#modal-topnav { display:none; }

Why Cloudflare

Solutions

Products

Documentation

Pricing

Partners

Getting Started

Getting Started Options
- Free Options
  Add your Website or App to Cloudflare
  Secure and accelerate personal websites with built-in, DNS, CDN, and DDoS protection.
  Protect Your Team with Cloudflare
  Secure access to Internet, self-hosted and SaaS applications for up to 50 users for free.
  Deploy Serverless Code
  Deploy serverless code, up to 100k requests per day, across all Cloudflare data centers.
  Build and Deploy Modern Web Projects
  JAMstack platform for front-end developers to deploy websites on the Cloudflare edge network.
  Paid Monthly Plans
  For Applications and Websites
  For small and medium businesses that need more than the basic security and peformance features.
  Cloudflare's Zero Trust Platform
  For workforces larger than 50 people that want the full stack of security with enhanced visibility and customer support.
  Serverless Code
  For developers and business that need more than 100k requests per day, the lowest latency, and additional Workers KV edge storage.
  Pages (JAMstack Platform)
  Paid plans allow 5+ concurrent builds and 5,000+ builds per month on the Cloudflare edge network.
  Domain Registration
  Securely register and manage your domain names with transparent, no-markup pricing.
  Annual Contract Plans
  Enterprise Plan
  Comprehensive security, performance, and reliability platform for mission-critical infrastructure with fine grained controls, analytics, SLAs, and premium support.
Welcome Center
- Welcome Center
Learning Center
- Learning Center
  Resources on cyber security and how the Internet works from Cloudflare.
- Security
  Learn about common web application vulnerabilities and how they can be mitigated.
- DDoS
  Explore details about how DDoS attacks function, and how they can be stopped.
- Bot Management
  Some bots are good. Some bots are bad. Learn the difference and how to stop the bad ones.
- SSL
  What is SSL? What's the difference between SSL and TLS? Learn it all here.
- Protect Users and Applications
  Identity and access management (IAM) systems verify user identities and control user privileges.
- Performance
  Understand why fast site speed is crucial and what hurts and improves site performance.
- CDN
  Explore how a CDN works under the hood to deliver fast, efficient and secure delivery of content to websites and Internet services.
- DNS
  DNS is what lets users connect to websites using domain names instead of IP addresses. Learn how DNS works.
- Cloud
  The cloud is made up of servers in data centers all over the world. Moving to the cloud can save companies money and add convenience for users.
- Serverless
  What is serverless computing and what are the advantages? Explore that here.
- Email Security
  Email security is the practice of preventing email-based cyber attacks, protecting email accounts from takeover, and securing the contents of emails.
- Network Layer
  The network layer is layer 3 in the OSI model, and it is responsible for connections between different networks.
Get Help
- Get Help
Contact Sales

Sign Up

Under Attack?

Support

Log In

Overview of Keyless SSL

Keyless SSL lets sites use Cloudflare’s SSL service while retaining on-premise custody of their private keys. This is a brand-new security technology, developed by a team of cryptographers, systems engineers, and network specialists at Cloudflare.

The standard Cloudflare SSL service requires a customer to share their site’s SSL key with Cloudflare. Cloudflare takes extensive technical measures to safeguard customer key information. However, for some customers there are policy or technical obstacles preventing them from sharing their site’s SSL key with Cloudflare. This is why we are excited to introduce Keyless SSL.

Already a Cloudflare customer? Log In

Why Use Keyless SSL?

While most customers are comfortable with Cloudflare managing their private keys, some have unique security requirements making this impossible. Keyless SSL allows users to retain control of keys while still routing encrypted traffic through Cloudflare’s global network.

With Keyless SSL, for the first time ever, an organization can use a solution such as Cloudflare, that is infinitely scalable and infinitely elastic, without sharing their SSL key. Companies are able to get all of the benefits of the cloud (DDoS attack mitigation, load balancing, WAN optimization), without having to choose between encrypting web traffic or giving their SSL private keys to a 3rd party cloud provider.

How Keyless SSL Works

Note: Keyless SSL requires that Cloudflare decrypt, inspect and re-encrypt traffic for transmission back to a customer’s origin.

For non-SSL traffic through Cloudflare there are 3 parties: Client (e.g., web browser), Cloudflare edge node and Customer origin server.

For SSL traffic with Keyless SSL enabled, there is one additional endpoint involved in the initial SSL session creation, after which normal transmission resumes.

The request flow for Keyless SSL transactions is as follows:

1a. Client (e.g., web browser) connects to the Cloudflare edge node closest to the customer, via Anycast routing. The client sends a secret to the edge server encrypted with the site’s public key.

1b. The edge server contacts the key server, authenticating itself with a certificate. The edge server sends the encrypted secret to the key server to decrypt it. The key server returns the decrypted secret over an encrypted tunnel.

2a. Both client and server use the shared secret to establish a secure connection. Client (e.g., web browser) makes request over HTTPS for Cloudflare-powered customer resource.

2b. Cloudflare edge node (the Session Server) decrypts, inspects, and processes the original request.

The authentication step happens only once per session; additional requests within the session do not require the extra check to the Key Server. The customer can modify the default SSL session TTL (time to live) from 18 hours to as low as 5 minutes or as high as 48 hours.

For more details on Keyless SSL see this blog post.

Third Party Security Audits

Cloudflare’s Keyless SSL cryptography has been reviewed by iSEC Partners in conjunction with Matasano Security, and each part of NCC Group — world leaders in application security and cryptographic review.

How to Get Access to Keyless SSL

Keyless SSL will initially be available only to customers on the Enterprise plan. For more information on the Enterprise plan and Keyless SSL, contact our sales team.

Setting Up Cloudflare Is Easy

Set up a domain in less than 5 minutes. Keep your hosting provider. No code changes required.

Trusted by millions of Internet properties

View case studies