Since moving to CloudFlare the browser padlock is no longer green

In the Safari browser, both iPhone and Mac desktop browsers, the padlock (Mac desktop) and entire URL (iPhone) used to show as green when DNS was pointed to our server directly. Since moving to CloudFlare, and upgrading to their optional Edge Certificate, I’m still seeing no green in either instance. We have other subdomains that are NOT “Proxied” that show the green padlock and URL as they used to, but the subdomains and root domains that are “Proxied” no longer show the green.

Here’s a link to our site (keeping it hidden for SEO reasons since this is not a private forum)… https://tinyurl.com/yayo7zpz

Is it possible to get these green elements back, since obviously there are some security-related elements that are now lacking with the URLs that are now CloudFlare Proxied?

It is green and fully secured for me. Try clearing your cache.

Thanks Jake, but as I noted, I’m referring to Safari on Mac and iPhone. Something with those browsers is no longer showing the green elements noted in my OP.

Anyone else experience this issue, or have thoughts as to the cause?

Hi @dzyner,

Can you post one of these subdomains that works as you expect?

Also, can you post a screenshot of the domain that isn’t working as expected, where the padlock is not green, and one of it working as expected?

Do you, by any chance, have an EV certificate on the server?

Unfortunately I can’t since they’re protected corporate domains. Wish I could. What info are you looking for? I can potentially provide the info for you.

That makes it very difficult for us to troubleshoot.


Yes, the server has an EV Multidomain Cert installed.

I am guessing that is why. The Cloudflare Universal SSL is DV. You can upload your EV cert on the Business plan, however, personally I don’t think EV certs are necessary.

Thanks for the info, but I don’t fully understand. Are you saying the CF Universal DV SSL is actually on par with, or better than our server-side EV cert?

Also, when you say you don’t think EV certs are necessary, why?

Extended Validation certificates are theoretically ‘better’ than domain validation certificates. They are supposed to verify the organisation behind the site, not just the domain name. There is no difference in the strength of the encryption etc.

EV relies on the visitor making a decision whether to trust the site in the presence or absence of the indicator. The indicator has now been made far less prominent in most major browsers, and users generally don’t notice the difference!

This is explained in more detail in the post linked to above and in

It is up to you. You need both a Cloudflare and a server-side certificate to secure the connection. If you want the EV cert in Cloudflare, you will need the Business plan, though.

1 Like

It’s iOS, iPadOS and macOS - all WebKit-based browsers stopped showing a green padlock in favor of a grey one. Nothing has changed on Cloudflare’s end; the security remains the same…

I do believe that coincidence of timing is to blame

EV Certs offer not just a green padlock but also color the beginning of the web address green to identify sites that paid too much $$$ for a level of protection that truly is no better than a cert one may obtain for free from, e.g., Let’s Encrypt. Now, there are those that include “insurance” up to a certain limit and under a limited set of circumstances. Most don’t offer anywhere near the money needed to pay a fine for data breaches, if any. The final difference is the application process, which will actually be simplified within the year as per CA’s recent voting on certain measures. Ofc they’d want it simplified since extended certs are, generally, outrageously expensive. They also voted against a reduction in cert lifetimes, which is needed, but that’s another subject entirely. For now, one has to “prove” you exist as a business, from multinationals to sole proprietors DBA [business name]. So in that regard, anyone can get an extended cert since the process of turning one’s self into a business (whether actual or not) is very simple. A Social Security Number is all you need to do it.

1 Like

Good reading from Troy. @dzyner Think of it this way if you do want extended certificates - if Mozilla Firefox shows green, Google Chrome & Chromium show green, but Apple’s Safari does not, nor do browsers on iOS, iPadOS and macOS due to the WebKit-only rule imposed by Apple, is your extended cert actually no longer an extended cert?

1 Like

As far as I’m aware, there is no known evidence of a CA ever paying out.

https://scotthelme.co.uk/do-ssl-warranties-protect-you-as-much-as-rocks-keep-tigers-away/

1 Like

I have encountered 0 tigers on my walk to work since I purchased my tiger-be-gone rock for just $499. How much more proof do you need of its value?

3 Likes

Always keep it with you at home, too.

1 Like