Change the type of SSL certificate issued by Cloudflare for free

Cloudflare is, without doubt, the most popular reverse proxy and DDoS protection tool. Cloudflare provides many features for free, and one of them is the free issuance of an SSL certificate.

Cause of the error

The SSL certificate served for a domain proxied by Cloudflare (when the orange cloud is active in your DNS management) may cause this error. While it is not an issue for everyone, a Cloudflare-proxied website may sometimes be reported as insecure, particularly on older systems that haven’t been updated in quite a while.

Example of the error

If you are the website’s administrator, this article is for you. This article will discuss changing the Certificate Authority on Cloudflare proxied domains using the Cloudflare Developer API.

How to change the Certificate Authority

To change the Certificate Authority of the Universal SSL certificate, we will first have to generate an API token from the Cloudflare Dashboard.

To do this, you will first have to go to the API tokens section in the Cloudflare dashboard.
https://dash.cloudflare.com/profile/api-tokens

Then, we have to click on the create token button.

Creating an API token

We will then be presented with a page where we can choose if we want to start with a template or create a custom token. For our current use, we will have to make a custom token.

Creating a custom token

We will then be presented with a page where we have to fill in the token form. Here, you will have to fill in the details based on your domain.

Token Name

You may set the Token Name to anything you’d like. Here, I put the name of my website.

Naming token

Permissions

On the first option, you will have to select Zone, then SSL and Certificates and Edit, as illustrated in the screenshot below.

Choosing Permissions

Zone Resources

On the first option, you will have to select Include, then Specific Zone, and on the last option, you will have to choose from the list the domain name you want to change the Certificate Authority for.

Selecting the Zone

Continue to Summary

You may omit the other options, as they are not required.

Continue to summary

After clicking the continue button, you will be presented with the permissions the token has.

Token Permission

Then, click on the Create Token button.

After clicking on the create button, you will be shown the token value. Click on the copy button to copy the token to a safe place.

Cloudflare token screen

Using the Token to change Certificate Authority

As of writing this article, Cloudflare supports the following Certificate Authorities:

  • digicert
  • google
  • lets_encrypt
  • sectigo

Now, to change the certificate authority, you will first have to get the Zone ID from the Cloudflare Dashboard.

On the Dashboard, click on your website.

Cloudflare Dashboard

On the next page, scroll down to the API section, and you will see the Zone ID.

Zone ID

Click on “Click to Copy” beneath Zone ID and store it in a safe place.

Now, you will have to replace <Zone ID> and <API token> in the following command with the values copied earlier (without the <>).

    curl -X PATCH "https://api.cloudflare.com/client/v4/zones/<Zone ID>/ssl/universal/settings" \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer <API token>" \
      --data '{"certificate_authority": "digicert"}'

You may use cURL on your system to make the request or use an online service such as https://reqbin.com/curl; note that an online service receives your API token along with the request. Either way, the API should respond with:

{"result":{"enabled":true,"certificate_authority":"digicert"},"success":true,"errors":[],"messages":[]}

Deleting the token

After making the request, you will have to delete the token. To do so, navigate to the API Tokens section, click on the three-dot menu on the token you created earlier, and click on Delete.

Deleting Token

Verifying if it worked

To verify that the changes have propagated, you may use https://www.ssllabs.com/ssltest/ to test your domain's SSL configuration.