Cannot understand SSL Options

Hi all,

Sorry if this has been asked 100 times before! - but I just cannot get my head around SSL and Cloudflare.

I managed to install an SSL certificate on a website before - but it was a nightmare - and I’m dreading when it needs renewing - as I don’t know how I did it.

I’m a business Cloudflare user - and I just want the easiest option for getting SSL onto my site. Auto-renewing is better - but the main thing - users need to trust the site. We don’t take payments, but we are quite a popular site, used a lot in universities, schools, etc.

The “Origin CA” option looks the best to me - just install Cloudflare certificate on the server (then forget about that for 15 years) while Cloudflare just bills me for the certificate everyone sees. But if this is so easy, and good - why the other options? Why buy your own certificate, why doesn’t everyone just use Origin CA - what’s the disadvantage? Is it true SSL security for the users? Will the user see any errors?

Also - in my business account - I see “Edge Certificates” - which I’ve googled, and read the help - but I don’t understand.

I’m sorry - but SSL is just over my head! If anyone could just help with the best, easiest, and still secure way of getting that little padlock - that would be amazing!

Thanks for the help!


@saltpot I feel your pain. SSL can be confusing and getting a certificate installed? It’s a wonder I haven’t pulled out my gun and shot a server or two in the process (that might seem overly dramatic, but I live in Texas… why carry a gun if you can’t shoot a server?).

So let’s describe how Cloudflare works re: SSL at a high level. You’re on the right track I think. There are two places (in the general case) where we care about SSL.

The first is at Cloudflare’s edge. When a user connects to Cloudflare we present an SSL certificate to the user for your domain. This certificate should be signed by a trusted certificate authority and valid (not revoked and not expired).

Cloudflare gives everyone this for free (Universal SSL) and we automagically manage the renewal process. There are a couple of other certificates we offer where we manage the renewal process (dedicated and dedicated + custom host names). These certificates are very similar to the universal certificates; the biggest difference is that unlike Universal SSL certs which are shared certificates with other domain names on them, with dedicated your domain(s) will be the only ones listed on your certificates.

Since you are on the business plan you also have the option to buy a dedicated SSL cert from any CA you wish and upload it. But you are responsible to renew it and then upload the renewed version. UI is pretty simple so it’s not too painful. In general, this option is primarily for people who want EV certificates (I don’t think they have any real value for 99.99% of folks, but what do I know).

Ok so that’s our edge. What about the origin?

We want to make sure that the connection from Cloudflare to your origin server is secure as well. There are a number of ways to achieve that, but as you note Cloudflare offers a free origin certificate which can fit the bill (and with a long expiration time makes it simple to set and forget).

The key thing to understand is this certificate is intended to be used by /Cloudflare/ to establish a connection to your origin. It is a certificate issued by Cloudflare, so our edge trusts it… but if a normal user were to go to the site for some reason, bypassing Cloudflare they would receive a warning the certificate isn’t trusted (because it isn’t signed by a public CA like Comodo… just by us).

If users aren’t accessing the site directly (bypassing Cloudflare) this isn’t an issue.

So Edge Certificate is the one everyone sees (universal, dedicated, or custom uploaded) when they hit Cloudflare. And Origin certificate is intended to secure the connection between our Edge and your origin.

I usually work with our Enterprise customers and deploying origin certificates that no one has to refresh every year is a pretty big selling point… simplifies the work of the operations team managing the physical/virtual servers. And on our edge they buy or deploy whatever certificate the business wants for the user to see in their browser (usually just the dedicated that I think shows up for you at $5/mo).

Does that make things clearer or did I muddle it up even more?
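An added illustration (not part of the original reply) of why the edge trusts an origin certificate while a browser that reaches the origin directly does not: two throwaway CAs created with openssl stand in for Cloudflare's Origin CA and for a public CA in a browser trust store. The names `origin-ca`, `public-ca` and `origin.example.test` are constructed for this demo.

```shell
#!/bin/sh
# Added example: private CAs built locally with openssl, nothing here
# talks to Cloudflare. All names and files are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA key and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA HOST: create a key and CSR for HOST, then sign it with CA.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# trusted_by TRUST_ANCHOR CERT: print "trusted" if CERT chains to the
# given anchor, otherwise "untrusted".
trusted_by() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
  then echo trusted
  else echo untrusted
  fi
}

make_ca origin-ca      # stand-in for the CA that issues origin certificates
make_ca public-ca      # stand-in for a public CA that browsers ship with
issue_leaf origin-ca origin.example.test   # the cert installed on the origin

# The edge is configured to trust origin-ca, so the chain validates.
echo "edge (trusts origin-ca):     $(trusted_by origin-ca origin.example.test)"
# A browser only has public CAs, so the same cert fails validation.
echo "browser (trusts public-ca):  $(trusted_by public-ca origin.example.test)"
```
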


How do we fix that problem?
I don’t think all my visitors are served from Cloudflare. If I understood the analytics on my dashboard, it indicates up to 60% or so traffic is served from Cloudflare CDN.
So, the rest will see “certificate warning” when I implement SSL and origin certificate?


That’s not what the % stat means (though I can see how it’s confusing).

To bypass Cloudflare the visitor would need to use your origin IP. If you are set up correctly on CF your visitors wouldn’t ever touch your origin.

The 60% reflects data served directly from our CDN without having to pull from your origin. The other 40% was still routed through us back to your visitor, but it required you to use some bandwidth to relay the origin content to us before it goes to the user.

To sum up, unless your visitors are using your IP instead of your domain, they wouldn’t even interact with the origin :cert:. It’s strictly to secure what transfers between your origin and our edge.


Thanks so much for the replies - this does really help clear things up

The key thing to understand is this certificate is intended to be used by /Cloudflare/ to establish a connection to your origin. It is a certificate issued by Cloudflare, so our edge trusts it… but if a normal user were to go to the site for some reason, bypassing Cloudflare they would receive a warning the certificate isn’t trusted (because it isn’t signed by a public CA like Comodo… just by us).

Just to check - If I enabled development mode - will the site still be served through Cloudflare ssl - or will users see a certificate error for 2 hours?

Thanks again!

Thanks so much! That was much easier than I thought it would be!

I searched and replaced all mention of http: on my site to https:

Then I ticked the “Always use HTTPS” feature - as I’m not great with htaccess. And it’s giving correct 301 redirects everywhere.


Now I’ve just got to hope that Google finds all my new https pages - and my site doesn’t drop down the rankings.

Thanks again for the help!


As long as a record is orange clouded it goes through Cloudflare. Only changing the record from orange to gray in DNS would cause a user to go directly to the origin.

That’s the only thing missing on the first stage of your explanation: to bypass Cloudflare they need to visit the site via IP, not by domain name. That clears up the question if I read it right…

Excellent, we should post this in the Help Center section of SSL. I went through the same ordeal and after reading and exploring understood the implementation. For those needing to install the SSL themselves and have the courage, cPanel or console, Cloudflare offers instructions to dive into depending on what server you’re running, which was another experience of its own to figure out, but submitting a ticket will have support confirm your server with their secret command line tools; DUM DUM HERE STILL USES GUI. I retired from assembly, BASIC and batch codes a long time ago, but here’s the article that can help you install the SSL on Apache:

I’ll stick to the easy part and pay for the SSL when the time comes. In the meantime, thanks for the explanation, and just add the additional details of how visitors could bypass Cloudflare in your amazing scholar summary; DUM DUM IS GETTING SCHOOLED!! Here’s a complement to your details via a graphical view, if it comes close to what I visualized in my head from reading your summary. Ooohhh, and by the way, you don’t need a gun to shoot a server; JUST UNPLUG IT :wink:

Cloudflare origin