Cloudflare certs

So I have internal servers for which I am hoping to not have to use an expensive wildcard cert from Comodo any more. These servers do not have an external IP at all. I keep getting "Not secure" in Chrome with my edge cert. Is there a way to fix this?

CF certs are not for public use!

Please have a read: https://support.cloudflare.com/hc/en-us/articles/115000479507

Origin CA certificates only encrypt traffic between Cloudflare and your origin web server and are not trusted by client browsers when directly accessing your origin website outside of Cloudflare. For subdomains that utilize Origin CA certificates, pausing or disabling Cloudflare causes untrusted certificate errors for site visitors.

Look into setting up Let’s Encrypt certificates on your internal servers. Cloudflare’s certificates are not useful here, unless your traffic goes out to Cloudflare and back in again.

So you're telling me the DigiCert cert from Cloudflare that I purchased isn't a web cert?

Not everything I have is easy to configure Let's Encrypt on, and some of it actively hates the 90-day cert renewal that Let's Encrypt uses. I generally use 5-10 year certs because of this.

Wait, I never said that!
Because you never mentioned you bought the cert from CF.

I'm not that familiar with the DigiCert certs from Cloudflare that you can buy. I use the normal Origin Certs from CF, but not for direct access, only for access behind CF.

Please provide more info:

  1. Which error gets shown exactly?
  2. As you use an internal server, which domain do you use to access it? Or which domain do you want to secure with this cert?

Also, you would not have to buy any cert if you just want to use it locally!

For local use a self-signed cert does 100% the job of any other cert.
You could simply create your own cert (valid for 15 years) and just apply it to any (also local) domain you want.

Chrome will complain anyway that it is not able to verify the cert.

Solutions:

  1. Just start Chrome in --ignore-certificate-errors mode and they will be gone.
  2. Import your certs into Chrome and they will be handled as trusted certs. (This is recommended, as it still gives you the chance to detect self-signed certs on the web with Chrome while using your own certs for local use.)
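The "create your own cert and trust it" route above, written out as an added example (this is not code from the thread or from Cloudflare): a small private root CA issued with the built-in PKI cmdlets, a wildcard leaf signed by it, and only the root's public half placed in the machine's Trusted Root store. The domain `corp.example`, the file paths and the certificate lifetimes are placeholder assumptions; the GPO path in the comment is the standard one for distributing a trusted root to managed Windows devices.

```powershell
# Added example, not from the thread: a private root CA plus a wildcard server
# certificate issued from it, all with the built-in PKI cmdlets, then trusting
# only the root on the local machine. The domain (corp.example) and file paths
# are placeholders. Run elevated on Windows 10 / Server 2016 or later.

$domain = 'corp.example'   # placeholder internal DNS suffix

# 1. Root CA. Long-lived (the poster wanted ~15 years), marked as a CA with
#    pathlength 0 so it can only sign end-entity certs. This is the one thing
#    that goes into Trusted Root stores; its private key must not be deployed.
$rootCa = New-SelfSignedCertificate `
    -Type Custom `
    -Subject "CN=Internal Root CA, O=$domain" `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.19={critical}{text}ca=true&pathlength=0') `
    -NotAfter (Get-Date).AddYears(15) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Leaf cert for the servers, signed by the root. Chrome ignores the CN and
#    matches only against subjectAltName, so every name goes in -DnsName.
#    The default -Type (SSLServerAuthentication) adds the serverAuth EKU.
#    Keep the leaf shorter than the root: reissuing a leaf is cheap once the
#    root is trusted everywhere, and a leaked leaf key is a smaller problem.
$leaf = New-SelfSignedCertificate `
    -DnsName "*.$domain", $domain `
    -Signer $rootCa `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(2) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Publish the root's public half only and trust it. The same .cer is what
#    goes into the GPO under Computer Configuration > Policies > Windows
#    Settings > Security Settings > Public Key Policies >
#    Trusted Root Certification Authorities.
$rootCer = Join-Path $env:ProgramData 'internal-root.cer'
Export-Certificate -Cert $rootCa -FilePath $rootCer | Out-Null
Import-Certificate -FilePath $rootCer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Package the leaf with its key (and the chain) for the servers that need it.
$pfxPass = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $leaf -FilePath (Join-Path $env:ProgramData "wildcard-$domain.pfx") `
    -Password $pfxPass -ChainOption BuildChain | Out-Null

# 5. Check the result the way a browser would: chain to a trusted root, SSL
#    policy, and a hostname that must match the wildcard SAN. Returns $true/$false.
Test-Certificate -Cert $leaf -DNSName "app.$domain" -Policy SSL

# 6. Once the leaf is issued, move the root's private key offline so that a
#    compromised server cannot mint certs for the whole domain: export it with
#    Export-PfxCertificate to removable media, then delete it from this store:
# Remove-Item -Path "Cert:\LocalMachine\My\$($rootCa.Thumbprint)" -DeleteKey
```

Chrome on Windows consults the Windows trust store, so once the root `.cer` is in Trusted Root Certification Authorities (locally or via GPO) the wildcard leaf validates without `--ignore-certificate-errors`. Clients that carry their own trust store (Firefox unless `security.enterprise_roots.enabled` is set, Java keystores) need the root imported separately; only the `.cer` is ever distributed, never the root's PFX.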

I have internal and external servers. Mainly my Citrix Delivery Controllers.

Certificates you purchase from CF are not certificates that allow you to download or export the private key; their only intent is to change what certificate Cloudflare will present to the browser.

If you need a certificate for your server (without using the Cloudflare proxy), it is recommended to use Let's Encrypt with the DNS challenge to get a wildcard certificate that browsers will trust.

It is a web cert, but one for use on Cloudflare's edge exclusively. If you want to use a Cloudflare origin cert on your internal net, it is intended to be used for assets proxied by Cloudflare.

You could continue to use an external cert for those objects, or I suppose add Cloudflare's CA chain to the trusted certificate store of your managed devices.


Yeah, I figured that would work. A lot of the services I deal with don't like the rapidly changing certs that Let's Encrypt uses. So that's why I was looking at the Cloudflare certs that have a long life. I added the root cert on my machine and tested it and that worked, so I'll just add it to the group policy and call it a day. Thanks.

The problem with 5-10 year certificates is that things potentially get forgotten about, user error is likely due to infrequent experience and the lack of a tested formal process, or you may encounter other technical issues at renewal time. This is especially important if you have staff turnover in the meantime and institutional knowledge is lost.

While not quite everything can be automated, most things can (even if it requires hacking at a configuration file), and in my experience the effort is well worth it.

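The Let's Encrypt DNS-challenge wildcard recommended earlier in the thread, with the renewal automation this post argues for, as an added example for a Windows environment (not code from the thread, from Let's Encrypt or from Cloudflare). It uses the Posh-ACME PowerShell module; the domain, contact address and Cloudflare API token are placeholders, and the DNS plugin argument name (`CFToken`) is the one documented for Posh-ACME's Cloudflare plugin and is assumed to match the installed module version.

```powershell
# Added example, not from the thread: a Let's Encrypt wildcard certificate via
# the DNS-01 challenge with the Posh-ACME module, plus a scheduled task that
# renews it, so the 90-day lifetime needs no human hands. Domain, contact
# address and the Cloudflare token are placeholders; the plugin argument name
# (CFToken) is the one documented for Posh-ACME's Cloudflare plugin and should
# be checked against the installed module version. Run elevated.

# Keep Posh-ACME state in a machine-wide location so the renewal task (running
# as SYSTEM) sees the same account and orders that were created interactively.
[Environment]::SetEnvironmentVariable('POSHACME_HOME', 'C:\ProgramData\Posh-ACME', 'Machine')
$env:POSHACME_HOME = 'C:\ProgramData\Posh-ACME'

Install-Module -Name Posh-ACME -Scope AllUsers -Force
Import-Module Posh-ACME

# Staging first: production has rate limits, and DNS propagation is where most
# first attempts fail. Switch to LE_PROD once a staging order succeeds.
Set-PAServer LE_STAGE

$domain  = 'example.com'        # placeholder zone hosted on Cloudflare DNS
$contact = 'admin@example.com'  # placeholder expiry-notice address
# Use a scoped API token (Zone > DNS > Edit on this zone only), never the
# global API key. Read it interactively so it is not left in shell history.
$cfToken = Read-Host -Prompt 'Cloudflare DNS API token' -AsSecureString

# DNS-01 is the only challenge that can issue a wildcard, and the only one that
# works for hosts with no external IP: the ACME server looks at a TXT record in
# public DNS, never at the server itself. -Install imports the resulting PFX
# into Cert:\LocalMachine\My so it can be bound to IIS, Citrix, etc.
$cert = New-PACertificate -Domain "*.$domain", $domain `
    -AcceptTOS -Contact $contact `
    -Plugin Cloudflare -PluginArgs @{ CFToken = $cfToken } `
    -Install

$cert | Select-Object Subject, NotAfter, Thumbprint, FullChainFile, KeyFile

# Submit-Renewal does nothing until an order is inside its renewal window, so a
# daily task is safe and tolerates a few missed runs.
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument `
    '-NoProfile -ExecutionPolicy Bypass -Command "Import-Module Posh-ACME; Submit-Renewal -AllOrders"'
$trigger = New-ScheduledTaskTrigger -Daily -At '03:00'
Register-ScheduledTask -TaskName 'LetsEncrypt-Renewal' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
```

The part that still needs "hacking at a configuration file" is the rebind: every renewal produces a new thumbprint, so anything bound by thumbprint (IIS site bindings, Citrix services, RDS) needs a post-renewal step that points it at the new certificate. Put that step in the same scheduled task rather than in someone's memory, which is exactly the failure mode the post above describes.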

My only response to this is that I generally have to rebuild the server by that point anyway, as this is a Windows environment, so I generally have that scheduled.