Can we use CF Origin ECC PEM for Authenticated Origin Pulls

Goal is to use the fastest ECC cert created in the dashboard:
would it work if we upload the created Edge Cert “CF Origin ECC PEM” to the nginx server and add
ssl_client_certificate /etc/nginx/certs/Cloudflare.crt;
ssl_verify_client on;

or for the Authenticated Origin Pulls, it should only be this cert
https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem

For Authenticated Origin Pulls, it is only the cert you have the link to. The other origin certificates are for Origin CA, which is different.

@Cyb3r-Jak3
Am I correct that if the Authenticated Origin Pulls cert is used, there will be no need for any other Origin cert?

There are 3 methods outlined for Authenticated Origin Pull at https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull/set-up/:

  1. The default method, which can be worked around and is flawed, as all CF sites use the same CF root cert, so protection is bypassed for any other CF site pointing to your real server IP - Zone-Level Authenticated Origin Pull using Cloudflare certificates
  2. Using a custom CA Root/client TLS at the apex domain top level, i.e. domain.com - Zone-Level Authenticated Origin Pull using customer certificates
  3. Using a custom CA Root/client TLS at a custom subdomain level, i.e. sub.domain.com - Per-Hostname Authenticated Origin Pull using customer certificates

So technically, with the 2nd and 3rd methods you can script your own custom CA Root/CA Intermediate and use it to sign your own client TLS certs using ECC PEM for Cloudflare Authenticated Origin Pull configurations, and upload them via the CF API. So you can automate revocation/renewal.

Note: one important thing is to remember to record the id of your custom uploaded client TLS certificate from the CF API upload command's output. The reason is that CF does not have an API endpoint to list custom uploaded client TLS certificates, so you won't be able to update or remove the custom uploaded client TLS certificate without that id.

I create my own custom CA Root certificate/signed client TLS certs for custom hostnames via my own custom scripted process at https://github.com/centminmod/cfssl-ca-ssl (gen-client mode) using Cloudflare’s own cfssl as the underlying tool. The script is also used for my own Centmin Mod Nginx client TLS authentication processes outside of Cloudflare proxied configurations :smiley:

Example for creating ECC client TLS certificates signed with my own CA Root/Intermediate for use with the Cloudflare Authenticated Origin Pull config for Nginx: GitHub - centminmod/cfssl-ca-ssl; for the apex domain: GitHub - centminmod/cfssl-ca-ssl; and for a custom hostname/subdomain: GitHub - centminmod/cfssl-ca-ssl

Hope that helps

