Creating an origin certificate for all zones and host names (more than 100)


#1

I would like to use the API to create a single origin certificate for the more than 100 domains on my server that I’d like to cover. It would be totally unwieldy to manage several such certificates, especially since there doesn’t appear to be the feature in the Go API client library (https://godoc.org/github.com/cloudflare/cloudflare-go) to create and manage origin certificates (please also help with that!).

Why couldn’t the current system be modified to create a wildcard certificate that will only be valid for all and only the zones that are already verified with Cloudflare? This would be extremely useful. I know I can use a self-signed certificate to cover all domains (without a list of applicable host names), but obviously that’s not the same as a Cloudflare-signed origin certificate.


#2

I fail to understand that. How come it’s different (apart from a different CA)?


#3

If you’re reliant on cloudflare-go specifically you can keep an eye on the GitHub for this project - I can see someone has already requested that the Origin CA endpoints be implemented here:

That someone is actually a colleague and it also looks like someone is already working on it :slight_smile:


#4

I should’ve been more explicit that I’m asking here primarily if we could have a single origin CA (from Cloudflare) for all the more than 100 domains on my server.


#5

This is important because, if limited to just 100 domains per certificate, I’d have to maintain an internal database of what domains are covered by which certificate. In addition, Go’s ListenAndServeTLS function takes only one certificate-key pair of files.


#6

Cloudflare limits the number of names on a SAN certificate to 50. There are RFC limits which are slightly different (it’s based on size), but trying to compute whether the list of domains exceeds the size limit for a SAN is, while technically more correct, more confusing for customers in the general use case. So we opted for a set number of hosts.

I don’t believe there’s anything that prevents you from coding your own implementation to add multiple host names to the same SAN cert, but you’ll want to keep it at 50 host names or under per cert. How/where/why you track that will vary depending on your architecture and implementation scheme.


#7

The problem is that Go’s net/http server takes only one certificate-key pair of files: http://godoc.org/net/http#ListenAndServeTLS


#8

Sorry, I’m not familiar… is this an HTTP server written in Go? Since there’s a hard limit in the RFCs, there are only so many domains which can be added to a single cert. If you need more than that on a single instance of this server you might want to put it behind a more robust http proxy of some kind (e.g. nginx or apache) which can service the request using multiple certificates.
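Posts #7 and #8 turn on whether a Go net/http server can serve more than one certificate-key pair. The following is an added example, not code from this thread or from Cloudflare: it builds a tls.Config whose GetCertificate callback picks a certificate by the SNI host name the client sends, so a single ListenAndServeTLS listener can front any number of 50-name certificates without a reverse proxy. The certificates are self-signed and generated in memory only so the example runs offline; the host names a.example and b.example are constructed placeholders, and certPool, lookup, newCertPool and selfSignedCert are names introduced here. In production the pairs would come from the PEM files via tls.LoadX509KeyPair, and the map of host name to certificate is the "internal database" from post #5, kept in memory and derived from the certificates themselves.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"log"
	"math/big"
	"net/http"
	"strings"
	"time"
)

// selfSignedCert builds a throwaway certificate in memory so the example runs
// offline (constructed test data; real deployments load CA-issued PEM files).
func selfSignedCert(dnsNames []string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		DNSNames:     dnsNames, // the SAN list, the part Cloudflare caps at 50
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// certPool maps every SAN entry (including "*.example" wildcards) to the
// certificate that carries it. Hypothetical helper type, not a Go API.
type certPool struct {
	byName map[string]*tls.Certificate
}

// newCertPool indexes the SAN names of each certificate. Certificates loaded
// with tls.LoadX509KeyPair on older Go versions have a nil Leaf, so parse it.
func newCertPool(certs []tls.Certificate) (*certPool, error) {
	p := &certPool{byName: make(map[string]*tls.Certificate)}
	for i := range certs {
		c := &certs[i]
		if c.Leaf == nil {
			leaf, err := x509.ParseCertificate(c.Certificate[0])
			if err != nil {
				return nil, err
			}
			c.Leaf = leaf
		}
		for _, n := range c.Leaf.DNSNames {
			p.byName[strings.ToLower(n)] = c
		}
	}
	return p, nil
}

// lookup mirrors the matching a TLS client performs on the SAN list: an exact
// name first, then a single-label wildcard (*.example matches www.example but
// not a.b.example). Unknown names are refused rather than served a default.
func (p *certPool) lookup(serverName string) (*tls.Certificate, error) {
	name := strings.ToLower(strings.TrimSuffix(serverName, "."))
	if c, ok := p.byName[name]; ok {
		return c, nil
	}
	if i := strings.IndexByte(name, '.'); i > 0 {
		if c, ok := p.byName["*"+name[i:]]; ok {
			return c, nil
		}
	}
	return nil, errors.New("no certificate for " + serverName)
}

// tlsConfig returns a config whose GetCertificate callback selects the pair
// per connection, so one listener can front any number of certificates.
func (p *certPool) tlsConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			return p.lookup(hello.ServerName)
		},
	}
}

func main() {
	a, err := selfSignedCert([]string{"a.example", "*.a.example"})
	if err != nil {
		log.Fatal(err)
	}
	b, err := selfSignedCert([]string{"b.example"})
	if err != nil {
		log.Fatal(err)
	}
	pool, err := newCertPool([]tls.Certificate{a, b})
	if err != nil {
		log.Fatal(err)
	}
	srv := &http.Server{Addr: ":8443", TLSConfig: pool.tlsConfig()}
	// With GetCertificate set, the file arguments may be empty strings.
	log.Fatal(srv.ListenAndServeTLS("", ""))
}
```

Because the selection happens inside GetCertificate, the per-certificate cap from post #6 only decides how many certificates are loaded, not how many host names one listener can answer for; a client that sends no SNI, or a name outside every SAN list, gets a handshake failure instead of a mismatched certificate.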