Is it possible to change the SSL CA for a site hosted on Pages?
I have been able to effectively change the SSL Certificate Authority through the API (/zones/{zone}/ssl/universal/settings) for sites protected by Cloudflare, but not for sites fully hosted on Cloudflare Pages. Although the changes are reflected immediately in the dashboard under Edge Certificates, the CA on the website certificate remains unchanged (yes, I have checked using cURL to ensure it isn't cached in the browser or something).
Why do I care? Well, I have observed that, for instance, the certificate for www.dayfiles.com has been issued by Let's Encrypt, whereas the certificate for dayfiles.com has been issued by Google. This doesn't feel right, especially if you consider that the certificate issued by Let's Encrypt covers both dayfiles.com and *.dayfiles.com.
Any ideas as to why this is the case? Is it even possible to change the SSL CA for a site hosted on Pages? Is there something I'm missing here?
Thanks!
6 Replies
Pages load balances between CAs for custom domains. If I remember correctly, each custom domain gets its own certificate that only covers the domain and nothing else. I don’t believe it is possible to set a specific CA for Pages projects.
Yeah we load balance on the project. It sounds like you added these two at different times when we rolled out GTS
I actually added both custom domains one right after the other
Just yesterday
It's not a big deal, though. It just kind of triggered my OCD, I guess
If it's helpful to explain as well, Pages uses Cf/SSL for SaaS, which issues its own certs, and has higher priority than Advanced or Universal Certs, and it is more specific. The logic for CF picking a cert to serve is here: https://developers.cloudflare.com/ssl/reference/certificate-and-hostname-priority/
Unless you want to get Biz/Ent and upload your own certs, the Pages certs will always have higher priority
Oh I think you're seeing the universal not the custom hostname
Since it covers *.
Pages will have issued GTS for both
Yeah, so I guess it would make sense for both to be GTS
Idk
I see. Thanks all 🙂
I was able to set the certificate for www.dayfiles.com to GTS through the API, thus keeping the CA consistent across the entire site. I consider this a win!