日本語 Deutsch English (US) Español (España) Français (France) 한국어 Português do Brasil 简体中文

Cloudflareヘルプセンター

Detailed system status >

このセクションの記事

Connect with the Cloudflare Community

Get answers

本記事への添付

Managing Cloudflare Origin CA certificates

  • 更新

Learn how to use Cloudflare Origin CA certificates to encrypt traffic between Cloudflare and your origin web server, manage Origin CA certificates via Cloudflare, and receive advice to install Origin CA certificates at your origin web server.

Overview

Use Origin CA certificates to encrypt traffic between Cloudflare and your origin web server.

To ensure greater convenience, security, and performance, Cloudflare recommends an Origin CA certificate over a self-signed certificate or a certificate purchased from a Certificate Authority. With an Origin CA certificate, you can use Full and Full(strict) SSL/TLS encryption mode in the Cloudflare SSL/TLS app without first purchasing a certificate from a Certificate Authority to install at your origin web server.

Origin CA certificates only encrypt traffic between Cloudflare and your origin web server and are not trusted by client browsers when directly accessing your origin website outside of Cloudflare. For subdomains that utilize Origin CA certificates, pausing or disabling Cloudflare causes untrusted certificate errors for site visitors.

Deploying Origin CA certificates typically requires three steps:

  1. Create an Origin CA certificate
  2. Install an Origin CA certificate at your origin web server
  3. Configure the SSL/TLS mode in the Cloudflare SSL/TLS app

Step 1 - Create an Origin CA certificate

Cloudflareのダッシュボードで独自のオリジンCA証明書を作成することができます。

  1. Log in to Cloudflare.
  2. Select the appropriate account for the domain requiring an Origin CA certificate.
  3. Select the domain.
  4. Click the SSL/TLS app.
  5. Click the Origin Server tab.
  6. Click Create Certificate to open the Origin Certificate Installation window.
  7. In the Origin Certificate Installation window, choose either:
    • Let Cloudflare generate a private key and a CSR - requires specifying whether the Private key type is RSA or ECDSA.
    • I have my own private key and CSR - requires pasting the Certificate Signing Request into the text field.
  8. 証明書がSSL暗号化を使って保護しなければならないホスト名(ワイルドカードを含める)を一覧化します。ゾーンルートと第一レベルワイルドカードホスト名は、デフォルトに含まれています。

1つの証明書に、ホスト名またはワイルドカードホスト名を最大100件まで含めることができます。同じCloudflareアカウント内に他のドメインに使われるホスト名を含むこともできます。.test.dev.www.example.comなどの複数レベルのサブドメインのサポートを追加することもできます。

9. 証明書の有効期限を選択します。デフォルトは15年で、最小値は7日間です

10. 次へをクリックします。

11. キーフォーマットを選択します。環境に最も適したキーペアフォーマットを選択します。ApacheやNGINXなどのOpenSSLをベースとしたWebサーバーの多くが、PEMファイル (Base64でエンコードされたASCII)を想定していますが、バイナリDERファイルでも動作できます。WindowsとApache Tomcatのユーザーは、PKCS#7を選択しなければなりません。

12. 署名されたオリジン証明書プライベート キーの詳細を、オリジン証明書のインストールウィンドウの指示通りに別々のファイルにコピーします。

OKをクリックする前に、プライベート キー情報を必ずコピーしてください。セキュリティ上の理由から、プライベート キーがオリジン証明書作成後に再度表示されることはありません。

13. OKをクリックします。

It is possible to create Cloudflare Origin CA certificates via the Cloudflare API.

Step 2 - Install an Origin CA certificate at your origin server

Adding an Origin CA certificate to an origin web server requires several general steps:

  1. Upload the Origin CA certificate (created above in Step 1) to your origin web server.
  2. Use the linked installation guides below to update your web server configuration to point to the certificate.
  3. (Optional for most origin web servers) Upload Cloudflare's CA root certificate to your origin web server. type: embedded-entry-inline id: 5oi7FdUVG0YjUXJvfK27Ck
  4. Enable SSL and port 443 at your origin web server.
  5. Check that your origin server firewall doesn't block connections to port 443.

Review the list of links below for installation instructions specific to your origin web server. For further assistance installing an Origin CA certificate, contact your hosting provider, web administrator, or web server vendor.

その他のオリジンWebサーバーで認証をインストールする場合の手順は、Digicertの資料を検索してください。

Step 3 - Configure the SSL/TLS mode in the Cloudflare SSL/TLS app

Instruct Cloudflare to encrypt traffic to your origin web server after you install the Cloudflare Origin CA certificate at your origin web server. Set the SSL/TLS encryption mode in the Cloudflare SSL/TLS app to either Full or Full(strict)to enable encryption between Cloudflare and your origin web server.

Make this change globally via the SSL/TLS app only if all of your origin hosts are protected by Origin CA certificates or publicly trusted certificates. Otherwise, consider setting SSL to Full or Full(strict) via the Cloudflare Page Rules app.
To avoid redirect loop errors, first ensure your origin web server configuration does not redirect HTTPS to HTTP or HTTP to HTTPS in a manner contrary to how the Cloudflare SSL/TLS encryption mode is configured for Cloudflare connections to your origin web server.

(Optional) Step 4 - Add Cloudflare Origin CA root certificates

Some origin web servers require uploading the Cloudflare Origin CA root certificate. See below for an RSA and ECC version of the Cloudflare Origin CA root certificate. Click on a link to download a file:

cPanel does not support ECC certificates. Use the Origin CA root RSA certificate below.

Alternatively, click to expand the root certificate contents for copy and paste into your origin web server configuration: 

-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIID+rOSdTGfGcwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNV
BAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91
ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQH
Ew1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlhMB4XDTE5MDgyMzIx
MDgwMFoXDTI5MDgxNTE3MDAwMFowgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBD
bG91ZEZsYXJlLCBJbmMuMTQwMgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wg
Q2VydGlmaWNhdGUgQXV0aG9yaXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMw
EQYDVQQIEwpDYWxpZm9ybmlhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAwEiVZ/UoQpHmFsHvk5isBxRehukP8DG9JhFev3WZtG76WoTthvLJFRKFCHXm
V6Z5/66Z4S09mgsUuFwvJzMnE6Ej6yIsYNCb9r9QORa8BdhrkNn6kdTly3mdnykb
OomnwbUfLlExVgNdlP0XoRoeMwbQ4598foiHblO2B/LKuNfJzAMfS7oZe34b+vLB
yrP/1bgCSLdc1AxQc1AC0EsQQhgcyTJNgnG4va1c7ogPlwKyhbDyZ4e59N5lbYPJ
SmXI/cAe3jXj1FBLJZkwnoDKe0v13xeF+nF32smSH0qB7aJX2tBMW4TWtFPmzs5I
lwrFSySWAdwYdgxw180yKU0dvwIDAQABo2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD
VR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUJOhTV118NECHqeuU27rhFnj8KaQw
HwYDVR0jBBgwFoAUJOhTV118NECHqeuU27rhFnj8KaQwDQYJKoZIhvcNAQELBQAD
ggEBAHwOf9Ur1l0Ar5vFE6PNrZWrDfQIMyEfdgSKofCdTckbqXNTiXdgbHs+TWoQ
wAB0pfJDAHJDXOTCWRyTeXOseeOi5Btj5CnEuw3P0oXqdqevM1/+uWp0CM35zgZ8
VD4aITxity0djzE6Qnx3Syzz+ZkoBgTnNum7d9A66/V636x4vTeqbZFBr9erJzgz
hhurjcoacvRNhnjtDRM0dPeiCJ50CP3wEYuvUzDHUaowOsnLCjQIkWbR7Ni6KEIk
MOz2U0OBSif3FTkhCgZWQKOOLo1P42jHC3ssUZAtVNXrCk3fw9/E15k8NPkBazZ6
0iykLhH1trywrKRMVw67F44IE8Y=
-----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----
    MIICiTCCAi6gAwIBAgIUXZP3MWb8MKwBE1Qbawsp1sfA/Y4wCgYIKoZIzj0EAwIw
    gY8xCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1T
    YW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTgwNgYDVQQL
    Ey9DbG91ZEZsYXJlIE9yaWdpbiBTU0wgRUNDIENlcnRpZmljYXRlIEF1dGhvcml0
    eTAeFw0xOTA4MjMyMTA4MDBaFw0yOTA4MTUxNzAwMDBaMIGPMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZ
    MBcGA1UEChMQQ2xvdWRGbGFyZSwgSW5jLjE4MDYGA1UECxMvQ2xvdWRGbGFyZSBP
    cmlnaW4gU1NMIEVDQyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwWTATBgcqhkjOPQIB
    BggqhkjOPQMBBwNCAASR+sGALuaGshnUbcxKry+0LEXZ4NY6JUAtSeA6g87K3jaA
    xpIg9G50PokpfWkhbarLfpcZu0UAoYy2su0EhN7wo2YwZDAOBgNVHQ8BAf8EBAMC
    AQYwEgYDVR0TAQH/BAgwBgEB/wIBAjAdBgNVHQ4EFgQUhTBdOypw1O3VkmcH/es5
    tBoOOKcwHwYDVR0jBBgwFoAUhTBdOypw1O3VkmcH/es5tBoOOKcwCgYIKoZIzj0E
    AwIDSQAwRgIhAKilfntP2ILGZjwajktkBtXE1pB4Y/fjAfLkIRUzrI15AiEA5UCL
    XYZZ9m2c3fKwIenMMojL1eqydsgqj/wK4p5kagQ=
    -----END CERTIFICATE-----

Remove an Origin CA certificate

Follow these steps to revoke an Origin CA certificate:

  1. Log in to Cloudflare.
  2. Select the appropriate account for the domain where the Origin CA certificate needs to be revoked.
  3. Select the domain.
  4. Click the SSL/TLS app and scroll down to Origin Certificates. type: embedded-entry-inline id: mdJO30UrQ5xhK46OC6wml
  5. Click the X icon to the right of the certificate name in the list of Origin CA certificates.
  6. The Revoke Origin Certificate confirmation window appears.
  7. Check the confirmation box and click Revoke.

Related resources

必要なものが見つかりませんでしたか?

検索で、サポートに関する質問の95&に回答できます。これは、回答を得るために最速の方法です。

コミュニティに質問する リクエストを送信

関連記事

必要なものが見つかりませんでしたか?

検索で、サポートに関する質問の95&に回答できます。これは、回答を得るために最速の方法です。

コミュニティに質問する リクエストを送信