Can't get Advanced Certificate

I have just created an Advanced SSL Certificate with DigiCert as Certificate Authority, but can’t find how to download it.

In fact, I selected TXT as “Validation method” but didn’t receive any string to set in the DNS for validation.

Under “SSL/TLS -> Edge Certificates” menu I can see my certificate listed with “Active” status, however I don’t know how to get it in order to install it on my servers. Should I go to DigiCert website and do something there?

Any insight is highly appreciated, regards.
Nicolas

Certificates managed under the Advanced Certificate Manager are edge certificates and those never leave the Cloudflare premises.

If you want a certificate for your server you can only get an Origin certificate, however keep in mind this is only valid for proxied connections and not trusted by regular browsers.

1 Like

Thanks for your prompt response.
I already have a certificate under the “Origin Server” menu, which is a basic certificate issued by CloudFlare that supports my first level domain and its wildcard (example.com, *.example.com). Now I want to issue another certificate for second level domain (something.example.com) so I upgraded the CloudFlare plan (USD 10 / month) to get that feature through Advanced Certificates. As I said before, I created the extra certificate in the Edge Certificates menu, but don’t have an option to download it. This is different from the Origin Certificate for which you get a link to download.

How can I dowload the edge certificate I created for the second level domain? Should I create another origin certificate?

Precisely.

I don’t think either a new Origin certificate, or an ACM certificate are needed here.

The second level domain is something.example.com, which is covered by the wildcard the OP has on the Origin cert, and is also covered by the Universal Certificate. If the hostname was dev.somethinng.example.com (note the extra level) then you would need to get a new Origin cert, and ACM would also be necessary.

Is something not working as expected here?

@ngarcia, what was the point of the paid certificate in the first place. I assume you wanted a hostname deeper than just one level beneath your domain, right? If not you don’t need a paid certificate and even the standard configuration of an Origin certificate will cover all use cases.

Actually I meant to say the same example @michael provided:

so I need an extra level which I don’t think is covered by the Universal Certificate. In fact, I created it as a new origin certificate (not with ACM) apart from the first level certificate, downloaded and installed it but the browser didn’t recognize it.

In summary, I need a third level domain certificate and as per the ACM documentation:

Compared to Cloudflare’s free Universal certificates, use ACM to:

  • cover more than one level of subdomain

So I upgraded my CloudFlare plan but now I’m struggling to issue the certificate.
Plus, what is ACM exactly? Is it a tool? A separate website from CloudFlare? Again, documentation doesn’t explain much… It says “Understanding Advanced Certificate Manager” but doesn’t give any clue on what it is, how to access it, how it deals with certificates, etc…

Thanks again for your help.

That was exactly my assumption. But you do not need to upgrade your Cloudflare plan for that.

Just get the $10 edge certificate, assign the desired hostnames to it and equally adjust your existing Origin certificate and you are good to go.

That’s what you get via the ACM.

May be there’s a subtlety on my “plan upgrade” statement… I clicked on the “Order Advanced Certificate” and there I was challenged to “upgrade” to a $10/month to be able to use it. That’s what I mean to say.

So are you suggesting that I update my current certificate or create a new one adding the extra level FQDN I want to support and that’s it? Then what’s the Advance Certificate feature for?

My other question remains… What’s ACM exactly?

All right, in that case you did not upgrade the plan but simply ordered a dedicated certificate via the ACM.

The ACM is the successor of the previous $10 dedicated certificate and now comes with more settings but it still is essentially just an upgraded version of the free edge certificate. Typically you don’t need it, unless you need particular SSL settings or support for hostnames deeper than one level, such as in your case.

If you don’t need that additional level you can simply stick to the Universal certificate, otherwise you will need the paid one. But all of that is unrelated to your actual server certificate which also needs to include these hostnames however and this is where the updated Origin certificate comes in.

Ok good. One more comment on something you mentioned:

My intention is to install the certificate on a server whose domain name will be pointed by a DNS record in CloudFlare, but with DNS Only configuration, not proxied.

In other words, I have delegated the subdomain *.something.example.com to another DNS provider. The certificate will be for: one.something.example.com but I will have a CNAME DNS entry that points to it, like: another.example.com -> one.something.example. com

Would it be an issue if the CNAME entry is DNS Only instead of proxied?

Hope it’s clear enough, otherwise please let me know.

In that case you do not need either edge certificate and the Origin certificate won’t help you either.

You best look into the usual suspects such as Lets Encrypt or paid certificates. Cloudflare does not have anything for SSL when it comes to unproxied connections.

The question is whether your CNAME will be proxied. In that case the certificate would come into play again, however that seems to be only one level down, hence you wouldn’t need the paid certificate either.

Ok I get it, but let me ask you something to clarify further.

Even though I understand neither Origin nor Edge certificates will help in my case because I need it for non-proxied, now I have two certificates under “Edge Certificates” menu, one Universal and one Advanced. The Universal is sort of the standard one and corresponds to the Origin certificate (example.com and *.example.com). The Advanced is the one I created with “Order Advanced Certificate” button and has the deeper level domain I intended to support.

In case I wanted to use the Advanced certificate, how do I download it? If you click on the blue arrow on the right hand side you only get the details and the delete option.

Cloudflare are not a Certificate Authority, and any certificates created by Cloudflare (such as Universal, Advanced or Dedicated certificates) cannot be downloaded for use elsewhere. They can only be used within Cloudflare, and the keys are entirely managed by Cloudflare.

You don’t. That’s what I said all along, already in my first response.

Ok makes sense. But note that you can download the Origin Certificate body, and if you have its private key, you can import it in other certificate providers and install it. Don’t you see that as leaving CloudFlare premises?

Origin certificates of course, but that I also addressed in my first response :wink:

Perfect, thanks again for your support!