Using Cloudflare as an External SSL Certificate Provider in an era of shortening TLS lifetimes 

By Sam Taylor, Cloud Engineer

The Problem 

Starting in 2026, organizations will face much shorter TLS certificate lifetimes, creating a need for more frequent renewals. This change, announced in May 2025 by the CA/Browser Forum, reduces the maximum certificate lifetime progressively: 

  • March 15, 2026: 200 days 
  • March 15, 2027: 100 days 
  • March 15, 2029: 47 days 

Currently, the maximum certificate lifetime is 398 days, but these upcoming changes will significantly increase the frequency of renewals. For organizations that struggle with managing their complete certificate inventory (with only 5% fully automating certificate management), this will be a daunting challenge. Many IT professionals are concerned about how to tackle this issue as it draws closer.

Fortunately, Cloudflare offers a solution that simplifies automated certificate management without needing agents, while also reducing the cost of purchasing publicly signed certificates. 

What Are Cloudflare Edge Certificates? 

When you delegate a zone to Cloudflare, it automatically issues a Universal SSL certificate for your domain. This certificate, managed by Cloudflare and issued by Google Trust Services (or Let’s Encrypt), is valid for both the root domain (e.g., example.com) and its first-level subdomains (e.g., *.example.com).

This certificate renews automatically every 3 months, requiring no intervention. When your site is proxied through Cloudflare, users will see this valid Cloudflare certificate instead of your site’s publicly signed certificate. 

The best part? This service is free for all domains added to Cloudflare. 

For most organizations, this can eliminate the need for purchasing and renewing publicly signed certificates for external sites, while also removing the complexity of installing and maintaining agents to automate certificate replacements. 

What About Higher-Level Domains? 

A common concern is what happens if you have higher-level domains like one.two.example.com or one.two.three.example.com. The Universal SSL certificate issued by Cloudflare only covers example.com and *.example.com. 

Here, Cloudflare’s Advanced Certificate Manager can help. This add-on (available on all Cloudflare plans) enables a feature called Total TLS. With Total TLS, Cloudflare issues an individual certificate for each proxied hostname, so you can protect higher-level domains instantly upon onboarding. 

Additionally, Advanced Certificate Manager offers greater flexibility for customization and management on a per-hostname basis, allowing you to tailor the setup for different sites. 

Do I Still Need a Publicly Signed Certificate on My Origin? 

Cloudflare provides four encryption modes for the connection between its edge and your origin. In every mode, users are presented with Cloudflare’s auto-renewing certificate; in every mode except Flexible, the connection between Cloudflare and your server is encrypted as well. Here’s a breakdown of those modes:

  1. Full
    • Cloudflare presents an SSL certificate to users.
    • Your origin server must have an SSL certificate, but it doesn’t need to be publicly trusted or valid.
    • The connection from Cloudflare to your origin server must use HTTPS.
  2. Full (Strict)
    • Cloudflare presents an SSL certificate to users.
    • Your origin server must have a publicly trusted SSL certificate or a Cloudflare Origin CA certificate.
  3. Strict (SSL-Only Origin Pull)
    • Same as Full (Strict), but it forces Cloudflare to always use HTTPS when connecting to the origin server, regardless of the user’s protocol.
  4. Flexible
    • Cloudflare presents an SSL certificate to users.
    • There is no SSL certificate on the origin server, and all connections from Cloudflare to the origin server are made over HTTP.
    • Note: This is not recommended outside of edge cases, as it doesn’t encrypt traffic end-to-end.

What Is a Cloudflare Origin Certificate? 

For users who want end-to-end encryption with Cloudflare’s Full (Strict) or Strict (SSL-Only Origin Pull) modes, using a publicly trusted certificate on the origin server may not align with their security goals. This is where Cloudflare Origin Certificates come into play.

These certificates encrypt traffic between Cloudflare and your origin server and act as a substitute for publicly signed certificates. Origin certificates can cover any required hostnames and can be applied to any relevant origin server. Note that they are trusted only by Cloudflare’s edge, not by browsers, so they belong only on hosts that are reached through the Cloudflare proxy.

Best of all, these certificates have a maximum 15-year lifetime and require no maintenance or agents to keep them active. 

How Does This All Come Together? 

  1. Onboard your site to Cloudflare with proxying enabled.
  2. Cloudflare automatically generates a Universal SSL certificate.
  3. Generate a Cloudflare Origin Certificate and apply it to your origin server.
  4. Set your encryption mode to Full (Strict).
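Steps 3 and 4 above, scripted with openssl and the Cloudflare API, as an added example that is not part of the original post or of Cloudflare’s own tooling. It assumes CF_ORIGIN_CA_KEY (an Origin CA key), CF_API_TOKEN and CF_ZONE_ID are supplied by the operator, OpenSSL 1.1.1 or later for `-addext`, and GNU `date` for the final monitoring check; the hostnames are constructed examples.

```shell
#!/usr/bin/env bash
# Added example: steps 3 and 4 above via openssl and the Cloudflare API. CF_ORIGIN_CA_KEY,
# CF_API_TOKEN and CF_ZONE_ID are operator-supplied placeholders; hostnames are assumed.
set -euo pipefail

# Validity periods (days) the Origin CA endpoint accepts; 5475 is the 15-year maximum.
validity_ok() { case "$1" in 7|30|90|365|730|1095|5475) return 0 ;; *) return 1 ;; esac; }
# Step 3a: ECC key plus a CSR whose SANs list every hostname this origin serves.
# Usage: gen_origin_csr <outdir> <hostname> [hostname...]
gen_origin_csr() {
  local dir="$1"; shift
  local cn="$1" sans=""
  for h in "$@"; do sans="${sans:+$sans,}DNS:$h"; done
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/origin.key"
  chmod 600 "$dir/origin.key"
  openssl req -new -key "$dir/origin.key" -subj "/CN=$cn" \
    -addext "subjectAltName=$sans" -out "$dir/origin.csr"
}
# Build the JSON body for POST /client/v4/certificates (the CSR's newlines become \n).
# Usage: origin_cert_request <csr-file> <days> <hostname> [hostname...]
origin_cert_request() {
  local csr="$1" days="$2"; shift 2
  validity_ok "$days" || { echo "unsupported requested_validity: $days" >&2; return 1; }
  local hosts; hosts=$(printf '"%s",' "$@"); hosts="[${hosts%,}]"
  printf '{"hostnames":%s,"requested_validity":%s,"request_type":"origin-ecc","csr":"%s"}' \
    "$hosts" "$days" "$(awk '{printf "%s\\n", $0}' "$csr")"
}

# Step 3b: have Cloudflare sign the CSR; the PEM is returned in result.certificate and
# goes on the origin next to origin.key. Trusted by Cloudflare's edge only, not browsers.
request_origin_cert() {   # args: <csr-file> <days> <hostname>...
  curl -sS -X POST https://api.cloudflare.com/client/v4/certificates \
    -H "X-Auth-User-Service-Key: ${CF_ORIGIN_CA_KEY}" -H "Content-Type: application/json" \
    --data "$(origin_cert_request "$@")"
}

# Step 4: Full (Strict). From now on Cloudflare refuses origins whose certificate is
# neither publicly trusted nor issued by its Origin CA, so run this after step 3.
set_full_strict() {
  curl -sS -X PATCH "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/settings/ssl" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" -H "Content-Type: application/json" \
    --data '{"value":"strict"}'
}

# Monitoring: days left on the certificate users actually receive (GNU date assumed).
edge_days_left() {
  local end; end=$(openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null |
    openssl x509 -noout -enddate | cut -d= -f2)
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}
```

Only the key and CSR generation and the request-body construction run offline; the two curl calls and the expiry check need network access and the real credentials.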

With these simple configuration steps, your site will present a Google Trust Services certificate to users, and your origin server will use an Origin Certificate. This setup provides automatic certificate renewals and ensures your site is ready for the upcoming 47-day certificate lifecycle—without purchasing publicly signed certificates or deploying agents. 

Additionally, your site benefits from all of Cloudflare’s proxy features, enhancing both security and performance. 

Ready for a 47-Day Certificate Lifecycle?

Don’t wait for shortened certificate lifetimes to disrupt your operations. Let TekStream design a Cloudflare-based solution that eliminates renewal risk, reduces certificate spend, and simplifies management. Talk to our Cloudflare experts today.

About the Author

Sam Taylor joins TekStream with a wealth of experience as the Cloudflare Administrator for the Indiana State Government, where he’s spent his career helping state and local organizations enhance their web and application security. At TekStream, Sam partners with clients to design Cloudflare-based solutions that strengthen the security of both public-facing sites and applications, as well as internal infrastructures. He holds advanced-level certifications in Application Security and Zero Trust from Cloudflare and has a Bachelor’s degree in Information Technology from Purdue University, with a focus on Cybersecurity and Network Engineering.