Limitations
Universal SSL certificates present some limitations.
Hostname coverage
Full setup
Universal SSL certificates only support SSL for the root or first-level subdomains such as example.com and www.example.com. To enable SSL support on second, third, and fourth-level subdomains such as dev.www.example.com or app3.dev.www.example.com, you can:
- Purchase Advanced Certificate Manager to order advanced certificates.
- Upgrade to a Business or Enterprise plan to upload custom certificates.
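An added example, not part of Cloudflare's documentation: a hostname audit for a full setup zone that flags names deeper than the first subdomain level, which the rule above leaves without Universal SSL coverage. The function names, the bucket names and the sample list are constructed for illustration, and the zone apex is passed in explicitly rather than guessed from the hostname.

```python
from typing import Dict, Iterable, List, Optional


def depth_below_zone(hostname: str, zone: str) -> Optional[int]:
    """Number of labels hostname sits below the zone apex.

    0 is the apex itself, 1 a first-level subdomain, and so on.
    Returns None when the name is not inside the zone or is malformed.
    """
    host = hostname.strip().rstrip(".").lower()
    apex = zone.strip().rstrip(".").lower()
    if host == apex:
        return 0
    # Require a label boundary so "badexample.com" is not taken for a
    # subdomain of "example.com".
    if not host.endswith("." + apex):
        return None
    labels = host[: -(len(apex) + 1)].split(".")
    if any(label == "" for label in labels):
        return None  # empty label, e.g. "a..example.com"
    return len(labels)


def audit_full_setup(zone: str, hostnames: Iterable[str]) -> Dict[str, List[str]]:
    """Sort hostnames by whether the page's full-setup rule covers them."""
    report: Dict[str, List[str]] = {
        "covered": [],            # root or first-level subdomain
        "needs_other_cert": [],   # deeper: advanced or custom certificate
        "outside_zone": [],
    }
    for name in hostnames:
        depth = depth_below_zone(name, zone)
        if depth is None:
            report["outside_zone"].append(name)
        elif depth <= 1:
            report["covered"].append(name)
        else:
            report["needs_other_cert"].append(name)
    return report


# Constructed sample list; the first four names are the page's own examples.
SAMPLE = [
    "example.com", "www.example.com", "dev.www.example.com",
    "app3.dev.www.example.com", "WWW.Example.com.", "badexample.com",
]

if __name__ == "__main__":
    for bucket, names in audit_full_setup("example.com", SAMPLE).items():
        print(f"{bucket}: {names}")
```

This check applies to full setup zones only; on a CNAME setup zone each subdomain has its own Universal SSL certificate.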
CNAME setup
On a CNAME setup zone, each subdomain has its own Universal SSL certificate and does not require additional features or purchases.
Certificate authority
For Universal SSL certificates, Cloudflare chooses the certificate authority (CA) used for your certificate.
Cloudflare can change the certificate authority without prior notification, and will not send any notification as the change happens.
If you want to choose the issuing certificate authority, order an advanced certificate.
Validity period
For Universal certificates, Cloudflare controls the validity period. Refer to validity periods and renewal for details.
TLS settings
Customizing cipher suites is only available with Advanced Certificate Manager or within Cloudflare for SaaS.
You can set a minimum TLS version at the zone level, but per-hostname settings require Advanced Certificate Manager.
Delegated DCV
Delegated DCV allows zones with partial DNS setups to delegate the DCV process to Cloudflare. DCV delegation will not work with Universal SSL certificates and requires the use of an advanced certificate.
Spectrum
Universal SSL is not compatible with Cloudflare Spectrum. If you are trying to use Spectrum, use either an advanced certificate or a custom certificate.
Load balancing
Due to internal limitations, Universal SSL certificates do not cover load balancing hostnames by default. This behavior will be corrected in the future.
Browser support
For more on browser support, see Browser compatibility.