Managing Cloudflare Origin CA certificates
Understand how to use a Cloudflare Origin CA certificate to encrypt traffic between Cloudflare and your origin web server. Learn how to manage Origin CA certificates via Cloudflare and receive advice to install Origin CA certificates at your origin web server.
Overview
Use Origin CA certificates to encrypt traffic between Cloudflare and your origin web server.
To ensure greater convenience, security, and performance, Cloudflare recommends an Origin CA certificate over a self-signed certificate or a certificate purchased from a Certificate Authority. With an Origin CA certificate, you can use the Full and Full (strict) SSL modes in the Cloudflare SSL/TLS app without first purchasing a certificate from a Certificate Authority to install at your origin web server.
Deploying Origin CA certificates typically requires three steps:
- Create an Origin CA certificate
- Install an Origin CA certificate at your origin web server
- Configure the SSL mode in the Cloudflare SSL/TLS app
Step 1 - Create an Origin CA certificate
You can generate your own Origin CA certificate in the Cloudflare dashboard:
- Log in to Cloudflare.
- Select the appropriate account for the domain requiring an Origin CA certificate.
- Select the domain.
- Click the SSL/TLS app.
- Click the Origin Server tab.
- Click Create Certificate to open the Origin Certificate Installation window.
- In the Origin Certificate Installation window, choose either:
  - Let Cloudflare generate a private key and a CSR - requires specifying whether the Private key type is RSA or ECDSA.
  - I have my own private key and CSR - requires pasting the Certificate Signing Request into the text field.
- List the hostnames (including wildcards) the certificate should protect with SSL encryption. The zone root and first level wildcard hostname are included by default.
- Choose the certificate expiration. The default is 15 years and the minimum is 7 days.
- Click Next.
- Select the Key Format that best matches your environment. Most OpenSSL-based web servers such as Apache and NGINX expect PEM files (Base64 encoded ASCII), but also work with binary DER files. Windows and Apache Tomcat users must opt for PKCS#7.
- Copy the signed Origin Certificate and Private key details into separate files as instructed by the Origin Certificate Installation window.
- Click OK.
Step 2 - Install an Origin CA certificate at your origin web server
Adding an Origin CA certificate to an origin web server requires several general steps:
- Upload the Origin CA certificate (created above in Step 1) to your origin web server.
- Use the linked installation guides below to update your web server configuration to point to the certificate.
- (Optional for most origin web servers) Upload Cloudflare's CA root certificate to your origin web server.
- Enable SSL and port 443 at your origin web server.
- Check that your origin server firewall doesn't block connections to port 443.
Review the list of links below for installation instructions specific to your origin web server. For further assistance installing an Origin CA certificate, contact your hosting provider, web administrator, or web server vendor.
- Apache httpd
- GoDaddy Hosting (with cPanel)
- Microsoft IIS 7
- Microsoft IIS 8 and 8.5
- Microsoft IIS 10
- NGINX
- Tomcat
Step 3 - Configure the SSL mode in the Cloudflare SSL/TLS app
After you install the Cloudflare Origin CA certificate at your origin web server, instruct Cloudflare to encrypt traffic to your origin web server. Set the SSL mode in the Cloudflare SSL/TLS app to either Full or Full (strict) to enable encryption between Cloudflare and your origin web server.
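Before pointing the web server configuration at the files copied out of the dashboard (Step 2) and switching the SSL mode to Full (strict) (Step 3), it is worth confirming that the certificate and private key belong together, that the certificate is within its validity period, and that it covers every hostname Cloudflare will proxy. The following added example (not Cloudflare's code; the function names CheckOriginCert and makeTestPair are hypothetical) performs those checks with Go's standard library, using a constructed self-signed ECDSA certificate so it runs offline; a real Origin CA certificate and key are checked the same way. It does not verify the chain to the Cloudflare Origin CA root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckOriginCert loads the certificate and key PEM data exactly as a web server
// would, rejects a key that does not match the certificate, then checks validity
// dates and that every hostname to be proxied is covered by the certificate's SANs.
func CheckOriginCert(certPEM, keyPEM []byte, hosts []string, now time.Time) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // errors on bad PEM or key/cert mismatch
	if err != nil {
		return fmt.Errorf("cert/key pair rejected: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return err
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("not valid at %s (valid %s to %s)", now, leaf.NotBefore, leaf.NotAfter)
	}
	for _, h := range hosts {
		if err := leaf.VerifyHostname(h); err != nil { // a wildcard matches one label only
			return fmt.Errorf("hostname %q not covered: %w", h, err)
		}
	}
	return nil
}

// makeTestPair builds a constructed self-signed ECDSA certificate and key (PEM) valid
// for one year up to notAfter, so the check can be exercised without a real certificate.
func makeTestPair(dnsNames []string, notAfter time.Time) (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dnsNames,
		NotBefore: notAfter.Add(-365 * 24 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM
}
```

On a real origin, read the certificate and key files into certPEM and keyPEM and pass the hostnames listed when the certificate was created; the first-level wildcard included by default does not cover deeper subdomains.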
(optional) Step 4 - Add Cloudflare Origin CA root certificates
Some origin web servers require uploading the Cloudflare Origin CA root certificate. Cloudflare provides both an RSA and an ECC version of the Cloudflare Origin CA root certificate for download.
Remove an Origin CA certificate
Follow these steps to revoke an Origin CA certificate:
- Log in to Cloudflare.
- Select the appropriate account for the domain whose Origin CA certificate needs to be revoked.
- Select the domain.
- Click the SSL/TLS app and scroll down to Origin Certificates.
- Click the X icon to the right of the certificate name in the list of Origin CA certificates. The Revoke Origin Certificate confirmation window appears.
- Check the confirmation box and click Revoke.