SSL Certificate Query


I’ve set up 2 websites with the same SSL configuration on Cloudflare:

  • Full (Strict)
  • Edge Certificate (Universal)
  • Always Use HTTPS (Enabled)
  • Minimum TLS Version (TLS 1.0 Default)
  • Opportunistic Encryption (Enabled)
  • TLS 1.3 (Enabled)
  • Automatic HTTP Rewrites (Enabled)

Both websites have:

  • Wordpress 5.3.9
  • SSL certificate by Lets Encrypt (provided free by Web Host)

The only difference I can see is both certificate chains are different. > E1 > ISRG X2 > ISRG X1 > R3 > ISRG X1 is showing the original certificate by Let’s Encrypt while is showing the certificate by Cloudflare (

I’ve “curl -vI” and both are showing Server as Cloudflare. SSLShopper is also showing both as Server Type Cloudflare.

Both web sites are working fine via https so its not like anything is broken. But I can’t figure out why both websites are showing different certificates even though both are going through Cloudflare.

Any advice would be most appreciated.


Cloudflare uses 3 different CA’s (DigiCert, Comodo or Let’s Encrypt) to back their intermediary certificate for Universal SSL - there’s no guarantee which one it uses or which other SANs appear on your certificate.

If you’d like more control, you’d need to purchase Advanced Certificate Manager - but if it’s not causing any issues, I wouldn’t bother.

Wouldn’t both websites be showing a certificate from Cloudflare since both are Universal type? is showing the original cert I generated with the web host as its only valid for 3 months. So presumably, that would mean I have disabled Universal SSL. But I didn’t.

While, which is showing as the certificate, is valid for 1 year. Which I assume means its using Cloudflare’s Universal SSL.

I’m not looking for more control, just trying to understand how SSL works in Cloudflare.


Without knowing the actual addresses, I wouldn’t be able to give you an answer.

Visit the website that’s showing the ‘original cert’ that you generated & see if it’s actually going through Cloudflare - i.e a Server: cloudflare response header or just dig the website & see if the returned addresses are in

For website showing original cert … curl returns “server: Cloudflare” and dig returns and, both Cloudflare addresses.

For website showing Cloudflare’s cert … curl returns “server: Cloudflare” and dig returns and, both Cloudflare addresses.

I’ve also tested both on SSL Shopper and both return “Server Type: Cloudflare”.

As long as you see the certificate in then it’ll be managed by Cloudflare.

The only scenarios where the origin certificate would be presented is when Universal SSL (might actually just give an insecure error on it’s own) or SSL Mode is set to Off.

Yes, in Cloudflare’s dashboard under Edge Certificates, both are showing Edge certificates as Universal, Active and ECDSA SHA256 Managed by Cloudflare.

Only difference is on the dashboard is the Certificate Authority …

Web site showing original cert (3 lines):
Certificate Validity Period 3 months
Certificate validation method TXT
Certificate Authority Let’s Encrypt

Website showing Cloudflare’s cert (only 2 lines):
Certificate Validity Period 1 year
Certificate validation method TXT


This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.