    Setup a Cloudflare Origin Certificate for use on a backend server

    IT Discussion
    cloudflare origin certificate ssl
    • JaredBusch

      1. Sign in to Cloudflare and click on your domain.

      2. Click on SSL/TLS.

      3. On the Overview tab, click on Strict.

      4. Click on Origin Server.

      5. Click on Create Certificate.

      6. Change the key type to ECDSA, as that is better than RSA overall and should be more future proof.

      7. If needed, add any other domain names to the certificate. Cloudflare automatically has it accepting *.domain.com and domain.com. You can add whatever, but obviously things will only work if you also own it and have it on Cloudflare. But it is common to have multiple TLDs on the same server.

      8. Leave the validity at 15 years and click Next.

      9. Save the certificate information to a file typically named domain.crt or domain.pem. You will be able to get this information again.

      10. Save the private key to a file typically named domain.key. Then click OK.
        You will never be able to see this information again. So it is absolutely critical that you do not lose it.
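As an added example (not part of JaredBusch's post), a small POSIX shell script that sanity-checks the domain.crt and domain.key files from steps 9 and 10 before they are installed on the origin server: that the key really belongs to the certificate, that the key type is ECDSA as chosen in step 6, that the expected names are in the SAN list, and that the certificate is not about to expire. It assumes the openssl command-line tool is installed; the self-signed ECDSA pair it generates is a constructed stand-in for a real Cloudflare origin certificate, which can only be issued from the dashboard.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the domain.crt and
# domain.key files saved in steps 9 and 10 before installing them on the origin
# server. Assumes the openssl command-line tool is installed.
set -eu

# 0 if the private key belongs to the certificate. A mismatch (wrong file copied,
# key lost and regenerated) is the usual reason a web server refuses to start.
cert_key_match() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 if the certificate carries an EC (ECDSA) public key, the type chosen in step 6.
cert_is_ecdsa() {
  openssl x509 -in "$1" -noout -text | grep -q 'Public Key Algorithm: id-ecPublicKey'
}

# 0 if the given DNS name is listed in subjectAltName (the names from step 7).
cert_has_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | grep -qF "DNS:$2"
}

# 0 if the certificate is still valid for at least $2 days (default 30).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 ))
}

# Run all checks for CRT KEY NAME, print one line each, return 1 if any failed.
check_origin_files() {
  crt=$1; key=$2; name=$3; rc=0
  for c in "cert_key_match $crt $key" "cert_is_ecdsa $crt" \
           "cert_has_san $crt $name" "cert_not_expiring $crt"; do
    if $c >/dev/null 2>&1; then echo "ok   $c"; else echo "FAIL $c"; rc=1; fi
  done
  return $rc
}

# Constructed stand-in for a Cloudflare origin certificate (those are only issued
# from the dashboard): a self-signed ECDSA cert with the apex and wildcard SANs
# that Cloudflare adds by default, written as DIR/domain.key and DIR/domain.crt.
make_sample_pair() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/domain.key"
  openssl req -x509 -new -key "$1/domain.key" -out "$1/domain.crt" -days 365 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2,DNS:*.$2"
}

tmp=$(mktemp -d)
make_sample_pair "$tmp" example.com
check_origin_files "$tmp/domain.crt" "$tmp/domain.key" example.com
rm -rf "$tmp"
```

Run it against the real files with `check_origin_files domain.crt domain.key yourdomain.com`; a FAIL on cert_key_match means the saved key is not the one for this certificate, and since the key cannot be retrieved again, the certificate has to be reissued.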

      • stacksofplates

        This is what I did for my personal site. GitLab pages did support Let'sEncrypt but not automated renewals so it was kind of pointless to use that. So I set one of these up. I need to go back and change it now that fully automated renewals are available.

        • JaredBusch @stacksofplates

          @stacksofplates said in Setup a Cloudflare Origin Certificate for use on a backend server:

          This is what I did for my personal site. GitLab pages did support Let'sEncrypt but not automated renewals so it was kind of pointless to use that. So I set one of these up. I need to go back and change it now that fully automated renewals are available.

          My question would be why use LE for that if you are using Cloudflare in front anyway? There is zero wrong with this type of origin certificate. If you are using Cloudflare, then it is a simple solution.

          • stacksofplates @JaredBusch

            @JaredBusch said in Setup a Cloudflare Origin Certificate for use on a backend server:

            My question would be why use LE for that if you are using Cloudflare in front anyway? There is zero wrong with this type of origin certificate. If you are using Cloudflare, then it is a simple solution.

            Oh it's just so I don't ever have to worry about renewing it. With GitLab Pages, I just check the box and it gives me a cert and auto renews for me. That's all.

            • JaredBusch @stacksofplates

              @stacksofplates said in Setup a Cloudflare Origin Certificate for use on a backend server:

              Oh it's just so I don't ever have to worry about renewing it. With GitLab Pages, I just check the box and it gives me a cert and auto renews for me. That's all.

              Obviously nothing wrong with what you are doing. But since you had something in place, I was wondering why change.

              Origin certs from Cloudflare have a default (and max) lifespan of 15 years. Since it should only be trusted by Cloudflare, there should be no need to use a shorter span cert.

              • stacksofplates @JaredBusch

                @JaredBusch said in Setup a Cloudflare Origin Certificate for use on a backend server:

                Obviously nothing wrong with what you are doing. But since you had something in place, I was wondering why change.

                Origin certs from Cloudflare have a default (and max) lifespan of 15 years. Since it should only be trusted by Cloudflare, there should be no need to use a shorter span cert.

                Yeah I changed it to 5 when I did mine. I've always "preached" short cert life span since that's been a thing so it's dogfooding also (even though it's not needed with this).

                • JaredBusch @stacksofplates

                  @stacksofplates said in Setup a Cloudflare Origin Certificate for use on a backend server:

                  Yeah I changed it to 5 when I did mine. I've always "preached" short cert life span since that's been a thing so it's dogfooding also.

                  I don't argue that a short lifespan is a good thing for the frontend. But a backend origin cert? Especially if you validate the origin pull (not in my guide).

                  • stacksofplates

                    There is one concern (not for me). The alt names can sometimes be not great (Unless they've changed that recently). Not many people would notice but for a business that might be an issue (not my site obviously).

                    • JaredBusch

                      looks pretty easy actually.

                      • stacksofplates @JaredBusch

                        @JaredBusch said in Setup a Cloudflare Origin Certificate for use on a backend server:

                        looks pretty easy actually.

                        oh nice, that does look simple. I had to paste the different sections of the cert into the config page for GitLab Pages.

                        • stacksofplates

                          So likely when I need to renew my cert it will be less work to just flip that toggle than to generate the cert from cloudflare and paste it into GitLab. I won't need to do that for another year or two though.

                          • JaredBusch @stacksofplates

                            @stacksofplates Since I set up my origin cert as a 15 year cert, I went ahead and used it on GitLab Pages. Totally get the point that it is simple either way though.

                            • JaredBusch

                              As an addendum to the original post.

                              • If you are using GitLab pages to host your site, as I am with my Hugo version of jaredbusch.com
                              • And you want to use the Cloudflare origin certificate, then you need to get Cloudflare's root CA cert also.

                              Cloudflare has an article about it that you can read here.

                              If you followed my guide above, you need to get the "ECC" version of the cert.

                              • FATeknollogee

                                noob question here:
                                If you're hosting on Cloudflare, this should be used instead of LE?

                                • JaredBusch @FATeknollogee

                                  @FATeknollogee said in Setup a Cloudflare Origin Certificate for use on a backend server:

                                  noob question here:
                                  If you're hosting on Cloudflare, this should be used instead of LE?

                                  The website is hosted on GitLab Pages.
                                  My DNS is on Cloudflare.

                                  Technically, these are unrelated things. Aside from the DNS needing to point to a server someplace.

                                  If you turn off the proxy (orange cloud) on Cloudflare, then you can use the LE certificate on GitLab. GitLab should not be able to use an LE certificate if you have the proxy on, because Cloudflare is the MitM and the auth request should not pass through.

                                  • scottalanmiller @FATeknollogee

                                    @FATeknollogee said in Setup a Cloudflare Origin Certificate for use on a backend server:

                                    noob question here:
                                    If you're hosting on Cloudflare, this should be used instead of LE?

                                    Not about "should", it's about which makes more sense for you in a given situation.

                                    • FATeknollogee @scottalanmiller

                                      @scottalanmiller said in Setup a Cloudflare Origin Certificate for use on a backend server:

                                      Not about "should", it's about which makes more sense for you in a given situation.

                                      "could" would probably have been a better word choice.

                                      • scottalanmiller @FATeknollogee

                                        @FATeknollogee said in Setup a Cloudflare Origin Certificate for use on a backend server:

                                        "could" would probably have been a better word choice.

                                        Yup, you definitely can 🙂
