Custom ssl certificate user defined bundle

I’ve been trying to get an answer from Cloudflare support for a week, but since there is no answer, I’m trying the forums.

We need to upload a new custom ssl certificate. The certificate is issued by “Gandi RSA Domain Validation Secure Server CA 3”. I found info about bundling here: https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/bundling-methodologies/ but can’t find that intermediate certificate from the linked git repository. Does this mean that we need to use “User defined” bundle and import the full chain?

If so, in what format exactly does the certificate need to be? The article says “You must specify any intermediates you wish to use, followed by the leaf”, but just to verify, we should use this format in this order?:

-----BEGIN CERTIFICATE-----
(e.g. Gandi CA 3)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(e.g. *.example.com)
-----END CERTIFICATE-----

I’m asking because it is very important that there are no issues with the certificate update and incoming traffic. Is there some validation in place so that we don’t accidentally upload a “broken” certificate?

The current expiring certificate was imported without the intermediate certificate, but it has a different intermediate cert (Gandi V2) that is available in the github repo. I assume that is why it works correctly.

We are planning to use Terraform to update the cert… might not matter, but just mentioning it in case it does.

We are using the custom certificate, since we have some legacy devices that can only handle 2048-bit keys.

Has anyone here used the custom ssl certificate with “user defined” bundling?

Correct, but that is something that needs to be provided by whoever sold you the certificate, respectively the (intermediate) certificate authority. If this is a Gandi certificate, you need to contact them for details. Maybe this has some information.

That is correct.

Thanks, I also got a reply from Cloudflare support after talking with them through their chat system:

Hello there,

Thank you for your patience.

Please go ahead with the format:

-----BEGIN CERTIFICATE-----
<intermediate> (e.g. Gandi CA 3)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<leaf> (e.g. *.example.com)
-----END CERTIFICATE-----

Using “User defined”.
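The original post asks whether anything catches a “broken” bundle before it goes live, and the support reply confirms the order (intermediate first, leaf last). The script below is an added example, not Cloudflare’s, Gandi’s or the poster’s code: it runs the pre-flight checks a practitioner would want before uploading, assuming only a POSIX shell with awk and the openssl CLI. The file names, the hostname and the function name are assumptions.

```shell
#!/bin/sh
# check_bundle: pre-flight checks for a "User defined" bundle (intermediates first,
# leaf last) before it is uploaded. Added example, not Cloudflare's or Gandi's tooling;
# assumes a POSIX shell with awk and the openssl CLI (1.1 or newer).
# Usage: check_bundle BUNDLE.pem PRIVATE_KEY.pem HOSTNAME  -> exit status 0 only if all checks pass
check_bundle() {
  bundle=$1; key=$2; host=$3; status=0
  tmp=$(mktemp -d) || return 1
  # Split the bundle into one file per PEM block, numbered in file order (01.pem, 02.pem, ...).
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++; f=sprintf("%s/%02d.pem", d, n)} n{print > f}' "$bundle"
  n=$(ls "$tmp"/*.pem 2>/dev/null | wc -l | tr -d ' ')
  leaf="$tmp/$(printf '%02d.pem' "$n")"
  # Everything before the last block is treated as an intermediate.
  i=1; : > "$tmp/inter.pem"
  while [ "$i" -lt "$n" ]; do cat "$tmp/$(printf '%02d.pem' "$i")" >> "$tmp/inter.pem"; i=$((i + 1)); done
  if [ "$n" -lt 2 ]; then
    echo "FAIL: expected intermediate(s) followed by the leaf, found $n PEM block(s)"; status=1
  # 1. Order: the last block must be the end-entity certificate, not a CA.
  elif openssl x509 -in "$leaf" -noout -text | grep -q 'CA:TRUE'; then
    echo "FAIL: last block is a CA certificate; the leaf must come last"; status=1
  # 2. Chain: the leaf must verify against the supplied intermediate(s) alone.
  elif ! openssl verify -partial_chain -CAfile "$tmp/inter.pem" "$leaf" >/dev/null 2>&1; then
    echo "FAIL: leaf does not chain to the intermediate(s) in the bundle (wrong or missing CA cert)"; status=1
  # 3. Key: the private key must belong to the leaf, not to an intermediate or an old cert.
  elif [ "$(openssl x509 -in "$leaf" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: private key does not match the leaf certificate"; status=1
  # 4. Name: the leaf must cover the hostname the traffic arrives for.
  elif ! openssl x509 -in "$leaf" -noout -checkhost "$host" | grep -q 'does match'; then
    echo "FAIL: leaf certificate does not cover $host"; status=1
  # 5. Size: the legacy devices mentioned in the thread need a 2048-bit key.
  elif ! openssl x509 -in "$leaf" -noout -text | grep -q 'Public-Key: (2048 bit)'; then
    echo "FAIL: leaf key is not 2048-bit"; status=1
  else
    echo "OK: $n block(s); leaf chains to the preceding intermediate(s), key matches, covers $host"
  fi
  rm -rf "$tmp"
  return "$status"
}
```

Run it against the exact file Terraform will upload, so a reversed order, a missing intermediate or a mismatched key is caught before the edge serves it.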
