When you add a domain to Cloudflare, it assigns a Universal SSL certificate whose subject alternative names are your-domain.com and *.your-domain.com. Such a certificate is usually (if not always) signed by DigiCert.
However, sometimes we may want to change the CA. Cloudflare offers four CAs for signing these certificates: DigiCert, Sectigo, Let's Encrypt and Google Trust Services. Sectigo is unavailable to free-plan users, but the other two besides DigiCert (Let's Encrypt and Google Trust Services) can be selected.
You can switch the CA through Cloudflare's API. Just run the following command:
curl -X PATCH -H "X-Auth-Email: $account_email" -H "X-Auth-Key: $global_api_key" -H "Content-Type: application/json" --data '{"enabled":true,"certificate_authority":"lets_encrypt"}' https://api.cloudflare.com/client/v4/zones/$zone_id/ssl/universal/settings
Change lets_encrypt to google if you want to use Google Trust Services.
Note that Let's Encrypt certificates issued through Cloudflare chain to ISRG Root X2 via the E1 intermediate rather than ISRG Root X1 via R3, and Google Trust Services certificates use RSA 2048 keys rather than EC 256.
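An added shell wrapper (not from the original post) that validates the CA name before sending the PATCH above, then reads the setting back and inspects the certificate actually served, so the RSA 2048 vs EC 256 difference can be confirmed. It assumes the same account_email, global_api_key and zone_id variables as the curl command, and that a GET on the same endpoint returns certificate_authority in its result.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes account_email,
# global_api_key and zone_id are set like in the curl command above.
set -eu

# Build the PATCH body; only the four CA names the post lists are accepted,
# so a typo cannot reach the API.
ca_payload() {
  case "$1" in
    digicert|sectigo|lets_encrypt|google)
      printf '{"enabled":true,"certificate_authority":"%s"}' "$1" ;;
    *) echo "unknown certificate_authority: $1" >&2; return 1 ;;
  esac
}

# Classify a leaf certificate's key from `openssl x509 -noout -text` output
# (read on stdin). Handles both "Public-Key:" and "RSA Public-Key:" lines.
key_type_from_x509_text() {
  awk '/Public Key Algorithm:/ { alg=$NF }
       /Public-Key:/ { match($0, /[0-9]+/); bits=substr($0, RSTART, RLENGTH) }
       END { if (alg=="rsaEncryption") print "RSA " bits; else print "EC " bits }'
}

API="https://api.cloudflare.com/client/v4/zones/${zone_id:-}/ssl/universal/settings"

set_universal_ca() {
  body=$(ca_payload "$1") || return 1
  curl -sS -X PATCH -H "X-Auth-Email: $account_email" -H "X-Auth-Key: $global_api_key" \
    -H "Content-Type: application/json" --data "$body" "$API"
}

# Read the setting back (assumed GET response shape) and inspect the cert the
# edge serves; reissue is not instant, so the old leaf may linger for a while.
check_universal_ca() {
  host=$1
  curl -sS -H "X-Auth-Email: $account_email" -H "X-Auth-Key: $global_api_key" "$API" \
    | grep -o '"certificate_authority":"[a-z_]*"'
  pem=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509)
  printf '%s\n' "$pem" | openssl x509 -noout -issuer
  printf '%s\n' "$pem" | openssl x509 -noout -text | key_type_from_x509_text
}

# usage: set_universal_ca lets_encrypt && check_universal_ca your-domain.com
```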