Managing Cloudflare Origin CA certificates

To generate a certificate with Origin CA, navigate to the Crypto section of your Cloudflare dashboard. From there, click the Create Certificate button in the Origin Certificates section:

You will be presented with a dialog to select the certificate creation mechanism, key type, certificate validity period, and hostnames included on the certificate (by default the zone root and first level wildcard hostname). You can include up to 100 hostnames/wildcard hostnames on a single certificate, and can include hostnames for other zones on the same account:

Note that some older browsers will not have the option to generate a private key and CSR, in which case you'll need to create your own key and CSR outside the browser or use a newer browser.

Once you're satisfied with the certificate settings, select Next to generate the certificate. You will see a dialog allowing you to copy the signed certificate and private key if you chose to have Cloudflare generate one for you:

If you prefer to use the API to generate certificates, see

If you need to later revoke a certificate, click the X icon adjacent the certificate name in the list of Origin CA certificates. 

A Cloudflare Origin CA Certificate is only trusted by Cloudflare and therefore should only be used by origin servers that are actively connected to Cloudflare. If at any point you pause or disable Cloudflare, your Origin CA certificate will throw an untrusted certificate error.
Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk