Refer to Sectigo documentation.
DigiCert (deprecating soon)
- Supports validity periods of 14, 30, and 90 days.
- DCV tokens are valid for 30 days.
Limitations
Due to sanctions imposed by the United States, DigiCert is legally prohibited or restricted from offering its products and services to specific countries or regions. Refer to Embargoed countries and regions for details.
Browser compatibility
Refer to DigiCert documentation.
Other resources
DigiCert Root CAs: For checking compatibility between chain and client. As explained in Certificate pinning, you should not use this list for pinning against.
CAA records
A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.
If you are using Cloudflare as your DNS provider, then the CAA records will be added on your behalf. If you need to add CAA records, refer to Add CAA records.
The following table lists the CAA record content for each CA:
Certificate authority | CAA record content |
---|---|
Let’s Encrypt | letsencrypt.org |
Google Trust Services | pki.goog; cansignhttpexchanges=yes |
DigiCert | digicert.com; cansignhttpexchanges=yes |
Sectigo | sectigo.com |