Issues regarding SSL certificates for hosted vs non-hosted domain names


Please refer to the attached screenshot No.1 taken at “Edge Certificates”. I am on a free plan and genuinely thought the free total universal SSL certificate needs to be manually enabled. Also, I understood it could be enabled ONLY after we have added DNS records pointing to our hosting server. It appears I was mistaken, taking into account that I have not yet added any DNS to the domain name quoted in the screenshot.

On the one hand, I have the impression the certificate was activated by default because under columns “type” and “status” we can read UNIVERSAL and ACTIVE respectively. Furthermore, the existence of a label at the bottom of the same page allowing us to disable the universal SSL certificate provides an additional argument confirming that it is actually activated by default.

On the other hand, the fact that TOTAL TLS is deactivated by default indicates that the certificate is not added automatically, which means we have to activate it manually.


(1) Please confirm whether or not Cloudflare automatically enables the free SSL certificate for all domains added to our account without requiring any proactive action from us.

(2) Should we add the domain name to our hosting account BEFORE starting to implement the SSL/TLS setting at Cloudflare?

(3) If I am told that the SSL certificate is automatically added, I would ask the following question:

Why then do we need to click “Purchase ACM” in order to add either the free Universal SSL (my case) or purchase the Advanced Certificate Manager to be able to activate the Total TLS?

(4) If I am told that the SSL needs to be manually enabled, my next question would be [Please cf. screenshot No.2]:

Why then after selecting the plan under “Advanced Certificate Manager” I noticed that the NEXT button remains greyed out?

(5) I am wondering if the first step to undertake would be to go to “Origin Server” and click CREATE CERTIFICATE? Apparently, this must be done before trying to add the certificate at “Purchase ACM”? Please confirm.


A short while ago I realized the tool HTTP Strict Transport Security (HSTS) only works if the website has already secured URL addresses (HTTPS) that have been created.

Universal SSL will be enabled on all domains added to the account for most user settings. Each domain will get its own certificate for the apex domain and first-level of subdomains ( and *

If you don’t know what they are, then likely you don’t need Advanced certificates or Total TLS.

Make sure your origin server/hosting also has SSL enabled and a valid SSL certificate (either from Cloudflare’s origin certificates, or a trusted CA such as Let’s Encrypt) and that your SSL/TLS mode on Cloudflare is set to “Full (strict)” to ensure your traffic is secured end-to-end.
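The coverage rule mentioned in the reply above, as an added example that is not part of the original thread or Cloudflare's own code: a wildcard name in a certificate stands for exactly one DNS label, so a certificate for the apex plus one wildcard does not match deeper subdomains. The zone `example.com`, the SAN list and the hostname inventory are constructed placeholders, and the function names are hypothetical.

```python
"""Check which hostnames an apex + single-wildcard certificate covers."""

# Assumed SAN list of a Universal certificate for the placeholder zone.
UNIVERSAL_SANS = ["example.com", "*.example.com"]

# Constructed hostname inventory for the placeholder zone.
HOSTS = [
    "example.com",
    "www.example.com",
    "shop.example.com",
    "api.staging.example.com",   # second-level subdomain
    "WWW.Example.com.",          # same host, mixed case, trailing dot
]


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN entry against a hostname.

    A leading "*" label matches exactly one non-empty label (RFC 6125),
    so it never matches the apex or a name with extra labels.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def covered(sans, hostname: str) -> bool:
    """True if any SAN entry matches the hostname."""
    return any(san_matches(s, hostname) for s in sans)


def uncovered_hosts(sans, hostnames):
    """Hostnames that would fail certificate name validation."""
    return [h for h in hostnames if not covered(sans, h)]


if __name__ == "__main__":
    for host in HOSTS:
        state = "covered" if covered(UNIVERSAL_SANS, host) else "NOT covered"
        print(f"{host:28} {state}")
```

Running the same check over your own list of proxied hostnames shows whether any of them fall outside the apex and first-level names.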


Thank you! After reading your comment, I realized my confusion stemmed from the fact that I was mistakenly treating Universal SSL certificate and Total TLS as being exactly the same thing. The website says clearly that Total TLS is available for domains that have purchased an Advanced Certificate Manager. Therefore, we can safely infer that having a Universal SSL certificate does not suffice to enable Total TLS, which explains why the NEXT button is greyed out (screenshot 2).

I queried these SSL/TLS issues to ensure that the initial setting undertaken for each domain added is correctly configured. As it is now clear to me that the Universal SSL certificate is enabled by default on any domain added to the account, I am satisfied at this stage because my hosting server offers a trusted CA (Let’s Encrypt) to complement the other side of the SSL/TLS process. This is especially so because I always set SSL/TLS mode to “Full (strict)”.

I am aware this basic setting could definitely be improved, but I need time to go through a learning process to be able to assimilate the impressive number of resources and capabilities offered by Cloudflare. Furthermore, I feel it is not necessary to start upgrading with paid services unless our website grows or needs a higher level of security and performance.
