When the proxy is enabled on a DNS record, Cloudflare automatically issues a Universal SSL certificate so that the domain or subdomain can be reached over https://.
By default, the SSL certificate is usually issued by the Let’s Encrypt CA, but Cloudflare also offers other CA options such as Google Trust Services, Sectigo, and SSL.com (depending on availability for the account/zone).
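
# Placeholders: replace with your zone ID, API key and account e-mail
ZONE_ID=ID
AUTH_KEY=KEY
AUTH_EMAIL=EMAIL

# Read the current Universal SSL settings for the zone
curl -X GET \
"https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings" \
-H "X-Auth-Key: $AUTH_KEY" \
-H "X-Auth-Email: $AUTH_EMAIL"

Changing the Certificate Authority (CA)

DigiCert
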
curl -sX PATCH \
"https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings" \
-H "X-Auth-Key: $AUTH_KEY" \
-H "X-Auth-Email: $AUTH_EMAIL" \
-H "Content-Type: application/json" \
--data '{"certificate_authority":"digicert"}'

Google Trust Services

curl -sX PATCH \
"https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings" \
-H "X-Auth-Key: $AUTH_KEY" \
-H "X-Auth-Email: $AUTH_EMAIL" \
-H "Content-Type: application/json" \
--data '{"certificate_authority":"google"}'

Sectigo

curl -sX PATCH \
"https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings" \
-H "X-Auth-Key: $AUTH_KEY" \
-H "X-Auth-Email: $AUTH_EMAIL" \
-H "Content-Type: application/json" \
--data '{"certificate_authority":"sectigo"}'

SSL.com

curl -sX PATCH \
"https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings" \
-H "X-Auth-Key: $AUTH_KEY" \
-H "X-Auth-Email: $AUTH_EMAIL" \
-H "Content-Type: application/json" \
--data '{"certificate_authority":"ssl_com"}'

Let’s Encrypt

curl -sX PATCH \
"https://api.cloudflare.com/client/v4/zones/$ZONE_ID/ssl/universal/settings" \
-H "X-Auth-Key: $AUTH_KEY" \
-H "X-Auth-Email: $AUTH_EMAIL" \
-H "Content-Type: application/json" \
--data '{"certificate_authority":"lets_encrypt"}'

After the CA is changed, the SSL certificate that is currently active does not always switch to the new CA right away. Cloudflare may keep using the old certificate until it expires or until an automatic re-issuance takes place.
However, if you add a new subdomain with the proxy enabled, a new certificate is usually issued immediately using the CA that is selected at that moment.
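
Because the served certificate can lag behind the setting, it helps to compare the two. The following is an added example, not part of the original page: the function names, the issuer-to-CA mapping and the sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the CA configured for Universal SSL with the CA
# that issued the certificate actually served for a hostname.

# Extract "certificate_authority" from the settings JSON (read from stdin),
# i.e. the body returned by GET .../ssl/universal/settings.
configured_ca() {
  sed -n 's/.*"certificate_authority"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Map an issuer line (openssl x509 -noout -issuer) to the API value.
# The organisation strings below are assumptions about how each CA names
# itself in the issuer field; adjust them to what you observe.
issuer_to_ca() {
  case "$1" in
    *"Let's Encrypt"*)               echo lets_encrypt ;;
    *"Google Trust Services"*)       echo google ;;
    *"Sectigo"*)                     echo sectigo ;;
    *"SSL Corporation"*|*"SSL.com"*) echo ssl_com ;;
    *"DigiCert"*)                    echo digicert ;;
    *)                               echo unknown ;;
  esac
}

# Issuer of the certificate served for hostname $1 (needs network access).
live_issuer() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -issuer
}

# $1 = settings JSON, $2 = issuer line. Prints: applied | pending | unknown
ca_status() {
  want=$(printf '%s' "$1" | configured_ca)
  have=$(issuer_to_ca "$2")
  if [ -z "$want" ] || [ "$have" = unknown ]; then echo unknown
  elif [ "$want" = "$have" ]; then echo applied
  else echo pending
  fi
}

# Constructed sample inputs (not real API output or a real certificate).
SAMPLE_JSON='{"result":{"enabled":true,"certificate_authority":"google"},"success":true}'
SAMPLE_ISSUER="issuer=C = US, O = Let's Encrypt, CN = E5"
```

With live data, pass the output of the settings request above as the first argument and `"$(live_issuer www.example.com)"` as the second; `pending` means the old certificate is still being served.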