Learn how to use Cloudflare Origin CA certificates to encrypt traffic between Cloudflare and your origin web server, how to manage Origin CA certificates in Cloudflare, and how to install an Origin CA certificate at your origin web server.
Overview
Use Origin CA certificates to encrypt traffic between Cloudflare and your origin web server.
For convenience, security, and performance, Cloudflare recommends an Origin CA certificate over a self-signed certificate or a certificate purchased from a public Certificate Authority. With an Origin CA certificate you can use the Full or Full (strict) SSL/TLS encryption mode in the Cloudflare SSL/TLS app without first purchasing a certificate from a Certificate Authority to install at your origin web server. Keep in mind that Origin CA certificates are issued by Cloudflare's own root, which browsers do not trust: they secure the connection between Cloudflare and your origin, and a client that connects to the origin directly, bypassing Cloudflare, will see an untrusted-certificate warning.
Deploying Origin CA certificates typically requires three steps:
- Create an Origin CA certificate
- Install an Origin CA certificate at your origin web server
- Configure the SSL/TLS mode in the Cloudflare SSL/TLS app
Step 1 - Create an Origin CA certificate
You can create your own Origin CA certificate in the Cloudflare dashboard.
- Log in to Cloudflare.
- Select the appropriate account for the domain requiring an Origin CA certificate.
- Select the domain.
- Click the SSL/TLS app.
- Click the Origin Server tab.
- Click Create Certificate to open the Origin Certificate Installation window.
- In the Origin Certificate Installation window, choose either:
  - Let Cloudflare generate a private key and a CSR - requires specifying whether the Private key type is RSA or ECDSA.
  - I have my own private key and CSR - requires pasting the Certificate Signing Request into the text field.
- List the hostnames (wildcards included) that the certificate must protect with SSL encryption. The zone root and a first-level wildcard hostname are included by default.
- Select the certificate's validity period. The default is 15 years; the minimum is 7 days.
- Click Next.
- Select the key format. Choose the key pair format best suited to your environment. Most OpenSSL-based web servers, such as Apache and NGINX, expect PEM files (Base64-encoded ASCII) but can also work with binary DER files. Windows and Apache Tomcat users must select PKCS#7.
- Copy the signed Origin Certificate and the Private Key into separate files as instructed in the Origin Certificate Installation window. If Cloudflare generated the key, the private key is shown only at this point and Cloudflare does not retain a copy, so save it now and restrict its file permissions at the origin.
- Click OK.
Step 2 - Install an Origin CA certificate at your origin server
Adding an Origin CA certificate to an origin web server requires several general steps:
- Upload the Origin CA certificate (created above in Step 1) to your origin web server.
- Use the linked installation guides below to update your web server configuration to point to the certificate.
- (Optional for most origin web servers) Upload Cloudflare's CA root certificate to your origin web server.
- Enable SSL and port 443 at your origin web server.
- Check that your origin server firewall doesn't block connections to port 443.
Review the list of links below for installation instructions specific to your origin web server. For further assistance installing an Origin CA certificate, contact your hosting provider, web administrator, or web server vendor.
- Apache httpd
- GoDaddy Hosting (with cPanel)
- Microsoft IIS 7
- Microsoft IIS 8 and 8.5
- Microsoft IIS 10
- NGINX
- Tomcat
- Amazon Web Services
- Apache cPanel
- Ubuntu Server with Apache2
Step 3 - Configure the SSL/TLS mode in the Cloudflare SSL/TLS app
After the Origin CA certificate is installed at your origin web server, instruct Cloudflare to encrypt traffic to the origin by setting the SSL/TLS encryption mode in the Cloudflare SSL/TLS app to Full or Full (strict). Both modes encrypt the connection between Cloudflare and your origin, but only Full (strict) validates the certificate the origin presents (an Origin CA certificate passes this check); Full accepts any certificate, so it encrypts the traffic without authenticating the origin. Use Full (strict) once the Origin CA certificate is in place.
(Optional) Step 4 - Add Cloudflare Origin CA root certificates
Some origin web servers require the Cloudflare Origin CA root certificate in addition to the Origin CA certificate itself, for example to complete the chain the server presents. Cloudflare publishes an RSA root and an ECC root; use the one whose subject matches the issuer of your Origin CA certificate. Both roots expire on 15 August 2029. Copy the appropriate root into a file on your origin web server and reference it from the server configuration:

RSA root:
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIID+rOSdTGfGcwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNV
BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91
ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQH
Ew1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMB4XDTE5MDgyMzIx
MDgwMFoXDTI5MDgxNTE3MDAwMFowgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBD
bG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wg
Q2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMw
EQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwEiVZ/UoQpHmFsHvk5isBxRehukP8DG9JhFev3WZtG76WoTthvLJFRKFCHXm
V6Z5/66Z4S09mgsUuFwvJzMnE6Ej6yIsYNCb9r9QORa8BdhrkNn6kdTly3mdnykb
OomnwbUfLlExVgNdlP0XoRoeMwbQ4598foiHblO2B/LKuNfJzAMfS7oZe34b+vLB
yrP/1bgCSLdc1AxQc1AC0EsQQhgcyTJNgnG4va1c7ogPlwKyhbDyZ4e59N5lbYPJ
SmXI/cAe3jXj1FBLJZkwnoDKe0v13xeF+nF32smSH0qB7aJX2tBMW4TWtFPmzs5I
lwrFSySWAdwYdgxw180yKU0dvwIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD
VR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUJOhTV118NECHqeuU27rhFnj8KaQw
HwYDVR0jBBgwFoAUJOhTV118NECHqeuU27rhFnj8KaQwDQYJKoZIhvcNAQELBQAD
ggEBAHwOf9Ur1l0Ar5vFE6PNrZWrDfQIMyEfdgSKofCdTckbqXNTiXdgbHs+TWoQ
wAB0pfJDAHJDXOTCWRyTeXOseeOi5Btj5CnEuw3P0oXqdqevM1/+uWp0CM35zgZ8
VD4aITxity0djzE6Qnx3Syzz+ZkoBgTnNum7d9A66/V636x4vTeqbZFBr9erJzgz
hhurjcoacvRNhnjtDRM0dPeiCJ50CP3wEYuvUzDHUaowOsnLCjQIkWbR7Ni6KEIk
MOz2U0OBSif3FTkhCgZWQKOOLo1P42jHC3ssUZAtVNXrCk3fw9/E15k8NPkBazZ6
0iykLhH1trywrKRMVw67F44IE8Y=
-----END CERTIFICATE-----

ECC root:
-----BEGIN CERTIFICATE-----
MIICiTCCAi6gAwIBAgIUXZP3MWb8MKwBE1Qbawsp1sfA/Y4wCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0xOTA4MjMyMTA4MDBaFw0yOTA4MTUxNzAwMDBaMIGPMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZ
MBcGA1UEChMQQ2xvdWRGbGFyZSwgSW5jLjE4MDYGA1UECxMvQ2xvdWRGbGFyZSBP
cmlnaW4gU1NMIEVDQyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAASR+sGALuaGshnUbcxKry+0LEXZ4NY6JUAtSeA6g87K3jaA
xpIg9G50PokpfWkhbarLfpcZu0UAoYy2su0EhN7wo2YwZDAOBgNVHQ8BAf8EBAMC
AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUhTBdOypw1O3VkmcH/es5
tBoOOKcwHwYDVR0jBBgwFoAUhTBdOypw1O3VkmcH/es5tBoOOKcwCgYIKoZIzj0E
AwIDSQAwRgIhAKilfntP2ILGZjwajktkBtXE1pB4Y/fjAfLkIRUzrI15AiEA5UCL
XYZZ9m2c3fKwIenMMojL1eqydsgqj/wK4p5kagQ=
-----END CERTIFICATE-----
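As an added example (not part of the Cloudflare article and not Cloudflare's own code), the following Python script builds a TLS client that trusts only the two Origin CA roots reproduced above and connects directly to an origin to confirm that its certificate chains to one of them and covers the hostname. That is the check Full (strict) performs and Full skips, so it is a useful test after Step 2 and before switching modes in Step 3. Only the standard library is used; the hostname and IP address in the `__main__` block are assumed placeholders, and `trusted_roots` and `days_remaining` are helpers added here for inspection.

```python
"""Check that an origin presents a certificate chaining to a Cloudflare
Origin CA root, the trust decision Cloudflare makes in Full (strict) mode.
Added example (stdlib only); not code from the article or from Cloudflare.
"""
from __future__ import annotations
import socket
import ssl
import time

# Both roots are copied verbatim from Step 4 of the article.
CLOUDFLARE_ORIGIN_RSA_ROOT = """-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIID+rOSdTGfGcwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNV
BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91
ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQH
Ew1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMB4XDTE5MDgyMzIx
MDgwMFoXDTI5MDgxNTE3MDAwMFowgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBD
bG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wg
Q2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMw
EQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwEiVZ/UoQpHmFsHvk5isBxRehukP8DG9JhFev3WZtG76WoTthvLJFRKFCHXm
V6Z5/66Z4S09mgsUuFwvJzMnE6Ej6yIsYNCb9r9QORa8BdhrkNn6kdTly3mdnykb
OomnwbUfLlExVgNdlP0XoRoeMwbQ4598foiHblO2B/LKuNfJzAMfS7oZe34b+vLB
yrP/1bgCSLdc1AxQc1AC0EsQQhgcyTJNgnG4va1c7ogPlwKyhbDyZ4e59N5lbYPJ
SmXI/cAe3jXj1FBLJZkwnoDKe0v13xeF+nF32smSH0qB7aJX2tBMW4TWtFPmzs5I
lwrFSySWAdwYdgxw180yKU0dvwIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD
VR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUJOhTV118NECHqeuU27rhFnj8KaQw
HwYDVR0jBBgwFoAUJOhTV118NECHqeuU27rhFnj8KaQwDQYJKoZIhvcNAQELBQAD
ggEBAHwOf9Ur1l0Ar5vFE6PNrZWrDfQIMyEfdgSKofCdTckbqXNTiXdgbHs+TWoQ
wAB0pfJDAHJDXOTCWRyTeXOseeOi5Btj5CnEuw3P0oXqdqevM1/+uWp0CM35zgZ8
VD4aITxity0djzE6Qnx3Syzz+ZkoBgTnNum7d9A66/V636x4vTeqbZFBr9erJzgz
hhurjcoacvRNhnjtDRM0dPeiCJ50CP3wEYuvUzDHUaowOsnLCjQIkWbR7Ni6KEIk
MOz2U0OBSif3FTkhCgZWQKOOLo1P42jHC3ssUZAtVNXrCk3fw9/E15k8NPkBazZ6
0iykLhH1trywrKRMVw67F44IE8Y=
-----END CERTIFICATE-----
"""
CLOUDFLARE_ORIGIN_ECC_ROOT = """-----BEGIN CERTIFICATE-----
MIICiTCCAi6gAwIBAgIUXZP3MWb8MKwBE1Qbawsp1sfA/Y4wCgYIKoZIzj0EAwIw
gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
eTAeFw0xOTA4MjMyMTA4MDBaFw0yOTA4MTUxNzAwMDBaMIGPMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZ
MBcGA1UEChMQQ2xvdWRGbGFyZSwgSW5jLjE4MDYGA1UECxMvQ2xvdWRGbGFyZSBP
cmlnaW4gU1NMIEVDQyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwWTATBgcqhkjOPQIB
BggqhkjOPQMBBwNCAASR+sGALuaGshnUbcxKry+0LEXZ4NY6JUAtSeA6g87K3jaA
xpIg9G50PokpfWkhbarLfpcZu0UAoYy2su0EhN7wo2YwZDAOBgNVHQ8BAf8EBAMC
AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUhTBdOypw1O3VkmcH/es5
tBoOOKcwHwYDVR0jBBgwFoAUhTBdOypw1O3VkmcH/es5tBoOOKcwCgYIKoZIzj0E
AwIDSQAwRgIhAKilfntP2ILGZjwajktkBtXE1pB4Y/fjAfLkIRUzrI15AiEA5UCL
XYZZ9m2c3fKwIenMMojL1eqydsgqj/wK4p5kagQ=
-----END CERTIFICATE-----
"""

def build_origin_verifier() -> ssl.SSLContext:
    """Client context trusting only the Cloudflare Origin CA roots.
    No system roots are loaded: a publicly trusted origin certificate is
    rejected here, just as a browser rejects an Origin CA certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # also the default for TLS_CLIENT
    ctx.check_hostname = True
    ctx.load_verify_locations(cadata=CLOUDFLARE_ORIGIN_RSA_ROOT + CLOUDFLARE_ORIGIN_ECC_ROOT)
    return ctx

def name_to_dict(name) -> dict:
    """Flatten the ssl module's ((('countryName', 'US'),), ...) name form."""
    return {attr: value for rdn in name for attr, value in rdn}

def trusted_roots(ctx: ssl.SSLContext) -> list:
    """Summarise the CA certificates the context accepts as trust anchors."""
    return [{"ou": name_to_dict(c["subject"]).get("organizationalUnitName"),
             "self_signed": c["subject"] == c["issuer"],
             "not_after": c["notAfter"]} for c in ctx.get_ca_certs()]

def days_remaining(cert: dict, now: float | None = None) -> float:
    """Days until a getpeercert()-style dict's notAfter; negative if expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0

def check_origin(host: str, origin_ip: str, port: int = 443) -> dict:
    """Connect directly to the origin (bypassing Cloudflare) with SNI `host`
    and return its certificate. Raises ssl.SSLCertVerificationError when the
    chain does not end at a Cloudflare Origin CA root or `host` is not covered.
    """
    ctx = build_origin_verifier()
    with socket.create_connection((origin_ip, port), timeout=5.0) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # Hostname and origin IP are assumed values; replace with your own.
    cert = check_origin("www.example.com", "203.0.113.10")
    print("issuer OU:", name_to_dict(cert["issuer"]).get("organizationalUnitName"))
    print("expires in %.0f days" % days_remaining(cert))
```

Run it against your origin's real IP address, not a Cloudflare-proxied address, with the hostname you listed when creating the certificate. An `ssl.SSLCertVerificationError` means Full (strict) would also fail: the origin is serving a different certificate, the Origin CA certificate does not list that hostname, or it has expired. The script does not check revocation status, so a revoked certificate still passes here even though Cloudflare rejects it.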
Remove an Origin CA certificate
Follow these steps to revoke an Origin CA certificate, for example when its private key may have been exposed or the certificate is no longer needed. If the certificate is still installed at your origin, deploy a replacement first: Cloudflare stops trusting a revoked certificate, so in Full (strict) mode connections to an origin that still presents it will fail.
- Log in to Cloudflare.
- Select the appropriate account for the domain where the Origin CA certificate needs to be revoked.
- Select the domain.
- Click the SSL/TLS app and scroll down to Origin Certificates.
- Click the X icon to the right of the certificate name in the list of Origin CA certificates.
- The Revoke Origin Certificate confirmation window appears.
- Check the confirmation box and click Revoke.
Related resources