Advanced certificates
On March 6, 2023, Cloudflare will stop using DigiCert as an issuing certificate authority (CA) for new advanced certificates. This will not affect existing advanced certificates.
On March 13, 2023, Cloudflare will stop using DigiCert as the CA for advanced certificate renewals. This will not affect existing advanced certificates, only their renewals.
Summary of changes
This table provides a summary of the differences between DigiCert and Cloudflare’s other CAs.
Area | DigiCert | Other CAs | Actions required |
---|---|---|---|
Domain Control Validation (DCV) | If a certificate has multiple hostnames in the Subject Alternative Name (SAN), one DCV record is required to complete validation. | If a certificate has multiple hostnames in the SAN, one DCV token is required for every hostname on the certificate (five hostnames in the SAN would require five DCV tokens). This will also require two DCV tokens to validate a certificate that covers an apex and wildcard ( example.com , *.example.com ). | Full zones: As long as Cloudflare remains the Authoritative DNS provider, no action is required since Cloudflare can complete TXT based DCV for certificate issuances and renewals. Partial zones: Cloudflare will complete HTTP DCV for non-wildcard hostnames, as long as they are proxying traffic through Cloudflare. For advanced certificates with wildcard hostnames, you should consider Delegated DCV. If that does not work, you will be required to complete TXT DCV for Advanced certificates with wildcard hostnames by placing the TXT DCV token at your Authoritative DNS provider. |
API | Customers can choose “digicert” as the issuing CA when using the API. | Customers can only choose “lets_encrypt” or “google” when using the API. | If you are currently using DigiCert as the issuing CA when creating advanced certificates, switch your integration to use Let’s Encrypt or Google. |
DCV Methods | Email DCV is available. | Email DCV will be deprecated. Customers will be required to use HTTP or DNS DCV. | If an existing certificate is relying on Email DCV then when the certificate comes up for renewal, Cloudflare will attempt to complete HTTP validation. If HTTP validation is not possible, then Cloudflare will use TXT DCV and return the associated tokens. |
Validity period | Advanced certificates can be valid for 14, 30, 90, or 365 days. | Advanced certificates can be valid for 14, 30, or 90 days. | No action required. Certificates will be renewed more frequently. Certificates using 14 or 30 day validity periods will be required to use Google Trust Services on renewal. Let’s Encrypt only supports certificates with 90 day validity periods. |
Required actions
Before March 6, 2023
If your system integrates with the Cloudflare API to order advanced certificates, you will need to update the following fields:
- The
"certificate_authority"
field should either use Google Trust Services ("google"
) or Let’s Encrypt ("lets_encrypt"
). - The
"validation_method"
field should either use"http"
(only available for non-wildcard hostnames) or"txt"
. - The
"validity_days"
field should either use14
,30
, or90
(14 or 30 day certificates will use Google Trust Services as the issuing CA).
Changes after March 13, 2023
The following changes will automatically affect certificates that are renewed after March 13, 2023. The renewed certificate will have a different certificate pack ID than the DigiCert certificate.
Certificate authorities
DigiCert certificates renewed after March 13th will be issued through a Certificate Authority chosen by Cloudflare (Let’s Encrypt or Google Trust Services).
Validity period
If the current DigiCert certificate has a 365 day validity period, that value will change to 90 in the “validity_days”
field when the certificate is renewed.
DCV method
If the DigiCert certificate had the “validation_method”
set to “email”
, then this value will change to either “txt”
or “http”
when the certificate is renewed.
Full zone certificate renewals will default to TXT DCV and are automatically renewed by Cloudflare. This is because Cloudflare can place the TXT DCV tokens as the Authoritative DNS provider.
Partial zone certificate renewals will default to HTTP DCV, unless there is a wildcard hostname on the certificate.
Certificates with wildcard hostnames will be required to complete Delegated DCV or TXT DCV.
DCV tokens
For multi-hostname or wildcard certificates using DigiCert, multiple DCV records will now be returned in the “validation_records”
field.
This is because DigiCert only requires one DCV record to be placed to validate the apex, wildcard, and subdomains on a certificate. Let’s Encrypt and Google Trust Services follow the ACME protocol which requires that one DCV token is placed for every hostname on a certificate.
If your certificate covers multiple hostnames, then on renewal you will see one DCV token associated with every hostname on the certificate. These tokens will be returned in the “validation_records”
field.
If your certificate includes a wildcard hostname, you will see a TXT DCV token returned for the wildcard hostname. Previously with DigiCert, only one TXT DCV token would have been required at the apex to complete validation for any subdomains or wildcard under the zone.
Required actions
Certificate migration
If you want to take control of migrating your certificates and choose a particular CA - instead of having Cloudflare handle migrations as certificates come up for renewal and choose a CA on your behalf - you will need to:
- Order new certificates (applying all the required changes noted before).
- Make sure your certificates are validated (partial zones will require additional steps than previously).
- Delete all existing DigiCert certificates (once each has been replaced and the new certificate is active).
DCV - Full zones
For full zones1, the only required action is to confirm the your nameservers are still pointing to Cloudflare.
Certificates on full zones - whether using a wildcard hostname or not - will be automatically renewed and validated without any action from you. Cloudflare can complete DCV on your behalf by serving the TXT DCV tokens.
DCV - Partial zones
For partial zones2, the process depends on whether the certificate uses a wildcard hostname.
If every hostname on a non-wildcard certificate is proxying traffic through Cloudflare, Cloudflare can automatically complete DCV on your behalf.
This applies to customers using Universal or Advanced certificates.
If one of the hostnames on the certificate is not proxying traffic through Cloudflare, certificate issuance and renewal will vary based on the type of certificate you are using:
- Universal: Perform DCV using one of the available methods.
- Advanced: In most cases, you can opt for Delegated DCV, which greatly simplifies certificate management.
For wildcard hostname certificates, certificate issuance and renewal varies based on the type of certificate you are using:
- Universal: Perform DCV using one of the available methods.
- Advanced: In most cases, you can opt for Delegated DCV, which greatly simplifies certificate management.
If you cannot use Delegated DCV, you need to use TXT based DCV for certificate issuance and renewal. This means you will need to place one TXT DCV token for every hostname on the certificate. If one or more of the hostnames on the certificate fails to validate, the certificate will not be issued or renewed.
This means that a wildcard certificate covering example.com
and *.example.com
will require two DCV tokens to be placed at the authoritative DNS provider. Similarly, a certificate with five hostnames in the SAN (including a wildcard) will require five DCV tokens to be placed at the authoritative DNS provider.
Fetch DCV tokens
To automatically fetch tokens for certificates that are coming up for renewal, set up notifications for Advanced Certificate Alert events. This notification will include the DCV tokens associated with new or renewed certificates.
Notifications can be sent to an email address or a webhook.
Once you create a new certificate and choose the validation method of TXT, your tokens will be ready after a few seconds.
These tokens can be fetched through the API or the dashboard when the certificates are in a pending validation state during custom hostname creation or during certificate renewals.
You can access these tokens using the API with the GET
request and including status=pending_validation
as a request parameter.
For example, here are two tokens highlighted in the API response for a wildcard certificate.
Response{ "result": [ { "id": "<CERTIFICATE_ID>", "type": "advanced", "hosts": ["*.<DOMAIN>.com", "<DOMAIN>.com"], "primary_certificate": "0", "status": "pending_validation", "certificates": [], "created_on": "2022-10-12T21:46:21.979150Z", "validity_days": 90, "validation_method": "txt", "validation_records": [ { "status": "pending", "txt_name": "_acme-challenge.best3.com", "txt_value": "lXLOcN6cPv0nproViNcUHcahD9TrIPlNgdwesj0pYpk" }, { "status": "pending", "txt_name": "_acme-challenge.best3.com", "txt_value": "O0o8VgJu_OGu-T30_cvT-4xO5ZX1_2WsVNUrpUKE6ns" } ], "certificate_authority": "google" } ]
}
- Log in to the Cloudflare dashboard.
- Choose your account and domain.
- Navigate to SSL/TLS > Edge Certificates.
- Select a certificate.
- Copy the values for Certificate validation TXT name and Certificate validation TXT value.
If you had created a wildcard certificate, you would need to copy the values for two different validation TXT records.
You will need to add all of the DCV records returned in the validation_records
field to your Authoritative DNS provider.
Once you update your DNS records, you can either wait for the next retry or request an immediate recheck.
To request an immediate recheck, send another PATCH request with the same validation_method
as your current validation method.
Once the certificate has been validated, the certificate status will change to Active.