Issue certificates
Cloudflare automatically issues certificates when you create a custom hostname.
Certificate authorities
If you create the custom hostname via API, you can leave the certificate_authority parameter empty to set it to “default CA”. With this option, Cloudflare checks the CAA records before requesting the certificates, which helps ensure the certificates can be issued from the CA.
Refer to this certificate authorities reference page to learn more about the CAs that Cloudflare uses to issue SSL/TLS certificates.
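To see what a CAA check decides before a certificate request, the following added example (not Cloudflare's code) applies the RFC 8659 rules to a CAA record set that has already been looked up for the hostname. The CA identifiers ca-one.example and ca-two.example and the sample records are constructed placeholders; substitute the issuer domain of the CA you expect to issue.

```python
# Added example: RFC 8659 CAA evaluation over an already-retrieved record set.
# CA identifiers and records below are constructed placeholders.

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata):
    """Parse 'flags tag "value"' presentation format into (flags, tag, value)."""
    flags, tag, value = rdata.split(None, 2)
    return int(flags), tag.lower(), value.strip().strip('"')

def issuer_domain(value):
    """Issuer domain is the text before any ';' parameters ('' = no CA allowed)."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(rrset, ca_domain, wildcard=False):
    """Return True if the relevant CAA RRset permits ca_domain to issue."""
    records = [parse_caa(r) for r in rrset]
    # An unrecognised property with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, tag, v in records if tag == "issue"]
    issuewild = [v for _, tag, v in records if tag == "issuewild"]
    # For wildcard names, issuewild replaces issue when at least one is present;
    # for non-wildcard names, issuewild is ignored entirely.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no restricting property: CAA does not limit issuance
    return any(issuer_domain(v) == ca_domain.lower() for v in relevant)

# Constructed sample: only ca-one.example may issue, wildcards go to ca-two.example.
SAMPLE_RRSET = [
    '0 issue "ca-one.example; account=12345"',
    '0 issuewild "ca-two.example"',
    '0 iodef "mailto:security@customer.example"',
]

if __name__ == "__main__":
    for ca in ("ca-one.example", "ca-two.example"):
        for wc in (False, True):
            verdict = "allowed" if ca_may_issue(SAMPLE_RRSET, ca, wc) else "blocked"
            print(f"{ca:16} wildcard={wc!s:5} -> {verdict}")
```

The function does not perform the DNS lookup or the climb toward the parent domains that locates the relevant record set; it only evaluates the records it is given.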
Certificate details and compatibility
For each custom hostname, Cloudflare issues two certificates bundled in chains that maximize browser compatibility (unless you upload custom certificates).
The primary certificate uses a P-256 key, is SHA-2/ECDSA signed, and will be presented to browsers that support elliptic curve cryptography (ECC). The secondary or fallback certificate uses an RSA 2048-bit key, is SHA-2/RSA signed, and will be presented to browsers that do not support ECC.