Advanced Certificate Manager not working for Cloudflare Pages

I’m trying to use ACM to restrict connections to specific cipher suites for a custom domain in Cloudflare Pages. It seems like the Universal SSL cert is not replaced with the Advanced SSL cert even though the Advanced SSL cert is active, and I’ve removed and disabled the Universal SSL cert under Edge Certificates.

I’ve also tried to change the minimum TLS version to 1.3 but scanning on Qualys SSL Labs still shows Universal SSL cert with TLS 1.2 is enabled.


Can anyone help me, please? Thank you.

May I ask if both of them are active and enabled, or?

Only the Advanced cert is active. I have removed the Universal cert.

Thank you for feedback.

Did you tried some other online tools?
They might have an SSL certificate in a cache for some time.
Or even display two certificates - in my case, it was always the Universal SSL + ACM SSL as I have had both of them active and enabled.

Seems like ACM is now okay.

It might take some time to update, I think? :thinking:

Thank you for your quick response.

Yes, I’ve tried a few online tools but it seems to be the same. The SSL cert does not match with the Advanced cert that was created.

I created this new Cloudflare Pages project for further testing on the SSL cert. I was working on another project that has ACM setup and it wasn’t changing to Advanced cert after around 18 hours.

This is unfortunately correct, and apparently unavoidable.

I had a ticket some months ago about this, and was provided the following response:

We’ve checked in internally with Pages Team and they confirm that indeed Pages uses SSL for SaaS certificates and it is not possible to use Advanced Certificates for Pages. Currently there is no plans to support any other type of certificate configuration.

The Pages Certs are essentially SSL for SAAS certs, and the SSL for SAAS takes precedence. Certificate and hostname priority · Cloudflare SSL/TLS docs

My use case was to use ACM to set a limited set of Ciphers. ACM ciphers do not work with Pages when using the SSL for SaaS certs. If you are able to use a Custom Cert then it will take priority, and the ACM ciphers you define will become active.

1 Like

This is what I’m trying to do too, to disable weak ciphers.

Looks like I have to be on the Business plan or higher with ACM in order to upload a custom cert. Seems a lot just to disable weak ciphers.

Thank you all for your responses.

I totally agree. I would prefer that you could choose from a few cipher sets (perhaps like Cloudfront security policies), or have Cloudflare change the default to a better set of ciphers, and have users jump through hoops to enable weaker ciphers.

1 Like