As of May 2026, Cloudflare's Universal SSL still ships free on every zone — but the moment you need a custom hostname, a client certificate, or a non-standard cipher policy, the bill jumps to $10/month, $20/month, or $200/month faster than most teams expect. Understanding Cloudflare SSL pricing at the feature boundary level, not just the plan-tier level, is the difference between a clean infrastructure budget and a surprise line item in your next quarterly review. This article gives you the exact per-plan costs as of Q2 2026, a feature-by-feature comparison table, a workload-profile decision matrix you won't find elsewhere, and a clear picture of where Cloudflare's TLS pricing sits relative to alternatives.
Cloudflare bundles SSL/TLS into its broader plan tiers rather than selling standalone certificates. That bundling makes the effective cost of TLS invisible until you need a feature locked behind a higher tier. Here is what each plan actually includes as of Q2 2026.
You get a Universal SSL certificate (DV, issued by Cloudflare's CA partner) covering your apex and one level of subdomain. TLS 1.2 and 1.3 are supported. You can toggle between Flexible, Full, and Full (Strict) modes. There is no option for client certificates, no custom certificate upload, and no Advanced Certificate Manager access. Edge certificate renewal is automatic. For a personal site or a staging environment, this is sufficient. For anything with compliance requirements or multi-level subdomain coverage, it is not.
The Pro tier adds the Web Application Firewall ruleset and improved DDoS mitigation. On the TLS side, the practical upgrade is minor: you still get Universal SSL, still limited to first-level subdomain coverage. The Pro plan does not include Advanced Certificate Manager. If you assumed $20/month buys you custom certificate support, check again. The real TLS unlock at this tier is access to the WAF, which lets you enforce stricter transport policies via custom rules — blocking TLS 1.0/1.1 clients, for example — but the certificate itself is the same DV Universal cert.
This is where Cloudflare SSL certificate pricing changes meaningfully. Business customers can upload their own custom SSL certificates, which means you can bring your OV or EV cert from a third-party CA and terminate it at the Cloudflare edge. You also get priority support and stronger SLA-backed DDoS mitigation. However, even at $200/month, Advanced Certificate Manager is a separate add-on.
Enterprise contracts are negotiated. Published list prices do not exist. In practice, expect annual commitments starting in the low five figures, though the range varies wildly depending on traffic volume, number of zones, and bundled services. Enterprise unlocks dedicated certificates, Keyless SSL, custom cipher suite ordering, and full API control over certificate lifecycle. If your compliance posture requires FIPS 140-2 validated key storage or you run mutual TLS at the edge for service-to-service auth, this is the tier where Cloudflare supports it.
This is the line item most teams miss. ACM is available on any paid plan (Pro, Business, Enterprise) and costs $10/month per zone. It gives you control over certificate authority selection, certificate validity period, cipher suite preference, wildcard coverage, and multi-level subdomain support. If you need a certificate covering *.api.example.com (second-level wildcard), ACM is the minimum required purchase. As of 2026, ACM also supports certificate pinning removal and faster issuance via Cloudflare's own CA.
| Feature | Free ($0) | Pro ($20) | Business ($200) | Enterprise (Custom) |
|---|---|---|---|---|
| Universal SSL (DV) | Yes | Yes | Yes | Yes |
| Custom certificate upload | No | No | Yes | Yes |
| Advanced Certificate Manager | No | +$10/mo | +$10/mo | Included |
| Wildcard on subdomains (multi-level) | No | ACM required | ACM required | Yes |
| Keyless SSL | No | No | No | Yes |
| Dedicated certificates | No | No | No | Yes |
| TLS 1.3 support | Yes | Yes | Yes | Yes |
| Minimum TLS version enforcement | TLS 1.0+ | TLS 1.0+ (WAF rules) | TLS 1.0+ (WAF rules) | Configurable per-hostname |
Cloudflare's model is unusual because TLS is embedded in a platform bundle, not sold as a standalone product. That makes apples-to-apples comparison tricky, but here are the relevant reference points as of 2026:
Let's Encrypt remains free and automated via ACME. It issues DV certificates only, with 90-day lifetimes (soon moving to 6-day short-lived certs under their 2026 roadmap). If you run your own edge infrastructure and have certbot or an ACME client baked into your deployment pipeline, Let's Encrypt costs zero. The trade-off is operational: you own renewal, revocation, and monitoring. No WAF, no DDoS mitigation, no managed edge.
DigiCert remains the dominant choice for OV/EV certificates in regulated industries. Single-domain OV certificates start around $200–$300/year as of 2026. Wildcard OV runs $500–$700/year. You pay for the certificate, then separately for wherever you terminate it. DigiCert does not bundle delivery infrastructure.
AWS Certificate Manager (ACM) issues free public DV certificates when used with AWS services (CloudFront, ALB, API Gateway). If your stack is already AWS-native, the effective TLS cost is $0 for the certificate and whatever you pay for the delivery service. CloudFront pricing starts at $0.085/GB for the first 10 TB, declining with volume.
This is the section missing from every other pricing breakdown. Instead of mapping plans to vague business sizes ("small," "growing," "large"), map them to actual workload characteristics.
| Workload Profile | Recommended Plan | Effective Monthly TLS Cost | Key Constraint |
|---|---|---|---|
| Single-domain marketing site, no compliance requirements | Free | $0 | No custom cert, no multi-level wildcard |
| SaaS product with *.app.example.com subdomains | Pro + ACM | $30 | No custom cert upload; ACM covers wildcard |
| E-commerce with OV/EV cert requirement (PCI DSS) | Business | $200 + third-party cert cost | Upload your own OV/EV; Cloudflare terminates it |
| Multi-tenant platform with custom vanity domains (SSL for SaaS) | Enterprise | Negotiated (typically $5K+/mo with Cloudflare for SaaS) | API-driven cert provisioning per customer domain |
| Financial services with Keyless SSL + HSM integration | Enterprise | Negotiated | Private key never leaves your infrastructure |
The decision pivot is usually not "how big is my company" but rather: do I need multi-level subdomain coverage, and do I need to bring my own certificate? If either answer is yes, you are paying $30/month minimum (Pro + ACM) and likely $200/month or more.
Cloudflare's Free and Pro plans include unmetered bandwidth, which is genuinely unusual and a major cost advantage. But for teams already evaluating CDN spend separately from TLS spend, it is worth noting that the total cost of delivering encrypted traffic is certificate cost plus delivery cost. Cloudflare bundles both. Most other providers do not.
If your architecture splits edge delivery from certificate management — say, you terminate TLS at your own infrastructure or use a dedicated CDN — you can pair Let's Encrypt or ACM certificates with a high-performance CDN at volume-based rates. BlazingCDN delivers stability and fault tolerance comparable to Amazon CloudFront at significantly lower cost, starting at $4/TB ($0.004/GB) and scaling down to $2/TB at 2 PB+ monthly commitment. For teams pushing 100+ TB/month of TLS-terminated traffic, that separation of concerns can cut delivery costs by 50% or more versus an all-in-one platform, while maintaining 100% uptime SLA and flexible configuration for demand spikes.
Two shifts matter for anyone reassessing their TLS posture on Cloudflare this year:
1. ACM now defaults to Cloudflare's own CA for faster issuance. Previously, ACM certificates were primarily issued via Let's Encrypt or DigiCert as backing CAs. As of early 2026, Cloudflare's own publicly trusted CA is the default for ACM-issued certs, reducing issuance latency and giving Cloudflare more control over the certificate lifecycle. This matters if you have automation that checks issuer fields or if you pin to a specific CA chain.
2. TLS 1.0 and 1.1 are now off by default on all plans. Cloudflare previously allowed Free plan users to serve TLS 1.0 clients. As of Q1 2026, the minimum default is TLS 1.2 across all tiers, aligning with browser deprecation timelines. If you had legacy IoT or embedded clients negotiating TLS 1.0, they are now failing on Cloudflare unless you are on Enterprise and have explicitly requested a policy exception.
Zero. The Free plan includes a Universal SSL certificate (DV) covering your apex domain and first-level subdomains. Renewal is automatic. There is no charge for TLS termination or bandwidth on the Free tier as of 2026.
Yes. ACM costs $10/month per zone and is available on any paid plan (Pro, Business, or Enterprise). It is not included in the $20/month Pro plan or the $200/month Business plan by default. Enterprise contracts sometimes bundle it at no additional charge, but this varies by negotiation.
Yes. Business ($200/month) is the lowest tier that allows you to upload your own SSL certificate — OV, EV, or any DV cert issued by a third-party CA. You purchase the certificate separately from your CA and upload it via the Cloudflare dashboard or API.
No. Universal SSL on the Free plan covers only first-level subdomains (e.g., api.example.com). Multi-level subdomains like api.staging.example.com require Advanced Certificate Manager ($10/month) on a paid plan to issue a wildcard or SAN certificate that covers deeper subdomain levels.
Pro ($20/month) plus Advanced Certificate Manager ($10/month) for a total of $30/month per zone. This gives you wildcard coverage including multi-level subdomains. The Free plan does not support wildcard certificates at all.
A DigiCert OV wildcard certificate costs roughly $500–$700/year as of 2026. Cloudflare's Business plan at $200/month ($2,400/year) includes the ability to upload that DigiCert cert plus edge delivery, WAF, and DDoS mitigation. If you only need DV and do not need OV/EV, Cloudflare's Free or Pro + ACM ($30/month) is dramatically cheaper.
Pull up your Cloudflare dashboard and check two things: how many zones have ACM enabled, and how many are on the Free plan but actually serving multi-level subdomains (they are failing silently or falling back to HTTP in some client configurations). Run openssl s_client against your deepest subdomain and verify the cert SAN list covers it. If it does not, you now know exactly which plan boundary you have hit and what the fix costs. If you are running multiple zones, multiply the ACM add-on accordingly — that $10/zone adds up fast at 20+ zones and is worth modeling against alternatives where certificate management and delivery are priced independently.