Cloudflare SSL certificates CA's

Hello,

We are planning to move our API endpoints to be protected by Cloudflare. All endpoints are accessible over HTTPS, using SSL certificates provided by Cloudflare. All applications which will access the API should be able to validate these SSL certificates.

Our questions are the following:

  1. Which CA should be added to the application keystore in order to validate any SSL certificates provided by Cloudflare?
  2. Is there any documentation about the SSL certificates provided by Cloudflare?

Thank you!

Are you talking about Origin certificates?

If so, you will find the root certificate at https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates#h_30cc332c-8f6e-42d8-9c59-6c1f06650639

@sandro, thank you for the reply. When we enable the cloud on our DNS record, it means that it will be served by Cloudflare, and also that the SSL connection will be served by Cloudflare.
In such a case all requests will be served by the endpoint with a Cloudflare-issued certificate.
Is it Universal SSL?

The question is: which root CA issues all of these certificates?

Maybe it is on the page Cloudflare SSL cipher, browser, and protocol support --> SSL intermediates and roots used to sign Cloudflare certificates?

That’s not the server certificate but the proxy one and these are standard ones anyhow.

Question is, do you have a certificate on your server? That’s the one you need to configure.

@sandro, yes - my endpoint behind Cloudflare has an SSL certificate. But as we have the following chain: Client --> Cloudflare --> Origin

  1. Client should be able to validate Cloudflare certificate
  2. Cloudflare should be able to validate Origin certificate

My question is about point 1 - how will the client validate the Cloudflare certificate? By which root CA are all Cloudflare certificates issued?

The proxy certificates are regular certificates which are publicly valid. What exactly do you need to clarify? Every browser will trust them.

If you need the certificate chain you can access that via your browser like any other certificate.

Our clients are not browsers. They are usually Java applications. Java has its own keystore. In order to clarify this question we should check whether the client keystore contains the Cloudflare certificate root CA.

From your reply above, it seems that Cloudflare issues all its ‘regular’ certificates using only one or the same set of root CAs. Is that true?

Any somewhat modern Java truststore should have these root certificates too.

But for specific chains, I already addressed that via the link above.

@sandro, information from the documentation:

Sectigo

SHA-256 ECDSA Certificate Chain

Root: AddTrust External CA Root
Intermediate 1: Sectigo ECC Certification Authority
Intermediate 2: Sectigo ECC Domain Validation Secure Server CA 2

SHA-256 RSA Certificate Chain

Root: AddTrust External CA Root
Intermediate 1: Sectigo RSA Certification Authority
Intermediate 2: Sectigo RSA Domain Validation Secure Server CA 2

Digicert

SHA-256 ECDSA Certificate Chain

Root: Baltimore CyberTrust Root
Intermediate: CloudFlare Inc ECC CA-3

SHA-256 ECDSA Certificate Chain

Root: Baltimore CyberTrust Root
Intermediate: CloudFlare Inc RSA CA-2
Assuming this is complete, it should be the full chain for the certificates, but again, any recent CA store should have them anyhow and if not, you can always download the certificates from the browser by going to your site.

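The keystore check discussed above, as an added example that is not part of the original thread: it loads the JVM's default truststore and reports which of the root CAs named in the chain list are missing. The root subject names are taken from the post above; as the later reply notes, chains change, so this is a check to run, not a list to hardcode as the only trusted roots.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

public class CloudflareRootCheck {
    // Root CA names from the chain list above (RFC 2253 "CN=" form). Example values;
    // the documentation is the source of truth and these may change.
    static final String[] EXPECTED_ROOTS = {
        "CN=AddTrust External CA Root",
        "CN=Baltimore CyberTrust Root"
    };

    // Returns the expected root names that have no matching subject in the truststore.
    static List<String> missingRoots(KeyStore truststore) throws Exception {
        List<String> subjects = new ArrayList<>();
        Enumeration<String> aliases = truststore.aliases();
        while (aliases.hasMoreElements()) {
            Certificate c = truststore.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) {
                // Subject DN, e.g. "CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE"
                subjects.add(((X509Certificate) c).getSubjectX500Principal().getName());
            }
        }
        List<String> missing = new ArrayList<>();
        for (String root : EXPECTED_ROOTS) {
            if (subjects.stream().noneMatch(s -> s.contains(root))) {
                missing.add(root);
            }
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // Default cacerts location; honours -Djavax.net.ssl.trustStore[Password] if set.
        String path = System.getProperty("javax.net.ssl.trustStore",
                Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString());
        String password = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        List<String> missing = missingRoots(ks);
        System.out.println(missing.isEmpty() ? "All expected roots present in " + path
                                             : "Missing roots in " + path + ": " + missing);
    }
}
```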

I would be very careful in hardcoding a set of potential root CAs into an application where you do not control the issuing of the certificates. The certificate chains will change, sometime in 2024 is guaranteed, and Cloudflare will probably not send any notification when that starts happening. If you need a known certificate chain, you should use a custom certificate on a Business or Enterprise plan.

At a minimum, you should set up monitoring of the CT logs so that you know when a new certificate is issued for your hostname, and be ready to make a change at short notice if the chain changes.


The whole thing should be a non-issue. If your local trust store does not trust the proxy certificates, you had better look at that.
