Origin CA certificates

Use Origin Certificate Authority (CA) certificates to encrypt traffic between Cloudflare and your origin web server and reduce origin bandwidth consumption. Once deployed, these certificates are compatible with Strict SSL mode.

For more background information on Origin CA certificates, refer to the introductory blog post ↗.

Note

Using Cloudflare Origin CA certificates do not prevent you from using delegated DCV.

Availability

	Free	Pro	Business	Enterprise
Availability	Yes	Yes	Yes	Yes

---

Deploy an Origin CA certificate

1. Create an Origin CA certificate

To create an Origin CA certificate in the dashboard:

1. Log in to the Cloudflare dashboard and select an account.
2. Choose a domain.
3. Go to SSL/TLS > Origin Server.
4. Select Create Certificate.
5. Choose either:
   • Generate private key and CSR with Cloudflare: Private key type can be RSA or ECC.
   • Use my private key and CSR: Paste the Certificate Signing Request into the text field.
6. List the hostnames (including wildcards) the certificate should protect with SSL encryption. The zone apex and first level wildcard hostname are included by default.
7. Choose a Certificate Validity period.
8. Select Create.
9. Choose the Key Format:
   • Servers using OpenSSL — like Apache and NGINX — generally expect PEM files (Base64-encoded ASCII), but also work with binary DER files.
   • Servers using Windows and Apache Tomcat require PKCS#7 (a .p7b file).
10. Copy the signed Origin Certificate and Private Key into separate files. For security reasons, you cannot see the Private Key after you exit this screen.
11. Select OK.

Note

For details about working with certificates programmatically, refer to API calls.

2. Install Origin CA certificate on origin server

To add an Origin CA certificate to your origin web server

1. Upload the Origin CA certificate (created in Step 1) to your origin web server.
2. Update your web server configuration:

• Apache httpd ↗
• GoDaddy Hosting ↗
• Microsoft IIS 7 ↗
• Microsoft IIS 8 and 8.5 ↗
• Microsoft IIS 10 ↗
• NGINX ↗
• Apache Tomcat ↗
• Amazon Web Services ↗
• Apache cPanel ↗
• Ubuntu Server with Apache2 ↗

Note

If you do not see your server in the list above, search the DigiCert documentation ↗ or contact your hosting provider, web admin, or server vendor.

3. (Required for some) Upload the Cloudflare CA root certificate to your origin server. This can also be referred to as the certificate chain.
4. Enable SSL and port 443 at your origin web server.

3. Change SSL/TLS mode

After you have installed the Origin CA certificate on your origin web server, update the SSL/TLS encryption mode for your application.

If all your origin hosts are protected by Origin CA certificates or publicly trusted certificates:

1. Go to SSL/TLS.
2. For SSL/TLS encryption mode, select Full (strict).

If you have origin hosts that are not protected by certificates, set the SSL/TLS encryption mode for a specific application to Full (strict) by using a Page Rule.

Revoke an Origin CA certificate

If you misplace your key material or do not want a certificate to be trusted, you may want to revoke your certificate. You cannot undo this process.

To prevent visitors from seeing warnings about an insecure certificate, you may want to set your SSL/TLS encryption to Full or Flexible before revoking your certificate. Do this globally via the Cloudflare dashboard ↗ or for a specific hostname via a Page Rule.

To revoke a certificate:

1. Log in to the Cloudflare dashboard and select an account.
2. Choose a domain.
3. Go to SSL/TLS > Origin Server.
4. In Origin Certificates, choose a certificate.
5. Select Revoke.

Additional details

Cloudflare Origin CA root certificate

Some origin web servers require upload of the Cloudflare Origin CA root certificate or certificate chain. Use the following links to download either an ECC or an RSA version and upload to your origin web server:

• Cloudflare Origin ECC PEM (do not use with Apache cPanel)
• Cloudflare Origin RSA PEM

Hostname and wildcard coverage

Certificates may be generated with up to 200 individual Subject Alternative Names (SANs). A SAN can take the form of a fully-qualified domain name (www.example.com) or a wildcard (*.example.com). You cannot use IP addresses as SANs on Cloudflare Origin CA certificates.

Wildcards may only cover one level, but can be used multiple times on the same certificate for broader coverage (for example, *.example.com and *.secure.example.com may co-exist).

API calls

To automate processes involving Origin CA certificates, use the following API calls. To authenticate, use either Origin CA Keys or an API token with Permissions that include Zone-SSL and Certificates-Edit.

Operation	Method	Endpoint
List certificates	GET	certificates?zone_id=<<ZONE_ID>>
Create certificate	POST	certificates
Get certificate	GET	certificates/<<ID>>
Revoke certificate	DELETE	certificates/<<ID>>

Troubleshooting

Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use Origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.