# SSL/TLS

Encrypt your web traffic to prevent data theft and other tampering

> Links below point directly to Markdown versions of each page. Any page can also be retrieved as Markdown by sending an `Accept: text/markdown` header to the page's URL without the `index.md` suffix (for example, `curl -H "Accept: text/markdown" https://developers.cloudflare.com/ssl/`).
>
> For other Cloudflare products, see the [Cloudflare documentation directory](https://developers.cloudflare.com/llms.txt).
>
> Use [SSL/TLS llms-full.txt](https://developers.cloudflare.com/ssl/llms-full.txt) for the complete SSL/TLS documentation in a single file, intended for offline indexing, bulk vectorization, or large-context models.

## Overview

- [Cloudflare SSL/TLS](https://developers.cloudflare.com/ssl/index.md): Cloudflare SSL/TLS offers free Universal SSL alongside advanced and enterprise features to meet your encryption and certificate management needs.

## Concepts

- [Concepts](https://developers.cloudflare.com/ssl/concepts/index.md): This page defines and articulates key concepts that are relevant to Cloudflare SSL/TLS and are used in the Cloudflare SSL/TLS documentation.

## Get started

- [Get started](https://developers.cloudflare.com/ssl/get-started/index.md): Set up SSL/TLS encryption between visitors, Cloudflare, and your origin server.

## Edge certificates

- [Edge certificates](https://developers.cloudflare.com/ssl/edge-certificates/index.md): Edge certificates are the SSL/TLS certificates that Cloudflare presents to your visitors. Consider how different certificate types align to common use cases.
- [Always Use HTTPS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/index.md): Redirect all HTTP requests to HTTPS for your domain.
- [Automatic HTTPS Rewrites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/automatic-https-rewrites/index.md): Fix mixed content by rewriting HTTP URLs to HTTPS in page responses.
- [Certificate Signing Requests (CSRs)](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/certificate-signing-requests/index.md): Generate CSRs for use with custom certificates.
- [Certificate Transparency Monitoring](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/certificate-transparency-monitoring/index.md): Certificate Transparency (CT) Monitoring is an opt-in feature in public beta that aims at improving security by allowing you to double-check any SSL/TLS certificates issued for your domain.
- [Cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/index.md): Consider information about supported cipher suites, how to meet your security requirements, and how to troubleshoot compatibility and other issues.
- [Compliance standards](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/compliance-status/index.md): Cipher suite compliance with FIPS 140-2, PCI DSS, and other standards.
- [Customize cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/index.md): Restrict which cipher suites Cloudflare uses for edge connections.
- [Customize cipher suites via API](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/index.md): Select allowed cipher suites for your zone using the API.
- [Customize cipher suites via dashboard](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/dashboard/index.md): Select allowed cipher suites for your zone in the dashboard.
- [Security levels](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/recommendations/index.md): Recommended cipher suite security levels for different use cases.
- [Supported cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/supported-cipher-suites/index.md): Full list of cipher suites supported by Cloudflare edge certificates.
- [Troubleshooting](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/troubleshooting/index.md): Resolve common cipher suite configuration issues.
- [HTTP Strict Transport Security (HSTS)](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/index.md): Enforce HTTPS connections with HSTS response headers.
- [Minimum TLS Version](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/index.md): Set the minimum TLS version for connections to your domain.
- [Opportunistic Encryption](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/opportunistic-encryption/index.md): Serve HTTP sites over an encrypted TLS channel.
- [TLS 1.3](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/tls-13/index.md): Enable TLS 1.3 for improved performance and security.
- [Total TLS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/index.md): Issue individual certificates for every proxied subdomain.
- [Enable](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/enable/index.md): Enable Total TLS to issue certificates for all subdomains.
- [Error messages](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/error-messages/index.md): Error messages you may encounter with Total TLS.
- [Advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/index.md): Order advanced certificates with custom SANs, validity periods, and CAs.
- [API commands](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/api-commands/index.md): API commands for managing advanced certificates.
- [Manage advanced certificates](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/index.md): Learn how to create, delete and perform other operations to manage your Cloudflare Advanced SSL certificates.
- [Backup certificates](https://developers.cloudflare.com/ssl/edge-certificates/backup-certificates/index.md): How Cloudflare issues backup certificates for redundancy.
- [Add CAA records](https://developers.cloudflare.com/ssl/edge-certificates/caa-records/index.md): Add CAA DNS records to control which CAs can issue certificates.
- [Domain control validation (DCV)](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/index.md): Learn when and how to perform Domain Control Validation when using Cloudflare SSL/TLS.
- [Domain control validation flow](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/dcv-flow/index.md): Consider the steps that have to take place before the DCV process is completed and certificate authorities can issue SSL/TLS certificates.
- [Methods](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/index.md): Review different methods to perform Domain Control Validation when using Cloudflare SSL/TLS.
- [Delegated](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/index.md): Delegate domain control validation to Cloudflare.
- [HTTP](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/http/index.md): Validate domain control with an HTTP token on your origin.
- [TXT](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/txt/index.md): Validate domain control with a TXT DNS record.
- [Troubleshooting](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/troubleshooting/index.md): Resolve domain control validation failures.
- [Validation backoff schedule](https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule/index.md): Consider what happens if a domain control validation (DCV) fails and what schedule Cloudflare follows for new attempts and backoff.
- [Custom certificates](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/index.md): Upload and manage your own TLS certificates on Cloudflare.
- [Bundle methodologies](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/bundling-methodologies/index.md): Certificate chain bundling options for custom certificates.
- [Remove key file password](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/remove-file-key-password/index.md): Remove the password from a private key file before uploading.
- [Renewal and expiration](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/renewing/index.md): Learn how renewal and expiration work when using Cloudflare Custom SSL certificates.
- [Troubleshooting](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/troubleshooting/index.md): Troubleshoot issues with Client certificates
- [Manage custom certificates](https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/index.md): Upload, update, and delete custom certificates.
- [ECH Protocol](https://developers.cloudflare.com/ssl/edge-certificates/ech/index.md): Encrypt the SNI field with Encrypted Client Hello for improved privacy.
- [Enforce HTTPS connections](https://developers.cloudflare.com/ssl/edge-certificates/encrypt-visitor-traffic/index.md): Force all visitor traffic to use HTTPS connections.
- [Geo Key Manager](https://developers.cloudflare.com/ssl/edge-certificates/geokey-manager/index.md): Control the geographic storage location of your private SSL/TLS keys.
- [Setup](https://developers.cloudflare.com/ssl/edge-certificates/geokey-manager/setup/index.md): Learn how to set up Geo Key Manager and choose the geographical boundaries of where your private encryption keys are stored.
- [Supported options](https://developers.cloudflare.com/ssl/edge-certificates/geokey-manager/supported-options/index.md): Learn which options are supported for Geo Key Manager.
- [Staging environment](https://developers.cloudflare.com/ssl/edge-certificates/staging-environment/index.md): Test certificate changes in a staging environment before production.
- [Universal SSL](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/index.md): Free TLS certificates automatically issued for all proxied hostnames.
- [Alerts](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/alerts/index.md): Notifications for Universal SSL certificate events.
- [Disable Universal SSL certificates](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/disable-universal-ssl/index.md): Turn off Universal SSL certificates for your domain.
- [Enable Universal SSL certificates](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/enable-universal-ssl/index.md): Turn on Universal SSL certificates for your domain.
- [Limitations](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/limitations/index.md): Review the limitations of Universal certificates, such as hostname coverage, certificate authority choice, and compatibility with other products.
- [Troubleshooting](https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/troubleshooting/index.md): Review how to troubleshoot issues such as certificate timeouts when using Cloudflare Universal SSL.

## Client certificates (mTLS)

- [Client certificates (mTLS)](https://developers.cloudflare.com/ssl/client-certificates/index.md): Use Cloudflare public key infrastructure (PKI) to create client certificates and enforce mutual Transport Layer Security (mTLS) encryption.
- [Bring your own CA for mTLS](https://developers.cloudflare.com/ssl/client-certificates/byo-ca/index.md): Cloudflare mTLS now supports client certificates that have not been issued by Cloudflare CA. Learn how you can bring your own CA and use it with Cloudflare mTLS.
- [Client certificate variables](https://developers.cloudflare.com/ssl/client-certificates/client-certificate-variables/index.md): Variables available in WAF rules when using client certificates.
- [Configure your mobile app or IoT device](https://developers.cloudflare.com/ssl/client-certificates/configure-your-mobile-app-or-iot-device/index.md): This tutorial demonstrates how to configure your Internet-of-things (IoT) device and mobile application to use client certificates with API Shield.
- [Create a client certificate](https://developers.cloudflare.com/ssl/client-certificates/create-a-client-certificate/index.md): Generate a client certificate using the dashboard or API.
- [Enable mTLS](https://developers.cloudflare.com/ssl/client-certificates/enable-mtls/index.md): Enable mutual TLS to require client certificates for your host.
- [Forward certificate to server](https://developers.cloudflare.com/ssl/client-certificates/forward-a-client-certificate/index.md): Forward client certificate details to your origin server.
- [Label client certificates](https://developers.cloudflare.com/ssl/client-certificates/label-client-certificate/index.md): Organize client certificates with labels for easier management.
- [Revoke a client certificate](https://developers.cloudflare.com/ssl/client-certificates/revoke-client-certificate/index.md): Revoke a client certificate to block its use.
- [Troubleshooting](https://developers.cloudflare.com/ssl/client-certificates/troubleshooting/index.md): Troubleshoot issues with client certificates
- [mTLS for Zero Trust](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/mutual-tls-authentication/index.md): Use mTLS with Zero Trust to verify device identity.

## Cloudflare for SaaS

- [Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/index.md): Extend Cloudflare SSL/TLS to customer domains with Cloudflare for SaaS.

## Keyless SSL

- [Keyless SSL](https://developers.cloudflare.com/ssl/keyless-ssl/index.md): Keep private keys on your own infrastructure while using Cloudflare TLS.
- [Cloudflare Tunnel](https://developers.cloudflare.com/ssl/keyless-ssl/configuration/cloudflare-tunnel/index.md): Deploy Keyless SSL with Cloudflare Tunnel for private connectivity.
- [Public DNS](https://developers.cloudflare.com/ssl/keyless-ssl/configuration/public-dns/index.md): Deploy Keyless SSL with public DNS resolution.
- [Glossary](https://developers.cloudflare.com/ssl/keyless-ssl/glossary/index.md): Learn more about the common terms related to Keyless SSL.
- [Hardware security modules](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/index.md): Store private keys in hardware security modules for Keyless SSL.
- [AWS cloud HSM](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/aws-cloud-hsm/index.md): Learn how to use Keyless SSL with AWS CloudHSM.
- [Azure Dedicated HSM](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/azure-dedicated-hsm/index.md): Learn how to use Keyless SSL with Azure Dedicated HSM.
- [Azure Managed HSM](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/azure-managed-hsm/index.md): This tutorial uses Microsoft Azure's Managed HSM to deploy a VM with the Keyless SSL daemon.
  Follow these instructions to deploy your keyless server.
- [Configuration](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/configuration/index.md): Configure the key server to work with hardware security modules.
- [Entrust nShield Connect](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/entrust-nshield-connect/index.md): Learn how to use Keyless SSL with Entrust nShield Connect.
- [Fortanix Data Security Manager](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/fortanix-dsm/index.md): Configure Keyless SSL with Fortanix Data Security Manager.
- [Google Cloud HSM](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/google-cloud-hsm/index.md): Learn how to use Keyless SSL with Google Cloud HSM.
- [IBM Cloud HSM](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/ibm-cloud-hsm/index.md): Learn how to use Keyless SSL with IBM Cloud HSM.
- [SoftHSMv2](https://developers.cloudflare.com/ssl/keyless-ssl/hardware-security-modules/softhsmv2/index.md): Learn how to use Keyless SSL with SoftHSMv2.
- [High availability](https://developers.cloudflare.com/ssl/keyless-ssl/reference/high-availability/index.md): Deploy Keyless SSL key servers with high availability.
- [Keyless delegation](https://developers.cloudflare.com/ssl/keyless-ssl/reference/keyless-delegation/index.md): Delegate certificate signing to downstream key servers.
- [Scaling and benchmarking](https://developers.cloudflare.com/ssl/keyless-ssl/reference/scaling-and-benchmarking/index.md): Scale and benchmark Keyless SSL key servers.
- [Troubleshooting](https://developers.cloudflare.com/ssl/keyless-ssl/troubleshooting/index.md): Review how to troubleshoot issues when using Cloudflare Keyless SSL.
- [Upgrade your key server](https://developers.cloudflare.com/ssl/keyless-ssl/upgrading-your-key-server/index.md): Upgrade your Keyless SSL key server to the latest version.

## Post-quantum cryptography (PQC)

- [Post-quantum cryptography (PQC)](https://developers.cloudflare.com/ssl/post-quantum-cryptography/index.md): Get an overview of how Cloudflare is deploying post-quantum cryptography to protect you against harvest now, decrypt later.
- [Post-quantum cryptography in Cloudflare One](https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-and-zero-trust/index.md): Use post-quantum cryptography with WARP and Cloudflare Tunnel.
- [PQC support](https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-support/index.md): Consider information about post-quantum cryptography at Cloudflare - deployed key agreements and software support.
- [Post-quantum between Cloudflare and origin servers](https://developers.cloudflare.com/ssl/post-quantum-cryptography/pqc-to-origin/index.md): Learn about post-quantum cryptography in connections from Cloudflare to your origin servers.

## Troubleshooting

- [Troubleshooting](https://developers.cloudflare.com/ssl/troubleshooting/index.md): Troubleshoot common SSL/TLS errors and configuration issues.
- [General SSL errors](https://developers.cloudflare.com/ssl/troubleshooting/general-ssl-errors/index.md): Learn how to troubleshoot various SSL/TLS errors with Cloudflare.
- [Mixed content errors](https://developers.cloudflare.com/ssl/troubleshooting/mixed-content-errors/index.md): Fix mixed content errors caused by HTTP resources on HTTPS pages.
- [ERR_TOO_MANY_REDIRECTS](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/index.md): Learn how to troubleshoot ERR_TOO_MANY_REDIRECTS when using Cloudflare SSL/TLS.
- [ERR_SSL_VERSION_OR_CIPHER_MISMATCH](https://developers.cloudflare.com/ssl/troubleshooting/version-cipher-mismatch/index.md): Learn how to troubleshoot ERR_SSL_VERSION_OR_CIPHER_MISMATCH when using Cloudflare SSL/TLS.

## SSL/TLS FAQ

- [SSL/TLS FAQ](https://developers.cloudflare.com/ssl/faq/index.md): Get answers to commonly asked questions about the certificates you can obtain through Cloudflare and the CAs that Cloudflare partners with.

## Changelog

- [Changelog](https://developers.cloudflare.com/ssl/changelog/index.md): Track the latest updates and changes to Cloudflare SSL/TLS features.

## origin-configuration

- [Authenticated Origin Pulls (mTLS)](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/index.md): Authenticated Origin Pulls helps ensure requests to your origin server come from the Cloudflare network.
- [AWS integration](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/aws-alb-integration/index.md): Learn how to set up Cloudflare Authenticated Origin Pulls with the AWS Application Load Balancer.
- [About](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/explanation/index.md): How Authenticated Origin Pulls use mTLS to verify Cloudflare connections.
- [Global](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/global/index.md): Set up global Authenticated Origin Pulls for all hostnames.
- [Manage certificates](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/manage-certificates/index.md): Upload and manage certificates for Authenticated Origin Pulls.
- [Per-hostname](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/index.md): Set up per-hostname Authenticated Origin Pulls with custom certificates.
- [Roll back per-hostname AOP](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/rollback/index.md): Roll back per-hostname Authenticated Origin Pulls to zone-level settings.
- [Zone-level](https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level/index.md): Set up zone-level Authenticated Origin Pulls with a custom certificate.
- [Cipher suites](https://developers.cloudflare.com/ssl/origin-configuration/cipher-suites/index.md): Review a list of cipher suites that Cloudflare presents to origins during an SSL/TLS handshake.
- [Custom Origin Trust Store](https://developers.cloudflare.com/ssl/origin-configuration/custom-origin-trust-store/index.md): Custom Origin Trust Store allows you to upload certificate authorities (CAs) that Cloudflare will use to authenticate connections to your origin server.
- [Cloudflare origin CA](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/index.md): Encrypt traffic between Cloudflare and your origin web server and reduce origin bandwidth consumption.
- [Troubleshooting Cloudflare origin CA](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/troubleshooting/index.md): Troubleshoot issues like NET::ERR_CERT_AUTHORITY_INVALID when using Cloudflare origin CA.
- [Encryption modes](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/index.md): Encryption modes allow you to control how Cloudflare connects to your origin web server and how certificates presented by your origin are validated.
- [Flexible](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/flexible/index.md): Traffic from browsers to Cloudflare can be encrypted via HTTPS, but traffic from Cloudflare to the origin server is not. This mode is common for origins that do not support TLS, though upgrading the origin configuration is recommended whenever possible.
- [Full](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full/index.md): Cloudflare matches the browser request protocol when connecting to the origin. If the browser uses HTTP, Cloudflare connects to the origin via HTTP; if HTTPS, Cloudflare uses HTTPS without validating the origin’s certificate. This mode is common for origins that use self-signed or otherwise invalid certificates.
- [Full (strict)](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/full-strict/index.md): Similar to Full Mode, but with added validation of the origin server’s certificate, which can be issued by a public CA like Let’s Encrypt or by Cloudflare Origin CA.
- [Off (no encryption)](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/off/index.md): No encryption is used for traffic between browsers and Cloudflare or between Cloudflare and origins. Everything is cleartext HTTP.
- [Strict (SSL-Only Origin Pull)](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/ssl-only-origin-pull/index.md): Regardless of whether the browser-to-Cloudflare connection uses HTTP or HTTPS, Cloudflare always connects to the origin over HTTPS with certificate validation.
- [SSL/TLS Recommender](https://developers.cloudflare.com/ssl/origin-configuration/ssl-tls-recommender/index.md): Get recommendations for the optimal SSL/TLS encryption mode.

## reference

- [Features and plans](https://developers.cloudflare.com/ssl/reference/all-features/index.md): Review information on all Cloudflare SSL/TLS features and their availability.
- [Browser compatibility](https://developers.cloudflare.com/ssl/reference/browser-compatibility/index.md): Review information about browser compatibility for the different Cloudflare SSL/TLS offerings.
- [Certificate and hostname priority](https://developers.cloudflare.com/ssl/reference/certificate-and-hostname-priority/index.md): Learn about how Cloudflare decides which certificate and associated SSL/TLS settings to apply to individual hostnames.
- [Certificate authorities](https://developers.cloudflare.com/ssl/reference/certificate-authorities/index.md): For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for each Cloudflare offering and for more details about the CAs features, limitations, and browser compatibility.
- [Certificate pinning](https://developers.cloudflare.com/ssl/reference/certificate-pinning/index.md): Learn why Cloudflare does not support HTTP public key pinning (HPKP) and consider an alternative solution to prevent certificate misissuance.
- [Certificate statuses](https://developers.cloudflare.com/ssl/reference/certificate-statuses/index.md): Understand certificate statuses in Cloudflare SSL/TLS, including stages like Initializing, Pending Validation, and Active. Monitor via dashboard or command line.
- [Validity periods and renewal](https://developers.cloudflare.com/ssl/reference/certificate-validity-periods/index.md): Learn about Cloudflare SSL certificate validity periods, auto renewal processes, and the benefits of shorter validity periods for enhanced security.
- [Cloudflare and CVE-2019-1559](https://developers.cloudflare.com/ssl/reference/cloudflare-and-cve-2019-1559/index.md): How Cloudflare addressed the CVE-2019-1559 TLS vulnerability.
- [PCI compliance and vulnerabilities mitigation](https://developers.cloudflare.com/ssl/reference/compliance-and-vulnerabilities/index.md): PCI compliance status and TLS vulnerability mitigations.
- [DigiCert Legacy Root (G1) distrust by major browsers](https://developers.cloudflare.com/ssl/reference/migration-guides/digicert-g1-distrust/index.md): Learn how the DigiCert G1 root distrust may affect your Cloudflare configuration.
- [Entrust distrust by major browsers](https://developers.cloudflare.com/ssl/reference/migration-guides/entrust-distrust/index.md): Chrome and Mozilla have announced they will no longer trust Entrust certificates. Read about this change and how you can use Cloudflare to reduce impact.
- [TLS protocols](https://developers.cloudflare.com/ssl/reference/protocols/index.md): Explore Cloudflare's support for TLS protocols from 1.0 to 1.3. Learn about differences, security standards, and recommendations on what version to use.