Performance & Reliability
CDN DNS Argo Smart Routing Load Balancing Web Optimizations China Network
Video Streaming & Delivery
Cloudflare Stream Stream Delivery
Advanced Security
DDoS Protection WAF Rate Limiting SSL / TLS DNSSEC Cloudflare Access Cloudflare Spectrum Argo Tunnel
Insights
Analytics
Cloudflare for Developers
Cloudflare Workers Cloudflare Workers KV Mobile SDK
Domain Registration
Cloudflare Registrar
Cloudflare Marketplace
Cloudflare Apps
Cloudflare for Everyone
1.1.1.1
Performance
Accelerate Internet Applications Accelerate Mobile Experiences Ensure Application Availability
Security
Mitigate DDoS Attacks Prevent Customer Data Breaches Stop Malicious Bot Abuse
Industries
SaaS Publishers Public Sector
Partnerships
Partner Program Hosting Provider Referral Reseller / MSP OEM / Technology Workers Partner Program Peering Portal Bandwidth Alliance
Integrations
IBM Cloud WordPress Google Cloud Magento Acquia Rackspace Microsoft Azure Kubernetes WP Engine
Develop
API Guide Developer Hub Developer Fund Documentation
Explore
Case Studies Cloudflare in China Network Map Webinars Product Updates White Papers GDPR
Learn
DDoS Learning Center CDN Learning Center DNS Learning Center Security Learning Center Performance Learning Center Serverless Learning Center
Connect
Blog Contact Sales Community Support
Contact

Overview of Keyless SSL

Keyless SSL lets sites use Cloudflare’s SSL service while retaining on-premise custody of their private keys. This is a brand-new security technology, developed by a team of cryptographers, systems engineers, and network specialists at Cloudflare.

The standard Cloudflare SSL service requires a customer to share their site’s SSL key with Cloudflare. Cloudflare takes extensive technical measures to safeguard customer key information. However, for some customers there are policy or technical obstacles preventing them from sharing their site’s SSL key with Cloudflare. This is why we are excited to introduce Keyless SSL.

Contact Our Team
Related Products

Why Use Keyless SSL?

While most customers are comfortable with Cloudflare managing their private keys, some have unique security requirements making this impossible. Keyless SSL allows users to retain control of keys while still routing encrypted traffic through Cloudflare’s global network.

With Keyless SSL, for the first time ever, an organization can use a solution such as Cloudflare, that is infinitely scalable and infinitely elastic, without sharing their SSL key. Companies are able to get all of the benefits of the cloud (DDoS attack mitigation, load balancing, WAN optimization), without having to choose between encrypting web traffic or giving their SSL private keys to a 3rd party cloud provider.

How Keyless SSL Works

Keyless SSL

Note: Keyless SSL requires that Cloudflare decrypt, inspect and re-encrypt traffic for transmission back to a customer’s origin.

For non-SSL traffic through Cloudflare there are 3 parties: Client (e.g., web browser), Cloudflare edge node and Customer origin server.

For SSL traffic with Keyless SSL enabled, there is one additional endpoint involved in the initial SSL session creation, after which normal transmission resumes.

The request flow for Keyless SSL transactions is as follows:

1a. Client (e.g., web browser) connects to the Cloudflare edge node closest to the customer, via Anycast routing. The client sends a secret to the edge server encrypted with the site’s public key.

1b. The edge server contacts the key server, authenticating itself with a certificate. The edge server sends the encrypted secret to the key server to decrypt it. The key server returns the decrypted secret over an encrypted tunnel.

2a. Both client and server use the shared secret to establish a secure connection. Client (e.g., web browser) makes request over HTTPS for Cloudflare-powered customer resource.

2b. Cloudflare edge node (the Session Server) decrypts, inspects, and processes the original request.

The authentication step happens only once per session; additional requests within the session do not require the extra check to the Key Server. The customer can modify the default SSL session TTL (time to live) from 18 hours to as low as 5 minutes or as high as 48 hours.

For more details on Keyless SSL see this blog post.

Third Party Security Audits

Cloudflare’s Keyless SSL cryptography has been reviewed by iSEC Partners in conjunction with Matasano Security, and each part of NCC Group — world leaders in application security and cryptographic review.

How to Get Access to Keyless SSL

Keyless SSL will initially be available only to customers on the Enterprise plan. For more information on the Enterprise plan and Keyless SSL, contact our sales team.

Setting Up Cloudflare Is Easy

Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.

Cloudflare Pricing

Everyone’s Internet application can benefit from using Cloudflare.
Pick a plan that fits your needs.

Free $ 0 /month per website
Select
Expand to see more Hide
For personal websites, blogs, and anyone who wants to explore Cloudflare.

Learn More

The Free Plan includes all of these features:
  • Unmetered Mitigation of DDoS
  • Global CDN
  • Shared SSL certificate
  • Access to account Audit Logs
  • 3 page rules
Compare all features
PRO $ 20 /month per website
Select
Expand to see more Hide
For professional websites, blogs, and portfolios requiring basic security and performance.

Learn More

The Pro Plan includes everything in Free, and:
  • Web application firewall (WAF) with Cloudflare rulesets
  • Image optimizations with Polish™
  • Mobile optimizations with Mirage™
  • I'm Under Attack™ mode
  • Access to account Audit Logs
  • 20 page rules
Compare all features
BUSINESS $ 200 /month per website
Select
Expand to see more Hide
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized email support.

Learn More

The Business Plan includes everything in Pro, and:
  • Web application firewall (WAF) with 25 custom rulesets
  • Custom SSL certificate upload
  • PCI compliance thanks to Modern TLS Only mode and WAF
  • Bypass Cache on Cookie
  • Accelerate delivery of dynamic content with Railgun™
  • Prioritized email support
  • Access to account Audit Logs
  • 50 page rules
Compare all features
Enterprise contact us
Select
Expand to see more Hide
For companies requiring enterprise-grade security and performance, prioritized 24/7/365 phone, email, or chat support, and guaranteed uptime.

Learn More

The Enterprise Plan everything in Business, and:
  • 24/7/365 enterprise-grade phone, email, and chat support
  • 100% uptime guarantee with 25x reimbursement SLA
  • Enterprise-grade DDoS protection with network prioritization
  • Advanced web application firewall (WAF) with unlimited custom rulesets
  • Multiuser role-based account access
  • Multiple custom SSL certificate uploads
  • Access to Raw Logs
  • Access to account Audit Logs
  • Dedicated solution and customer success engineers
  • Access to China CDN data centers (Additional Cost)
  • 100 page rules
Compare all features

Free

$ 0 / month
 
For personal websites, blogs, and anyone who wants to explore Cloudflare.

Learn More

Add a Website

Pro

$ 20 / month
per domain
For professional websites, blogs, and portfolios requiring basic security and performance.

Learn More

Get Pro

Business

$ 200 / month
per domain
For small eCommerce websites and businesses requiring advanced security and performance, PCI compliance, and prioritized email support.

Learn More

Get Business

Enterprise

Contact Us
 
For companies requiring enterprise-grade security and performance, prioritized 24/7/365 phone, email, or chat support, and guaranteed uptime.

Learn More

Get in touch

Trusted By

Read some of our case studies

To provide you with the best possible experience on our website, we may use cookies, as described here.
By clicking accept, closing this banner, or continuing to browse our websites, you consent to the use of such cookies.