SaaS Custom Hostnames: How is the CA selected?

I am creating hostnames programmatically via the API, using HTTP Pre-validation. Being on the “Pro Plan” it doesn’t seem to be possible specifying the CA when creating a hostname. About 90% of the created hostnames are getting Google as the CA, while the rest seems to be using Let’s Encrypt.
Is there any reason behind this, why some names are using Google and the others Let’s Encrypt? Or is it somehow possible to enforce only one of them being used?

I’ve noticed that GTS is used more often recently as the main certificate for Universal SSL, likely due to the upcoming LE cross sign with IdenTrust expiring. It’s not quite June yet, but possible GTS is already preferred…

Initially Cloudflare were sending out warnings about this, but seems they’ve decided to head off problems/customer support load and not use LE for a while for those “Universal SSL customers and those using SSL for SaaS with the default CA choice.”

@sjr thanks for your reply… Yes it is obviously preferred as nearly all certificates use GTS, but just “nearly”… Therefore I am wondering if there’s any logic behind that or if Let’s Encrypt is still randomly chosen sometimes…

I don’t recall anyone giving details. My guess, it’s a sliding change over time, from mostly LetsEncrypt (at one point, LE was exclusive for the default on Universal SSL and GTS was not used) to exclusively GTS in June so as to avoid any issues with a step change on a single date.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.