Introducing Dedicated SSL Certificates

by Patrick R. Donahue.

When we launched Universal SSL in September 2014 we eliminated the costly and confusing process of securing a website or application with SSL, and replaced it with one free step: sign up for Cloudflare.

CC BY 2.0 image by JD Hancock

When you complete the sign-up process, we batch your domain together with a few dozen other recently signed-up domains, and fire off a request to one of our Certificate Authority (CA) partners. The CA then sends us back a shared certificate covering the root (e.g. example.com) and top-level wildcard (e.g. *.example.com) of your domain, along with the hostnames of the other customers in the request. We then package this shared certificate with its encrypted private key and distribute it to our datacenters around the world, ensuring that your visitors’ HTTPS sessions are speedy no matter where they originate.

Since that process was created, we have used it to secure millions of domains with free Universal SSL certificates and helped make the Internet a faster and more secure place.

More control and personalization

But along the way we heard from customers who wanted more control over the certificates used for their domains. They want control of when they’re issued, whether other customers’ (or Cloudflare’s) hostnames appear on them, the breadth of subdomains they protect and which SSL/TLS versions and encryption options they support.

In short, customers want a service that provides a non-shared, customizable certificate for their domain.

CC BY 2.0 image by JD Hancock

Perhaps the most common request we heard was "I love your Universal SSL product, but how can I use it on my website in a way that the certificate shows my domain name instead of cloudflaressl.com? And how can I prevent the certificate from being shared with other customers (all without upgrading my plan)?".

A close second was “Why do I have to disable Cloudflare on my extra.long.name.example.com or risk my users experiencing browser errors? Your Universal SSL certificates cover only one level of wildcard, but I also want my hosts at *.staging.example.com protected.”

Lastly, as we’ve rolled out exciting encryption features like TLS 1.3, Automatic HTTPS Rewrites, Opportunistic Encryption, we’ve heard that you want granular control over which certificates and subdomains have these new features enabled.

Dedicated SSL

Today we’re excited to announce two new products to meet all of these needs and many more to come: Dedicated SSL Certificates and Dedicated SSL Certificates with Custom Hostnames. These new certificate offerings are issued on-demand, with a new private key generated exclusively for your domain, and branded prominently with your domain name.

A customer owning the domain dedicatedcerts.xyz would have a shared certificate with a name like ssl329744.cloudflaressl.com under Universal SSL, but their own certificate with Dedicated SSL Certificates.

Dedicated Certificate as rendered in Google Chrome
Universal SSL Certificate as rendered in Google Chrome

Dedicated Certificates give you the benefits of Universal SSL certificates—automated renewal and rapid revocation/reissuance to address newly discovered crypto vulnerabilities—without having to upload (and manage the renewal of) certificates purchased elsewhere.

They’re also the first step in our plan to provide true subdomain-level customization of your HTTPS settings, whether requiring Modern TLS or selectively enabling new and upcoming features such as Automatic HTTPS Rewrites or HTTPS from within China using separate keys.

Unlike custom certificates that you acquire and upload yourself, Dedicated Certificates free you from the complexity and monotony of safely generating and storing private keys; crafting certificate signing requests (CSRs); requesting, downloading, and building certificate chains; and regularly renewing and re-installing certificates on your server. Why risk letting a certificate expire and show errors to users, or not reissuing your key pair fast enough when the next Heartbleed pops up?

Sounds great. How do I order one?

The process is incredibly easy and quick. Simply log in to the Cloudflare Dashboard, click on the Crypto tab, and then click the "Order SSL Certificate" button. You’ll be asked whether you need to add custom hostnames, given a chance to input them, and then confirm your billing information. The cost for a Dedicated Certificate is $5 per month and the cost of a Dedicated Certificate with Custom Hostnames is $10 per month.

As soon as you hit "Next" we’ll validate your domain name with one of our Certificate Authorities, charge your account for the remainder of the month, and then order the certificate and distribute it to our edge. The whole process takes just a minute or two to order and send your certificate to all 100 of our datacenters, where it’ll be ready and waiting to accelerate and protect your visitors’ HTTPS sessions.

Use cases for Dedicated Certificates

Isolating certificates from other Cloudflare customers’ zones

While there are no inherent security risks with a shared certificate, we’ve heard from quite a few customers that they do not want their hostnames listed alongside the hostnames of other customers (who may be in other, entirely unrelated industries). By ordering a Dedicated Certificate you can be sure that only your hostnames appear on your certificate.

Isolating certificates for agencies and SaaS providers

Similarly, Dedicated Certificates allow agencies, SaaS providers, and other businesses to isolate their customers onto separate certificates—a must for those serving competing firms in the same industry. If you currently serve customer1 and customer2 on subdomains of your zone, example.com, you can issue a separate certificate to each, guaranteeing that neither customer’s domain name appears on the other’s certificate.

A branded HTTPS experience

Universal SSL certificates are issued using a common name that is a concatenation of "ssl", a six-digit sequence number, and “.cloudflaressl.com”. For example, ssl123456.cloudflaressl.com. With Dedicated Certificates you can use your domain name in this field, and be sure that no other domains—whether an unrelated site of yours or someone else’s—are ever shown to your visitors.
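A practitioner's check for the two points above (other customers' hostnames on a shared certificate, and the cloudflaressl.com common name): inspect the certificate your visitors are actually served and list every name that does not belong to your zone. This is an added example, not Cloudflare's code; the input shape is that of Python's `ssl` `getpeercert()`, and the sample certificate is constructed to look like a shared Universal SSL certificate.

```python
# Added example (not Cloudflare's code): report names on a served certificate
# that fall outside the zone you own. Input is in the dict shape returned by
# ssl.SSLSocket.getpeercert(); the sample below is constructed.
import socket
import ssl


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live lookup (not used by the offline sample): TLS handshake with SNI."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_names(cert: dict) -> list:
    """Common Name followed by every DNS entry in subjectAltName."""
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn + sans


def in_zone(name: str, zone: str) -> bool:
    """True for the zone apex, any subdomain, or a wildcard beneath it."""
    name, zone = name.lower().lstrip("*."), zone.lower()
    return name == zone or name.endswith("." + zone)


def foreign_names(cert: dict, zone: str) -> list:
    """Names on the certificate that do not belong to the given zone."""
    return sorted({n for n in cert_names(cert) if not in_zone(n, zone)})


# Constructed sample mimicking a shared Universal SSL certificate.
SHARED_CERT = {
    "subject": ((("commonName", "ssl123456.cloudflaressl.com"),),),
    "subjectAltName": (
        ("DNS", "ssl123456.cloudflaressl.com"),
        ("DNS", "example.com"), ("DNS", "*.example.com"),
        ("DNS", "othercustomer.net"), ("DNS", "*.othercustomer.net"),
    ),
}

# Constructed sample mimicking a Dedicated Certificate for example.com.
DEDICATED_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    for label, cert in (("shared", SHARED_CERT), ("dedicated", DEDICATED_CERT)):
        print(label, "->", foreign_names(cert, "example.com") or "only your zone")
```

Replace the constructed dicts with `fetch_peer_cert("www.example.com")` to audit a live zone.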

Protecting multiple levels of subdomains

Until today, if you had orange-clouded (proxied) entries in DNS for hosts such as www.staging.example.com and www.uat.example.com, you would need a Business or Enterprise plan to avoid showing your users SSL errors (that may or may not be dismissible, depending on other security settings). Using Dedicated Certificates with Custom Hostnames you can now order a certificate protecting *.staging.example.com, *.uat.example.com—with room for up to 50 total hostnames or wildcards.

Control over reissuance frequency

Dedicated Certificates give you control over how frequently you want your private key to be regenerated and your certificate reissued. Want us to reissue your certificate immediately? Weekly? Simply delete it from the Edge Certificates table and request another one through our UI or API. You won’t be charged for the replacement unless you explicitly cancel your monthly subscription.

Dedicated private keys for SSL in China (coming soon)

Enterprise customers that want to serve SSL within China may have concerns about using the same private key there as the one that secures their HTTPS traffic in other parts of the world. We’re looking forward to giving you control over designating a specific Dedicated SSL Certificate to be used exclusively in China.

What if I make a mistake during my order?

Not a problem. Simply delete the certificate from the Edge Certificates card on the Crypto tab in your dashboard and re-order it. You will not be prompted for payment again unless you explicitly cancel the subscription from the Subscriptions page.

Can Dedicated Certificates be used with all plans?

Yes, all Cloudflare plans can order Dedicated Certificates.

If you are a Free, Pro, or Business customer, simply follow the instructions above to place an order. If you are an Enterprise customer or want to order certificates for a Multi-User Organization, please contact your Customer Success Engineer to request that your account be provisioned with the desired number of certificates.

Note that in all cases you must have completed the onboarding process for your zone and have your nameservers pointed to Cloudflare DNS. We are working on adding support for those zones that use an external DNS provider, or have been onboarded through one of our partners.

I have a Universal SSL certificate, a Dedicated Certificate, a Dedicated Certificate with Custom Hostnames, and an Uploaded Certificate all listed in the dashboard. Which one will be served to my web visitors?

Certificates are served in the following priority order (from highest to lowest):

  1. Uploaded Certificates

  2. Dedicated Certificates with Custom Hostnames

  3. Dedicated Certificates

  4. Universal Certificates

However, if the highest priority certificate doesn’t have a hostname matching the incoming request, we’ll move on to the next certificate. If none of the certificates can handle the request, e.g., you’re serving traffic at www.staging.example.com but haven’t purchased a Dedicated Certificate with Custom Hostnames (or uploaded a certificate to a Business or Enterprise plan), your users will see an error.
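The selection order just described, modelled as an added example (not Cloudflare's code): certificates are tried highest priority first, a certificate is used only if one of its names covers the requested hostname, and a single-level wildcard such as *.example.com does not cover www.staging.example.com. The certificate inventory below is constructed.

```python
# Added example (not Cloudflare's code): certificate selection for one zone,
# following the priority order described above. "*" matches exactly one DNS
# label, so *.example.com covers www.example.com but not www.staging.example.com.
from dataclasses import dataclass
from typing import Optional

PRIORITY = ["uploaded", "dedicated_custom", "dedicated", "universal"]


@dataclass
class Cert:
    kind: str    # one of PRIORITY
    names: list  # Common Name plus subjectAltName entries


def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; a leading '*.' covers one label only."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]
    return bool(prefix) and "." not in prefix


def select_certificate(certs: list, host: str) -> Optional[Cert]:
    """Walk certificates highest priority first; return the first that covers host."""
    for cert in sorted(certs, key=lambda c: PRIORITY.index(c.kind)):
        if any(name_matches(n, host) for n in cert.names):
            return cert
    return None  # nothing can serve this hostname: visitors would see an error


# Constructed inventory for example.com: an uploaded cert for one host, a shared
# Universal cert, and a Dedicated Certificate with Custom Hostnames.
INVENTORY = [
    Cert("uploaded", ["shop.example.com"]),
    Cert("universal", ["ssl123456.cloudflaressl.com", "example.com", "*.example.com",
                       "othercustomer.net", "*.othercustomer.net"]),
    Cert("dedicated_custom", ["example.com", "*.example.com", "*.staging.example.com"]),
]

if __name__ == "__main__":
    for host in ["shop.example.com", "www.example.com",
                 "www.staging.example.com", "www.uat.example.com"]:
        chosen = select_certificate(INVENTORY, host)
        print(host, "->", chosen.kind if chosen else "no matching certificate")
```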

How do Dedicated Certificates differ from Let's Encrypt or another CA?

Cloudflare works with Let's Encrypt (and other CA certificates) in two ways: you can upload a Let's Encrypt certificate and we will serve it to your visitors, and when we make a connection to your origin server you can use a Let's Encrypt certificate to secure the connection.

Cloudflare's Dedicated Certificates fully automate the process of acquiring and distributing a certificate and have added advantages over using a third-party certificate.

  1. We optimize the certificate chain to maximize compatibility with browsers/user agents, and deploy multiple versions of your certificate—SHA-2/ECDSA, SHA-2/RSA, and SHA-1/RSA—in a certificate pack. Based on the capabilities of the browser sending each incoming request, we’ll serve the most optimal certificate for that connection.

  2. We support both custom names on the certificate and wildcard records (at multiple levels).

  3. We handle renewal automatically and distribute renewed certificates without any work required by you.

How do Dedicated Certificates relate to Origin CA certificates?

Dedicated Certificates encrypt traffic between your visitors’ web browsers and Cloudflare, while Origin CA certificates encrypt traffic between Cloudflare and your (origin) server.

When a user connects to your site hosted on Cloudflare, e.g., https://www.example.com, a Dedicated Certificate will be used if it exists. When we need to fetch data from your origin server, we’ll look for an Origin CA (or other) certificate on your origin.

The two offerings are complementary and should be used together with Strict mode to create a validated, end-to-end encrypted connection.

Can I put multiple domains on my Dedicated Certificate?

No, these certificates are branded with the Common Name (CN) of the domain under which you placed the order. All custom hostnames or wildcard entries added must be subdomains of this parent zone.

If you would like a Dedicated Certificate for another domain, simply switch to that zone using the "Select Website" dropdown in the top-left corner of the Cloudflare Dashboard.

Want to work with the amazing group of Software Engineers and Product Designers that built this product?

We’d love to talk to you. And we’re always hiring. Reach out on whatever medium suits you, or find us at https://www.cloudflare.com/join-our-team!
