Important Announcement for Cloudflare Enterprise Users
If you have integrated Cloudflare Enterprise with your application, you don't need to install the Cloudflare Origin certificate. This article is only for those customers who are not using the Cloudflare Enterprise add-on.
Introduction to Cloudflare
Cloudflare is one of the most popular WAF (Web Application Firewall) and reverse proxy services. It sits between your site visitors and your server and filters the traffic that reaches the website. To use it, you replace your domain's nameservers with Cloudflare's nameservers, point your DNS records at it, and then optionally proxy (route) traffic to your website through Cloudflare.
The advantages of this setup are Cloudflare's fast DNS resolution and an extra layer of security: Cloudflare hides your origin server's IP address and, as long as every connection passes through Cloudflare, filters malicious requests before they reach the origin. Keep in mind that Cloudflare then becomes a dependency: if Cloudflare has problems, your website's availability and stability can be affected as well.
Why Choose Cloudflare Origin Certificate
Cloudflare's other offerings include a DNS manager, SSL/TLS certificates, and a Content Delivery Network (CDN). This article covers securing an application hosted on Cloudways with a Cloudflare Origin CA certificate and then enabling Authenticated Origin Pulls. A Cloudflare Origin CA certificate encrypts the leg between Cloudflare and your server (the "origin"); together with the edge certificate Cloudflare presents to visitors, this gives an end-to-end encrypted path from the end user to the origin, with Cloudflare in the middle. Cloudflare issues these certificates for free, with a validity period of up to 15 years.
What is Authenticated Origin Pull
Authenticated Origin Pulls let your origin web server verify that a request really came from Cloudflare. Cloudflare uses TLS client certificate authentication, a feature supported by most web servers: when Cloudflare connects to your origin, it presents a Cloudflare-issued client certificate. If your origin validates that certificate, only Cloudflare's connections are accepted.
This matters when you rely on the Cloudflare Web Application Firewall (WAF): without it, anyone who discovers the origin's IP address can send requests straight to the server and bypass the WAF. Once your origin enforces Authenticated Origin Pulls, any HTTPS request that does not present Cloudflare's client certificate is rejected before it reaches your application. Note that the check is part of the TLS handshake, so it protects only HTTPS; plain HTTP on the origin must be redirected or closed separately.
Disadvantages of Using the Cloudflare Origin Certificate
If you stop using Cloudflare on your site, the Cloudflare Origin Certificate becomes useless: it is signed by Cloudflare's own Origin CA, which browsers do not trust, so visitors connecting directly to your server will see certificate warnings. At that point you can switch to the free Let's Encrypt SSL certificate available in the Cloudways Platform. Alternatively, you can choose the free Let's Encrypt SSL certificate from the beginning instead of using Cloudflare's certificate.
A Let's Encrypt SSL certificate can be deployed effortlessly from the Cloudways Platform and can be set to renew automatically before it expires; you can also renew it manually.
How to Configure Cloudflare Origin Certificate
The Cloudflare Origin CA lets you generate a free SSL/TLS certificate signed by Cloudflare to install on your Cloudways server. To obtain it you first need a CSR, which you can generate from the Cloudways Platform.
A CSR (Certificate Signing Request) is a small file containing the public key and the identifying details (domain names, organization, location) of the certificate you want issued. It is signed with the matching private key, which stays on the server and is never sent to the Certificate Authority. A CA requires a CSR whenever you purchase or generate an SSL certificate.
Here are a few prerequisites for completing this tutorial:
A Cloudflare account.
The desired domain should be added to your Cloudflare account.
Your website should be live, with its DNS records hosted on Cloudflare.
Step #1 — Navigate to SSL Certificate
Log in to your Cloudways Platform using your email address and password.
1. From the top menu bar, open Servers.
2. Then, choose the target server where your desired application is deployed.
3. Next, click www.
4. Choose your desired application's name.
5. Under Application Management, select SSL Certificate.
Step #2 — Creating CSR
1. Choose "I do not have a certificate".
2. Then, click Create CSR.
A dialog box will appear prompting for the information needed to generate the CSR:
3. Country: Select your country. In this example, we are using the United States.
4. State: Input your state, e.g., California.
5. Locality: Input your locality/city, e.g., Los Angeles.
6. Organization Name: Write your organization/business name.
7. Organizational Unit: Input the organizational unit, e.g., Sales and Marketing.
8. Email: Input your email address.
9. Domain: Now add your domain(s). There are three options:
If you only want one domain secured by the certificate, input that single domain and hit Submit. For demonstration purposes, we have used a root domain (e.g., example.com).
If you want multiple domains protected by one certificate, input your first domain, tick SAN, and add the others by clicking Add Domain. Once done, click Submit.
If you are generating a wildcard certificate, enter your root domain preceded by an asterisk (e.g., *.example.com) and hit Submit. Note that a wildcard entry covers subdomains such as www.example.com but not the bare root domain itself; add example.com as a SAN if you need both.
Not sure which to choose? Learn about the difference between single-domain, multi-domain (SAN), and wildcard SSL certificates.
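Here is what the Create CSR step does under the hood, as an added example that is not part of the original article or of the Cloudways Platform: an OpenSSL script that generates a private key and a SAN or wildcard CSR with the same subject fields as the dialog above, plus a function that lists the domains in any .csr file, which you can run on the CSR downloaded from Cloudways to confirm the names before pasting it into Cloudflare. The function names, subject values and output paths are assumptions. Generate the key yourself only on a server you administer: in the Cloudways flow the private key is created and kept on the Cloudways server, and you download only the CSR.

```shell
#!/bin/sh
# Added example (not Cloudways or Cloudflare code): the openssl equivalent of the
# "Create CSR" dialog, plus a check of the domains a CSR asks for.
set -eu

# make_origin_csr OUTDIR DOMAIN [DOMAIN...]
# Writes OUTDIR/origin.key (private key; stays on the server) and OUTDIR/origin.csr
# (the text you paste into Cloudflare under "I have my own private key and CSR").
# The first DOMAIN becomes the CN; every DOMAIN, including a wildcard such as
# '*.example.com', is listed as a subjectAltName, which is what clients actually check.
make_origin_csr() {
  outdir=$1; shift
  cn=$1
  sans=""
  for d in "$@"; do
    sans="${sans:+$sans,}DNS:$d"
  done
  mkdir -p "$outdir"
  # umask 077 so the key file is created mode 0600 and is never world-readable.
  (umask 077; openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$outdir/origin.key" 2>/dev/null)
  # Subject fields mirror the Cloudways dialog (Country, State, Locality, Org, OU).
  # The values below are placeholders: replace them with your own.
  openssl req -new -key "$outdir/origin.key" -out "$outdir/origin.csr" \
    -subj "/C=US/ST=California/L=Los Angeles/O=Example Org/OU=Sales and Marketing/CN=$cn" \
    -addext "subjectAltName=$sans"
}

# csr_sans CSRFILE: print the DNS names requested in a CSR, one per line.
# Run this on the .csr downloaded from Cloudways before pasting it into Cloudflare.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# csr_verify CSRFILE: succeed only if the CSR's self-signature checks out, i.e. it was
# not corrupted while being copied around and was made with the key it claims.
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Usage: sh make_csr.sh demo   (writes a throwaway SAN CSR into a temp dir, lists its names)
if [ "${1:-}" = demo ]; then
  dir=$(mktemp -d)
  make_origin_csr "$dir" example.com www.example.com
  echo "CSR written to $dir/origin.csr, requesting:"
  csr_sans "$dir/origin.csr"
fi
```

Run `csr_sans` on the downloaded file and compare the list with what you typed into the dialog; a CSR that names only example.com will yield a certificate that does not cover www.example.com, and Cloudflare will issue exactly what the CSR and the hostname list ask for.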
Step #3 — Downloading and Opening CSR File
1. Click Download CSR to download the CSR file locally.
If you would like to update any of the details provided in the CSR, click Re-create CSR and update the information.
2. Next, open the downloaded .csr file in a text editor (e.g., Notepad on Windows or TextEdit on Mac), as you will need its contents later.
Step #4 — Generating Cloudflare Origin Certificate
1. Next, log in to your Cloudflare account and choose your target domain.
2. Navigate to SSL/TLS.
3. Select Full mode. Full (strict), in which Cloudflare also validates the certificate the origin presents, is enabled in Step #7 once the new certificate is installed.
4. Switch to the Origin Server tab.
5. Click Create Certificate.
6. Select "I have my own private key and CSR".
7. Paste the entire contents of your CSR file.
8. List the hostnames you want the origin certificate to cover, matching those you entered during CSR generation.
9. Choose the certificate validity period. A shorter validity period may seem inconvenient, since you must re-issue the certificate by repeating this process, but it has benefits. The certificate ecosystem changes as new threats emerge, and a shorter-lived certificate lets both the Certificate Authority (CA) and you as the site owner move on quickly if a weakness turns up. It also gets you into the habit of rotating cryptographic keys, which limits the damage a single key compromise can do, provided you generate a new CSR (and therefore a new key) at each re-issue instead of reusing the old one.
10. Click Next.
Step #5 — Deploying Certificate
Your Cloudflare Origin Certificate is successfully issued. Now, you need to deploy it on your application.
1. Copy the entire origin certificate, as shown below.
2. Move back to the Cloudways Platform and click Install Certificate.
3. Paste the entire certificate content you copied in step 1 into Certificate Code.
4. Paste the same certificate content into CA Chain as well.
5. Finally, hit Submit.
Your SSL certificate should be deployed in a few minutes. Note that this certificate is renewed or revoked from the Cloudflare dashboard, not by the Cloudways Platform, so keep track of its expiry date.
Step #6 — Forcing HTTPS Redirection
A dialog box will now prompt you to force HTTPS redirection, if you have not already enabled it through the Cloudways Platform.
Skip forcing HTTPS redirection from the Cloudways Platform if you have already:
Implemented HTTPS redirection via Cloudflare or an application-level plugin, or
Added the redirection to your application's .htaccess file.
Stacking redirects from several places will send your website into a redirect loop. If you prefer to force HTTPS redirection from the Cloudways Platform, disable any redirection mechanism configured elsewhere first.
So, choose Enable HTTPS or simply skip it by clicking Not Now. You can also force HTTPS redirection later.
Step #7 — Enabling Authenticated Origin Pulls
1. Go back to your Cloudflare dashboard (the same Origin Server section where you generated the certificate) and toggle on Authenticated Origin Pulls.
2. Switch to the Overview tab.
3. Finally, choose Full (strict), so that Cloudflare also validates the certificate your origin presents.
You have successfully configured the Cloudflare Origin Certificate on your web application. Let's move on to verifying the SSL certificate to ensure that it is properly configured.
The installed certificate is trusted only by Cloudflare and should be used only while the server stays behind Cloudflare. If you disable or pause Cloudflare protection, or un-proxy the DNS records, browsers will no longer trust the certificate and will show warnings.
Verifying SSL Certificate
We highly recommend that you verify your SSL certificate; we have created a self-explanatory guide for it. Verification ensures the certificate is configured properly: a misconfigured certificate causes many issues, and your site visitors may be inconvenienced or see browser warnings.
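As an added example (not part of the original article, and not Cloudways or Cloudflare tooling), the checks below cover two things from this article: whether the certificate you pasted in Step #5 is the right one for your key and hostnames, and whether Authenticated Origin Pulls from Step #7 actually locks the origin down. The first four functions run offline against the certificate and key files; `probe_origin` needs network access and your origin's IP address. Function names and file paths are assumptions, and `cert_days_left` relies on GNU `date`.

```shell
#!/bin/sh
# Added example (not Cloudways or Cloudflare code): sanity checks for an installed
# Cloudflare Origin CA certificate and for Authenticated Origin Pulls.
set -eu

# cert_matches_key CERT.pem KEY.pem: succeed only if the certificate was issued for the
# public key in KEY. A certificate issued from someone else's CSR, or pasted into the
# wrong application, fails here instead of breaking the TLS handshake in production.
cert_matches_key() {
  cert_fp=$(openssl x509 -in "$1" -noout -pubkey \
            | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_fp=$(openssl pkey -in "$2" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  [ "$cert_fp" = "$key_fp" ]
}

# cert_sans CERT.pem: the hostnames the certificate covers, one per line. Compare with
# the domains you listed in Cloudflare; a missing www or root name is a common reason
# for Full (strict) to answer 526 (Invalid SSL certificate) for part of a site.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_issuer CERT.pem: who signed it. An Origin CA certificate is issued by Cloudflare's
# own Origin CA, which is why only Cloudflare, and not browsers, trusts it.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# cert_days_left CERT.pem: whole days until notAfter (negative once expired). Origin CA
# certificates are not renewed by Cloudways, so alert on this well before it reaches 0.
# Assumes GNU date; on macOS use: date -j -f '%b %e %H:%M:%S %Y %Z' "$end" +%s
cert_days_left() {
  end=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  echo $(( ( $(date -d "$end" +%s) - $(date +%s) ) / 86400 ))
}

# probe_origin HOST ORIGIN_IP: with Authenticated Origin Pulls enforced, a request that
# reaches the origin directly, without Cloudflare's client certificate, must not succeed:
# expect 000 (handshake refused) or a 4xx such as 400, never 200. The same URL through
# Cloudflare should return 200. -k is needed on the direct probe because the origin
# certificate is signed by Cloudflare's Origin CA, which curl's trust store does not contain.
# Needs network access; the offline checks above do not call it.
probe_origin() {
  host=$1; ip=$2
  printf 'direct to origin %s (expect 000 or 4xx): ' "$ip"
  curl -sk -o /dev/null -w '%{http_code}\n' --resolve "$host:443:$ip" "https://$host/" || true
  printf 'via Cloudflare (expect 200): '
  curl -s -o /dev/null -w '%{http_code}\n' "https://$host/" || true
}

# Usage on the server, with the paths Cloudways used for the application (assumed):
#   cert_matches_key /path/to/origin.pem /path/to/origin.key && cert_sans /path/to/origin.pem
#   cert_days_left /path/to/origin.pem
#   probe_origin example.com 203.0.113.10
```

If the direct probe returns 200, the origin is still reachable without Cloudflare in front of it, and the WAF can be bypassed by anyone who learns the IP; re-check that Authenticated Origin Pulls is toggled on in Cloudflare and enforced by the origin's web server.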
That’s it! We hope this article was helpful. If you need any help, then feel free to search your query on Cloudways Support Center or contact us via chat (Need a Hand > Send us a Message). Alternatively, you can also create a support ticket.