Managing Cloudflare Origin CA certificates

Understand how to use a Cloudflare Origin CA certificate to encrypt traffic between Cloudflare and your origin web server. Learn how to manage Origin CA certificates via Cloudflare and receive advice to install Origin CA certificates at your origin web server.


Use Origin CA certificates to encrypt traffic between Cloudflare and your origin web server.

To ensure greater convenience, security, and performance, Cloudflare recommends an Origin CA certificate over a self-signed certificate or a certificate purchased from a Certificate Authority. With an Origin CA certificate, you can use Full and Full(strict) SSL modes in the Cloudflare SSL/TLS app without first purchasing a certificate from a Certificate Authority to install at your origin web server.

Origin CA certificates only encrypt traffic between Cloudflare and your origin web server and are not trusted by client browsers when directly accessing your origin website outside of Cloudflare. For subdomains that utilize Origin CA certificates, pausing or disabling Cloudflare causes untrusted certificate errors for site visitors.

Deploying Origin CA certificates typically requires three steps:

  1. Create an Origin CA certificate
  2. Install an Origin CA certificate at your origin web server
  3. Configure the SSL mode in the Cloudflare SSL/TLS app
Google App Engine does not support Cloudflare Origin CA certificates. 

Step 1 - Create an Origin CA certificate

You can generate your own Origin CA certificate in the Cloudflare dashboard:

  1. Log in to Cloudflare.
  2. Select the appropriate account for the domain requiring an Origin CA certificate.
  3. Select the domain.
  4. Click the SSL/TLS app.
  5. Click the Origin Server tab.
  6. Click Create Certificate to open the Origin Certificate Installation window.
  7. In the Origin Certificate Installation window, choose either:
    • Let Cloudflare generate a private key and a CSR - requires specifying whether the Private key type is RSA or ECDSA.
    • I have my own private key and CSR - requires pasting the Certificate Signing Request into the text field.
  1. List the hostnames (including wildcards) the certificate should protect with SSL encryption. The zone root and first level wildcard hostname are included by default.
You can include up to 100 hostnames or wildcard hostnames on a single certificate and can include hostnames for other domains within the same Cloudflare account. You can also add support for multi-level subdomains such as *
  1. Choose the certificate expiration. The default is 15 years and the minimum is 7 days.
  1. Click Next.
  2. Select the Key Format. Select the key pair format that best matches your environment. Most OpenSSL-based web servers such as Apache and NGINX expect PEM files (Base64 encoded ASCII), but also work with binary DER files. Windows and Apache Tomcat users must opt for PKCS#7.
  3. Copy the signed Origin Certificate and Private key details into separate files as instructed by the Origin Certificate Installation window.
Be sure to copy the Private key information before clicking OK. For security reasons, the Private key is not displayed again after Origin certificate creation.
  1. Click OK.

Step 2 - Install an Origin CA certificate at your origin web server

Adding an Origin CA certificate to an origin web server requires several general steps:

  1. Upload the Origin CA certificate (created above in Step 1) to your origin web server.
  2. Use the linked installation guides below to update your web server configuration to point to the certificate.
  3. (Optional for most origin web servers) Upload Cloudflare's CA root certificate to your origin web server.
Some web servers, such as IIS and cPanel, validate the Origin CA root certificate. Such web servers require Cloudflare’s root RSA certificate during configuration.
  1. Enable SSL and port 443 at your origin web server.
  2. Check that your origin server firewall doesn't block connections to port 443.

Review the list of links below for installation instructions specific to your origin web server. For further assistance installing an Origin CA certificate, contact your hosting provider, web administrator, or web server vendor.


Step 3 - Configure the SSL mode in the Cloudflare SSL/TLS app

Instruct Cloudflare to encrypt traffic to your origin web server after you install the Cloudflare Origin CA certificate at your origin web server. Set the SSL mode in the Cloudflare SSL/TLS app to either Full or Full(strict)to enable encryption between Cloudflare and your origin web server.

Make this change globally via the SSL/TLS app only if all of your origin hosts are protected by Origin CA certificates or publicly trusted certificates.  Otherwise, consider setting SSL to Full or Full(strict) via the Cloudflare Page Rules app.
To avoid redirect loop errors, first ensure your origin web server configuration does not redirect HTTPS to HTTP or HTTP to HTTPS in a manner contrary to how the Cloudflare SSL mode is configured for Cloudflare connections to your origin web server.

(optional) Step 4 - Add Cloudflare Origin CA root certificates

Some origin web servers require uploading the Cloudflare Origin CA root certificate. See below for an RSA and ECC version of the Cloudflare Origin CA root certificate. Click on a link to download a file:

cPanel does not support ECC certificates. Use the Origin CA root RSA certificate below.

Alternatively, click to expand the root certificate contents for copy and paste into your origin web server configuration:

The previous version of root certificates expire on 2019-11-14T01:43:50Z for the RSA root and 2021-02-22T00:24:00Z for the ECC root. If your origin web server is using outdated root certificates, you must replace them with the latest version to avoid site disruptions.

Remove an Origin CA certificate

Follow these steps to revoke an Origin CA certificate:

  1. Log in to Cloudflare.
  1. Select the appropriate account for the domain where the Origin CA certificate needs revoked.
  1. Select the domain.
  1. Click the SSL/TLS app and scroll down to Origin Certificates.
Visitors will see errors about site insecurity until an Origin CA certificate is replaced. To avoid errors, ensure that the SSL mode is set to either Full or Flexible and not Full(strict), either globally via the SSL/TLS app or for a specific hostname via the Page Rules app before revoking an Origin CA certificate.
  1. Click the X icon to the right of the certificate name in the list of Origin CA certificates.
  1. The Revoke Origin Certificate confirmation window appears.
  1. Check the confirmation box and click Revoke.

Related resources

Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk