How to install an Origin CA certificate in Microsoft IIS 10

IIS 10 Origin CA (Certificate Authority) Installation

  1. Obtain private key and origin certificate pair

    Create a certificate signing request in IIS and export it. Note that the instructions are for wildcard certificates but that you can specify any set of hostnames on your zone. Instead of exporting as .pfx, you should export as .pem.

  2. Log into the Cloudflare dashboard and create an Origin Certificate

    In the Crypto app, scroll down to the Origin Certificates card and click 'Create Certificate'. Select 'I have my own private key and CSR', add the hostnames you'd like to be covered by the certificate, choose a validity period, and click 'Next'.

  3. Save the Origin certificate to the desktop of your origin server with the name mydomain.cer

  4. Open Internet Information Services (IIS) Manager and under Connections, select your server's hostname

    In the Windows Start screen, click Administrative Tools, then Internet Information Services (IIS) Manager. Alternatively, you can search for Internet Information Services (IIS) Manager.

  5. Click on the servername, then in the IIS section of the center menu, double click the Server Certificates icon

  6. In the Actions menu, click Complete Certificate Request to open the Complete Certificate Request wizard

    In the Complete Certificate Request wizard on the Specify Certificate Authority Response page under File name containing the certification authority’s response, click to browse to the .cer certificate file that was copied to the desktop, select the file, and then click Open.

  7. In the Friendly name box, enter a friendly name for the certificate

    The friendly name is not part of the certificate. Instead, it is used to identify the certificate. Choose to place the new certificate in the Web Hosting certificate store.

  8. To finish installing the SSL Certificate to the server, click OK

  9. Download the Cloudflare Root CA

    Depending on what type of Origin CA you are creating there are 2 different types of Cloudflare Root CA. RSA and ECC. Browse to the following link to download the latest Cloudflare Root CA from the bottom of the page. Cloudflare KB - What are the root certificate authorities (CAs) used with Cloudflare Origin CA?

  10. Open the Certificates Manager

    In the Windows Start screen, type certmgr.msc Alternatively, you can search for Manage Computer Certificates.

  11. Import the Cloudflare Root CA Certificate

    In the Certificate Manager, open Trusted Root Certification Authorities. Next right click on Certificates. Hover over All Tasks, then click on Import...

  12. When the wizard opens, click Next

  13. Browse to the Cloudflare Origin Root CA

    Browse to the location that the Cloudflare Origin Root CA that was just downloaded. Please note that you will need to change the file filter to All Files (*.*) for the certificate to be displayed.

  14. Click Next, then Next again and click Finish on the wizard

  15. Click Yes on the Security Warning 

    Please note that the Thumbprint for the ECC and RSA certificates are different.

  16. Assign or Bind the certificate to your website

    In Internet Information Services (IIS) Manager under Connections, expand your server’s name, expand Sites, and then select the site that you want to secure with your SSL Certificate.

  17. In the Actions menu under Edit Site, click Bindings

  18. In the Site Binding window, click Add

  19. In the Add Site Bindings window, enter the following information and then, click OK

    Type In the dropdown list, select https
    IP Address In the dropdown list, select all unassigned
    Port Enter 443
    SSL Certificate In the dropdown list, select the friendly name of the certificate you just installed

  20. [OPTIONAL] Configure your SSL certificate to use Server Name Indication (SNI)

    Check the box that states Require Server Name Indication. This is required if you have multiple sites using SSL bound to the same IP address. 

  21. Your Origin CA SSL certificate is now installed, and your website is configured to accept secure connections
Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Powered by Zendesk