Cloudflare is one of the popular WAF (Web Application Firewall) and reverse proxy services. This service sits between your site visitor and the server, acting as a filter for websites. When opting for their services, you update your default nameservers with their nameservers, point DNS records to them, and then you can also opt to route traffic to your website via Cloudflare.

The advantage of using this setup is that you benefit from Cloudflare's fast DNS resolution and add an extra layer of security by hiding your server identity while ensuring that all the connections pass through Cloudflare. This prevents any malicious requests from reaching the server. Please note that in case Cloudflare incurs any problems, these might also have a domino effect on your website’s availability and stability.

Cloudflare’s other offerings include DNS manager, SSL/TLS certificates, and Content Delivery Network (CDN). Today we are going to talk about securing your application hosted on Cloudways with the Cloudflare Origin CA Certificate to use authenticated origin pull requests. Cloudflare Origin CA provides a secure end-to-end SSL connection between your server (“origin”) and the end-user securing also the paths going to Cloudflare, which sits in between the two. Cloudflare offers this service for free with the ability to extend your validation period up to 15 years.

Authenticated Origin Pulls let origin web servers validate that a web request came from Cloudflare. Cloudflare uses TLS client certificate authentication, a feature supported by most web servers, to present a Cloudflare certificate when establishing a connection between Cloudflare and the origin web server. By validating this Cloudflare certificate at your origin web server, access is limited to Cloudflare connections.

Authenticated Origin Pulls are important when taking advantage of the Cloudflare Web Application Firewall (WAF). Once your origin web server enforces Authenticated Origin Pulls, any HTTPS requests outside of Cloudflare are blocked from reaching your origin.

— Cloudflare

If you stop using the Cloudflare protection on your site, then your Cloudflare Origin Certificate becomes useless, and that is when you can also switch to a Free Let’s Encrypt SSL Certificate available in the Cloudways Platform. Alternatively, you can also choose the Free Let’s Encrypt SSL Certificate from the beginning instead of using Cloudflare’s certificate.

Tips

The Cloudflare Origin CA lets you generate a free SSL/TLS certificate signed by Cloudflare to install on your Cloudways server. To configure the Cloudflare Origin Certificate, you need a CSR first, which can be easily generated from the Cloudways Platform.

Tip

CSR refers to Certificate Signing Request, and it is a small file in which you provide information about the certificate to be created. CSR is required at the time of purchasing/generating an SSL certificate by the Certification Authority.

Here are a few prerequisites for completing this tutorial:

Log in to your Cloudways Platform using your email address and password.

3. Next, click www.

4. Choose your desired application’s name.

5. Under Application Management, select an SSL Certificate.

Now, a dialog box will appear prompting for the following information. This information is asked for the CSR generation.

3. Country: Select your country. In this example, we are inputting the United States.

4. States: Input your state, e.g., California.

5. Locality: Input your locality/city, e.g., Los Angeles.

6. Organization Name: Write your organization/business name.

7. Organizational Unit: Input organizational unit, e.g., sales and marketing.

8. Email: Input your email address.

9. Domain: Now, it is time to add your domains(s), so there are a couple of instructions which are as follows:

Tip

Need help with which to choose?, learn about the difference between single, multiple, and wildcard SSL.

Tip

If you would like to update any of the details provided in the CSR, then click Re-create CSR and update the information.

2. Next, open the downloaded file (.csr file) as you will need it later. You can use any text editor such as Notepad for Windows, or TextEdit for Mac.

4. Switch to the Origin Server tab.

5. Click Create Certificate.

6. Here, select “I have my own private key and CSR”.

7. Paste the entire content of your CSR file.

8. Now, list those domains you want your origin certificate to protect, just like you input at the time of CSR generation.

9. Choose the Certificate Validity period. The shorter validity period may sound inconvenient as you need to re-issue the certificate by following the same process, but it has its benefits as well. The certificate ecosystem keeps changing due to many new emerging threats; a shorter validity certificate can put Certificate Authority (CA) and you as a site owner ahead of those threats in case any vulnerability comes up. Secondly, the shorter validity certificates put you in the practice of updating the cryptographic keys and minimizing the potential impact of a single key compromise.

10. Click Next.

Your Cloudflare Origin Certificate is successfully issued. Now, you need to deploy it on your application.

1. Copy your entire origin certificate, as shown below.

2. Move back to the Cloudways Platform and click Install Certificate.

3. Now, paste your entire certificate content (copied earlier at the beginning of step #5) in the Certificate Code.

4. Also, paste the same certificate content (copied earlier at the beginning of step #5) entirely in CA Chain.

5. Finally, hit Submit.

Your SSL certificate should be deployed in a few minutes. Please be advised that this certificate is renewed/revoked at Cloudflare’s end.

Now, you will see a dialog box prompting you to force HTTPS redirection if you have not forced it through the Cloudways Platform previously.

Important

Skip forcing HTTPS redirection from the Cloudways Platform if you have:

Multiple redirections will cause your website to run into redirection loops. But, if you want to force HTTPS redirection from the Cloudways Platform, then you need to disable any redirection mechanism working elsewhere first.

So, choose to Enable HTTPS or simply skip it by clicking Not Now. Please note that you can also force HTTPS redirection later as well.

1. Go back to your Cloudflare dashboard (the same section where you generated your certificate) and toggle on the Authenticated Origin Pulls.

2. Switch to the Overview tab.

3. Finally, choose Full (strict).

You have successfully configured the Cloudflare Origin Certificate on your web application. Let’s move to the next step of verifying the SSL Certificate to ensure that it is properly configured.

Important

The installed certificate is only trusted by Cloudflare and should be used with the configured server actively connected to Cloudflare. If you disable/pause Cloudflare protection or remove proxied DNS records, it will become an untrusted certificate, and internet browsers will generate unwanted warnings.

We highly recommend that you verify your SSL certificate, and we have created a self-explanatory guide for it. Verification is done so you can ensure that the SSL certificate is configured properly. Many issues come up if the SSL certificate is not configured correctly. Your site visitors may also face inconvenience or may see several warnings generated by web browsers.

That’s it! We hope this article was helpful. If you need any help, then feel free to search your query on Cloudways Support Center or contact us via chat (Need a Hand > Send us a Message). Alternatively, you can also create a support ticket.