Last modified: March 22, 2024
Looks like an undocumented API call mentioned here can do this.
For getting Universal SSL settings for a Zone (API documentation):
ZONE_ID=ID
AUTH_KEY=KEY
AUTH_EMAIL=EMAIL
curl -X GET \
https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings \
-H "X-Auth-Key: $AUTH_KEY" \
-H "X-Auth-Email: $AUTH_EMAIL"
The response looks like:
{"result":{"enabled":true,"certificate_authority":"lets_encrypt"},"success":true,"errors":[],"messages":[]}
which contains a certificate_authority attribute that doesn't appear in the documentation. Notice that the documentation also doesn't give options for certificate_authority. Viable options look to be lets_encrypt, google and digicert.
To modify the Universal SSL CA settings for a Zone:
curl -X PATCH \
https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings \
-H "X-Auth-Key: $AUTH_KEY" \
-H "X-Auth-Email: $AUTH_EMAIL" \
-H "Content-Type: application/json" \
--data '{"certificate_authority":"google"}'
The Certificate authorities · Cloudflare SSL/TLS docs list four CAs (see the documentation for details):
- Let’s Encrypt
- Google Trust Services
- Sectigo (formerly Comodo)
- DigiCert
DigiCert is said to be deprecated soon, and Sectigo is only used for backup certificates; Google Trust Services at Cloudflare currently doesn't use ECDSA (but it's said to be supported soon).
There might be unexpected issues if you switch it back and forth; see:
You may find more information on CAs at:
https://developers.cloudflare.com/ssl/reference/certificate-authorities/
https://community.cloudflare.com/t/certificate-authorities-used-by-cloudflare/398466
https://community.cloudflare.com/t/change-the-certificate-authority-ca/606430
"Certificate and hostname priority" might also be helpful:
https://developers.cloudflare.com/ssl/reference/certificate-and-hostname-priority/
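As an added example (not code from the post above or from Cloudflare), here are the GET and PATCH calls from the post as Python functions that refuse to send a certificate_authority value other than the three seen in the thread, and that fail loudly when the API reports success:false. The zone id, key and email are placeholders; the sample response is the one quoted in the post.

```python
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
# CA values observed in the thread; the API documentation does not list them.
KNOWN_CAS = {"lets_encrypt", "google", "digicert"}

# Constructed sample: the GET response quoted in the post above.
SAMPLE_RESPONSE = (b'{"result":{"enabled":true,"certificate_authority":"lets_encrypt"},'
                   b'"success":true,"errors":[],"messages":[]}')


def auth_headers(auth_key, auth_email):
    """Global API Key headers, as used by the curl calls in the post."""
    return {"X-Auth-Key": auth_key, "X-Auth-Email": auth_email}


def settings_url(zone_id):
    return f"{API_BASE}/zones/{zone_id}/ssl/universal/settings"


def build_request(zone_id, headers, certificate_authority=None):
    """GET the Universal SSL settings, or PATCH certificate_authority if given.
    Unknown CA names are rejected before any request leaves the machine."""
    url = settings_url(zone_id)
    if certificate_authority is None:
        return urllib.request.Request(url, headers=headers, method="GET")
    if certificate_authority not in KNOWN_CAS:
        raise ValueError(f"unknown certificate_authority: {certificate_authority!r}")
    body = json.dumps({"certificate_authority": certificate_authority}).encode()
    return urllib.request.Request(url, data=body, method="PATCH",
                                  headers={**headers, "Content-Type": "application/json"})


def parse_settings(raw):
    """Return the result object; raise if the API envelope says the call failed."""
    doc = json.loads(raw)
    if not doc.get("success"):
        raise RuntimeError(f"API call failed: {doc.get('errors')}")
    return doc["result"]


def current_ca(raw):
    """The certificate_authority attribute from a GET response body."""
    return parse_settings(raw).get("certificate_authority", "")


def send(req):  # network call; not exercised offline
    with urllib.request.urlopen(req) as resp:
        return parse_settings(resp.read())
```

Typical use: `send(build_request(ZONE_ID, auth_headers(AUTH_KEY, AUTH_EMAIL)))` to read, then the same with `"google"` as the third argument to switch the CA.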