S/MIME certificate for emails

Hi Cloudflare,

Only one business in the entire world is now providing a free S/MIME certificate. A certificate can be self-signed using OpenSSL, although doing so diminishes confidence because it is not independently checked, and certain email clients display a warning sign when the certificate is self-signed.

I think it would be quite beneficial for many if Cloudflare could include S/MIME in the offering, and we wouldn’t need to go elsewhere for email security.

Thanks

Who?

I fully agree that the email encryption market needs a jump-start. Cloudflare might not be the best place to do that though. They do not operate a CA, and they don’t provide mail clients either. But nobody else has decided to do anything with either S/MIME or PGP (at least, nobody has gotten any traction for their solutions), and Cloudflare have enough resources to tackle this problem.

3 Likes

Hi @michael

Although I am aware that Cloudflare is not a CA, it still seems odd to me that I have to go elsewhere for an S/MIME certificate, but I can get free SSL for a website. Cloudflare offers very advanced email security in Area 1, but they do not offer an S/MIME certificate, a very basic and very easy to issue certificate.

It is comparable to purchasing a pricey phone from a retailer who does not provide a plastic bag for you to carry it since they are not a manufacturer of plastic bags. Even if a bag is unimportant and not something a company sells, it still degrades the user’s shopping experience.

I believe that at the very least, customers should have the option of purchasing certificates directly from Cloudflare, which may issue them elsewhere, simply to keep all of my DNS, email, and website security solutions in one place.

Previously, there were 14 different companies, but there is only one now (Comodo RSA Certification Authority). However, based on what I read, they are not issuing any new free certificates, and I’m not sure what to do when the current certificates begin to expire.

I think Cloudflare can really help a lot of people to come onboard with Cloudflare and provide better overall products.

Thanks for taking the time to upvote.

Correct, but Cloudflare isn’t going to give you the private key to install yourself.

1 Like

Hi @sdayman

Why not? All they need to verify is whether the email belongs to me or whether I have access to the email. Companies usually send a confirmation email with a verification code and then provide you the certificate. Having it from Cloudflare will make more sense for people who use Cloudflare.

I do not know why you think giving the private key of the certificate can be an issue. For a website I do not need the private key since all the work is done by Cloudflare, but for email it is different.

Thanks

I don’t think it’s an issue. There’s just no precedent for Cloudflare to do so. The only certificates they give the private key for are the origin certificates, which you can’t use publicly.

There are certainly areas where Cloudflare pushes hard for change. Email isn’t one of these, so far. Area1 was an acquisition, and Email Forwarding is just a convenience, like Domain Registrar. And both of those still have a ways to go before they’re full-featured.

It certainly is, which is why it doesn’t yet make sense for Cloudflare to jump into something that’s not even part of the services they offer at this time.

Email’s just an antiquated system that’s getting band-aid after band-aid to make it halfway decent. I don’t think Cloudflare can offer as much improvement as they’ve done for DNS (DNSSEC/DoH/DoT/Gateway). S/MIME is one step up from PGP, which I’ve used for a very long time with a very low percentage of adoption.

Anyway, I’m getting a bit off track here. I have no objection to Cloudflare getting into the S/MIME business, but they’re a very tiny player when it comes to email. Here’s a long old thread trying to get Let’s Encrypt to do the same:

7-year-old post and still no progress. You can see what I mean here: the demand is huge and the implementation of this service is very easy, and this will give many users, including me, one additional reason to be with Cloudflare. So they can solve a decade-old issue 🙂

If that were true, it’d be done already.

1 Like

Hi @sdayman

You can simply issue a certificate using OpenSSL; the only issue is that some email clients show a warning sign for the self-signed certificate, which is actually worse than having no certificate.

But other than that, this seems a very straightforward and simple process.

Thanks

I’m still not seeing that. Cloudflare is not your email provider, yet you want them to authenticate your email. I stand by my statement: If it was easy, it’d be done already by someone, like Google, who is a CA and has a pretty sizeable presence in Email.

1 Like

I’ve obviously missed something. Every time I have set up S/MIME it has been a pain, and managing the certs across multiple devices is a universally terrible user experience.

Right now, Cloudflare does not provide publicly trusted certificates to any customer. The Universal SSL certificates are only used for client-to-proxy traffic, and Cloudflare never exports the keys for customers. And whoever controls the spice keys controls the universe. Without the keys on the clients, what exactly are you expecting S/MIME to do?

Large scale S/MIME deployment would create a few problems we don’t have in the typical HTTP use-cases for TLS. If all email was encrypted, how would indexing work? Most email security tools today are middle boxes, and scan everything passing through. How do they work if all payloads are encrypted? Key escrow is an option for both of these situations, but key escrow has its own problems. Separating encryption and signing keys mitigates some of the risk of key escrow, but it is an issue for use cases where encryption is important for privacy.

Cloudflare continues to offer Flexible SSL, but the genesis of that feature was in a different era, and nobody really wants to see a similar situation arising in the email world, where the email is not actually E2E encrypted. Within the current products from Cloudflare, I don’t see where S/MIME would slot in?

Really? How does the user generate the key? How does the user get a CSR to Cloudflare (or any other CA, for that matter)? How will Cloudflare prove control of the email address for a Class 1 certificate? How will the user get those keys onto multiple devices (or can you only use it on one machine)?

I think the problem is way bigger than you seem to think.

What Cloudflare can certainly do is to work with the major players in the industry to drive adoption of existing S/MIME standards. Right now, adoption is close to 0%.

1 Like
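The two posts above touch the same mechanics from opposite sides: one says a self-signed S/MIME certificate is a quick OpenSSL job whose only downside is the client warning, the other asks how the key and CSR come into existence in the first place. The following script is an added example, not code from the thread or from Cloudflare, that walks through exactly those steps with the OpenSSL command line: it generates a key pair and CSR for a constructed address (alice@example.com), self-signs it with the extensions mail clients look for (emailProtection EKU, rfc822Name SAN), signs a constructed message, and then verifies the signature twice. The first verification passes the certificate in as an explicit trust anchor; the second gives the verifier no trust anchor at all, which reproduces the "untrusted signer" condition that produces the warning. All file names, the working directory and the address are assumptions of the demo.

```shell
#!/bin/sh
# Added example: self-signed S/MIME certificate with the OpenSSL CLI, a signed
# message, and verification with and without a trust anchor. The address,
# names and paths are constructed for the demonstration.
set -e

WORK="${SMIME_DEMO_DIR:-$(mktemp -d)}"
EMAIL="alice@example.com"   # constructed address

# Key pair, CSR and self-signed certificate. The extension file adds what mail
# clients check for an S/MIME certificate: the E-mail Protection EKU and an
# rfc822Name subjectAltName matching the sender address.
make_smime_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/alice.key" -out "$WORK/alice.csr" \
    -subj "/CN=Alice Example/emailAddress=$EMAIL" >/dev/null 2>&1
  cat > "$WORK/smime.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$EMAIL
EOF
  openssl x509 -req -days 365 -in "$WORK/alice.csr" \
    -signkey "$WORK/alice.key" -extfile "$WORK/smime.ext" \
    -out "$WORK/alice.crt" >/dev/null 2>&1
}

# True when the certificate advertises the E-mail Protection EKU.
cert_has_email_eku() {
  openssl x509 -in "$WORK/alice.crt" -noout -text | grep -q 'E-mail Protection'
}

# Sign a constructed MIME body; the output is an S/MIME multipart/signed message.
sign_message() {
  printf 'Content-Type: text/plain\r\n\r\nHello, this is a signed test message.\r\n' \
    > "$WORK/msg.txt"
  openssl cms -sign -in "$WORK/msg.txt" -signer "$WORK/alice.crt" \
    -inkey "$WORK/alice.key" -out "$WORK/msg.p7m" >/dev/null 2>&1
}

# Verification succeeds only because the signer's own certificate is supplied
# as the trust anchor (the equivalent of a user importing it into their client).
verify_with_trust_anchor() {
  openssl cms -verify -in "$WORK/msg.p7m" -CAfile "$WORK/alice.crt" \
    -out /dev/null >/dev/null 2>&1
}

# Same message with no trust anchor: the chain ends in a self-signed leaf that
# nobody vouches for, which is the condition behind the client warning.
verify_without_trust_anchor() {
  openssl cms -verify -in "$WORK/msg.p7m" -no-CAfile -no-CApath \
    -out /dev/null >/dev/null 2>&1
}

# Prints "trusted" or "untrusted" for the no-anchor case.
classify_signature() {
  if verify_without_trust_anchor; then echo trusted; else echo untrusted; fi
}

# Build the artefacts once; safe to call repeatedly within one run.
run_demo() {
  [ -f "$WORK/alice.crt" ] || make_smime_cert
  [ -f "$WORK/msg.p7m" ] || sign_message
}

run_demo
echo "EKU present:        $(cert_has_email_eku && echo yes || echo no)"
echo "with trust anchor:  $(verify_with_trust_anchor && echo verified || echo failed)"
echo "without anchor:     $(classify_signature)"
```

The script needs OpenSSL 1.1.0 or later for the -no-CAfile and -no-CApath options. The contrast between the two verification calls is the whole point: the signature is mathematically identical in both, and the only thing that changes is whether the verifier has a reason to trust the signer, which is the gap a CA fills and a self-signed certificate leaves open.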

Maybe it is, but the problem is that Let’s Encrypt and GTS aim for certificate automation. How can you automate S/MIME certificates? It’s true that there are people who have already made Certbot mods to allow S/MIME issuance, but they require manual intervention.

If you need an S/MIME certificate, you can get one from Actalis for free (if you don’t mind that they generate the private key for you).

Yes, that’s really disappointing. I’ve been using S/MIME daily for a long time, but the main issue nowadays is that just a few desktop (and even fewer mobile) email clients support S/MIME. Gmail supports S/MIME just for their Workspace Enterprise plans ($$$), and Outlook is for paid plans (and is also hard to set up, requires setting manual AD servers).

1 Like

Isn’t that their “Hosted S/MIME” offering?

All of the default mail clients I use daily support S/MIME (Windows Mail, iOS and MacOS native mail, Outlook on iOS, Windows and MacOS etc.)

Web based email encryption is generally going to be difficult.

1 Like