Origin CA certificates
Use Origin Certificate Authority (CA) certificates to encrypt traffic between Cloudflare and your origin web server and reduce origin bandwidth consumption. Once deployed, these certificates are compatible with Strict SSL mode.
For more background information on Origin CA certificates, refer to the introductory blog post.
Availability
Free | Pro | Business | Enterprise | |
Availability |
Yes | Yes | Yes | Yes |
Deploy an Origin CA certificate
1. Create an Origin CA certificate
To create an Origin CA certificate in the dashboard:
- Log in to the Cloudflare dashboard and select an account.
- Choose a domain.
- Go to SSL/TLS > Origin Server.
- Select Create Certificate.
- Choose either:
- Generate private key and CSR with Cloudflare: Private key type can be RSA or ECC.
- Use my private key and CSR: Paste the Certificate Signing Request into the text field.
- List the hostnames (including wildcards) the certificate should protect with SSL encryption. The zone apex and first level wildcard hostname are included by default.
- Choose a Certificate Validity period.
- Select Create.
- Choose the Key Format:
- Servers using OpenSSL — like Apache and NGINX — generally expect PEM files (Base64-encoded ASCII), but also work with binary DER files.
- Servers using Windows and Apache Tomcat require PKCS#7 (a
.p7b
file).
- Copy the signed Origin Certificate and Private Key into separate files. For security reasons, you cannot see the Private Key after you exit this screen.
- Select OK.
2. Install Origin CA certificate on origin server
To add an Origin CA certificate to your origin web server
- Upload the Origin CA certificate (created in Step 1) to your origin web server.
- Update your web server configuration:
- Apache httpd
- GoDaddy Hosting
- Microsoft IIS 7
- Microsoft IIS 8 and 8.5
- Microsoft IIS 10
- NGINX
- Apache Tomcat
- Amazon Web Services
- Apache cPanel
- Ubuntu Server with Apache2
- (Required for some) Upload the Cloudflare CA root certificate to your origin server. This can also be referred to as the certificate chain.
- Enable SSL and port
443
at your origin web server.
3. Change SSL/TLS mode
After you have installed the Origin CA certificate on your origin web server, update the SSL/TLS encryption mode for your application.
If all your origin hosts are protected by Origin CA certificates or publicly trusted certificates:
- Go to SSL/TLS.
- For SSL/TLS encryption mode, select Full (strict).
If you have origin hosts that are not protected by certificates, set the SSL/TLS encryption mode for a specific application to Full (strict) by using a Page Rule.
Revoke an Origin CA certificate
If you misplace your key material or do not want a certificate to be trusted, you may want to revoke your certificate. You cannot undo this process.
To prevent visitors from seeing warnings about an insecure certificate, you may want to set your SSL/TLS encryption to Full or Flexible before revoking your certificate. Do this globally via the Cloudflare dashboard or for a specific hostname via a Page Rule.
To revoke a certificate:
- Log in to the Cloudflare dashboard and select an account.
- Choose a domain.
- Go to SSL/TLS > Origin Server.
- In Origin Certificates, choose a certificate.
- Select Revoke.
Additional details
Cloudflare Origin CA root certificate
Some origin web servers require upload of the Cloudflare Origin CA root certificate or certificate chain. Use the following links to download either an ECC or an RSA version and upload to your origin web server:
- Cloudflare Origin ECC PEM (do not use with Apache cPanel)
- Cloudflare Origin RSA PEM
Hostname and wildcard coverage
Certificates may be generated with up to 200 individual Subject Alternative Names (SANs). A SAN can take the form of a fully-qualified domain name (www.example.com
) or a wildcard (*.example.com
). You cannot use IP addresses as SANs on Cloudflare Origin CA certificates.
Wildcards may only cover one level, but can be used multiple times on the same certificate for broader coverage (for example, *.example.com
and *.secure.example.com
may co-exist).
API calls
To automate processes involving Origin CA certificates, use the following API calls with Origin CA Keys.
Operation | Method | Endpoint |
---|---|---|
List certificates | GET |
certificates?zone_id=<<ZONE_ID>> |
Create certificate | POST |
certificates |
Get certificate | GET |
certificates/<<ID>> |
Revoke certificate | DELETE |
certificates/<<ID>> |
Troubleshooting
Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use Origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.