Cloudflare's SSL/TLS tab provides encryption of traffic between your visitors and Cloudflare. One of the most important parts of this section is Edge Certificates, which are SSL certificates used on edge servers.
In this guide, we walk through every option and subheading under Cloudflare Edge Certificates and explain, step by step, what each setting does.
What are Edge Certificates?
Edge Certificates ensure that the connection between visitors and the Cloudflare edge network is established securely over HTTPS. These certificates are hosted on Cloudflare servers and are specifically assigned to your domain name.
Certificate Types in Cloudflare:
- Universal SSL: A shared certificate provided by Cloudflare, offered free of charge to all users.
- Advanced Certificate Manager: Offers advanced control and customization. Custom subdomains can be defined.
- Dedicated SSL: Certificates dedicated to you, used in more professional projects.
Edge Certificates Settings and Meanings
1. Advanced Certificate Manager (ACM)
- Custom subdomain specification (custom SAN)
- Certificate authority selection
- TLS version control
- Cipher suite selection
- Total TLS (individual certificate for each hostname)
2. Total TLS
- Cloudflare automatically creates a separate TLS certificate for each proxied subdomain.
- Provides maximum coverage and compatibility.
- Only available with Advanced Certificate Manager.
3. Cipher Suites
- Allows you to customize the algorithms used to establish the SSL/TLS connection.
- It is important to select recommended encryption algorithms for strong security and compliance.
- This setting is also made available by ACM.
4. Always Use HTTPS
- Automatically redirects all requests coming over HTTP to HTTPS.
- Important for SEO, security, and user experience.
5. HTTP Strict Transport Security (HSTS)
- Tells browsers that they should only connect to this domain over HTTPS.
- Difficult to revert once enabled, so it should be configured carefully.
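To make the "difficult to revert" point concrete, the following added example (not Cloudflare's code) parses a Strict-Transport-Security header value as defined in RFC 6797 and reports how hard the resulting policy is to undo. The function names and the six-month threshold are assumptions chosen for this illustration.

```python
import re

# Thresholds are assumptions for this example, not Cloudflare defaults.
SIX_MONTHS = 15552000   # seconds
ONE_YEAR = 31536000     # seconds; minimum max-age for browser preload lists

def parse_hsts(header):
    """Parse an HSTS header value (RFC 6797); None if browsers would ignore it."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are allowed by the grammar
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # a value may be a quoted-string
        if name in directives:
            return None  # a directive must not appear twice
        directives[name] = value
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    directives["max-age"] = int(directives["max-age"])
    return directives

def review_hsts(header):
    """Return findings describing how hard this policy is to roll back."""
    policy = parse_hsts(header)
    if policy is None:
        return ["invalid: browsers ignore this header"]
    findings = []
    age = policy["max-age"]
    if age == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif age < SIX_MONTHS:
        findings.append("short max-age: suitable for a trial rollout")
    else:
        findings.append(f"browsers will refuse HTTP for up to {age // 86400} days")
    if "includesubdomains" in policy:
        findings.append("applies to every subdomain, including ones not yet on HTTPS")
    if "preload" in policy:
        if age < ONE_YEAR or "includesubdomains" not in policy:
            findings.append("preload set but preload list requirements are not met")
        else:
            findings.append("eligible for browser preload lists: removal is slow")
    return findings

if __name__ == "__main__":
    # Constructed header value, not captured from a real site.
    print(review_hsts("max-age=31536000; includeSubDomains; preload"))
```

Starting with a short max-age and raising it only after every subdomain serves HTTPS keeps a mistake recoverable within minutes rather than months.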
6. Minimum TLS Version
- Determines the lowest TLS version that visitors can use to connect.
- Recommended setting: TLS 1.2 or TLS 1.3 (TLS 1.0 is not secure).
7. Opportunistic Encryption
- Enables opportunistic TLS for sites accessed over HTTP, without the visitor noticing.
- The browser still sees http:// but the connection is encrypted.
8. TLS 1.3
- The most current and fastest version of the TLS protocol.
- Recommended to be enabled by default (performance + security).
9. Automatic HTTPS Rewrites
- Solves mixed content issues.
- http:// links within the page are automatically replaced with https://.
10. Certificate Transparency Monitoring
- You will be notified by email when any Certificate Authority (CA) issues a new SSL certificate for your domain name.
- Very important for detecting potential fake certificates.
11. Disable Universal SSL
- Disables the default Universal SSL certificates.
- If you do not have a dedicated certificate, HTTPS connections will fail.
Edge Certificates Certificate List
Your Cloudflare panel lists the existing certificates and shows the following for each one:
- Which domain names it covers (SAN - Subject Alternative Name)
- Type (Universal, Backup, Dedicated)
- Expiration date
- Management status (Managed / Manual)
Common Situations and Recommendations
Scenario | Recommended Settings |
---|---|
E-commerce site | TLS 1.2+, Always HTTPS, HSTS, Dedicated SSL |
SEO-friendly blog | Auto HTTPS Rewrite, Always Use HTTPS |
System hosting many subdomains | Advanced Certificate Manager, Total TLS |
Security-focused corporate site | Certificate Transparency, HSTS, TLS 1.3 |
Conclusion
Cloudflare's SSL/TLS and Edge Certificates settings are among the most critical components of your site in terms of both performance and security. Starting with Universal SSL is free, but the Advanced Certificate Manager offers great advantages for specific needs.
For enterprise-level security, SEO compliance, and fast connection times, it is recommended to keep your TLS version up to date and make a full transition to HTTPS.