Changes to Universal certificates and Total TLS

1. So Cloudflare will stop using DigiCert as an issuing certificate authority (CA) for new Universal certificates.
Read here:

Question: Which Certificate Authority will Cloudflare migrate to? There is no explanation for that.

2. I see that Cloudflare now has a new Total TLS option where you can choose CA from Let’s Encrypt or Google Trust Services

Question: For Total TLS, you need to purchase Advanced Certificate Manager. However, Let’s Encrypt is free. Why is Cloudflare asking us to purchase a subscription for a free SSL certificate?
Most hosting services issue a free Let’s Encrypt certificate now. Why can’t we just use something like that on Cloudflare?

Universal SSL has always been load balanced between the available CAs - it doesn’t really matter which your certificate goes to.

Because Cloudflare is a business - or more specifically, Total TLS is just an automation of what’s already possible with ACM so you’d naturally need ACM.

The other benefits of ACM are listed here:

You’re free to continue using a free certificate if you don’t need Total TLS or ACM.


To be clear, Cloudflare will continue to provide Let’s Encrypt and Google certificates for free in the same way they did before.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.