Change TLS Certificate CA of Cloudflare

Not just DigiCert. Try Let's Encrypt and Google Trust Services.

When you add a domain to Cloudflare, it assigns a Universal SSL certificate with the subject alternative names your-domain.com and *.your-domain.com. Such a certificate is usually (if not always) signed by DigiCert.

However, sometimes we may want to change the CA. Cloudflare offers four CAs for signing these certificates: DigiCert, Sectigo, Let's Encrypt and Google Trust Services. Sectigo is unavailable on the free plan, but the other two (apart from DigiCert), Let's Encrypt and Google Trust Services, can be used.

You can change it through Cloudflare's API. Just run the following command:

curl -X PATCH \
  -H "X-Auth-Email: $account_email" \
  -H "X-Auth-Key: $global_api_key" \
  -H "Content-Type: application/json" \
  --data '{"enabled":true,"certificate_authority":"lets_encrypt"}' \
  https://api.cloudflare.com/client/v4/zones/$zone_id/ssl/universal/settings

Change lets_encrypt to google if you want to use Google Trust Services.

Note that the Let's Encrypt certificates issued via Cloudflare chain to Root X2 through the E1 intermediate, instead of Root X1 and R3. Google Trust Services certificates use RSA 2048 keys instead of EC 256 (P-256).
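The following script is an added example, not part of the original post or of Cloudflare's own tooling. It wraps the same settings endpoint in a small POSIX shell workflow: it validates the CA identifier before sending anything, reads the current setting back with a GET on the same endpoint, and then checks the issuer of the certificate actually served on port 443 so you can confirm the change took effect (for Let's Encrypt you expect the issuer CN to be E1, as noted above). The CA identifiers `lets_encrypt` and `google` come from the post; `digicert` is assumed to be the identifier for the default CA. The issuer parser assumes the `issuer=C = US, O = ..., CN = ...` output format of OpenSSL 1.1.1 and later.

```shell
#!/bin/sh
# Added example: change the Universal SSL CA of a Cloudflare zone and verify it.
# Required environment: account_email, global_api_key, zone_id (as in the post).
# Assumption: an API token with the zone's "SSL and Certificates" edit permission
# can be used instead of the global key via "Authorization: Bearer $api_token".

API="https://api.cloudflare.com/client/v4"

# Build the JSON body for the PATCH call. Only identifiers the post mentions
# (lets_encrypt, google) plus the assumed default (digicert) are accepted, so a
# typo never reaches the API. Returns 1 for anything else.
ca_payload() {
  case "$1" in
    lets_encrypt|google|digicert)
      printf '{"enabled":true,"certificate_authority":"%s"}' "$1" ;;
    *)
      return 1 ;;
  esac
}

# Read the current Universal SSL settings (same endpoint, GET instead of PATCH).
get_universal_settings() {
  curl -s -H "X-Auth-Email: $account_email" \
          -H "X-Auth-Key: $global_api_key" \
          "$API/zones/$zone_id/ssl/universal/settings"
}

# Apply the new CA. Refuses to run if the identifier is not in the allow-list.
set_universal_ca() {
  body=$(ca_payload "$1") || { echo "unsupported CA identifier: $1" >&2; return 1; }
  curl -s -X PATCH \
    -H "X-Auth-Email: $account_email" \
    -H "X-Auth-Key: $global_api_key" \
    -H "Content-Type: application/json" \
    --data "$body" \
    "$API/zones/$zone_id/ssl/universal/settings"
}

# Extract the CN from one line of `openssl x509 -noout -issuer` output,
# e.g. "issuer=C = US, O = Let's Encrypt, CN = E1" -> "E1".
issuer_cn() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,]*\).*/\1/p'
}

# Fetch the leaf certificate actually served for a hostname and print its issuer CN.
# Cloudflare may take a little while to reissue, so run this after a short wait.
served_issuer_cn() {
  line=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
         | openssl x509 -noout -issuer)
  issuer_cn "$line"
}

# Example run (network access and credentials required):
#   set_universal_ca lets_encrypt
#   get_universal_settings
#   served_issuer_cn your-domain.com     # expect "E1" once reissued
```

Keeping the secret in `$global_api_key` is the weakest part of the original command: that key has full account scope, so for automation a scoped API token is the safer choice and only the two auth headers need to change.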