Cloudflare automatically provisions SSL certificates that are shared by multiple customer domains. Business and Enterprise customers have the option to upload a custom, dedicated SSL certificate that will be presented to end users. This allows the use of extended validation (EV) and organization validated (OV) certificates.
Modern TLS Only
PCI 3.2 compliance requires either TLS 1.2 or 1.3, as there are known vulnerabilities in all earlier versions of TLS and SSL. Cloudflare provides a “Modern TLS Only” option that forces all HTTPS traffic from your website to be served over either TLS 1.2 or 1.3.
Opportunistic Encryption provides HTTP-only domains that can't upgrade to HTTPS, due to mixed content or other legacy issues, the benefits of encryption and web optimization features only available using TLS without changing a single line of code.
TLS Client Auth
Cloudflare’s Mutual Auth (TLS Client Auth) creates a secure connection between a client, like an IoT device or a mobile app, and its origin. When a client attempts to establish a connection with its origin server, Cloudflare validates the device’s certificate to check it has authorized access to the endpoint. If the device has a valid client certificate, like having the correct key to enter a building, the device is able to establish a secure connection. If the device’s certificate is missing, expired, or invalid, the connection is revoked and Cloudflare returns a 403 error.