Skip to main content
All CollectionsGetting StartedSecuring Website Using SSL
How to Configure Cloudflare Origin Certificate
How to Configure Cloudflare Origin Certificate

Learn how to configure the Cloudflare origin certificate on the Cloudways Platform. Official Cloudways Help Center guide.

Emmad avatar
Written by Emmad
Updated over a week ago

Table of Contents

Important Announcement for Cloudflare Enterprise Users

If you have integrated Cloudflare Enterprise with your application, you don't need to install the Cloudflare Origin certificate. This article is only for those customers who are not using the Cloudflare Enterprise add-on.

Introduction to Cloudflare

Cloudflare is one of the popular WAF (Web Application Firewall) and reverse proxy services. This service sits between your site visitor and the server, acting as a filter for websites. When opting for their services, you update your default nameservers with their nameservers, point DNS records to them, and then you can also opt to route traffic to your website via Cloudflare.

The advantage of using this setup is that you benefit from Cloudflare's fast DNS resolution and add an extra layer of security by hiding your server identity while ensuring that all the connections pass through Cloudflare. This prevents any malicious requests from reaching the server. Please note that in case Cloudflare incurs any problems, these might also have a domino effect on your website’s availability and stability.

Why Choose Cloudflare Origin Certificate

Cloudflare’s other offerings include DNS manager, SSL/TLS certificates, and Content Delivery Network (CDN). Today we are going to talk about securing your application hosted on Cloudways with the Cloudflare Origin CA Certificate to use authenticated origin pull requests. Cloudflare Origin CA provides a secure end-to-end SSL connection between your server (“origin”) and the end-user securing also the paths going to Cloudflare, which sits in between the two. Cloudflare offers this service for free with the ability to extend your validation period up to 15 years.

What is Authenticated Origin Pull

Authenticated Origin Pulls let origin web servers validate that a web request came from Cloudflare. Cloudflare uses TLS client certificate authentication, a feature supported by most web servers, to present a Cloudflare certificate when establishing a connection between Cloudflare and the origin web server. By validating this Cloudflare certificate at your origin web server, access is limited to Cloudflare connections.

Authenticated Origin Pulls are important when taking advantage of the Cloudflare Web Application Firewall (WAF). Once your origin web server enforces Authenticated Origin Pulls, any HTTPS requests outside of Cloudflare are blocked from reaching your origin.

— Cloudflare

Disadvantages of Using the Cloudflare Origin Certificate

If you stop using the Cloudflare protection on your site, then your Cloudflare Origin Certificate becomes useless, and that is when you can also switch to a Free Let’s Encrypt SSL Certificate available in the Cloudways Platform. Alternatively, you can also choose the Free Let’s Encrypt SSL Certificate from the beginning instead of using Cloudflare’s certificate.


  • Let’s Encrypt SSL Certificate can be deployed effortlessly using the Cloudways Platform.

  • It can be set up to renew automatically before the expiry. You can also renew it manually.

How to Configure Cloudflare Origin Certificate

The Cloudflare Origin CA lets you generate a free SSL/TLS certificate signed by Cloudflare to install on your Cloudways server. To configure the Cloudflare Origin Certificate, you need a CSR first, which can be easily generated from any third-party website like CSRGenerator.


CSR refers to Certificate Signing Request, and it is a small file in which you provide information about the certificate to be created. CSR is required at the time of purchasing/generating an SSL certificate by the Certification Authority.


Here are a few prerequisites for completing this tutorial:

  • A Cloudflare account.

  • The desired domain should be added to your Cloudflare account.

  • Your website should be live, and DNS records should be hosted over Cloudflare.

Step #1 — Generate CSR

First of all, you need to generate a CSR; We recommend using a third-party service called CSRGenerator and download the files.

Step #2 — Generating Cloudflare Origin Certificate

  1. Next, log in to your Cloudflare account and choose your target domain.

  2. Navigate to SSL/TLS.

  3. Select Full mode.

4. Switch to the Origin Server tab.

5. Click Create Certificate.

6. Here, select “I have my own private key and CSR”.

7. Paste the entire content of your CSR file.

8. Now, list those domains you want your origin certificate to protect, just like you input at the time of CSR generation.

9. Choose the Certificate Validity period. The shorter validity period may sound inconvenient as you need to re-issue the certificate by following the same process, but it has its benefits as well. The certificate ecosystem keeps changing due to many new emerging threats; a shorter validity certificate can put Certificate Authority (CA) and you as a site owner ahead of those threats in case any vulnerability comes up. Secondly, the shorter validity certificates put you in the practice of updating the cryptographic keys and minimizing the potential impact of a single key compromise.

10. Click Next.

Step #3 — Deploying Certificate

Your Cloudflare Origin Certificate is successfully issued. Now, you need to deploy it on your application.

1. Copy your entire origin certificate, as shown below.

2. Move back to the Cloudways Platform and click Install Certificate.

3. Now, paste your entire certificate content (copied earlier at the beginning of step #5) in the Certificate Code.

4. Also, paste the same certificate content (copied earlier at the beginning of step #5) entirely in CA Chain.

5. Finally, hit Submit.

Your SSL certificate should be deployed in a few minutes. Please be advised that this certificate is renewed/revoked at Cloudflare’s end.

Step #6 — Forcing HTTPS Redirection

Now, you will see a dialog box prompting you to force HTTPS redirection if you have not forced it through the Cloudways Platform previously.


Skip forcing HTTPS redirection from the Cloudways Platform if you have:

  1. Implemented HTTPS redirection via Cloudflare or using any application-level plugin.

  2. Modifying the .htaccess file of your application.

Multiple redirections will cause your website to run into redirection loops. But, if you want to force HTTPS redirection from the Cloudways Platform, then you need to disable any redirection mechanism working elsewhere first.

So, choose to Enable HTTPS or simply skip it by clicking Not Now. Please note that you can also force HTTPS redirection later as well.

Step #7 — Enabling Authenticated Origin Pulls

1. Go back to your Cloudflare dashboard (the same section where you generated your certificate) and toggle on the Authenticated Origin Pulls.

2. Switch to the Overview tab.

3. Finally, choose Full (strict).

You have successfully configured the Cloudflare Origin Certificate on your web application. Let’s move to the next step of verifying the SSL Certificate to ensure that it is properly configured.


The installed certificate is only trusted by Cloudflare and should be used with the configured server actively connected to Cloudflare. If you disable/pause Cloudflare protection or remove proxied DNS records, it will become an untrusted certificate, and internet browsers will generate unwanted warnings.

Verifying SSL Certificate

We highly recommend that you verify your SSL certificate, and we have created a self-explanatory guide for it. Verification is done so you can ensure that the SSL certificate is configured properly. Many issues come up if the SSL certificate is not configured correctly. Your site visitors may also face inconvenience or may see several warnings generated by web browsers.

That’s it! We hope this article was helpful. If you need any help, then feel free to search your query on Cloudways Support Center or contact us via chat (Need a Hand > Send us a Message). Alternatively, you can also create a support ticket.

Did this answer your question?