Accepted formats for CSR in Origin Certificate Installation?

I’m trying to upload a CSR from my server using the Origin Certificate Installation dialog box.

However, after pasting the CSR in and clicking ‘Next’, all that happens is the ‘Next’ button blinks for a moment and nothing changes.

How can I figure out what format or key types are acceptable? For the key I tried to match the Cloudflare key (for a different domain), which Qualys reports is EC 256 bits key with SHA256withECDSA signature algorithm.

Is there some format I need to paste it in as? I don’t find many details on this and interface doesn’t tell me what I’ve done wrong.

You want to upload your own SSL certificate to your Cloudflare account for your domain?
Are you on the Business or higher Cloudflare Plan?

This is only for the certificate that goes from my server to Cloudflare to support Authenticated Origin Pulls:

Origin Certificates

Generate a free TLS certificate signed by Cloudflare to install on your origin server.

Origin Certificates are only valid for encryption between Cloudflare and your origin server.

What are Origin Certificates?

Cloudflare Origin Certificates are free TLS certificates issued by Cloudflare that can be installed on your origin server to facilitate end-to-end encryption for your visitors using HTTPS. Click “Create Certificate” and follow the instructions provided to generate and install a certificate. If not already set, you can now optionally change the SSL setting above to use “Full (strict)” mode.

Hostname/Wildcard Coverage

Certificates may be generated with up to 100 individual Subject Alternative Names (SANs). A SAN can take the form of a fully-qualified domain name (www.example.com) or a wildcard (*.example.com); IP addresses are not permitted as SANs on Cloudflare Origin Certificates. Wildcards may only cover one level, but can be used multiple times on the same certificate for broader coverage (e.g., *.example.com and *.secure.example.com may co-exist).

Expiration

Note that by default, newly generated certificates are valid for 15 years. If you wish to generate shorter-lived certificates (e.g., as short as 7 days), you should use the API or CLI tools provided.

Revocation

If you misplace your key material or wish to indicate that a certificate should otherwise no longer be trusted, you can click the “x” icon to the far-right of the Origin Certificate and click “OK”. This process cannot be undone.

Automated Issuance

If you wish to automate the issuance of Origin Certificates, click the CLI or API links to the right of the Help link to see additional instructions.

Very interested in whether you ever solved this mystery as I too am experiencing the same problem.

I am trying to generate an Origin Certificate Installation request per the instructions found on the Cloudflare website at https://www.notion.so/stupr/Cloudflare-SSL-Cert-recommendation-112a94c4213c43648ca3d463be83194e#8fdcb3921b7343429b7b071c67527a93 but after pasting in the CSR (from an AWS EC2 instance whose DNS entry is managed by Cloudflare) and selecting 15 years for the Certificate Validity length, I click Next and nothing happens. I already turned in a ticket but I thought I’d check here also…


No, never got it to work. Tried a few different keys and CSRs using various options in openssl but got nada from the Cloudflare GUI, which makes me sad. :frowning_face:

Ended up using the Cloudflare generated key pair.

The generated CSR of Cloudflare Origin CA is actually a certificate, not “request” to generate one.

So, you would need to save it as .crt or .pem at your host/origin.
Also, save/add a generated private key as a .key file.
Then link/call and use both of them at your apache or nginx config for your website.
Also make sure to have 443 port open for HTTPS at your origin.

Authenticated Origin Pulls - will work when you add Cloudflare’s (Client Certificate) which is used as SSL to verify the connection between Cloudflare and your origin.

  • this is not a certificate which contains your domain or sub-domain hostname

Moreover, in that case, you could use Full SSL or even Full SSL (Strict) as an SSL option at Cloudflare dashboard.

I think you have somehow misread my question. The question is about generating a CSR with my server and submitting it to Cloudflare to receive a crt. There are two options in the interface, which you can see by just opening up the option in the dashboard. The option you seem to be describing is the one already stated as working, and that is to use the key pair generated by Cloudflare.

In regards to the additional provided information in your reply, please note that nginx can accept any filename as a key, so long as the file contents are in the correct format.

Due to CSR, if you’re going to use that, make sure you feed it into Cloudflare so everything validates.

What format did you try to put it in at Cloudflare?
The default rsa2048 (RSA 2048 bit) will be used; the other option is p256v1 (NIST P-256).

But you are aware that Cloudflare does offer free origin certificates, which you can install on your server?

  • in case you want to use that …

If you’re trying to get a custom certificate on CF, custom certificates are only allowed on the business/enterprise plans and require you generate your own CSR and get the certificate issued yourself.

In case of validation errors, you can check at https://www.sslshopper.com/csr-decoder.html if your CSR is valid. Alternatively, you can also post it here.
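The two key types named above (rsa2048 and p256v1) and the suggestion to decode the CSR before posting it can both be checked offline. The following is an added example, not code from the thread or from Cloudflare: a stdlib-only inspector that confirms the pasted text is actually a PEM `CERTIFICATE REQUEST` (not the `CERTIFICATE` that a Cloudflare-generated origin cert is) and reports the public-key and signature algorithms from the DER structure. It does not verify the signature and cannot tell you what the dashboard will accept; the sample CSR it builds is constructed for the demonstration, with placeholder key and signature bytes, and the OID table is limited to the algorithms this thread mentions.

```python
"""Inspect a PEM CSR offline: PEM block type, public-key algorithm, signature
algorithm. Added example (stdlib only); the sample CSR is constructed here and
is not a real request."""
import base64
import re

# Algorithms this thread discusses: RSA-2048 with SHA-256 and EC P-256 with ECDSA/SHA-256.
OIDS = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.2.1": "ecPublicKey",
    "1.2.840.10045.3.1.7": "prime256v1 (NIST P-256)",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_to_der(pem):
    """Return (block_type, DER bytes) for the first PEM block, or raise ValueError."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found (missing BEGIN/END lines?)")
    return m.group(1), base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, next_pos). Definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value (SEQUENCE/SET contents) into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Decode OID contents to dotted form (first byte packs the first two arcs)."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def alg_name(alg_seq):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    parts = der_children(alg_seq)
    name = OIDS.get(decode_oid(parts[0][1]), decode_oid(parts[0][1]))
    if len(parts) > 1 and parts[1][0] == 0x06:  # EC keys carry the named curve as an OID
        curve = decode_oid(parts[1][1])
        name += " / " + OIDS.get(curve, curve)
    return name


def inspect_csr(pem):
    """Return {'ok': True, 'version', 'key', 'signature'} or {'ok': False, 'error'}."""
    try:
        block_type, der = pem_to_der(pem)
    except ValueError as e:
        return {"ok": False, "error": str(e)}
    if block_type not in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"):
        # The common mix-up from this thread: a Cloudflare-issued origin cert is a CERTIFICATE.
        return {"ok": False, "error": f"PEM block is '{block_type}', not a CSR"}
    tag, body, _ = der_read(der)
    if tag != 0x30:
        return {"ok": False, "error": "outer DER element is not a SEQUENCE"}
    info, sig_alg = der_children(body)[:2]           # CertificationRequestInfo, signatureAlgorithm
    version, _subject, spki = der_children(info[1])[:3]
    key_alg = der_children(spki[1])[0]               # SubjectPublicKeyInfo.algorithm
    return {"ok": True, "version": int.from_bytes(version[1], "big"),
            "key": alg_name(key_alg[1]), "signature": alg_name(sig_alg[1])}


# --- constructed sample input (placeholder key/signature bytes, format checks only) ---
def tlv(tag, value):
    """Encode one DER TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def constructed_sample_csr(key_oid="1.2.840.10045.2.1", curve="1.2.840.10045.3.1.7",
                           sig_oid="1.2.840.10045.4.3.2"):
    """Build a structurally valid CSR for CN=origin.example.com (constructed; not signed)."""
    subject = tlv(0x30, tlv(0x31, tlv(0x30, encode_oid("2.5.4.3") + tlv(0x0C, b"origin.example.com"))))
    params = encode_oid(curve) if curve else b"\x05\x00"      # named curve, or NULL for RSA
    spki = tlv(0x30, tlv(0x30, encode_oid(key_oid) + params) + tlv(0x03, b"\x00\x04" + b"\x11" * 64))
    info = tlv(0x30, tlv(0x02, b"\x00") + subject + spki + tlv(0xA0, b""))
    sig_alg = tlv(0x30, encode_oid(sig_oid) + (b"" if curve else b"\x05\x00"))
    der = tlv(0x30, info + sig_alg + tlv(0x03, b"\x00" + b"\x22" * 70))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    print(inspect_csr(constructed_sample_csr()))
    print(inspect_csr(constructed_sample_csr().replace("CERTIFICATE REQUEST", "CERTIFICATE")))
```

Run it on your own `server.csr` by passing the file contents to `inspect_csr`; an `ok: False` result with a `CERTIFICATE` block type means you pasted a certificate rather than a request, and a `key`/`signature` pair that is neither RSA/SHA-256 nor P-256/ECDSA-SHA-256 is worth changing before retrying the dashboard.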

I’m very sorry, but it seems you need to either read my question carefully or understand the concepts in the question better, but when I stated I formatted the generated keys based on the Cloudflare public keys as reported by Qualys, that is what I meant.

So, the reason I am asking this question is to find out what format Cloudflare needs, thus, I cannot submit a CSR “so everything validates” as that is the question I am attempting to find an answer to by posting here.

This topic was automatically closed after 30 days. New replies are no longer allowed.