To clear up any confusion, there are three ways to get basic SSL/TLS/HTTPS running for your site:
-
Universal SSL
Universal SSL comes with all plans (Free, Pro, Business, Enterprise) and is enabled by default. It issues an SSL certificate for free and is automatically used by Cloudflare by default. It covers your domain and first-level subdomains (e.g. example.com and *.example.com), and can only be used with your Cloudflare zone. -
Advanced Certificate Manager (ACM)
ACM is a paid add-on for $10/month. It allows you to create more certificates with custom hostnames to cover more than just the first subdomain level. You could add names such as (*.subdomain.example.com or *.some.subdomain.example.com). The certificates are still issued by Cloudflare and can only be used with your Cloudflare zone. -
Custom SSL
This feature is for the Business plan and above. It allows you to upload your very own SSL certificate to Cloudflare which will be used instead of the previous ones. It is included in Business & Enterprise plans, but it is used - hence the name - to be able to upload your own certificate. Therefore, you’d need an already issued certificate to make use of this feature, such as from a CA like LetsEncrypt, DigiCert, or many others.
I hope this clarifies any misunderstandings, but regardless of which type of SSL you use, your basic website will most likely be covered with all of them.