Cloudflare Docs

Cloudflare Docs

Overview
Get started
Edge certificates
Universal SSL
Enable Universal SSL certificates
Disable Universal SSL certificates
Limitations
Troubleshooting
Advanced certificates
Manage advanced certificates
API commands
Custom certificates
Manage custom certificates
Renewing
Bundle methodologies
Add CAA records
Remove key file password
Enforce HTTPS connections
Domain Control Validation (DCV)
Methods
TXT
Email
HTTP
Troubleshooting
Staging environment (Beta)
Backup certificates
Additional options
Certificate Transparency Monitoring
HTTP Strict Transport Security (HSTS)
Certificate Signing Requests (CSRs)
TLS 1.3
Minimum TLS Version
Automatic HTTPS Rewrites
Total TLS
Enable
Error messages
Always Use HTTPS
Opportunistic Encryption
Client certificates
Create a client certificate
Configure your mobile app or IoT device
Enable mTLS
Revoke a client certificate
Troubleshooting
Keyless SSL
Get started
Hardware security modules
Configuration
AWS cloud HSM
Azure Dedicated HSM
Azure Managed HSM
SoftHSMv2
Entrust nShield Connect
IBM cloud HSM
Google Cloud HSM
Upgrade your key server
Reference
High availability
Scaling and benchmarking
Keyless delegation
Troubleshooting
Mutual authentication
Origin server
Encryption modes
Off (no encryption)
Flexible
Full
Full (strict)
Strict (SSL-Only Origin Pull)
Cipher suites
Origin CA certificates
SSL/TLS Recommender
Authenticated origin pull
How authenticated origin pulls work
Set up authenticated origin pulls
Custom origin trust store
SSL for SaaS
Reference
Cipher suites
Recommendations
Supported cipher suites
Customize cipher suites
Compliance status
Custom certificates
Match on origin
Troubleshooting
TLS protocols
Certificate and hostname priority
Certificate authorities
Browser compatibility
Migration guides
Changes to HTTP DCV
DigiCert update
Universal certificates
Advanced certificates
Custom hostnames
Certificate pinning
Certificate statuses
Validation backoff schedule
Validity periods
Troubleshooting
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
ERR_TOO_MANY_REDIRECTS

Reference

For more on Cloudflare SSL/TLS, refer to these articles:

Cipher suites: Cipher suites are a combination of ciphers used to negotiate security settings during the SSL/TLS handshake (and therefore separate from the SSL/TLS protocol).
TLS protocols: Cloudflare supports a variety of TLS protocols, ranging from TLS 1.0 to TLS 1.3.
Certificate and hostname priority: Learn about how Cloudflare decides which certificate (and the associated SSL/TLS settings) apply to individual hostnames.
Certificate authorities: Learn more about the certificate authorities Cloudflare uses to issue Universal, Advanced, or SSL for SaaS certificates.
Browser compatibility: Cloudflare attempts to provide compatibility for as wide a range of user agents (browsers, API clients, etc.) as possible. The specific set of supported browsers differs by SSL product, however. See below for specific details.
Migration guides: These guides walk you through the migration processes associated with various changes in Cloudflare’s SSL/TLS infrastructure.
Certificate pinning: Cloudflare does not support HTTP public key pinning (HPKP) for Universal, Advanced, or Custom Hostname certificates.
Certificate statuses: Certificates statuses show which stage of the issuance process each certificate is in.
Validation backoff schedule: Domain control validation (DCV) has to happen before a Certificate Authority (CA) will issue a certificate for a domain. If DCV fails, Cloudflare automatically retries it on a schedule.
Validity periods: When you order an advanced certificate, you can select the following values for the Certificate validity period: