BrandSSL vs Cloudflare SSL for SaaS: What's the Difference?


3 min read

The challenge of securing custom domain names can not be overstated. Before we founded BrandSSL, we were facing a common custom domain problem and the only solution we found on the market was Cloudflare's SSL for SaaS service.

While Cloudflare's role in safeguarding the web (via DDOS mitigation, CDN availability, Speed enhancements, and a ton of other services) is something we should all be thankful for, it's pricing for the "SSL for SaaS" solution is unrealistic for a growing SaaS company.

When speaking with their sales team we realized the SSL for SaaS product was only available to enterprise customers, and we got a quote for whom pricing starts in the “low four figures” monthly.

For many SaaS companies, that’s an extremely high price to pay for SSL certificates – especially as Cloudflare’s basic package offers most of the features on the enterprise plan. Hence, we needed to build a reliable, cost-effective alternative, and BrandSSL was born.

BrandSSL vs Cloudflare SSL for SaaS - The main differences.

1) Technical Simplicity: API calls optional

To set up Cloudflare's SSL for SaaS product, SaaS companies will need to instruct their clients to point a CNAME record (eg. at their Cloudflare-protected endpoint (eg. and then pinging the Clouflare API to request SSL certificate issuance.

The query itself looks like this:

Having to do this every single time isn’t ideal if you’re running a globally-available app.

BrandSSL works in almost the same way, but API calls are optional. When BrandSSL detects a new domain sending traffic to your BrandSSL-configured endpoint (eg., our service tries to secure it automatically in seconds without an API call.

For our customers, this implies zero setup whatsoever, we will issue the certificate as soon as traffic from a new domain is detected, and we will then transition non-HTTPS connections to HTTPS automatically as soon as the certificate is issued.

2) Shorter Certificate Validity Periods

Cloudflare's SSL for SaaS service issues certificates valid for 365 days. This is better than a two-year minimum, but it is not comparable to a shorter duration.

By default, we use let's encrypt on our backend, which requires a ninety-day lifetime for certificates. This is for two main reasons.

  • To limit damage in the event of a compromise
  • To encourage certificate rotation

BrandSSL takes care of your certificate rotation for all your domains, so your certificates are safer and easier to manage.

3) Pricing

BrandSSL pricing is designed for small, growing and enterprise companies - we're fully transparent about our cost and you can find everything you need to know on the pricing page

enterprise-only-768x158.png Cloudflare SSL for SaaS service. Enterprise only.

Cloudflare’s SSL for SaaS pricing, however, isn’t really designed for small businesses. From our inquiry, we were told that the SSL for SaaS product is only available on the enterprise plan, which starts from “four figures monthly” (that’s USD).

The advantage of using BrandSSL, is that you do not loose any of Cloudflare's extra services (DDOS mitigation and CDN services) as you can use your Cloudflare (free plan) proxied endpoint with BrandSSL.


Securing your customer's custom domain name is non-negotiable, It’s better for you, better for them, and better for the web in general.