How To Use The Free CloudFlare Origin Certificate

Configure SSL/HTTPS for your domain and sub-domains

Ok, so in this post we will configure CloudFlare’s origin certificates to provide full SSL encryption from the browser to our origin server. This gives us several advantages over using a public certificate authority – as we’ll see.

Log in to CloudFlare and click on the domain you want to configure. Configuring the origin certificate is very simple.

One of the things I like about CloudFlare is that the interface is clean and simple, basically just point and click.
They do have a full API if you need it, but you can just use the GUI and knock it right out.

If you open WHM in another tab, you’ll be able to copy and paste the necessary certificate text between CloudFlare and WHM.
Note that you will need at least a VPS, as you won’t be able to install your own certificates on a shared hosting account.

So first, log into CloudFlare, click on your domain and then click on the Crypto icon.

[Screenshot: origin certificate security]

Now you can select either Full, which also accepts a self-signed certificate on the origin, or Full (strict), which only accepts a certificate that validates against a trusted authority, in this case the CloudFlare origin certificate. Full (strict) is the option I’ll be using.

Once you’ve chosen the type of SSL, scroll down to Origin Certificates and click Create Certificate.

[Screenshot: create origin certificate]

Now you can use your own private key and signing request – you create these in WHM – or you can just let CloudFlare generate them, which is what we will do.

As you can see, the host names default to the primary domain as well as all first-level sub-domains, and you have the option to include more levels if needed. We will just leave these at the default for now.

Now here’s where things get interesting: unlike a free public certificate from Let’s Encrypt, we’re not required to renew the certificate every few months. In fact, we can just leave it at the default, which is 15 years! Yes, you can configure a cron job to auto-renew your Let’s Encrypt certificate, but anytime we can avoid using additional server resources, that’s a good thing.

So we just click Next and move on to the next screen.

You can choose the key format depending on the type of web server you’re using. For Apache and/or NGINX, the default PEM format will work just fine. So what we need to do is copy ALL of the text from the Origin Certificate box and paste it into the Certificate field in WHM.

Then we do the same for the Private Key.

[Screenshot: WHM SSL certificate installation]

Now, one additional step: we need to add the CloudFlare root certificate after the END of our origin certificate. You can find that here.

You want to paste that code into the WHM Certificate Authority Bundle box:

[Screenshot: WHM certificate bundle]

Once that’s done, we click Install and, assuming we did everything correctly, we’ll now have the origin certificate installed on our server.
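As an added example (not code from the original post or from CloudFlare), here is a small Go program that performs the same check the edge applies under Full (strict) to the certificate and CA bundle pasted into WHM: the origin certificate must chain to a root in the bundle, and its names must cover the requested host. It builds a constructed toy "Origin CA" standing in for CloudFlare’s real root (which is not reproduced here), a 15-year leaf for example.com and *.example.com, and then shows that the first-level wildcard does not cover a second-level sub-domain; all names in it are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// mkCert signs tmpl with parentKey (self-signed when parent is nil) and returns
// the parsed certificate, its PEM encoding and the freshly generated key.
func mkCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, []byte, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key
}
// Constructed sample PKI (hypothetical; NOT CloudFlare's real Origin CA root): a toy root
// and a 15-year leaf for the domain plus its first-level wildcard, the post's default names.
var OriginCAPEM, Leaf = func() ([]byte, *x509.Certificate) {
	nb, na := time.Now().Add(-time.Hour), time.Now().AddDate(15, 0, 0)
	ca, caPEM, caKey := mkCert(&x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		Subject: pkix.Name{CommonName: "Toy Origin CA (constructed)"}}, nil, nil)
	leaf, _, _ := mkCert(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "example.com"}, DNSNames: []string{"example.com", "*.example.com"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return caPEM, leaf
}()
// VerifyOriginChain applies the Full (strict) rule the edge enforces: the leaf must chain to a root
// in the CA bundle (WHM's CA Bundle box) and its SANs must cover hostname (*.x.com misses a.b.x.com).
func VerifyOriginChain(leaf *x509.Certificate, bundlePEM []byte, hostname string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundlePEM) {
		return errors.New("CA bundle: no PEM certificates found")
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}
```

To run the same check against a real installation, decode the origin certificate text from WHM with pem.Decode and x509.ParseCertificate, and pass the CloudFlare root PEM you pasted into the Certificate Authority Bundle box as the bundle.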

We can now jump back over to CloudFlare and set our SSL options.

Since I’m using HTTP Strict Transport Security (HSTS), I’ll click on Change HSTS Settings to set those options. Set your HSTS options and then move on to the rest of the crypto options.

If you think you might still have mixed content on your website – content that has http:// URLs embedded in the code – then you’ll definitely want to turn on Automatic HTTPS Rewrites.

And that’s it, pretty simple, and now we have full encryption configured not only for our primary domain but also for any sub-domains we might have. Our origin certificate does not have to be continually renewed and should provide optimal performance during the SSL handshake.

Are there any disadvantages to using the CloudFlare origin certificate? Only if you stop using CloudFlare: the origin certificate is trusted by CloudFlare’s edge but not by browsers, so once traffic no longer passes through CloudFlare you can simply switch to a free Let’s Encrypt certificate.

Using Full (strict) mode with the origin certificate gives us top-notch security for our website communications. There are also performance benefits, which you can read about here:

NOTE: When using the free CloudFlare SSL services, you are presenting a CloudFlare certificate to the browser. So if you need to present your own certificate, say an EV (extended validation) certificate, you’ll need either a paid Business or Enterprise account. These aren’t cheap, as a Business account starts at $200/month. This is probably my only complaint with the CloudFlare pricing structure; even the Pro account at $20/month won’t get you this option. But hey, considering all the awesome free performance and security features, it’s hard to complain.

Here’s a quick video that walks you through the above. Please excuse the quality, as I have yet to clean it up.