
Universal SSL -- Free TLS Certificates

DodaTech 6 min read

In this tutorial, you'll learn about Universal SSL. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloudflare Universal SSL provides free TLS certificates for every Cloudflare-proxied domain, automatically issued and renewed without any configuration. When you add a domain to Cloudflare and proxy DNS through the orange cloud, Universal SSL activates within minutes, encrypting traffic between visitors and Cloudflare's edge network at no cost.

Why Universal SSL Matters

Before Cloudflare, obtaining and maintaining TLS certificates was a manual process involving Certificate Signing Requests (CSRs), certificate installation on servers, and repeated renewals every 90 days (for Let's Encrypt) or 1-2 years (for paid CAs). Universal SSL eliminates this operational burden entirely. For small businesses, personal blogs, and nonprofits, this means HTTPS is no longer a financial or technical barrier. For enterprises, it means consistent encryption across hundreds or thousands of domains without per-certificate management overhead.

Real-World Use Case

A non-profit organization running 50 subdomains across multiple hosting providers previously managed 50 separate TLS certificates with different expiry dates. One expired certificate caused a donation page to show browser warnings, reducing incoming donations by 30% over two weeks. After moving to Cloudflare, Universal SSL covered all subdomains with a single automatic certificate, and the expired-certificate problem never recurred.

How Universal SSL Works

flowchart LR
    A[Domain Added to Cloudflare] --> B[DNS Proxied via Orange Cloud]
    B --> C[Cloudflare Requests Certificate from CA]
    C --> D[CA Validates Domain Ownership]
    D --> E[Certificate Issued and Deployed to Edge]
    E --> F[Automatic Renewal Before Expiry]
    F --> E
    
    style C fill:#4a90d9,color:#fff
    style E fill:#27ae60,color:#fff

Cloudflare partners with multiple Certificate Authorities including Let's Encrypt, Google Trust Services, and other public CAs. When a domain is proxied through Cloudflare, the system automatically requests a certificate. The CA validates domain ownership through DNS or HTTP challenge methods. Once issued, the certificate is deployed across Cloudflare's global edge network.

Certificate Types

Universal SSL provides two types of edge certificates:

  • Universal Edge Certificates -- cover the root domain and one level of wildcard (*.example.com). These are free and auto-renewed.
  • Advanced Certificates -- cover multiple levels of wildcard, multiple zones, or custom CAs. These require a paid plan.

Coverage and Limitations

Universal SSL covers the root domain and one subdomain level (e.g., example.com and *.example.com). It does not cover more than one wildcard level (e.g., *.app.example.com requires an Advanced Certificate). The certificates use 2048-bit RSA keys and support TLS 1.2 and TLS 1.3.

Verifying Universal SSL Status

# Check Universal SSL status via Cloudflare API
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/ssl/universal/settings" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" | python3 -m json.tool
# Expected output:
# {
#   "result": {
#     "enabled": true
#   },
#   "success": true
# }

The "enabled": true field confirms Universal SSL is active for your zone. If disabled, you can enable it with a PATCH request to the same endpoint. Disabling Universal SSL requires an alternative certificate source such as Custom SSL or Advanced Certificate Manager, otherwise proxied hostnames are left without an edge certificate.

Listing Edge Certificates

# List all edge certificates for a zone
# The inline Python is wrapped in single quotes so the double quotes used
# inside it do not terminate the shell string.
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/YOUR_ZONE_ID/ssl/certificate_packs" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" | python3 -c '
import sys, json
data = json.load(sys.stdin)
for cert in data["result"]:
    ctype, status, hosts = cert["type"], cert["status"], cert["hosts"]
    print(f"Type: {ctype}, Status: {status}, Hosts: {hosts}")
'
# Expected output:
# Type: universal, Status: active, Hosts: ['example.com', '*.example.com']

This lists all certificate packs including universal, advanced, and custom certificates. Each entry shows the certificate type, issuance status, and covered hostnames. Use this to audit which hostnames are covered and whether any certificates are expiring soon.
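The audit the paragraph above recommends, and the one-wildcard-level coverage rule from the Coverage and Limitations section, can be checked mechanically. The following is an added example, not code from the original guide or from Cloudflare: it takes the JSON the certificate_packs endpoint returns, decides which of the hostnames you care about are covered by an active pack, and flags certificates whose expiry is closer than the renewal window. The response below is a constructed sample that mirrors the fields the curl snippet reads (result[].type, .status, .hosts); the expires_on field on each entry of result[].certificates is an assumption about the response shape, and the pack and certificate ids are placeholders.

```python
"""Audit a Cloudflare certificate_packs response for hostname coverage and expiry.

Added example; not part of the original guide and not Cloudflare tooling.
Assumptions: the JSON shape of SAMPLE_RESPONSE (expires_on on each certificate
is assumed), and placeholder ids.
"""
import json
from datetime import datetime, timezone

# Constructed sample shaped like a certificate_packs response.
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "result": [
        {
            "id": "pack-universal-0001",   # placeholder id
            "type": "universal",
            "status": "active",
            "hosts": ["example.com", "*.example.com"],
            "certificates": [
                {"id": "cert-0001", "expires_on": "2025-08-30T23:59:59Z"}
            ],
        }
    ],
})


def hostname_covered(hostname, cert_hosts):
    """True if hostname matches one of the certificate's names.

    A wildcard replaces exactly one leftmost label (RFC 6125 section 6.4.3),
    so *.example.com covers www.example.com but not sub.sub.example.com.
    """
    hostname = hostname.lower().rstrip(".")
    for name in cert_hosts:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*."):
            suffix = name[1:]                   # ".example.com"
            if hostname.endswith(suffix):
                left = hostname[: -len(suffix)]
                if left and "." not in left:    # exactly one label replaced
                    return True
    return False


def audit_packs(response_json, wanted_hosts, now, warn_days=30):
    """Return hosts no active pack covers and certificates nearing expiry."""
    data = json.loads(response_json)
    if not data.get("success"):
        raise ValueError("API call failed: %r" % data.get("errors"))
    active = [p for p in data["result"] if p["status"] == "active"]

    uncovered = [h for h in wanted_hosts
                 if not any(hostname_covered(h, p["hosts"]) for p in active)]

    expiring = []
    for pack in active:
        for cert in pack.get("certificates", []):
            # "Z" suffix is normalised so fromisoformat accepts it on older Pythons.
            exp = datetime.fromisoformat(cert["expires_on"].replace("Z", "+00:00"))
            days_left = (exp - now).days
            if days_left < warn_days:
                expiring.append((pack["type"], cert["id"], days_left))
    return {"uncovered": uncovered, "expiring": expiring}


def demo_report():
    """Run the audit on the constructed sample at a fixed point in time."""
    return audit_packs(
        SAMPLE_RESPONSE,
        ["example.com", "www.example.com", "api.app.example.com"],
        now=datetime(2025, 8, 15, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    # api.app.example.com is reported as uncovered: two labels under the wildcard.
    print(json.dumps(demo_report(), indent=2))
```

To run it against a real zone, replace SAMPLE_RESPONSE with the body returned by the curl command above and pass datetime.now(timezone.utc) as now. An uncovered hostname means a browser will get a certificate-mismatch error for it; a universal certificate with fewer days left than the renewal window is worth investigating, since renewal should already have replaced it.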

Checking Certificate Expiry with OpenSSL

# Check the TLS certificate served by Cloudflare for your domain
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
  openssl x509 -noout -dates -subject -issuer
# Expected output:
# notBefore=Jun  1 00:00:00 2025 GMT
# notAfter=Aug 30 23:59:59 2025 GMT
# subject=CN = sni.cloudflaressl.com
# issuer=C = US, O = Cloudflare, Inc., CN = Cloudflare Inc ECC CA-3

The output shows when the current edge certificate was issued, when it expires, and who issued it. Universal SSL certificates typically have a 90-day validity period and are auto-renewed before expiry. If you see a different issuer (like a custom CA), your domain may be using a custom or advanced certificate.
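The openssl output above is easy to read by eye but awkward to monitor; a small parser turns it into a pass/fail check. This is an added example, not part of the original guide or of OpenSSL: it consumes text in exactly the shape the openssl command prints, computes the days remaining, and applies the 30-day renewal window the guide describes. SAMPLE_OUTPUT is constructed to match the expected output shown above; the issuer test simply looks for the Cloudflare organisation string in that output.

```python
"""Check `openssl x509 -noout -dates -subject -issuer` output for expiry.

Added example; not part of the original guide. SAMPLE_OUTPUT is constructed
to match the expected output shown in the guide.
"""
import sys
from datetime import datetime, timezone

SAMPLE_OUTPUT = """\
notBefore=Jun  1 00:00:00 2025 GMT
notAfter=Aug 30 23:59:59 2025 GMT
subject=CN = sni.cloudflaressl.com
issuer=C = US, O = Cloudflare, Inc., CN = Cloudflare Inc ECC CA-3
"""

# openssl prints dates as "Aug 30 23:59:59 2025 GMT"; strptime treats the
# format's single space as "one or more", so the padded "Jun  1" parses too.
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def parse_x509_summary(text):
    """Split key=value lines and parse the two validity dates as UTC."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    info = {"subject": fields["subject"], "issuer": fields["issuer"]}
    for key in ("notBefore", "notAfter"):
        info[key] = datetime.strptime(fields[key], OPENSSL_DATE).replace(
            tzinfo=timezone.utc)
    return info


def check_edge_cert(text, now=None, warn_days=30):
    """Classify the served certificate relative to the renewal window."""
    now = now or datetime.now(timezone.utc)
    info = parse_x509_summary(text)
    days_left = (info["notAfter"] - now).days
    if now < info["notBefore"] or now > info["notAfter"]:
        status = "invalid-now"          # expired, or not yet valid (clock skew?)
    elif days_left < warn_days:
        status = "renewal-overdue"      # renewal should already have deployed
    else:
        status = "ok"
    return {
        "status": status,
        "days_left": days_left,
        "issuer": info["issuer"],
        "cloudflare_issued": "O = Cloudflare, Inc." in info["issuer"],
    }


def demo_check():
    """Evaluate the constructed sample at a fixed point in time."""
    return check_edge_cert(SAMPLE_OUTPUT,
                           now=datetime(2025, 8, 15, tzinfo=timezone.utc))


if __name__ == "__main__":
    # Pipe the openssl command's output in, or fall back to the sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    result = check_edge_cert(text)
    print(result)
    sys.exit(0 if result["status"] == "ok" else 1)
```

Appending `| python3 check_cert.py` to the openssl pipeline above gives a non-zero exit status when the certificate is invalid or has slipped inside the renewal window, which is what a cron job or monitoring probe needs. A non-Cloudflare issuer is not an error by itself; as the guide notes, it usually means a custom or advanced certificate is in use.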

Common Errors and Troubleshooting

Certificate Not Issued

Universal SSL may fail to issue if DNS is not proxied through Cloudflare (gray cloud), if the domain is not fully activated, or if the CA cannot validate domain ownership. Solution: verify DNS records are proxied (orange cloud) and wait up to 24 hours for issuance.

Certificate Expired Warning

Universal SSL renews automatically 30 days before expiry. If you see an expired certificate warning, the auto-renewal may have failed. Solution: disable and re-enable Universal SSL in the Cloudflare dashboard, or check that your domain is still actively proxied.

Only Root Domain Covered

Universal SSL covers example.com and *.example.com by default. If you need coverage for sub.sub.example.com, you need an Advanced Certificate or a Custom SSL certificate.

Mixed Content After SSL Activation

After Universal SSL activates, pages served over HTTPS may still reference HTTP resources. This triggers browser mixed content warnings. Solution: use Cloudflare's Automatic HTTPS Rewrites feature to rewrite HTTP URLs to HTTPS in the HTML response.

SSL Handshake Errors with Old Clients

Some very old browsers or API clients may not support the TLS versions or ciphers used by Universal SSL. Solution: enable support for older TLS versions in the Cloudflare dashboard under Edge TLS settings, though this reduces security.

Practice Questions

  1. What is the default wildcard coverage provided by Cloudflare Universal SSL?
  2. How long before expiry does Universal SSL automatically renew certificates?
  3. Which Cloudflare API endpoint shows whether Universal SSL is enabled for a zone?

FAQ

Is Universal SSL really free?

Yes. Universal SSL is included with every Cloudflare plan at no additional cost. There are no hidden fees, no per-certificate charges, and no renewal costs. You only pay if you need Advanced Certificate Manager features such as multiple wildcard levels or custom CA integration.

How long does it take for Universal SSL to activate?

Universal SSL typically activates within 15 minutes to 24 hours after proxying DNS through Cloudflare. Most domains are issued a certificate within the first hour. If certificate issuance takes longer than 24 hours, check that your DNS records are proxied and that your domain is not in a pending state.

Can I use my own certificate with Universal SSL?

Yes. Universal SSL runs alongside custom certificates. Cloudflare serves the most specific certificate for each hostname. If you upload a custom certificate covering example.com, Cloudflare uses it instead of the universal certificate for that hostname. Universal SSL continues covering other hostnames in your zone.

Summary

Cloudflare Universal SSL delivers free, automatically managed TLS certificates for every proxied domain. It eliminates the operational overhead of manual certificate procurement, installation, and renewal. Universal SSL covers root domains and one wildcard level, supports TLS 1.2 and TLS 1.3, and integrates seamlessly with Cloudflare's global edge network. For any domain proxied through Cloudflare, Universal SSL activates automatically and keeps your traffic encrypted without ongoing maintenance.

This guide is brought to you by the developers of Cloudflare, SSL, and Web Security tools at DodaTech.
