How Universal SSL actually works?

I am fairly new in Cloudflare and a bit confused about the concept and working of Universal SSL. I tried searching this forum as well as the documentation for the latest info, but didn’t find something relevant.

My main questions regarding this are :-

  1. What exactly is Universal SSL ?
  2. How is it issued to a domain ?
  3. Is it a dedicated certificate ? (I read previously that it is issued to some internal URLs of Cloudflare, and domains are added as SNIs, but when checked on my domain, jithe the subject and alternative names are same as my domain, no any URL from Cloudflare.)
  4. If it’s not a dedicated certificate, how the Cloudflare URLs are hidden from subject names ?

Start reading the article below, and see what is
not answered.

As Cloudflare host the DNS for domains on CF, they are able to create DNS TXT records to confirm domain control during certificate validation.

Dedicated SSL was a Cloudflare product, now replaced by ACM.

Previous versions of Universal had multiple domains share a certificate, but I have not seen such certs in a while. Generally certs have SANs for example.com, *.example.com and sni.Cloudflare.com.

Thank you @michael…!

I got answers of my first two questions from your reply.

I found answer of my first question in the article you provided. I had read that previously, but I read again thoroughly.

Here, you answered my second question.

But, I am still not getting why my domain does not have sni.Cloudflare.com in SANs. As you said, something has been probably changed. My certificate is issued by Let’s Encrypt Authority. And it clearly looks like a dedicated certificate exclusively for my domain, not a shared one.

May be Cloudflare is offering some kind of hybrid certificate ?

I confirmed that I actually have been issued a dedicated certificate exclusively for my domain. I verified that by performing test as mentioned here in the below thread :

Results of my test showed that my domain is not a common name of ssl123456.cloudflaressl.com but it is itself shown as common name and alternative name.

I think this is due the fact that Cloudflare itself has not issued me the certificate but R3 open authority has certified me…!

All my doubts are cleared now.

Thanks @michael for giving me the exact clues.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.