Manage universal certificates
Enable Universal SSL
Authoritative (Full) domains
For an authoritative or full domain (a domain that changed its domain nameservers), Universal SSL requires two steps:
- Once you change your domain nameservers, your domain should receive its Universal SSL certificate within 24 hours.
- Based on your imported DNS records, Cloudflare sets your default SSL/TLS encryption mode. For help changing your encryption mode, refer to SSL modes.
Non-authoritative (Partial) domains
For non-authoritative or partial domains (domains on a CNAME setup), Universal SSL will be:
- Provisioned once the DNS record is proxied through Cloudflare (orange-clouded).
- Validated:
  - Immediately if you add Domain Control Validation (DCV) records to your authoritative DNS.
  - After a brief period of downtime if you do not add DCV records (once your traffic is proxied).
Disable Universal SSL
Some customers may need to manage their own SSL certificates or rely on specific Certificate Authorities.
If you disable your domain’s Universal SSL certificate, Cloudflare removes that certificate from our network and will not order or renew any additional Universal SSL certificates.
Potential errors
To avoid errors with your domain, either upload a custom certificate or purchase Advanced Certificate Manager before disabling Universal SSL.
If you disable Universal SSL, you may experience errors with the following scenarios:
Enabled features:
Other setups:
- Page rules that redirect traffic to HTTPS
- HTTP to HTTPS redirects at your origin web server
Disable Universal SSL
To disable Universal SSL:
- Make sure you have uploaded a custom certificate or purchased Advanced Certificate Manager to protect your domain.
- Log in to the Cloudflare dashboard and select your account.
- Select your domain.
- Go to SSL/TLS > Edge Certificates.
- For Disable Universal SSL, select Disable Universal SSL.
- Read the warnings in the Acknowledgement.
- Select I Understand and click Confirm.
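
The first step of this procedure can be checked mechanically before anyone clicks Confirm. The following is an added example, not Cloudflare's own code: it lists the proxied hostnames that would be left without an edge certificate once the Universal certificate is removed. The field names (`hosts`, `status`, `type`, `expires_on`) are assumed to match the JSON returned by the Cloudflare API's custom certificate and certificate pack listings, and the sample records are constructed.

```python
from datetime import datetime, timezone

def host_matches(entry, host):
    """True if a certificate host entry covers host; '*' spans exactly one label."""
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    if entry.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == entry[2:]
    return entry == host

def not_expired(cert, now):
    # Assumption: expires_on is an ISO 8601 timestamp with a trailing Z.
    return datetime.fromisoformat(cert["expires_on"].replace("Z", "+00:00")) > now

def remaining_entries(custom_certs, cert_packs, now):
    """Host entries still served once the Universal certificate is removed."""
    entries = []
    for cert in custom_certs:
        if cert.get("status") == "active" and not_expired(cert, now):
            entries += cert.get("hosts", [])
    for pack in cert_packs:
        # The Universal pack goes away on disable, so it must not count as coverage.
        if pack.get("status") == "active" and pack.get("type") != "universal":
            entries += pack.get("hosts", [])
    return entries

def uncovered_hosts(proxied_hosts, custom_certs, cert_packs, now=None):
    """Proxied hostnames that would have no edge certificate after disabling."""
    now = now or datetime.now(timezone.utc)
    entries = remaining_entries(custom_certs, cert_packs, now)
    return [h for h in proxied_hosts if not any(host_matches(e, h) for e in entries)]

# Constructed sample data (not real API output).
SAMPLE_HOSTS = ["example.com", "www.example.com", "api.example.com"]
SAMPLE_CUSTOM = [{"hosts": ["example.com", "*.example.com"], "status": "active",
                  "expires_on": "2024-06-01T00:00:00Z"}]
SAMPLE_PACKS = [
    {"type": "universal", "status": "active", "hosts": ["example.com", "*.example.com"]},
    {"type": "advanced", "status": "active", "hosts": ["example.com", "www.example.com"]},
]

if __name__ == "__main__":
    missing = uncovered_hosts(SAMPLE_HOSTS, SAMPLE_CUSTOM, SAMPLE_PACKS)
    print("Do not disable yet, uncovered:" if missing else "Covered:", missing or SAMPLE_HOSTS)
```

An empty result means every proxied hostname is still covered by a custom certificate or a non-Universal certificate pack; any hostname returned would start failing TLS at the edge after the change.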