@saltpot I feel your pain. SSL can be confusing and getting a certificate installed? It’s a wonder I haven’t pulled out my gun and shot a server or two in the process (that might seem overly dramatic, but I live in Texas… why carry a gun if you can’t shoot a server?).
So let’s describe how Cloudflare works re: SSL at a high level. You’re on the right track I think. There are two places (in the general case) where we care about SSL.
The first is at Cloudflare’s edge. When a user connects to Cloudflare we present an SSL certificate to the user for your domain. This certificate should be signed by a trusted certificate authority and valid (not revoked and not expired).
Cloudflare gives everyone this for free (Universal SSL) and we automagically manage the renewal process. There are a couple of other certificates we offer where we manage the renewal process (dedicated and dedicated + custom host names). These certificates are very similar to the universal certificates; the biggest difference is that unlike Universal SSL certs, which are shared certificates with other domain names on them, with dedicated your domain(s) will be the only ones listed on your certificates.
Since you are on the business plan you also have the option to buy a dedicated SSL cert from any CA you wish and upload it. But you are responsible for renewing it and then uploading the renewed version. The UI is pretty simple so it’s not too painful. In general, this option is primarily for people who want EV certificates (I don’t think they have any real value for 99.99% of folks, but what do I know).
Ok so that’s our edge. What about the origin?
We want to make sure that the connection from Cloudflare to your origin server is secure as well. There are a number of ways to achieve that, but as you note Cloudflare offers a free origin certificate which can fit the bill (and with a long expiration time makes it simple to set and forget).
The key thing to understand is this certificate is intended to be used by /Cloudflare/ to establish a connection to your origin. It is a certificate issued by Cloudflare, so our edge trusts it… but if a normal user were to go to the site for some reason, bypassing Cloudflare they would receive a warning the certificate isn’t trusted (because it isn’t signed by a public CA like Comodo… just by us).
If users aren’t accessing the site directly (bypassing Cloudflare) this isn’t an issue.
So Edge Certificate is the one everyone sees (universal, dedicated, or custom uploaded) when they hit Cloudflare. And Origin certificate is intended to secure the connection between our Edge and your origin.
I usually work with our Enterprise customers and deploying origin certificates that no one has to refresh every year is a pretty big selling point… simplifies the work of the operations team managing the physical/virtual servers. And on our edge they buy or deploy whatever certificate the business wants for the user to see in their browser (usually just the dedicated that I think shows up for you at $5/mo).
Does that make things clearer or did I muddle it up even more?
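As an added example (not part of the original post or of Cloudflare’s own tooling), the edge-vs-origin trust split described above can be reproduced locally with openssl: a throwaway private CA stands in for the Cloudflare Origin CA, it issues a long-lived origin certificate, and the same certificate then verifies against that CA (what the edge does) but fails against the public trust store (what a browser that bypasses Cloudflare sees). The CA name "Demo Origin CA", the host origin.example.com and the working directory are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: stand up a throwaway private CA
# that plays the role of the Cloudflare Origin CA, issue an origin certificate
# with it, and show both halves of the point above: the cert verifies against
# that CA (what the Cloudflare edge does) but fails against the public trust
# store (what a browser hitting the origin directly would do). Every name and
# path here (Demo Origin CA, origin.example.com, $WORK) is constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ORIGIN_HOST="origin.example.com"

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
write_config() {
  cat > "$WORK/demo.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_origin]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$ORIGIN_HOST
EOF
}

# Private root that stands in for the Origin CA (only Cloudflare's edge
# is configured to trust the real one; no browser ships it).
make_origin_ca() {
  openssl req -x509 -config "$WORK/demo.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Origin CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
}

# Origin key + CSR, signed by the private root with a long lifetime
# (15 years here, mirroring the "set and forget" expiry the post mentions).
make_origin_cert() {
  openssl req -new -config "$WORK/demo.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$ORIGIN_HOST" \
    -keyout "$WORK/origin.key" -out "$WORK/origin.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/origin.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/demo.cnf" -extensions v3_origin \
    -days 5475 -out "$WORK/origin.pem" >/dev/null 2>&1
}

# What the edge does: verify against the Origin CA root it was given.
verify_as_edge() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$ORIGIN_HOST" \
    "$WORK/origin.pem" >/dev/null 2>&1
}

# What a browser does when it bypasses Cloudflare: public trust store only,
# which does not contain the Origin CA, so this is expected to fail.
verify_as_browser() {
  openssl verify -verify_hostname "$ORIGIN_HOST" "$WORK/origin.pem" >/dev/null 2>&1
}

# Who signed it; for a real Origin CA certificate this names Cloudflare.
origin_issuer() {
  openssl x509 -in "$WORK/origin.pem" -noout -issuer
}

demo() {
  write_config
  make_origin_ca
  make_origin_cert
  origin_issuer
  if verify_as_edge; then
    echo "edge (trusts Origin CA):     OK"
  else
    echo "edge (trusts Origin CA):     FAILED"
  fi
  if verify_as_browser; then
    echo "browser (public store only): OK"
  else
    echo "browser (public store only): NOT TRUSTED (expected)"
  fi
}

demo
```

The same two checks are the ones to run against a real origin: `openssl verify -CAfile <origin-ca-root.pem>` should pass for the certificate you installed, and the plain `openssl verify` failure is exactly the warning a user would see if they reached the origin without going through Cloudflare.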