Cloudflare Docs
SSL/TLS
SSL/TLS
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Certificate authorities

For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for each Cloudflare offering and for more details about the CAs features, limitations and browser compatibility.

​​ Availability per certificate type and encryption algorithm

Certificate Algorithm Let’s Encrypt Google Trust Services Sectigo DigiCert
Universal ECDSA


RSA
(Paid plans only)






N/A


N/A

Deprecating soon


Deprecating soon
Advanced ECDSA


RSA






N/A


N/A

Deprecating soon


Deprecating soon
Total TLS ECDSA


RSA






N/A


N/A



SSL for SaaS ECDSA


RSA






N/A


N/A

Deprecating soon


Deprecating soon
Backup ECDSA

RSA








​​ Features, limitations and browser compatibility


​​ Let’s Encrypt

​​ Limitations

​​ Browser compatibility

The main determining factor for whether a platform can validate Let’s Encrypt certificates is whether that platform trusts ISRG’s “ISRG Root X1” certificate. You can find the full list of supported clients in the Let’s Encrypt documentation. Older versions of Android and Java clients might not be compatible with Let’s Encrypt certificates.

​​ Other resources

Let’s Encrypt Root CAs


​​ Google Trust Services

​​ Limitations

  • Punycode domains are not yet supported.
  • Cloudflare will be supporting ECDSA with Google Trust Services soon.

​​ Browser compatibility (most compatible)

Currently trusted by Microsoft, Mozilla, Safari, Cisco, Oracle Java, and Qihoo’s 360 browser. All browsers or operating systems that depend on these root programs are covered. In addition, some of Google Trust Services’ root CAs may rely on a cross-signature to ensure optimal support across a wide range of devices.


​​ Sectigo

​​ Browser compatibility

Refer to Sectigo documentation.


​​ DigiCert (deprecating soon)

​​ Limitations

Due to sanctions imposed by the United States, DigiCert is legally prohibited or restricted from offering its products and services to specific countries or regions. Refer to Embargoed countries and regions for details.

​​ Browser compatibility

Refer to DigiCert documentation.

​​ Other resources

Status page

DigiCert Root CAs


​​ CAA records

A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.

If you are using Cloudflare as your DNS provider, then the CAA records will be added on your behalf. If you need to add CAA records, refer to Add CAA records.

The following table lists the CAA record content for each CA:

Certificate authority CAA record content
Let’s Encrypt letsencrypt.org
Google Trust Services pki.goog; cansignhttpexchanges=yes
DigiCert digicert.com; cansignhttpexchanges=yes
Sectigo sectigo.com