Cloudflare SSL with Cloudflare origin certificate

December 06, 2022


Are you using Cloudflare on your website? If you do not want to purchase a certificate from a commercial SSL certificate authority or use a free Let’s Encrypt SSL certificate, you can install a Cloudflare origin certificate on your hosting server to maintain end-to-end encryption without paying a dime.


This tutorial will show you how to create a free Cloudflare origin certificate for SSL and how to install it.

Cloudflare origin certificate prerequisites


To complete this tutorial, you will need the following:

  • A Cloudflare account.
  • A registered domain that is live and added to your Cloudflare account. The registered domain should point to your Nexcess hosting server.



Cloudflare is one of the world's largest cloud network platforms, speeding up and protecting millions of websites. It also offers free Content Delivery Networks (CDNs), as well as encryption and fraud prevention.

By creating a free account with Cloudflare and adding your website, you can use Cloudflare for free. It takes about 24 hours for your website to be enabled for HTTPS. Learn how to do it here.

Cloudflare offers three SSL encryption modes: Flexible, Full, and Full (strict). Visit their site for more information.

Cloudflare SSL modes


Cloudflare SSL has several modes with different characteristics:

  • Off — Choose this option if you don't want to use SSL certificates. This option is not recommended.
  • Flexible SSL — This option secures the traffic between Cloudflare and your visitor but not between Cloudflare and your web origin server.
  • Full SSL — This option ensures end-to-end protection, both between Cloudflare and your visitors and between Cloudflare and your web server.
  • Full (Strict) SSL — This option also gives you a wholly secure connection with the added benefit of authentication. The certificate on your web server must be issued by a publicly trusted certificate authority or Cloudflare’s origin certificate authority.

As long as you’re using Cloudflare’s free SSL in Full SSL or Full SSL (Strict) mode, the connection between the client and your server will be secured properly.

To enable HTTPS encryption on your website, log in to your Cloudflare account and choose the domain name. Now, go to the SSL tab and select Flexible SSL mode from the dropdown.



This Flexible SSL configuration will allow your site to be accessed over HTTPS (for example, https://example.com/).

Despite turning on the Flexible SSL encryption, you have not accomplished the more secure full end-to-end encryption. Flexible SSL will only encrypt data your visitors send to the Cloudflare server, not data that travels from the Cloudflare server to your hosting server.

To achieve full end-to-end encryption, you will need to use Full SSL or Full (Strict) SSL mode. Both will require you to create an origin certificate or purchase a dedicated certificate.


Follow the instructions below on how to get a free Cloudflare origin certificate and install it on our hosting server.

How to configure Cloudflare origin certificate


When it comes to configuring your Cloudflare origin certificate, let's review the three main steps in the sections that follow:

  1. Configuring your Cloudflare origin certificate step #1: Generate certificate and private key.
  2. Configuring your Cloudflare origin certificate step #2: Install Cloudflare SSL on your domain.
  3. Configuring your Cloudflare origin certificate step #3: Review DNS and SSL settings.

Configuring your Cloudflare origin certificate step #1: Generate certificate and private key


To generate a Cloudflare origin certificate, log in to your Cloudflare account, select the domain, and navigate to the SSL/TLS icon > Origin Server tab option > Create Certificate button.


By clicking on the Create Certificate button, you will be taken to the next page, where you will need to follow these steps:

1a. Generate a private key and Certificate Signing Request (CSR) with Cloudflare.

1b. Make sure your domain name is listed in the Hostnames field.

1c. Decide how long the SSL certificate should be valid for.

1d. If all of the above steps are done, click the Create button.


Upon creating the Cloudflare origin certificate, you will be directed to a page where you can copy the Cloudflare origin certificate and private key. This information is required to install SSL on your web origin server, and the Key Format should be PEM.

You will also need the Cloudflare CA Bundle to establish the full chain of trust. You can download the Cloudflare CA root certificate here:

Add Cloudflare Origin CA Root Certificates

You must choose the Cloudflare Origin RSA PEM format.

Thus, you will need these three pieces of SSL to install an SSL certificate:

  • A private key
  • Origin certificate (CSR)
  • Origin CA root certificate (Cloudflare Origin RSA PEM)
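
Before pasting the three pieces into the upload form, you can confirm that they belong together. The script below is an added example, not part of the original article or of Cloudflare's or Nexcess's tooling; the function names, file names and 30-day expiry threshold are assumptions, and the CA and certificate it generates are constructed stand-ins for the files you saved from Cloudflare.

```shell
#!/usr/bin/env bash
# Added example: check the private key, origin certificate and CA root before
# uploading them. Needs the openssl CLI. Function and file names are assumptions.

# check_origin_bundle KEY CERT CA_ROOT HOSTNAME
# Prints OK and returns 0, or prints the first failed check and returns 1-4.
check_origin_bundle() {
  key=$1 cert=$2 ca=$3 host=$4
  # 1. The certificate must chain to the CA root uploaded as the chain certificate.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: certificate does not chain to the CA root"; return 1; }
  # 2. The public key in the certificate must be the private key's public half.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: private key does not match the certificate"; return 2; }
  # 3. The hostname must be covered by the certificate (wildcards included).
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" ||
    { echo "FAIL: $host is not covered by the certificate"; return 3; }
  # 4. The certificate must stay valid for at least 30 more days.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
    { echo "FAIL: certificate expires within 30 days"; return 4; }
  echo "OK"
}

# make_sample_bundle DIR: constructed sample data (throwaway CA plus a leaf for
# example.com) so the checks can be tried offline. Not Cloudflare material.
make_sample_bundle() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Sample Origin CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
    -keyout "$d/origin.key" -out "$d/origin.csr" 2>/dev/null
  printf 'subjectAltName=DNS:example.com,DNS:*.example.com\n' > "$d/san.ext"
  openssl x509 -req -in "$d/origin.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 90 -extfile "$d/san.ext" -out "$d/origin.pem" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null  # unrelated key, mismatch case
}

# Demo on the constructed bundle: a matching set, then a mismatched private key.
tmp=$(mktemp -d)
make_sample_bundle "$tmp"
check_origin_bundle "$tmp/origin.key" "$tmp/origin.pem" "$tmp/ca.pem" www.example.com
check_origin_bundle "$tmp/other.key" "$tmp/origin.pem" "$tmp/ca.pem" example.com || true
rm -rf "$tmp"
```

To check your own files, call `check_origin_bundle` with the paths of the saved private key, origin certificate and Cloudflare Origin RSA PEM root, followed by your domain name.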


Configuring your Cloudflare origin certificate step #2: Install Cloudflare SSL on your domain


Here is how you can install Cloudflare SSL within your Nexcess Client Portal:

2a. Navigate to the SSL tab in the Nexcess Client Portal by following the below instructions.

2b. From the homepage select the Domain Name on which you want to install SSL, by going to Plans > Plan Dashboard > Sites > Domain Name.

2c. Choose SSL from the menu options.

2d. If Let's Encrypt SSL is enabled on your domain, you will need to turn it off by toggling the switch left to see the Upload New Certificate section.

2e. Now in the Upload New Certificate section, fill in the fields for Private Key, Certificate (Origin Certificate), and Chain Certificate (Cloudflare CA Root Certificate) to upload the new certificate.

2f. Click Install when ready.


In just a few minutes, your SSL certificate should be installed. Please note that this certificate is renewed/revoked at Cloudflare's end.

Configuring your Cloudflare origin certificate step #3: Review DNS and SSL settings


To ensure the SSL works correctly on your domain, there are a couple of last steps to take:

3a. You must ensure the domain's DNS A record is proxied behind Cloudflare.


3b. You will also need to ensure the SSL/TLS encryption mode is set to Full (Strict) mode.


There you go! Congratulations! Your domain is secured with Cloudflare SSL, which uses the Cloudflare origin certificate.

Limitations of Cloudflare's origin certificate


Usually, SSL certificates are a bit costly, so why is this SSL certificate from Cloudflare free? It comes with a catch, but it is so minor that it shouldn't bother most website admins.

About the requirement to use the Cloudflare proxy when using Cloudflare's origin certificate

Cloudflare enforces the requirement to use the Cloudflare proxy when using Cloudflare's origin certificate. For it to work properly, the domain on which you have installed the SSL certificate must always use the Cloudflare proxy.

The Cloudflare origin certificate becomes useless if you stop using Cloudflare's protection on your domain. If you bypass Cloudflare for some reason, browsers will treat the origin certificate like a self-signed certificate and warn any user trying to connect to your website that the site is not secure.

It is recommended that you always use Cloudflare's proxy, as that's how they cache your assets. However, using this certificate essentially locks you into using Cloudflare until you decide to pay for an SSL certificate.

About the alternatives to using Cloudflare's origin certificate


Alternatively, you can always switch back to the free Let’s Encrypt SSL certificate available in your Nexcess Client Portal. Instead of using a Cloudflare origin certificate, you can use the Let’s Encrypt SSL certificate or purchase a paid CA-signed SSL certificate from the beginning.

Wrapping up your Cloudflare SSL with Cloudflare origin certificate setup


It's a wrap — setup is complete! It's that simple. You have now learned how to protect your website by encrypting the traffic between Cloudflare and the origin server using a Cloudflare origin certificate.

Installing the Cloudflare origin certificate on your domain means you do not have to worry about renewing the Let’s Encrypt certificate every 90 days or paying for yearly commercial SSL renewals.

Edith Fernandez


Edith Fernandez works with the Managed Applications Chat Support team. As a Managed Applications Chat Support Supervisor for over 50 technicians, Fernandez leads, coaches, trains, and encourages her team. “I love taking ownership, diving deep to find areas of improvement within the department, and contributing ideas that can benefit both the team and the company,” she says.


Fernandez loves the fast pace of the tech field and the rapidity with which change occurs. Of her work accomplishments, Fernandez is most proud of her work collaborating with the Nexcess leadership team. Fernandez is happy to inspire other women, especially Indian women and girls. Caring deeply about her customers has made all the difference in Fernandez’s career.


Her advice to women interested in pursuing a career in tech is to create a vision of what they want to become. “IT is a vast field. There are so many areas and opportunities where women can excel,” she says. “There is nothing that cannot be achieved. So dream about it, work towards it, don’t be afraid to ask for help, and go after what you want.”
