Can I generate CSR for Origin CA using the API?

When I do it in the website Cloudflare offers to do it using my browser… there is no API similar call for this, I guess…?

I don’t think Cloudflare ever sends out the CSR it generates.

Is there a reason you’re trying to get Cloudflare’s CSR? It’s just for generating origin certs, and you get those once they’re generated.

Well I don’t need the CSR but the private key used to generate the CSR (to add the cert in Heroku)
Using the web interface, if you let Cloudflare handle the CSR generation, that private key is shown only once (obviously), but it seems this is not possible using the API.
I’ve tried skipping the CSR parameter or with empty string value… but it doesn’t work.

Oh, so you actually just need the Origin cert and private key. That is strange that it’s not returned by the API. I suggest you open a ticket via email to support AT cloudflare DOT com and post the ticket number here as soon as you get a reply so we can escalate it.

Will ask for it, thanks.
Actually, it’s quite easy to generate my own CSR with a one-off pkey in a script and use that to obtain the certificate via POST.

I can reproduce this issue. While the API docs indicate that csr is an optional parameter, it appears that csr and request_type are actually mandatory.

I suspect the issue here is a documentation update. As you are already using the API, it can be assumed that you can run the one-liner needed to generate a key/CSR, and it is much safer that the key is never transmitted over a network. CF probably decided not to expose keys via the API.


Yes, 3 of those params seem to be mandatory… I can’t see how to generate a certificate without hostnames, request_type or CSR.
requested_validity has a default value… Maybe it can be omitted.
Cloudflare says that it generates the pkey and CSR in the browser, so it is the same approach: the pkey does not go through the network. API client libraries could offer a side extra functionality to achieve this, but I think nobody would like to have to maintain that.

If there is a Common Name/SAN specified in the CSR you can omit the parameter to the API.

I would have thought that the API could detect RSA/ECC from the CSR, but it does not, so that does need to be specified.
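A script for the approach described in this thread: generate a one-off key and CSR locally, derive request_type from the key (since the API does not infer it), and build the request body with the mandatory hostnames, request_type and csr fields. This is an added example, not code from the thread or from Cloudflare; the API endpoint, the X-Auth-User-Service-Key header and the origin-rsa/origin-ecc request_type values are assumptions from my own use of the API, not from this page.

```shell
#!/bin/sh
# Added example (not from this thread or Cloudflare): generate a one-off key and
# CSR locally and build the Origin CA request body, so the private key never
# crosses the network. Endpoint and header name below are my own assumptions.
set -eu

# make_origin_csr HOSTNAME KEYFILE CSRFILE [rsa|ecc]
# Key plus CSR whose SAN covers HOSTNAME and *.HOSTNAME (needs OpenSSL >= 1.1.1).
make_origin_csr() {
  host=$1; key=$2; csr=$3; alg=${4:-ecc}
  if [ "$alg" = rsa ]; then
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
  else
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$key" 2>/dev/null
  fi
  chmod 600 "$key"   # the key stays on this host; only the CSR is sent
  openssl req -new -key "$key" -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host,DNS:*.$host" -out "$csr" 2>/dev/null
}

# request_type_for KEYFILE -> origin-rsa | origin-ecc
# The API does not detect RSA/ECC from the CSR, so derive it from the key itself.
request_type_for() {
  if openssl pkey -in "$1" -noout -text 2>/dev/null | grep -qi modulus; then
    echo origin-rsa
  else
    echo origin-ecc
  fi
}

# build_request_body HOSTNAME CSRFILE REQUEST_TYPE DAYS -> JSON on stdout
# hostnames, request_type and csr are the mandatory fields noted in the thread.
build_request_body() {
  csr_json=$(awk '{printf "%s\\n", $0}' "$2")   # escape PEM newlines for JSON
  printf '{"hostnames":["%s","*.%s"],"requested_validity":%s,"request_type":"%s","csr":"%s"}\n' \
    "$1" "$1" "$4" "$3" "$csr_json"
}

# Usage: sh origin_csr.sh example.com  -> origin.key, origin.csr, body.json, then:
#   curl -X POST https://api.cloudflare.com/client/v4/certificates \
#     -H "X-Auth-User-Service-Key: $CF_ORIGIN_CA_KEY" \
#     -H 'Content-Type: application/json' --data @body.json
if [ "$#" -gt 0 ]; then
  make_origin_csr "$1" origin.key origin.csr ecc
  build_request_body "$1" origin.csr "$(request_type_for origin.key)" 5475 > body.json
fi
```

The returned certificate, together with the locally kept origin.key, is what gets installed on the origin (Heroku in the original question).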

I haven’t tried it myself, but I guess you could upload your own custom CA via the API to the Cloudflare Custom Origin Trust Store, so you control and have access to the private key and CSR you generate, and can then sign any server-side SSL certificates with the custom CA (Cloudflare API v4 Documentation).

What is an origin server trust store?

By default, our edge maintains a set of common public certificate authorities as well as our own Origin CA which are considered trusted. This means that when using Full(strict) encryption mode, Cloudflare will only trust origin server certificates issued by a CA in this trust store.

Why use custom origin server trust store?

If you prefer to use a privately trusted certificate authority or want to limit trust to specific public CAs, you may upload one or more CAs that you desire Cloudflare to deem as trusted when connecting to your origin server.

What happens to the default trust store when I upload my private CA?

When a CA has been uploaded to Custom Origin Server Trust Store, Cloudflare will ignore all default publicly trusted CAs and exclusively use the CA or CAs that have been uploaded to authenticate the origin server.

What happens when my uploaded CA expires?

If no alternative CAs are valid within the trust store, Cloudflare will not be able to properly authenticate connections to the origin server with Full(strict) encryption mode enabled.

