---
copyright:
lastupdated: "2024-10-21"
keywords:
subcollection: cis
---
{{site.data.keyword.attribute-definition-list}}
# Managing edge certificates
{: #managing-edge-certs}

{{site.data.keyword.cis_full}} offers three types of edge certificates: Universal, Advanced, and Custom.
{: shortdesc}
## Universal certificates
{: #universal-certificate-type}
By default, {{site.data.keyword.cis_short_notm}} issues free, unshared, publicly trusted SSL certificates to all domains added on {{site.data.keyword.cis_short_notm}}. For these Universal certificates, {{site.data.keyword.cis_short_notm}} controls the validity periods and certificate authorities (CAs), making sure that renewals always occur. Universal certificates that are issued by Let's Encrypt or Google Trust Services have a 90-day validity period.
{{site.data.keyword.cis_short_notm}} can change the CA of Universal certificates without prior notice and does not notify you of these changes. If you prefer to select your own issuing certificate authority, order an Advanced certificate.
{: attention}

## Advanced certificates
{: #advanced-certificate-type}
Advanced certificates offer a flexible and customizable way to issue and manage certificates. Use advanced certificates when you want something more customizable than Universal SSL but still want the convenience of SSL certificate issuance and renewal.
Advanced certificates are ordered directly through {{site.data.keyword.cis_short_notm}}.
### Certificate validity and renewal periods
{: #cert-validity-renewal-periods}
Universal certificates are always valid for 90 days and are renewed automatically 30 days before expiration.
With Advanced certificates, you can select the validity period, and therefore the auto-renewal period, as shown in the following table.

| Certificate validity period | Auto renewal period | Details |
|---|---|---|
| 3 months | 30 days | |
| 1 month | 7 days | Not supported by Let's Encrypt |
| 2 weeks | 3 days | Not supported by Let's Encrypt |
{: caption="{{site.data.keyword.cis_short_notm}} certificate validity periods" caption-side="bottom"}

Renewal periods are automated on the back end and are not customizable.
{: note}

### Backup certificates
{: #backup-certificates}
If {{site.data.keyword.cis_short_notm}} is providing authoritative DNS for your domain, {{site.data.keyword.cis_short_notm}} issues a backup Universal SSL certificate for every standard Universal certificate that it issues.
Backup certificates are wrapped with a different private key and issued from a different certificate authority (Google Trust Services, Let's Encrypt, Sectigo, or SSL.com) than your domain's primary Universal SSL certificate.
These backup certificates are not normally deployed, but {{site.data.keyword.cis_short_notm}} deploys them automatically in the event of a certificate revocation or key compromise.

### Certificate authorities
{: #certificate-authorities}
For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). The following CAs are available for selection in {{site.data.keyword.cis_short_notm}}:
- Let's Encrypt
    - Supports a validity period of 90 days
    - DCV tokens are valid for 7 days
    - Compatibility documentation{: external}
- Google Trust Services
    - Supports validity periods of 14, 30, and 90 days
    - DCV tokens are valid for 14 days
    - Compatibility documentation{: external}
- SSL.com
    - Supports validity periods of 14, 30, and 90 days
    - A 1-year validity period is available to Enterprise customers
    - DCV tokens are valid for 14 days
    - Compatibility documentation{: external}
- DigiCert [deprecated]{: tag-deprecated}
    - Supports validity periods of 14, 30, and 90 days
    - DCV tokens are valid for 30 days
    - Compatibility documentation{: external}
- Sectigo
    - Used only for backup certificates when {{site.data.keyword.cis_short_notm}} is providing authoritative DNS for your domain
    - Supports a validity period of 90 days
    - Compatibility documentation{: external}

## Custom certificates
{: #custom-certificate-type}
Custom certificates are for customers who want to use their own SSL certificates. You upload these certificates to {{site.data.keyword.cis_short_notm}}.
Unlike Universal or Advanced certificates, {{site.data.keyword.cis_short_notm}} does not manage the issuance or renewal for custom certificates. You are responsible for uploading, updating, and tracking the expiration dates of your custom certificates.
## Failure to renew or replace
{: #failure-to-renew-replace}
For certificates managed by {{site.data.keyword.cis_short_notm}}, renewal attempts begin at the start of the auto-renewal period and continue until 24 hours before expiration. If a certificate fails to renew and another valid certificate exists for the hostname, {{site.data.keyword.cis_short_notm}} deploys that valid certificate within these last 24 hours.

## CAA records
{: #caa-records}
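The validity table and the failure-to-renew rule above together define a fixed schedule for each managed certificate. The following example, added here and not part of the {{site.data.keyword.cis_short_notm}} documentation or product code, turns that schedule into dates for one certificate: the validity and auto-renewal periods, the 24-hour fallback window, and the Let's Encrypt restriction all come from this page, while the issue date and the `renewal_schedule` and `certificate_phase` helper names are constructed for illustration.

```python
"""Renewal window calculator for managed edge certificates.

Added example, not IBM Cloud or Cloudflare code. The periods and the
24-hour fallback deadline are taken from the documentation page; the
certificate dates used below are constructed sample values.
"""
from datetime import datetime, timedelta, timezone

# Validity period -> (validity in days, auto-renewal lead time in days),
# as listed in the page's table. "3 months" is the 90-day Universal default.
VALIDITY_TABLE = {
    "3 months": (90, 30),
    "1 month": (30, 7),
    "2 weeks": (14, 3),
}

# Per the CA list on the page, Let's Encrypt only offers 90-day certificates.
CA_SUPPORTED_PERIODS = {
    "Let's Encrypt": {"3 months"},
    "Google Trust Services": {"3 months", "1 month", "2 weeks"},
    "SSL.com": {"3 months", "1 month", "2 weeks"},
    "DigiCert": {"3 months", "1 month", "2 weeks"},
}


def utc_date(year, month, day, hour=0):
    """Small helper so callers can build timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def renewal_schedule(issued_at, validity_period, ca):
    """Return the key dates for a certificate issued at `issued_at`.

    Raises ValueError when the CA does not offer the requested period,
    which is the case for Let's Encrypt with "1 month" or "2 weeks".
    """
    if validity_period not in VALIDITY_TABLE:
        raise ValueError(f"unknown validity period: {validity_period}")
    if validity_period not in CA_SUPPORTED_PERIODS.get(ca, set()):
        raise ValueError(f"{ca} does not support a {validity_period} validity period")
    days, lead = VALIDITY_TABLE[validity_period]
    expires_at = issued_at + timedelta(days=days)
    return {
        "expires_at": expires_at,
        # Renewal attempts start this many days before expiry ...
        "renewal_starts": expires_at - timedelta(days=lead),
        # ... and stop 24 hours before expiry; in that last day another
        # valid certificate for the hostname is deployed if one exists.
        "renewal_deadline": expires_at - timedelta(hours=24),
    }


def certificate_phase(now, schedule):
    """Classify `now` against a schedule: which window it falls in."""
    if now >= schedule["expires_at"]:
        return "expired"
    if now >= schedule["renewal_deadline"]:
        return "fallback-window"  # last 24 h: spare valid cert is deployed
    if now >= schedule["renewal_starts"]:
        return "renewing"
    return "valid"


if __name__ == "__main__":
    # Constructed sample: a 90-day Let's Encrypt certificate issued 2024-10-21.
    schedule = renewal_schedule(utc_date(2024, 10, 21), "3 months", "Let's Encrypt")
    for label, when in schedule.items():
        print(f"{label:17} {when:%Y-%m-%d %H:%M} UTC")
    print("phase on 2024-12-25:", certificate_phase(utc_date(2024, 12, 25), schedule))
```

The `fallback-window` phase is the one worth alerting on: a certificate that is still in that window has failed every renewal attempt, and whether the hostname stays covered now depends on a second valid certificate existing for it.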
A Certificate Authority Authorization (CAA) DNS record specifies which certificate authorities (CAs) are allowed to issue certificates for a domain. This record reduces the chance of unauthorized certificate issuance and promotes standardization across your organization.
The following table lists the CAA record content for each CA:
| Certificate authority | CAA record content |
|---|---|
| Let's Encrypt | letsencrypt.org |
| Google Trust Services | pki.goog; cansignhttpexchanges=yes |
| SSL.com | ssl.com |
| DigiCert | digicert.com; cansignhttpexchanges=yes |
| Sectigo | sectigo.com |
{: caption="CAA record content for each CA" caption-side="bottom"}

## Certificate statuses
{: #certificate-statuses}
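The table gives the value to put in each CAA record, but it does not show how a CA evaluates those records at issuance time, which is what decides whether your Universal or Advanced certificate order (or the backup certificate from Sectigo) can be fulfilled. The following example, added here and not part of the {{site.data.keyword.cis_short_notm}} documentation or product code, renders CAA records for a chosen set of CAs from the table and then applies the RFC 8659 matching rules in simplified form; the zone record sets, and the `caa_records_for`, `parse_caa` and `ca_may_issue` names, are constructed for illustration.

```python
"""CAA record helper for the CAs listed on this page.

Added example, not IBM Cloud or Cloudflare code. CAA_CONTENT is copied
from the page's table; the zone record sets used below are constructed
sample data, and the matching logic is a simplified RFC 8659 check.
"""

# CAA record content per CA, copied from the table on this page.
CAA_CONTENT = {
    "Let's Encrypt": "letsencrypt.org",
    "Google Trust Services": "pki.goog; cansignhttpexchanges=yes",
    "SSL.com": "ssl.com",
    "DigiCert": "digicert.com; cansignhttpexchanges=yes",
    "Sectigo": "sectigo.com",
}


def caa_records_for(cas, tag="issue"):
    """Render zone-file style CAA records authorizing exactly `cas`."""
    return [f'0 {tag} "{CAA_CONTENT[ca]}"' for ca in cas]


def parse_caa(record):
    """Split '0 issue "pki.goog; cansignhttpexchanges=yes"' into
    (flags, tag, issuer_domain, {parameter: value})."""
    flags, tag, value = record.split(" ", 2)
    value = value.strip().strip('"')
    issuer, *params = [part.strip() for part in value.split(";")]
    parsed = dict(p.split("=", 1) for p in params if "=" in p)
    return int(flags), tag.lower(), issuer.lower(), parsed


def ca_may_issue(zone_records, ca, wildcard=False):
    """Decide whether `ca` may issue for a zone with these CAA records.

    Rules applied (simplified from RFC 8659):
    - No CAA records at all: every CA may issue.
    - A critical record (flag bit 128) with an unrecognized tag forbids issuance.
    - 'issuewild' records govern wildcard requests when present; otherwise
      'issue' records do.
    - An empty issuer, as in '0 issue ";"', authorizes nobody.
    """
    if not zone_records:
        return True
    wanted = CAA_CONTENT[ca].split(";")[0].strip().lower()
    parsed = [parse_caa(r) for r in zone_records]
    known = ("issue", "issuewild", "iodef")
    if any(flags & 128 and tag not in known for flags, tag, _, _ in parsed):
        return False
    has_wild = any(tag == "issuewild" for _, tag, _, _ in parsed)
    tag_in_force = "issuewild" if wildcard and has_wild else "issue"
    issuers = {issuer for _, tag, issuer, _ in parsed if tag == tag_in_force}
    return wanted in issuers


if __name__ == "__main__":
    # Constructed sample zone: only the two CAs in use are authorized.
    zone = caa_records_for(["Let's Encrypt", "Google Trust Services"])
    for rec in zone:
        print(rec)
    for ca in CAA_CONTENT:
        print(f"{ca:22} may issue: {ca_may_issue(zone, ca)}")
```

Note that the `cansignhttpexchanges=yes` parameter is preserved by `parse_caa` but does not affect the authorization decision; it only signals to Google Trust Services and DigiCert that certificates usable for Signed HTTP Exchanges may be issued.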
Each certificate status describes where in the issuance process you are, and can vary depending on the type of certificate.
### New certificates
{: #new-cert-status}
When you order a new certificate, whether it's an edge certificate or a certificate that is used for a custom hostname, its status moves through various stages as it progresses to the global network.
- Initializing
- Pending Validation
- Pending Issuance
- Pending Deployment
- Active
After you issue a certificate, it moves to Pending Validation and changes to Active after validation is completed. If you see any errors, you might need to take more actions to validate the certificate.
If you deactivate a certificate, it moves to Deactivating and then to Inactive status.

### Custom certificates
{: #custom-cert-status}
When you use a custom certificate and your zone status is Pending or Moved, your certificate might have a status of Holding Deployment.
When your zone becomes active, your custom certificate deploys automatically and changes to an Active status. However, if your zone is already active when you upload a custom certificate, you do not see this status.
### Staging certificates
{: #staging-cert-status}
When you create certificates in your staging environment, those staging certificates have their own set of statuses.
- Staging deployment: Similar to Pending Deployment, but for staging certificates.
- Staging active: Similar to Active, but for staging certificates.
- Deactivating: Your staging certificate is in the process of becoming Inactive.
- Inactive: Your staging certificate is not at the edge, but you can deploy it if needed.
### Client certificates
{: #client-cert-status}
When you use client certificates, those client certificates have their own set of statuses:
- Active: The client certificate is active.
- Revoked: The client certificate is revoked.
- Pending Reactivation: The client certificate was revoked, but is being restored.
- Pending Revocation: The client certificate was active, but is being revoked.
## Related links
{: #related-links-certificates}