SYSTEM Cited by 1 source

Cloudflare Universal SSL

What

Cloudflare Universal SSL (September 2014) is the Cloudflare product that auto-issues and auto-renews TLS certificates for every domain on Cloudflare — including free-plan customers — with no customer action required. Original launch post: Introducing Universal SSL.

Universal SSL was a step-function event in industry HTTPS adoption: prior to its launch, TLS certificates cost customers $50-200/year with non-trivial operational overhead (manual issuance, manual renewal, chain-configuration errors). Overnight, every Cloudflare-proxied site had a valid TLS cert by default.

Relevant to this wiki as the historical precedent Cloudflare's 2026 PQ roadmap invokes for its default-on no-additional-cost posture — see patterns/default-on-security-upgrade. (Source: sources/2026-04-07-cloudflare-targets-2029-for-full-post-quantum-security)

Mechanism (high level)

  • Cloudflare operates CA infrastructure (later also partnering with public CAs like DigiCert, Let's Encrypt).
  • When a customer adds a domain to Cloudflare and points DNS there, Cloudflare automatically issues a cert for the customer's hostname(s).
  • Cert automatically renewed before expiration — no customer action, no manual replacement.
  • Cert served from Cloudflare's edge as the TLS termination point for proxied traffic; encrypted again on the Cloudflare → origin hop.

Strategic significance

Universal SSL is the canonical early instance of Cloudflare's broader posture: ship security capabilities as universal platform behaviour rather than premium features. Same posture:

  • 2022: PQ encryption for all, on all Cloudflare TLS connections by default. >65% of human traffic to Cloudflare now PQ-encrypted.
  • 2029 target — full PQ security (encryption + authentication) across entire product suite, default-on, no additional cost.

Closing quote from the 2026 roadmap post:

Free TLS helped encrypt the web. Free post-quantum cryptography will help secure it for what comes next.

The 2014 → 2022 → 2029 arc is the structural rhetorical backbone of the 2026 roadmap announcement.

Raw-scope caveats

This wiki page is scoped to what the Cloudflare 2026 post invokes about Universal SSL:

  • 2014 launch of free TLS for all Cloudflare-proxied sites.
  • Cited as the historical precedent for the default-on, no-extra-cost PQ rollout posture.

Detailed Universal SSL mechanics (cert issuance CA chain, multi-domain cert strategy, ECH interactions, SNI handling) are covered in the 2014 launch post and subsequent Cloudflare blog coverage — future ingests may deepen this page.

Seen in
