Managing Cloudflare Origin CA certificates
Use Origin Certificate Authority (CA) certificates to encrypt traffic between Cloudflare and your origin web server and reduce origin bandwidth consumption. Once deployed, these certificates are compatible with Strict SSL mode.
Deploy an Origin CA certificate
1. Create an Origin CA certificate
To create an Origin CA certificate in the dashboard:
- Log in to the Cloudflare dashboard and select an account.
- Choose a domain.
- Go to SSL/TLS > Origin Server.
- Click Create Certificate.
- Choose either:
  - Generate private key and CSR with Cloudflare: Private key type can be RSA or ECDSA.
  - Use my private key and CSR: Paste the Certificate Signing Request into the text field.
- List the hostnames (including wildcards) the certificate should protect with SSL encryption. The zone root and first level wildcard hostname are included by default.
- Choose the expiration date.
- Click Next.
- Choose the Key Format:
  - Servers using OpenSSL, like Apache and NGINX, generally expect PEM files (Base64-encoded ASCII), but also work with binary DER files.
  - Servers using Windows and Apache Tomcat require PKCS#7 (a .p7b file).
- Copy the signed Origin Certificate and Private Key into separate files. For security reasons, you cannot see the Private Key after you exit this screen.
- Click OK.
2. Install Origin CA certificate on origin server
To add an Origin CA certificate to your origin web server:
- Upload the Origin CA certificate (created in Step 1) to your origin web server.
- Update your web server configuration (see the configuration guides for popular servers).
- (required for some) Upload the Cloudflare CA root certificate to your origin server.
- Enable SSL and port 443 at your origin web server.
3. Change SSL/TLS mode
After you have installed the Origin CA certificate on your origin web server, update the SSL/TLS encryption mode for your application.
If all your origin hosts are protected by Origin CA certificates or publicly trusted certificates:
- Go to SSL/TLS.
- For SSL/TLS encryption mode, select Full (strict).
If you have origin hosts that are not protected by certificates, set the SSL/TLS encryption mode for a specific application to Full (strict) by using a Page Rule.
4. (required for some) Add Cloudflare Origin CA root certificates
Some origin web servers require upload of the Cloudflare Origin CA root certificate. Click a link below to download either the RSA or the ECC version of the Cloudflare Origin CA root certificate:
- Cloudflare Origin ECC PEM (do not use with Apache cPanel)
- Cloudflare Origin RSA PEM
Revoke an Origin CA certificate
If you misplace your key material or do not want a certificate to be trusted, you may want to revoke your certificate. You cannot undo this process.
To prevent visitors from seeing warnings about an insecure certificate, you may want to set your SSL/TLS encryption to Full or Flexible before revoking your certificate. Do this globally via the SSL/TLS app or for a specific hostname via a Page Rule.
To revoke a certificate:
- Log in to the Cloudflare dashboard and select an account.
- Choose a domain.
- Go to SSL/TLS > Origin Server.
- In Origin Certificates, choose a certificate.
- Click Revoke.
Additional details
Hostname and wildcard coverage
Certificates may be generated with up to 100 individual Subject Alternative Names (SANs). A SAN can take the form of a fully-qualified domain name (www.example.com) or a wildcard (*.example.com). You cannot use IP addresses as SANs on Cloudflare Origin CA certificates.
Wildcards may only cover one level, but can be used multiple times on the same certificate for broader coverage (for example, *.example.com and *.secure.example.com may co-exist).
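The following Python sketch is an added example, not Cloudflare code. It checks a planned hostname list against the limits above before you request a certificate, and reports which SAN, if any, covers a given origin hostname. The function names are hypothetical, and the requirement that a wildcard be the entire leftmost label is an assumption based on the *.example.com form shown here.

```python
import ipaddress

MAX_SANS = 100  # limit stated in "Hostname and wildcard coverage"

def san_problems(sans):
    """Return the reasons a planned SAN list breaks the rules on this page."""
    problems = []
    if len(sans) > MAX_SANS:
        problems.append(f"{len(sans)} SANs exceeds the limit of {MAX_SANS}")
    for san in sans:
        try:
            ipaddress.ip_address(san)
            problems.append(f"{san}: IP addresses cannot be used as SANs")
            continue
        except ValueError:
            pass  # not an IP literal, so treat it as a hostname
        labels = san.split(".")
        if "" in labels:
            problems.append(f"{san}: empty label")
        # Assumption: a wildcard is only valid as the whole leftmost label.
        if "*" in san and (labels[0] != "*" or "*" in ".".join(labels[1:])):
            problems.append(f"{san}: wildcard must be the whole leftmost label")
    return problems

def covered_by(hostname, sans):
    """Return the SAN covering hostname, or None. A wildcard spans one level."""
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        pattern = san.lower().split(".")
        if len(pattern) != len(host):
            continue  # a one-level wildcard never changes the label count
        if pattern == host:
            return san
        if pattern[0] == "*" and len(host) > 1 and pattern[1:] == host[1:]:
            return san
    return None

if __name__ == "__main__":
    # Constructed sample: zone root plus two one-level wildcards.
    planned = ["example.com", "*.example.com", "*.secure.example.com"]
    print(san_problems(planned))
    for name in ["www.example.com", "api.secure.example.com", "a.b.example.com"]:
        print(name, "->", covered_by(name, planned))
```

A hostname that returns None is not covered by any SAN in the list, so add a further SAN for it before you request the certificate.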
Expiration
By default, newly generated certificates are valid for 15 years. If you wish to generate shorter-lived certificates (for example, as short as 7 days), use the API.
API calls
To automate processes involving Origin CA certificates, use the following API calls.
Operation | Method + URL stub | Notes |
---|---|---|
List Certificates | GET certificates/:zone_id | |
Create Certificate | POST certificates/:zone_id | See the API documentation for a full list of optional parameters, but some are also described in the Details section of this page. |
Get Certificate | GET certificates/:certificate_id | |
Revoke Certificate | DELETE certificates/:certificate_id | Additional details and warnings in Revoke an Origin CA certificate |
Troubleshooting
Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use Origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.