This tutorial shows you how to set up the Origin CA certificate from Cloudflare on your web server.
Once you’ve done that, you’ll save yourself the hassle of the Let’s Encrypt ACME Challenge with Cloudflare.
Cloudflare’s documentation for setting up the Cloudflare origin certificate is unfortunately very fuzzy and incomplete, which is why I decided to publish this guide. By the way, the Origin certificate has been around since 2016.
The best part is, the certificate lasts 15 years and is free!
The Cloudflare Origin certificate encrypts the traffic between your web host and the Cloudflare server.
This means you no longer need to set up a paid or Let’s Encrypt certificate on your web server.
Instead, we install the Cloudflare Origin CA certificate, which does not need to be renewed for 15 years.
- How do I install the origin server certificate at the web host?
- Where can I find the CA certificate?
What do I need from Cloudflare?
- SSL/TLS certificate
- Private key
- CA Certificate (See step 12)
Instructions: Set up Cloudflare Origin CA Certificate
For this tutorial you need a free Cloudflare account where you install the Origin CA certificate.
You also need sufficient rights on your webspace or webserver to create the certificate.
If some terms confuse you, please scroll down to the explanation.
- SSL/TLS origin server certificate
In the Cloudflare dashboard for the desired domain, go to the menu SSL/TLS > Origin Server.
- Click on “Create Certificate“.
- In the new window, you can accept all default settings and click on “Create“. The defaults are: “Generate private key and CSR with Cloudflare” is selected, your domain (domain.com) is entered under Hostnames, and the certificate validity of 15 years is pre-selected. Check all three before you continue.
- Copy and save the certificate and the private key!
Attention: As soon as you have clicked on “OK”, you can no longer access the private key!
You can save the certificate and the private key as .pem or .crt files. The file extension doesn’t matter, because we will paste the contents as text at the hoster afterwards anyway.
- From now on, the tutorial continues mainly for the Plesk web hosting panel. For CPanel go to the Security > SSL/TLS menu. For all other providers and panels, the procedures are very similar.
- In Plesk, go to “Websites & Domains” and click on “SSL/TLS Certificates“.
- In the following menu you might see your current certificate active. In my case, Let’s Encrypt was installed.
But please switch to the “Advanced Settings” tab in the top right menu right away.
- In the window “Add SSL/TLS certificate” you have to enter a name at the top. You have free choice, for me it is called “Cloudflare Origin bp”, where “bp” simply stands for BloggerPilot.
Please fill in all remaining fields marked with a red star to the best of your knowledge. For the key length (bits) I chose 2048, because Cloudflare also specified it that way.
Do not click on “Request”!
- Still in the “Add SSL/TLS certificate” window, scroll down to the bottom, where you will see three empty fields under the heading “Upload certificate as text“. Now insert your keys here:
- Private key (*.key) *: Paste Cloudflare > Origin Server > Private Key.
- Certificate (*.crt): Paste Cloudflare > Origin Server > Origin Certificate.
- CA certificate (*-ca.crt): Download the Cloudflare Origin RSA PEM (Cloudflare’s Origin CA root certificate) from Cloudflare, open it in an editor and paste it here.
- Click “Upload Certificate”.
This will install the certificate.
- Back in “SSL/TLS certificates for domain.com” you can select the new certificate and protect your webmail and emails with it.
- Switch back to “Websites & Domains“, at the desired domain click on the tab “Hosting & DNS” and then on “Hosting Settings“.
- In the “Hosting settings for domain.com” window, leave everything as it was and only select the newly created Cloudflare Origin certificate (Cloudflare Origin bp) next to Certificate and save with “OK”.
- With this, your new Cloudflare Origin certificate is active for your domain.
- Finally, you can check again in the menu “Websites & Domains” > “SSL/TLS Certificates” whether everything has gone well.
- In Cloudflare > SSL/TLS > Overview, set the encryption mode to “Full (strict)” if it was not already. In this mode Cloudflare verifies your origin server’s certificate, which is exactly what the Origin CA certificate is issued for.
- Optional: If you had another certificate installed before, you can delete it now in the “Advanced settings” menu. Back in Cloudflare > DNS, I then deleted the TXT entry “_acme-challenge”, as this was only necessary for the old Let’s Encrypt certificate.
Pat yourself on the back, you have successfully set up your SSL certificate with your web host!
Now test your website in the browser to see if the certificate is active. Make sure the request goes through Cloudflare’s proxy: the Origin CA certificate is trusted by Cloudflare, not by browsers, so a direct request to the origin server would show a certificate warning.
Explanation of terms
Origin CA certificate
Origin CA certificate = origin certificate
The Origin Certificate Authority (CA) certificate is used to encrypt traffic between Cloudflare and your origin web server and reduce the bandwidth consumption of the origin server. Once deployed, these certificates are compatible with Strict SSL mode.
What is an Origin Server?
Origin Server = Web Hosting / Web Server
The purpose of an origin server is to process and respond to incoming Internet requests from Internet clients. The concept of an origin server is usually used in conjunction with the concept of an edge server. At its core, an origin server is a computer running one or more programs designed to listen to and process incoming Internet requests.
What is an edge server?
Edge Server = Cloudflare / CDN / Cache Server
A CDN edge server is a computer located at the logical end or “edge” of a network. An edge server often serves as a connection between separate networks. The main purpose of an edge server is to store content as close as possible to a requesting client computer, thereby reducing latency and improving page load times.