Free wildcard SSL certificate?
Just a very simple question,
does Cloudflare actually provide free wildcard SSL certificates if you just validate your domain?
I would understand if they would give normal ones for free like Letsencrypt but wildcard ssl certificates cost a lot on other services.
19 Replies
They do, yes
letsencrypt also provides free wildcard certificates
they're a bit more complicated to get than "normal" ones but they do provide them
Oh, I didn't know this. Will check it out
Are Cloudflare SSL certificates only trusted by browsers if the traffic goes through their network, so it's hosted on CloudFlare?
Maybe AIs are stupid but I asked both ChatGPT and Bard to provide differences and both said that Cloudflare certs aren't trusted if they don't go through Cloudflare's network
I don't really understand, sorry, is the "valid one" trusted on non-Cloudflare network? How do they differ, which one do I get? I am very sorry, you can call me stupid if you want.
I want to add my domain to cloudflare and then use SSL from CloudFlare.
I don't want to use Cloudflare sites.
Would it work or no?
Do I have to use Let's Encrypt instead?
Now i understand but what are you trying to say? Would it work or no?
Can the origin be non-cloudflare page and would it still work like that?
oh nvm you said that only cf trusts the cloudflare -> origin cert so no.
right?
and i can only do that through Cloudflare Sites?
I meant CloudFlare Pages sorry
Will check this, thanks
oh okay, luckily i am not planning to use it like that
I meant CloudFlare Pages, sorry
i think google trust service is now more common, 5 of my sites are using gts ca 1p5 and sectigo as a backup
Pages has ssl included yea, and just for my ocd, it's Cloudflare now
should be fairly random, the lineup has been streamlined a bit though, no more digicert/Cloudflare certs, it's just GTS and LE for Universals, and GTS or Sectigo for backups (and I believe it only uses Sectigo if you have GTS for your universal)
cloudflare ssl too, i got some of them recently
they're effectively gone, although I guess for now they've semi-paused the migration, not going to be around for too much longer hopefully. At least for Universals I didn't think it was using them still, you might have some old ones though since they are a year long, but should eventually switch on renew. I know ACM/etc still default to it
i recently see way less LE ssl certs, mostly are GTS, then CF SSL (cuz 3 days ago i got one)
you got a digicert universal? That's interesting, I thought they were finally done with that, they had announced at one point they were. Well, interesting data point
i meant does it only work with CloudFlare Pages?
The universal cert/free ssl? no, it works with any origin, using the setup Leo described
CF Pages actually issues its own SSL cert as well, so you could even use Pages on a non-CF domain if you wanted (has to be on a subdomain though, but that's just pages specific)
just confirmed this is false (and I believe it only uses Sectigo if you have GTS for your universal)
the backup not being sectigo? yea I guess it just uses any different random one, I checked my zones and I have a sectigo backup with an LE
Cert picking is kind of a magic black box, I can say from experience it seems it is pretty shy to pick Sectigo unless the universal is GTS, but they might have adjusted that since then as well
oh chaika, also can I like download the certificate and the corresponding key file or how does it work? I never used CF before, sorry if I am saying something stupid
You can't download Edge Certificates (which is what the free/universal certs are called), no. They only work with proxy enabled, CF serves them automagically. Cloudflare offers Origin CA Certs (under SSL/TLS -> Origin Server) that you can configure on your origin and are trusted by the Cloudflare Proxy
Origin Certs can last up to 15 years, they're only trusted by the proxy though, so you can't use them unproxied
Your configuration would be like Visitor <- Edge/Universal Certificate -> Cloudflare <- Origin CA Cert (or you can use Let's Encrypt/any other trusted cert) -> Origin (your web server)
there are lots of free Wildcard SSLs provided by diff CAs (e.g. LE, GTS, ZeroSSL, etc.), Cloudflare just simplifies the step of issuing the cert for you by doing that on their side, you can issue your own free wildcard SSLs using acme.sh or sth similar.
i just tried, the Cloudflare ECC certs i have are all advanced certs automatically generated by connecting a custom domain to pages/workers/web3/r2/etc. (btw those used to be LE iirc)
ahh makes sense then, yea the cert. authorities docs still says they stopped using Digicert for Universals