Setting the CA for Cloudflare Universal SSL

When the proxy is enabled on a DNS record, Cloudflare automatically issues a Universal SSL certificate so that the domain or subdomain can be reached over https://.
By default, the SSL certificate is usually issued by the Let's Encrypt CA, but Cloudflare also offers other CA options such as Google Trust Services, Sectigo, and SSL.com (depending on account/zone availability).
ZONE_ID=ID
AUTH_KEY=KEY
AUTH_EMAIL=EMAIL
curl -X GET \
  "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings" \
  -H "X-Auth-Key: $AUTH_KEY" \
  -H "X-Auth-Email: $AUTH_EMAIL"
Changing the Certificate Authority (CA)
DigiCert
curl -sX PATCH \
  "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings" \
  -H "X-Auth-Key: $AUTH_KEY" \
  -H "X-Auth-Email: $AUTH_EMAIL" \
  -H "Content-Type: application/json" \
  --data '{"certificate_authority":"digicert"}'
DigiCert has been deprecated since 2022. Reference: https://developers.cloudflare.com/ssl/reference/migration-guides/digicert-update/
Google Trust Services
curl -sX PATCH \
  "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings" \
  -H "X-Auth-Key: $AUTH_KEY" \
  -H "X-Auth-Email: $AUTH_EMAIL" \
  -H "Content-Type: application/json" \
  --data '{"certificate_authority":"google"}'
Sectigo
curl -sX PATCH \
  "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings" \
  -H "X-Auth-Key: $AUTH_KEY" \
  -H "X-Auth-Email: $AUTH_EMAIL" \
  -H "Content-Type: application/json" \
  --data '{"certificate_authority":"sectigo"}'
SSL.com
curl -sX PATCH \
  "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings" \
  -H "X-Auth-Key: $AUTH_KEY" \
  -H "X-Auth-Email: $AUTH_EMAIL" \
  -H "Content-Type: application/json" \
  --data '{"certificate_authority":"ssl_com"}'
Let's Encrypt
curl -sX PATCH \
  "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings" \
  -H "X-Auth-Key: $AUTH_KEY" \
  -H "X-Auth-Email: $AUTH_EMAIL" \
  -H "Content-Type: application/json" \
  --data '{"certificate_authority":"lets_encrypt"}'
After the CA is changed, the currently active SSL certificate does not always switch to the new CA right away. Cloudflare may keep using the old certificate until it expires or until an automatic re-issuance takes place.
However, if you add a new subdomain with the proxy enabled, a new certificate is usually issued right away using the CA selected at that time.
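Because the configured CA and the certificate actually being served can differ for a while, it helps to compare the two. The script below is an added example, not part of the original page: the function names, the issuer substrings used for each CA, and the sample JSON and issuer line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the CA configured for Universal SSL with the
# issuer of the certificate that is actually served.

# Constructed sample data (not real API output or a real certificate).
SAMPLE_SETTINGS='{"success":true,"result":{"enabled":true,"certificate_authority":"google"}}'
SAMPLE_ISSUER="issuer=C = US, O = Let's Encrypt, CN = E5"

# Read the settings JSON on stdin and print the certificate_authority value.
configured_ca() {
  sed -n 's/.*"certificate_authority"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Map a certificate_authority value to a substring expected in the issuer
# organization (assumed mapping; adjust it if your issuer strings differ).
ca_issuer_pattern() {
  case "$1" in
    lets_encrypt) echo "Let's Encrypt" ;;
    google)       echo "Google Trust Services" ;;
    sectigo)      echo "Sectigo" ;;
    ssl_com)      echo "SSL Corp" ;;
    *)            return 1 ;;
  esac
}

# Print the issuer line of the certificate served for a hostname (needs network).
served_issuer() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -issuer
}

# check_rollover CA ISSUER_LINE
# Prints "match" when the served certificate comes from the configured CA,
# "pending" when the old certificate is still in place, "unknown-ca" otherwise.
check_rollover() {
  cr_pattern=$(ca_issuer_pattern "$1") || { echo "unknown-ca"; return 2; }
  case "$2" in
    *"$cr_pattern"*) echo "match" ;;
    *)               echo "pending"; return 1 ;;
  esac
}

# Offline demo on the constructed samples: configured CA is google, but the
# served certificate is still from Let's Encrypt, so the result is "pending".
demo_ca=$(printf '%s\n' "$SAMPLE_SETTINGS" | configured_ca)
check_rollover "$demo_ca" "$SAMPLE_ISSUER" || true
```

For a live check, pipe the GET request shown earlier into `configured_ca` and pass the output of `served_issuer your.hostname` as the second argument to `check_rollover`.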