Are you using Cloudflare on your website? Suppose you do not want to purchase a commercial SSL certificate authority or use a free Let’s Encrypt SSL. In that case, you can install a Cloudflare origin certificate on your hosting server to maintain end-to-end encryption without paying a dime.
This tutorial will show you how to create a free Cloudflare origin certificate for SSL and how to install it.
Cloudflare origin certificate prerequisites
To complete this tutorial, you will need the following:
- A Cloudflare account.
- A registered domain that is live and added to your Cloudflare account. The registered domain should point to your Nexcess hosting server.
Cloudflare is one of the world's largest cloud network platforms, speeding up and protecting millions of websites. It also offers free Content Delivery Networks (CDNs), as well as encryption and fraud prevention.
By creating a free account with Cloudflare and adding your website, you can use Cloudflare for free. It takes about 24 hours for your website to be enabled for HTTPS. Learn how to do it here.
Cloudflare offers three modes of SSL encryption options that are Flexible, Full, and Full (strict). Visit their site for more information.
Cloudflare SSL modes
Cloudfare SSL has several modes that have different characteristics:
- Off — Choose this option if you don't want to use SSL certificates. This option is not recommended.
- Flexible SSL — This option secures the traffic between Cloudflare and your visitor but not between Cloudflare and your web origin server.
- Full SSL — Ensures end-to-end protection between Cloudflare and your visitors, as well as Cloudflare and your web server.
- Full (Strict) SSL — This option also gives you a wholly secure connection with the added benefits of authentication. It is issued by a publicly trusted certificate authority or Cloudflare’s origin certificate authority.
As long as you’re using Cloudflare’s free SSL in Full SSL or Full SSL (Strict) mode, the connection between the client and your server will be secured properly.
To enable HTTPS encryption on your website, log in to your Cloudflare account and choose the domain name. Now, go to the SSL tab and select Flexible SSL mode from the dropdown:
This Flexible SSL configuration will allow your site to be accessed over HTTPS (for example, https://example.com/).
Despite turning on the Flexible SSL encryption, you have not accomplished the more secure full end-to-end encryption. Flexible SSL will only encrypt data your visitors send to the Cloudflare server, not data that travels from the Cloudflare server to your hosting server.
To achieve full end-to-end encryption, you will need to use Full SSL or Full (Strict) SSL mode. Both will require you to create an origin certificate or purchase a dedicated certificate:
Follow the instructions below on how to get a free Cloudflare origin certificate and install it on our hosting server.
How to configure Cloudflare origin certificate
When it comes to configuring you Cloudflare origin certificate, let's review the three main steps in the sections that follow:
- Configuring your Cloudflare origin certificate step #1: Generate certificate and private key.
- Configuring your Cloudflare origin certificate step #2: Install Cloudflare SSL on your domain.
- Configuring your Cloudflare origin certificate step #3: Review DNS and SSL settings.
Configuring your Cloudflare origin certificate step #1: Generate certificate and private key
To generate a Cloudflare origin certificate, Log in to your Cloudflare account. Select the domain and navigate to the SSL/TLS icon > Origin Server tab option > Create Certificate button:
By clicking on the Create Certificate button, you will be taken to the next page, where you will need to follow these steps:
1a. Generate a private key and Certificate Signing Request (CSR) with Cloudflare.
1b. Make sure your domain name is listed in the Hostnames field.
1c. Decide how long the SSL certificate should be valid for.
1d. If all of the above steps are done, click the Create button:
Upon creating the Cloudflare origin certificate, you will be directed to a page where you can copy the Cloudflare origin certificate and private key. This information is required to install SSL on your web origin server, and the Key Format should be PEM:
You will also need the Cloudflare CA Bundle to establish the full chain of trust. You can download the Cloudflare CA root certificate here:
Add Cloudflare Origin CA Root Certificates
You must choose the Cloudflare Origin RSA PEM format:
Thus, you will need these three pieces of SSL to install an SSL certificate:
- A private key
- Origin certificate (CSR)
- Origin CA root certificate (Cloudflare Origin RSA PEM)
Configuring your Cloudflare origin certificate step #2: Install Cloudflare SSL on your domain
Here is how you can install Cloudflare SSL within your Nexcess Client Portal:
2a. Navigate to the SSL tab in the Nexcess Client Portal by following the below instructions.
2b. From the homepage select the Domain Name on which you want to install SSL, by going to Plans > Plan Dashboard > Sites > Domain Name.
2c. Choose SSL from the menu options.
2d. If Let's Encrypt SSL is enabled on your domain, you will need to turn it off by toggling the switch left to see the Upload New Certificate section.
2e. Now in the Upload New Certificate section, fill in the fields for Private Key, Certificate (Origin Certificate), and Chain Certificate (Cloudflare CA Root Certificate) to upload the new certificate.
2f. Click Install when ready.
In just a few minutes, your SSL certificate should be installed. Please note that this certificate is renewed/revoked at Cloudflare's end.
Configuring your Cloudflare origin certificate step #3: Review DNS and SSL settings
To ensure the SSL works correctly on your domain, there are couple of last steps to take:
3a. You must ensure the domain's DNS A record is proxied behind Cloudflare:
3b. You will also need to ensure the SSL/TLS encryption mode is set to Full (Strict) mode:
There you go! Congratulations! Your domain is secured with Cloudflare SSL, which uses the Cloudflare origin certificate.
Limitations of Cloudflare's origin certificate
Usually, SSL certificates are a bit costly, so why is this SSL certificate from Cloudflare free? It comes with a catch, but it is so minor that it shouldn't bother most website admins.
About the requirement to use the Cloudflare proxy when using Cloudflare's origin certificate
So Cloudflare enforces the requirement to use the Cloudflare proxy when using Cloudflare's origin certificate. For it to work properly, your domain must always use the Cloudflare proxy on which you have installed the SSL certificate.
The Cloudflare origin certificate becomes useless if you stop using Cloudflare's protection on your domain. If you bypass Cloudflare for some reason, the self-signed certificate will warn any user trying to connect to your website, indicating that the site is not secure.
It is recommended that you always use Cloudflare's proxy, as that's how they cache your assets. However, using this certificate essentially locks you into using Cloudflare until you decide to pay for an SSL certificate.
About the alternatives to using Cloudflare's origin certificate
Alternatively, you can always switch back to the free Let’s Encrypt SSL certificate available in your Nexcess Client Portal. Instead of using a Cloudflare origin certificate, you can use the Let’s Encrypt SSL certificate or Purchase a Paid CA-signed SSL certificate from the beginning:
- Free Let’s Encrypt SSL Certificates are valid for 90 days and can be renewed effortlessly using the Nexcess Client Portal as long as the DNS on the origin server points to Nexcess.
- If you would like to renew the Let's Encrypt SSL, you will have to temporarily disable the Cloudflare protection until a Let's Encrypt SSL certificate is deployed
Wrapping up your Cloudflare SSL with Cloudflare origin certificate setup
It's a wrap — setup is complete! It's that simple. You have now learned how to protect your website by encrypting the traffic between Cloudflare and the origin server using a Cloudflare origin certificate.
Installing the Cloudflare origin certificate on your domain means you do not have to worry about renewing the Let’s Encrypt certificate every 90 days or paying for yearly commercial SSL renewals.
Consider Hosting With Nexcess
Still waiting to be a Nexcess customer yet? Check out our various hosting solutions. Nexcess offers a fully Managed WordPress/WooCommerce hosting and Managed Magento hosting service for speed, security, and scale.
Flexible Cloud Hosting
Our ultra-flexible cloud power and optimize your application with gusto. Perfect of experienced users.
Out solutions suitable for both small and large businesses with plans that are right sized to suit your needs. Our plans include Varnish, PHP 7+, an integrated CDN, and image compression for superior performance.
SSL-Related Resources at Nexcess
For you benefit, we have compiled the following list of SSL-related resources that you may find useful:
- What are SSL certificates?
- How to enable Let’s Encrypt
- How to purchase SSL certificates from your Nexcess Client Portal
- How to install SSL certificates in SiteWorx
- How to install SSL certificates in Nexcess Cloud
- How to import SSL certificates in your Nexcess Client Portal
- How to cancel an SSL certificate
- Standard SSL: What is a standard SSL certificate?
Library of related blog and help articles
Robust websites run on Nexcess to leverage our platform performance. Indeed, our hosting platform delivers on its promise of speed and reliability. Join with us as your technology partner for enhancing site in an ongoing fashion. The Nexcess Blog and Nexcess Knowledge Base can assist you in this effort.
Beyond support at Nexcess
Nexcess web hosting means you’re in good hands — all technical aspects of your website are covered, enabling you to focus on the core of your business. Nexcess also offers 24/7/365 customer and technical support for all your questions or issues.
Our support teams have skilled staff with in-depth knowledge of multiple web hosting applications, especially those discussed in this article. Reach out to our team today to learn more.
Check out the fully managed hosting plans from Nexcess to get started today.
- How to configure web hosting teams in the Nexcess Client Portal
- Nexcess hosting and Nexcess Client Portal guide
- Transfer from Bluehost hosting to Nexcess hosting