Advanced certificates
Use advanced certificates when you want something more customizable than Universal SSL but still want the convenience of SSL certificate issuance and renewal.
To order advanced certificates, you must purchase the Advanced Certificate Manager add-on. This add-on also unlocks the features listed below.
Advanced Certificate Manager allows you to:
- Order advanced certificates that can:
  - Include up to 50 hosts as covered hostnames (the zone apex must be one of these 50).
  - Cover more than one level of subdomain.
  - Be issued by the certificate authority (CA) you choose.
  - Use your preferred validation method.
  - Have the validity period you choose.
- Automate domain control validation (DCV) for zones on a CNAME setup using delegated DCV.
- Enable Total TLS to automatically protect proxied hostnames.
- Select a custom trust store for origin authentication.
- Control cipher suites and per-hostname minimum TLS version.
| | Free | Pro | Business | Enterprise |
|---|---|---|---|---|
| Availability | Paid add-on | Paid add-on | Paid add-on | Paid add-on |
Advanced certificates do not apply to Cloudflare Pages or R2 custom domains. Due to certificate prioritization, these products use Cloudflare for SaaS certificates instead.
Advanced certificates are Domain Validated (DV). If your organization needs Organization Validated (OV) or Extended Validation (EV) certificates, refer to Custom certificates.
Advanced certificates cover hostnames within a single domain. If you need a certificate that spans multiple domains (a multi-domain certificate), use Cloudflare for SaaS. For architecture guidance, refer to Leveraging Cloudflare for your SaaS applications.
Advanced Certificate Manager supports deep, multi-level subdomains (for example, api.staging.example.com). There is no arbitrary limit on the number of subdomain levels, but you must consider the following constraints.
These limits are defined by internet standards (RFC 1035 and RFC 5280) and apply to all certificates, regardless of the certificate authority:
- Total domain length: The entire domain name cannot exceed 253 characters.
- Label length: Each individual level (the text between dots) cannot exceed 63 characters.
- Common Name (CN) length: The Common Name field of a certificate cannot exceed 64 characters. If a hostname on your certificate exceeds 64 characters, you must order the certificate via the API and set the `cloudflare_branding` option to `true`. This places `sni.cloudflaressl.com` in the CN field and your long hostname in the SAN field. The dashboard does not support ordering certificates with hostnames longer than 64 characters.
Wildcard certificates only cover one subdomain level:
- A certificate for `*.example.com` covers `www.example.com` and `api.example.com` but not `api.staging.example.com`.
- To cover multiple levels, you must explicitly add a wildcard for each level to your certificate (for example, `*.example.com`, `*.staging.example.com`).
A single advanced certificate can include up to 50 hosts (SANs) total. The zone apex must be one of these 50, leaving room for up to 49 additional hostnames or wildcards.
The character-length limits above (253-character total, 63-character label, 64-character CN) are defined by IETF standards (RFC 1035, RFC 5280) and apply uniformly across all CAs. Other constraints, such as the per-certificate SAN count and supported validity periods, are Cloudflare advanced certificates limits or vary by CA. Refer to Certificate authorities for CA-specific details.
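A pre-flight check for a proposed host list, written as an added example and not Cloudflare's own code: it applies the length limits, the 50-host rule, and one-level wildcard matching described above, and reports hostnames that would be left uncovered. The function names (`covers`, `check_order`) and the `must_serve` parameter are hypothetical, and the sample hostnames are constructed.

```python
# Added example: the limits are the ones quoted on this page;
# the function and parameter names are hypothetical.
MAX_NAME, MAX_LABEL, MAX_CN, MAX_HOSTS = 253, 63, 64, 50


def _norm(name):
    return name.lower().rstrip(".")


def covers(cert_name, hostname):
    """True if cert_name covers hostname; a leading '*' matches exactly one label."""
    c, h = _norm(cert_name).split("."), _norm(hostname).split(".")
    if len(c) != len(h):
        return False
    if c[0] == "*":
        return c[1:] == h[1:]
    return c == h


def check_order(zone_apex, hosts, must_serve=()):
    """Return (errors, needs_branding) for a proposed host list.

    needs_branding is True when any host exceeds the 64-character CN limit,
    the case the page says must be ordered via the API with
    cloudflare_branding set to true.
    """
    apex = _norm(zone_apex)
    names = [_norm(h) for h in hosts]
    errors = []
    if apex not in names:
        errors.append("zone apex must be one of the hosts")
    if len(names) > MAX_HOSTS:
        errors.append(f"{len(names)} hosts exceeds the limit of {MAX_HOSTS}")
    for n in names:
        if n != apex and not n.endswith("." + apex):
            errors.append(f"{n}: not within {apex}")
        if len(n) > MAX_NAME:
            errors.append(f"{n[:20]}...: name longer than {MAX_NAME} characters")
        if any(len(label) > MAX_LABEL for label in n.split(".")):
            errors.append(f"{n[:20]}...: label longer than {MAX_LABEL} characters")
    for target in must_serve:
        if not any(covers(n, target) for n in names):
            errors.append(f"{target}: no host on the certificate covers it")
    return errors, any(len(n) > MAX_CN for n in names)


if __name__ == "__main__":
    hosts = ["example.com", "*.example.com"]  # constructed sample input
    print(check_order("example.com", hosts, ["www.example.com", "api.staging.example.com"]))
```

Hostnames that end up in the "no host covers it" list would be served without a matching certificate name, so the check is worth running before a new multi-level subdomain goes live.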