Cloudflare SSL for SaaS Providers

The adoption of SSL/TLS encryption by online organizations has become a security best practice, and is increasingly becoming a requirement due to pressure from large technology companies aspiring to build a safer Internet. For example, the Google Chrome web browser began visibly labeling websites not using HTTPS as “Not Secure” for their users at the end of 2016. In parallel, Mozilla’s Firefox web browser began issuing even graver warnings to users who attempt to submit information into forms not protected by HTTPS.

Cloudflare SSL for SaaS allows a SaaS company’s end customer to continue using a custom vanity domain while securing its communication through SSL. End customer benefits include a branded visitor experience, improved trust, better SEO rankings, and the ability to use HTTP/2 for greater speed improvements. Cloudflare automates the entire SSL lifecycle, from purchasing through deploying and renewing certificates, in minutes, allowing SaaS companies to offer this benefit as part of their customer onboarding flow.

There are three scenarios in which a SaaS provider can find itself when addressing end customers’ SSL needs:

Scenario 1: Unencrypted but branded vanity domain

Custom vanity domains without SSL lack the performance benefits of SSL and secure data transfer, leaving them vulnerable to snooping and to content being modified or injected before it reaches visitors.

Scenario 2: Encrypted but unbranded domain

Domains that have SSL enabled through a SaaS provider lack a custom vanity domain, resulting in brand degradation and lower SEO rankings.

Scenario 3: Challenging in-house approach

SaaS providers who want encrypted branded vanity domains can either manually manage SSL lifecycles, resulting in long deployment times and overhead costs, or build a complex automated in-house solution.

“With SSL for SaaS we have implemented a simpler flow because Cloudflare’s API handles the provisioning, serving, automated renewal and maintenance of our customers’ SSL certificates. Plus, end-to-end HTTPS now means we have bolstered privacy and performance for our customers, and can leverage browser features, like Local Storage, that we couldn’t use before.”
Andrew Murray
CTO of Olo

Get in touch with Cloudflare.

Branded Visitor Experiences

SaaS providers offering end customers the option of bringing a branded custom domain can continue to do so, while enjoying the added benefits of a fully managed SSL certificate. Branded domains offer end customers higher SEO rankings and improved visitor trust.

Secure and Performant Customer Assets

SSL/TLS certificates on end customer domains ensure the secure transport of sensitive customer data, protecting against on-path attacks and network snooping. Additionally, the HTTP/2 protocol becomes available for even greater speed improvements.

Automated SSL Lifecycle Management

Cloudflare manages the entire SSL lifecycle for a SaaS provider’s customer vanity domain, from private key creation and protection through domain validation, issuance, renewal, and reissuance.

Rapid Global SSL Deployments

During the SSL issuance process, Cloudflare deploys new certificates across its global network of data centers in 200 cities, bringing HTTPS online within minutes, as close as possible to visitors.

Challenges of Building an In-House SSL Solution

There are two paths that can be taken to build an in-house SSL solution for custom vanity domains, both of which require extensive effort from both the SaaS provider and the end customer. The automated path (upper) in the diagram below automates the SSL process but requires ample engineering effort and deals with complex security challenges. The manual path (lower) requires effort from both the SaaS provider’s teams and their end customers, with a higher potential for missed certificate expiration deadlines and outages. Regardless of which path is chosen, performance is likely to suffer unless SSL certificates can be deployed on a large-scale global distribution network.

[Diagram: engineering effort over time as the number of websites grows. Automated Path: HTTP-only CNAMEs, Custom API integration (e.g. using Let’s Encrypt), advanced challenges (Securely handle encryption keys, Global certificate distribution network), Ongoing maintenance and continued support efforts. Manual Path: HTTP-only CNAMEs, Manually upload certificates, Manually manage certificate lifecycles, Build and train customer contact team, Manual renewals with required customer effort, Ongoing maintenance and continued support efforts. Cloudflare Path: Easy Cloudflare API / UI integration.]

HTTP-only CNAMEs

Starting out, SaaS provider end customers are only sending and receiving HTTP traffic on their CNAME’d custom vanity domains.

Manually Upload Certificates

To initiate the process of adding SSL to custom CNAME’d vanity domains, a process is set up by which customers buy certificates and send them to the SaaS provider for manual upload.

Manually Manage Certificate Lifecycles

Once customer certificates have been uploaded, manual management is required to handle their lifecycle, from private key creation and protection through domain validation, issuance, renewal, and reissuance.

Build API Integration (e.g. using Let’s Encrypt)

As the total number of websites and customers using a SaaS provider’s services starts to scale, a decision must be made: automate the SSL lifecycle process for custom domains, which takes a higher level of engineering effort, or continue to build out manual lifecycle management, which requires less engineering effort but places a burden on internal teams and end customers.

Securely handle encryption keys

Private keys must be stored securely, encrypted at rest, and never written to disk in plaintext. Encrypting keys is easy, but decrypting them on the fly is difficult, as it requires either manual effort or considerable engineering work. Cloudflare has published its private key management best practices, and is expert at generating and protecting private keys for millions of domains through its Universal SSL, Dedicated Certificates, and SSL for SaaS products.

Global certificate distribution network (Automated Path)

Systematically distributing certificates around the world, making them available as close to your customers’ visitors as possible, is required to mitigate performance losses. The farther an end customer’s visitors’ requests must travel, the slower their pages will load. With TLS 1.2, an initial TLS handshake requires 2 round trips; if this handshake can only terminate at a few locations, performance will suffer.

Ongoing maintenance and continued support efforts (Automated Path)

For SaaS companies who’ve chosen an automated approach to building an in-house SSL solution, the majority of maintenance will consist of keeping code bases updated and compatible with certificate authority integrations and standards.

Build and train customer contact team

A new or existing team within the SaaS provider company will be required to manually manage the certificate lifecycles for end customers. Customer contact teams will need to reach out to customers, notifying them of upcoming certificate expirations and requesting renewed certificates.

Manual renewals with required customer effort

Customers are required to take part in the certificate renewal process by renewing certificates and re-sending them to the team in charge of managing the upload process. Additionally, they must complete this renewal before the existing certificate expires. If an existing certificate expires, the customer’s Internet assets will likely go offline unless preventative steps are taken.

Global certificate distribution network (Manual Path)

Systematically distributing certificates around the world, making them available as close to your customers’ visitors as possible, is required to mitigate performance losses. The farther an end customer’s visitors’ requests must travel, the slower their pages will load. With TLS 1.2, an initial TLS handshake requires 2 round trips; if this handshake can only terminate at a few locations, performance will suffer.

Ongoing maintenance and continued support efforts (Manual Path)

For SaaS companies who’ve chosen the manual approach to building an in-house SSL solution, the majority of maintenance will consist of continued manual effort by the SaaS provider to protect private keys, manage certificate lifecycles, remind customers to renew, and re-upload new certificates. SaaS provider end customers, in turn, are burdened with taking part in the certificate lifecycle process by renewing and re-sending certificates on a regular cadence.

Easy Cloudflare API / UI Integration

Cloudflare’s SSL for SaaS solution requires minimal engineering efforts, and removes the burden of managing the SSL lifecycle for both SaaS providers and their end customers.

How does SSL for SaaS work?

The SSL for SaaS process is entirely handled by Cloudflare, and only requires SaaS providers to send a single API call — or make a few clicks in the Cloudflare dashboard — as part of an end customer custom domain onboarding workflow. After that, SaaS provider end customers need only add the initial CNAME pointing to the SaaS provider’s domain. Cloudflare manages the rest of the custom domain onboarding process entirely.

The rest of this process is managed by Cloudflare and includes:

  • Requests that the certificate authority validate the end customer’s custom domain for SSL certificate issuance.
  • Receives a validation token from the certificate authority and makes it accessible from Cloudflare’s edge.
  • Instructs the certificate authority to complete HTTP validation, then requests that the certificate authority issue the SSL certificate.
  • Receives the certificate and pushes it to Cloudflare’s edge data centers in 200 cities around the world, optimizing for latency and TLS performance.

Frequently Asked Questions

Q: How is my customers’ traffic sent to my origin? Is it secured?

A: Yes, Cloudflare encourages you to use the Full or Strict SSL mode so that traffic sent to your origin uses HTTPS. This option can be configured in the Crypto tab of your zone. If you’re using Strict mode, you must ensure that the certificates on your origin contain a Subject Alternative Name (SAN) that matches your customer’s hostname. Our Origin CA product can be used to generate these certificates for use with Strict mode.
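The SAN requirement above is easy to get wrong once many customer hostnames share one origin, so here is an added pre-flight check (example code, not Cloudflare’s) that reports which customer hostnames an origin certificate’s SAN list does not cover; the hostnames and SAN entries in it are constructed sample values, and the certificate’s SAN entries are assumed to have been extracted already (for instance with openssl x509 -noout -ext subjectAltName).

```python
# Added example (not Cloudflare code): a pre-flight check for Strict SSL mode.
# Strict mode validates the origin certificate against the hostname being
# requested (Full mode encrypts but does not validate), so every customer
# vanity hostname must appear in the origin certificate's Subject Alternative
# Names (SAN). All hostnames and SAN entries below are constructed samples.

def hostname_matches_san(hostname: str, san_entry: str) -> bool:
    """Match one hostname against one DNS SAN entry.

    Wildcards follow RFC 6125 as browsers apply it: only a leading "*." is a
    wildcard and it covers exactly one label, so "*.saas.example" covers
    "shop.saas.example" but neither "www.shop.saas.example" nor the bare
    "saas.example". Comparison is case-insensitive and ignores a trailing dot.
    """
    host = hostname.lower().rstrip(".")
    san = san_entry.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    suffix = san[1:]                       # ".saas.example"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]          # the label(s) standing in for "*"
    return bool(prefix) and "." not in prefix

def uncovered_hostnames(customer_hostnames, san_entries):
    """Return the customer hostnames that no SAN entry covers.

    An empty result means the origin certificate is ready for Strict mode;
    any hostname listed would fail the origin handshake once Strict is on.
    """
    return [h for h in customer_hostnames
            if not any(hostname_matches_san(h, s) for s in san_entries)]

# Constructed sample: an origin certificate carrying the provider's own
# wildcard plus SANs for two onboarded customers, checked against a third
# customer that was CNAMEd in but never added to the certificate.
ORIGIN_SANS = ["*.saas.example", "shop.customer-a.example",
               "blog.customer-b.example"]
CUSTOMER_HOSTNAMES = ["shop.customer-a.example", "blog.customer-b.example",
                      "store.customer-c.example"]

if __name__ == "__main__":
    missing = uncovered_hostnames(CUSTOMER_HOSTNAMES, ORIGIN_SANS)
    print("customer hostnames missing from origin SAN:", missing)
```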

Q: How long does it take to issue a certificate and have it ready for use?

A: Certificates are typically validated, issued, and pushed to our edge within a few minutes. You can monitor progress through the various states—Initializing, Pending Validation, Pending Issuance, Pending Deployment, Active—by making a GET call.

$ curl -sXGET -H "X-Auth-Key: [YOUR KEY]" -H "X-Auth-Email: [YOUR EMAIL]" "https://api.cloudflare.com/client/v4/zones/[ZONE ID]/custom_hostnames?hostname=[CUSTOMER HOSTNAME]"
{
  "result": {
    "id": "cdc2a12a-99b3-48b8-9039-ad1b48c639e5",
    "hostname": "[CUSTOMER HOSTNAME]",
    "ssl": {
      "id": "3463325d-8116-48f3-ab4e-a75fb9727326",
      "type": "dv",
      "method": "http",
      "status": "active"
    }
  },
  "success": true
}
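To turn the one-off GET above into the onboarding check a provider would actually run, here is an added poller (example code, not Cloudflare’s) that reads ssl.status from the response until it reaches active; the zone id, hostname id and credentials are placeholders, and the lower-case underscored spelling of the state names is an assumption about the API’s wire format.

```python
import json
import time
import urllib.request

# Added example, not Cloudflare code: polls a custom hostname record until its
# certificate is active. The lower-case, underscored state names are assumed
# to be the API's spelling of the states the FAQ lists; zone id, hostname id
# and credentials are placeholders supplied by the caller.
API_BASE = "https://api.cloudflare.com/client/v4"
STATES = ("initializing", "pending_validation", "pending_issuance",
          "pending_deployment", "active")

def fetch_custom_hostname(zone_id, hostname_id, auth_key, auth_email):
    """GET a single custom hostname record and return the decoded JSON."""
    req = urllib.request.Request(
        f"{API_BASE}/zones/{zone_id}/custom_hostnames/{hostname_id}",
        headers={"X-Auth-Key": auth_key, "X-Auth-Email": auth_email})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def ssl_status(response):
    """Pull ssl.status out of a response, failing loudly on an API error."""
    if not response.get("success"):
        raise RuntimeError(f"API call failed: {response.get('errors')}")
    return response["result"]["ssl"]["status"]

def wait_for_active(poll, interval=15.0, max_polls=20):
    """Call poll() until ssl.status is active; return the statuses seen.

    poll is any zero-argument callable returning a response dict, so the same
    loop runs against the live API or against canned responses. An unknown
    state aborts rather than spinning, and giving up raises TimeoutError.
    """
    trail = []
    for _ in range(max_polls):
        status = ssl_status(poll())
        trail.append(status)
        if status == "active":
            return trail
        if status not in STATES:
            raise RuntimeError(f"unexpected ssl.status {status!r}: {trail}")
        time.sleep(interval)
    raise TimeoutError(f"not active after {max_polls} polls: {trail}")

def canned_poller(statuses):
    """Build a poll() that replays the given statuses, for offline runs."""
    it = iter(statuses)
    return lambda: {"success": True, "result": {"ssl": {"status": next(it)}}}

if __name__ == "__main__":
    # Offline run through the sequence of states the FAQ describes.
    print(wait_for_active(canned_poller(STATES[1:]), interval=0))
```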

Q: What about renewals or reissuances? Do I or my customers have to do anything?

A: No, Cloudflare takes care of all of this for you. The certificates we issue are valid for one full year (365 days) and will be renewed automatically at least 30 days prior to expiration. These certificates are issued uniquely for your customer’s hostname and, as long as the CNAME is still in place, we can continue to renew them easily by demonstrating “domain validation control” of that hostname. If the customer has churned, we encourage you to send Cloudflare a DELETE request so Cloudflare can pull the certificate from the edge and not attempt to renew it.

Q: What benefits of Cloudflare will my customers enjoy?

A: With the exception of protecting your customers’ DNS infrastructure (unless they’re also using Cloudflare for authoritative DNS), the short answer is: all of them. Once their traffic is pointed to your white-label hostname, Cloudflare is able to provide industry-leading DDoS protection, CDN, WAF, HTTP/2, load balancing, and more.

Q: What if my customer is already using HTTPS on their custom hostname? Is there a way to avoid downtime while migrating?

A: In some cases, you may have already pieced together a solution internally based on customer-provided key material. Or your customer is using their desired hostname with a competitor (or internal solution) that provides HTTPS and cannot tolerate a short maintenance window.

For these cases, we have extended the two alternative “pre-validation” methods available in Dedicated Certificates to our SSL for SaaS offering: email and CNAME. Simply change the SSL method in the API call above from “http” to “email” or “cname” and send the request. See the API documentation for more information.

The other alternative method, CNAME token, is typically used when you control DNS for the vanity names (some of our SaaS customers, especially those providing website building and hosting services, allow the custom domain to be registered as part of the workflow).

Lastly, you’re free to serve the HTTP token returned by the “http” validation method on your origin (instead of letting Cloudflare insert it during the reverse proxy) and our automated retry queue will detect it once it is in place. If you’d like to tell Cloudflare once it’s in place and have it retry immediately, you can always send a PATCH to the endpoint with the same SSL body as you sent during POST and we’ll immediately check for it.
