I was wondering why Cloudflare seems to be using one CA over another. Among the sites I have added, some are using Cloudflare's own CA, while others are using Let's Encrypt, and apparently, according to the documentation, other CAs are supposed to be used as well (i.e. Sectigo, GlobalSign, Google).
How come I usually get certificates from one CA instead of another? (In my case, I seem to almost always land with Let's Encrypt rather than any other CA.)
How does the CA selection process happen for a particular domain?
It’s also quite annoying that all your domains use the same CA except for one which uses another.
(I would like to use another CA than Let's Encrypt, since not all my records are Cloudflared and I still need to generate SSL certificates for those uncloudflared subdomains without hitting rate limits.)
It would be great if there was the ability to use the CA of your choice (availability and rate limits taken into account, of course).
Certificate authorities

Cloudflare may issue certificates for SSL products from any of the following Certificate Authorities (CAs):

  • DigiCert
  • GlobalSign
  • Let’s Encrypt
  • Google Trust Services
  • Sectigo (formerly Comodo)

Backup certificates

If Cloudflare is providing authoritative DNS for your domain, Cloudflare will issue a backup Universal SSL certificate for every standard Universal certificate issued.

Backup certificates are wrapped with a different private key and issued from a different Certificate Authority — either Google Trust Services or Sectigo — than your domain’s primary Universal SSL certificate.

These backup certificates are not normally deployed, but they will be deployed automatically by Cloudflare in the event of a certificate revocation or key compromise.

P.S. From my personal experience, Let's Encrypt will be used in zones with higher minimum security settings, such as minimum TLS version. So I'm guessing that the choice of CA might have something to do with compatibility. (Please let me know if I'm wrong.)
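If you want to check which of the CAs listed above actually issued the certificate each of your zones is serving right now (and spot the odd one out), the quickest way is to look at the issuer of the leaf certificate Cloudflare's edge presents. The script below is an added example written for this thread, not code from the original post or from Cloudflare. It assumes a keyword heuristic over the issuer's organizationName/commonName (the ISSUER_KEYWORDS table is an assumption you may need to extend), and the sample certificates are constructed in the shape that Python's `ssl` getpeercert() returns, not captured from real hosts. The Cloudflare-branded intermediates (for example "Cloudflare Inc ECC CA-3") are what the original poster calls "Cloudflare's own CA"; in my experience they chain to a DigiCert root, but the script only labels them, it does not verify the chain.

```python
"""Classify which CA issued the leaf certificate a host is serving.

Added example for this thread (not Cloudflare's code). Only the standard
library is used; the live check is opt-in via the __main__ block.
"""
import socket
import ssl
from typing import Dict, List, Optional

# Heuristic: substrings looked up in the issuer's organizationName and
# commonName (lower-cased). Assumption: these are the strings the listed
# CAs use in their intermediates; extend the table if you see "unknown".
ISSUER_KEYWORDS = (
    ("let's encrypt", "Let's Encrypt"),
    ("google trust", "Google Trust Services"),
    ("digicert", "DigiCert"),
    ("globalsign", "GlobalSign"),
    ("sectigo", "Sectigo"),
    ("comodo", "Sectigo"),  # Sectigo was formerly Comodo
    ("cloudflare", "Cloudflare-branded intermediate"),
)


def rdn_to_dict(rdn_seq) -> Dict[str, str]:
    """Flatten the nested tuple-of-tuples getpeercert() uses for subject/issuer."""
    out: Dict[str, str] = {}
    for rdn in rdn_seq:
        for attr_type, value in rdn:
            out[attr_type] = value
    return out


def classify_issuer(cert: dict) -> str:
    """Return the CA name from ISSUER_KEYWORDS, or 'unknown'."""
    issuer = rdn_to_dict(cert.get("issuer", ()))
    haystack = f"{issuer.get('organizationName', '')} {issuer.get('commonName', '')}".lower()
    for needle, name in ISSUER_KEYWORDS:
        if needle in haystack:
            return name
    return "unknown"


def days_until_expiry(cert: dict, now: Optional[float] = None) -> int:
    """Whole days left on the certificate; `now` is epoch seconds (default: current time)."""
    import time
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((not_after - now) // 86400)


def summarize(certs: Dict[str, dict]) -> Dict[str, List[str]]:
    """Group host names by issuing CA, so the odd-one-out zone is obvious."""
    groups: Dict[str, List[str]] = {}
    for host, cert in certs.items():
        groups.setdefault(classify_issuer(cert), []).append(host)
    return groups


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live TLS handshake with SNI; returns getpeercert() of the leaf. Network access required."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape (assumption: not real captures).
SAMPLE_LE = {
    "subject": ((("commonName", "a.example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}
SAMPLE_GTS = {
    "subject": ((("commonName", "b.example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Google Trust Services"),), (("commonName", "WE1"),)),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}
SAMPLE_CF = {
    "subject": ((("commonName", "c.example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Cloudflare, Inc."),), (("commonName", "Cloudflare Inc ECC CA-3"),)),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}
SAMPLE_UNKNOWN = {
    "subject": ((("commonName", "d.example.test"),),),
    "issuer": ((("organizationName", "Example Internal CA"),), (("commonName", "CA-1"),)),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}


if __name__ == "__main__":
    import sys
    live: Dict[str, dict] = {}
    for host in sys.argv[1:]:
        try:
            live[host] = fetch_peer_cert(host)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: error: {exc}")
    for ca, hosts in summarize(live).items():
        print(f"{ca}: {', '.join(hosts)}")
```

Run it as `python3 cacheck.py zone1.example zone2.example ...` against your own hostnames; each zone is grouped under the CA that issued the leaf it currently serves. Since the backup certificate is not deployed unless Cloudflare swaps it in, a sudden change in the reported CA for a zone is worth noticing.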

I don't think that's necessarily the case. For example, I have noticed that some of my domains do use TLS 1.2 as the minimum TLS version and HSTS, but they use the Cloudflare CA. Cloudflare seems to be using TXT validation for their own CA, according to the logs.

Thanks a lot, that’s very useful. Glad to see we can actually control that.

