@someguyUSA Hope the below helps in your case. Worked for me 1-2 hours ago and still working.
I am sharing what I’ve checked, tested and done in the past hour or two.
Since my Namecheap Sectigo is expiring on Sept 22 this year (in 1 month), I’ve gone through this again and done it as follows to get it working (at least in my case).
You can download my converted and used Cloudflare Origin CA Root (RSA) and Authenticated Origin Pull (RSA) as .p7b from the link below (steps 22-23):
Sharing step-by-step and screenshots:
- Ports 80 and 443 are open for inbound and outbound traffic on the FortiGate router in Firewall Policy along with other ports needed (custom RDP, etc.)
- Running Windows Server 2012 R2 x64
- Ports 80 and 443 allowed inbound and outbound on Windows Firewall
- Running IIS 8.5
- Under IIS, selected My Server → Server Certificates
- Right sidebar → Create Certificate Request
- Filled in Common name (sub.domain.hr), Organization, unit, city, state, country …
- Selected “Microsoft RSA” and “2048” bit
- Saved the CSR output to a csr.txt file
- Copied the output
- Went to CF Dashboard → SSL/TLS → Origin Server → Create Certificate
- Selected Use my private key and CSR, Hostnames → sub.domain.hr (only that one particular, nothing else), 15 years and hit the “Create” button
- Saved the output as PKCS7
- Renamed it to subdomainhr.cer
- Went to the IIS → selected my Server → Server Certificates → Complete Certificate Request from right sidebar
- Selected the subdomainhr.cer file, added a friendly name and selected “Personal”
- Opened certlm (Certificates - Local Computer)
- Under “Personal” I can see my Cloudflare Origin CA certificate
- Under “Trusted Root Certification Authorities” I went to right click → All Tasks → Import
- Selected “Local Machine”
- Downloaded:
  a) Cloudflare Origin RSA PEM (Origin CA certificates | Cloudflare SSL/TLS docs)
  b) Cloudflare Authenticated Origin Pull PEM (https://developers.cloudflare.com/ssl/static/authenticated_origin_pull_ca.pem)
- Converted both PEM certs via SSL Converter (SSL Converter - Convert SSL Certificates to different formats) from “Standard PEM” to “P7B/PKCS#7” (made sure to upload them one by one only under the field “Certificate File to Convert”)
- Downloaded the converted ones as .p7b
- Went back to the “Certificates” → Trusted Root Certification Authorities
- Right click → All Tasks → Import and imported each one here, one by one, double-checking to place them into the “Trusted Root Certification Authorities” certificate store
- Went to IIS, selected my Website sub.domain.hr
- Went to SSL Settings → Require SSL (not checked), Client Certificates is “Ignore”
- Right sidebar → Bindings
- Having http sub.domain.hr port 80 and public IP
- Added https sub.domain.hr port 443 and public IP
- Selected https and clicked “Edit”
- Type https, IP is IPv4, port is 443, host name is sub.domain.hr, “Require Server Name Indication” is checked and SSL certificate selected is the one which I’ve added (only)
- Saved
- I got the warning message “No default SSL site has been created. To support browsers without SNI capabilities …”
- Made sure Full (Strict) SSL is selected under the SSL/TLS tab of Cloudflare dashboard for the whole zone (no additional Rules configured to separate the sub-domain, except no cache)
- Made sure Authenticated Origin Pulls is enabled
- Stopped and started (restarted) the Web server
- Checking HTTP and HTTPS via Chrome on the Windows server gives an HTTP 404 Not Found error, however it loads fine without any issue, and on the “lock icon” I can see Cloudflare Origin Certificate, Origin CA, expiring 2039 (15 years)
- Checking via hostname from my home network and mobile phone (sub.domain.hr/some-path/phpinfo.php), it’s loading fine and working over HTTPS; no warning, no issue
- When I go to check the SSL lock icon, since it’s proxied, it’s showing the Let’s Encrypt Cloudflare certificate
- Nothing changed in the Apache config file for SSL.
In pictures:
What I can offer is that I could voluntarily help you with this on demand, but remotely only, via AnyDesk or something similar if it’s easier for you to see as well.
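The same trust-store and binding steps, as an added PowerShell example (not from the post above or from Cloudflare): certutil reads Base64/PEM directly, so the two Cloudflare PEM files can go straight into the Local Machine Trusted Root store without a third-party web converter, and the script then checks that the completed origin certificate actually chains to that root and that the https binding on port 443 carries its thumbprint with SNI required. The file paths, the assumption that the IIS site is named after the hostname, and the hostname itself are placeholders to adjust. The last line shows the site's client-certificate setting: with IIS left at "Ignore", the server never asks Cloudflare for its pull certificate, so Authenticated Origin Pulls is switched on in the dashboard but not enforced at the origin; "Require" is what enforces it.

```powershell
# Added example, not the original poster's or Cloudflare's code.
# Assumptions: paths under C:\certs, IIS site name equals the hostname, run as Administrator.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$HostName   = 'sub.domain.hr'                               # hostname used in the CSR (assumed)
$OriginRoot = 'C:\certs\origin_ca_rsa_root.pem'             # Cloudflare Origin CA RSA root PEM (assumed path)
$AopCa      = 'C:\certs\authenticated_origin_pull_ca.pem'   # Authenticated Origin Pull CA PEM (assumed path)

# certutil accepts PEM as-is: no PEM -> P7B conversion step and no upload to a converter site.
# The Origin CA root is what signs the server certificate; the AOP CA only matters once the
# site is set to require client certificates from Cloudflare.
certutil.exe -addstore -f Root $OriginRoot | Out-Null
certutil.exe -addstore -f Root $AopCa    | Out-Null

# Find the completed origin certificate in the Personal store by subject or SAN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$HostName*" -or $_.DnsNameList.Unicode -contains $HostName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $HostName in LocalMachine\My" }

# Build the chain the way Windows would for a TLS server certificate.
# Revocation is skipped so the check completes offline; the point here is the trust anchor.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$ok = $chain.Build($cert)
"Chain OK: $ok  Issuer: $($cert.Issuer)  Expires: $($cert.NotAfter)"
$chain.ChainStatus | ForEach-Object { "  status: $($_.Status) - $($_.StatusInformation.Trim())" }

# https binding: sslFlags 1 = "Require Server Name Indication", the option selected in the post.
$binding = Get-WebBinding -Name $HostName -Protocol https
$binding | Select-Object protocol, bindingInformation, sslFlags, certificateHash

# The thumbprint bound on 443 should be the certificate found above.
"Bound thumbprint matches: $($binding.certificateHash -eq $cert.Thumbprint)"

# Client-certificate mode for the site: 'None'/'Ssl' = Ignore, 'SslNegotiateCert' = Accept,
# 'SslRequireCert' = Require. Only Require makes IIS validate Cloudflare's pull certificate.
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$HostName" -Filter 'system.webServer/security/access' -Name sslFlags
```

If "Chain OK" comes back False with a status of UntrustedRoot, the Origin CA root did not land in the Local Machine Root store (the per-user store is a common mistake); if the thumbprint comparison is False, the binding is serving a different certificate than the one completed from the CSR.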