Cloudflare Docs
SSL/TLS
SSL/TLS
Visit SSL/TLS on GitHub
Set theme to dark (⇧+D)

Validity periods and renewal

​​ Universal SSL

For Universal certificates, Cloudflare controls the validity periods and certificate autorities (CAs), making sure that renewal always occur.

Universal certificates issued by Let’s Encrypt or Google Trust Services have a 90 day validity period. Cloudflare no longer uses DigiCert for newly issued Universal certificates and, for existing ones, the validity period is being adjusted from one year to 90 days.

​​ Advanced certificates

When you order an advanced certificate, you can select the following values for the Certificate validity period:

Certificate validity period Auto renewal period Notes
1 year 30 days Soon to be deprecated
3 months 30 days
1 month 7 days Not supported by Let’s Encrypt
2 weeks 3 days Not supported by Let’s Encrypt

​​ Benefits of shorter validity periods

Cloudflare only issues certificates with validity periods of three months or less for two reasons.

First, shorter-lived certificates limit the damage from key compromise and mistaken issuance. Any compromised key material will be valid for a shorter period of time.

Second, shorter certificates encourage automation. The more frequently you have to do a task, the more likely you will want to automate it. Automation also means that you are less likely to let a certificate expire in production or give a person access to key material.

For more details on the benefits of shorter validity periods, refer to our blog post introducing Advanced Certificate Manager.

​​ Failure to renew and certificate replacement

For certificates managed by Cloudflare, attempts to renew start at the auto renewal period (based on the different validity periods) and continue up until 24 hours before expiration.

If a certificate fails to renew and another valid certificate exists for the hostname, Cloudflare will deploy the valid certificate within these last 24 hours.

For information regarding custom certificates (managed by you), consider this other page on renewal and expiration.