Do we need SSL Through Host with Cloudflare's Origin Certificate for Authenticated Origin Pulls?

Hi all,

I just enabled Authenticated Origin Pulls and created an Origin Certificate and imported it to SiteGround’s server for our site. We purchase an SSL through SiteGround every year.

Now that we have that SSL imported to our site, do we need to keep renewing our SSL certificate through SiteGround?

Thanks for any help!

You do, but not necessarily through your host. Any valid certificate will do. But you seem to already have discovered that.

I was just talking about the certificate required for Cloudflare to properly execute the Authenticated origin pulls. Since it’s located on the server side, does that replace what we’re paying for? Would it be redundant? Or is this something completely separate in regards to an SSL certificate for the domain?

If I deactivate that function, wouldn’t that invalidate the SSL? Or are you saying that since we do have an SSL through SiteGround, it wouldn’t invalidate the SSL? If so, how would I know the Authenticated Origin Pulls are working?

You asked about your host’s certificate, however. How does that play a role here then?

Are you asking about your server certificate or about Cloudflare’s client certificate authentication? In the former case you need the certificate, in the latter it is completely unrelated to your server certificate and the discussion should be continued in the other thread as it’s a different subject in that case.

Yes, in direct relation to Cloudflare’s Origin Certificate. If I have that imported to my host to benefit from the WAF, etc., would I need the SSL certificate we purchase yearly for our site or are the two for different reasons?

Apologies if I’m misunderstanding the whole thing.

You only need one certificate on your server and if you have an Origin certificate already you won’t need an additional one from your host.

Thank you for that. So I’m assuming there is no real way to find out if the Authenticated Origin Pulls are working or not since, when deactivated, it defaults back to our purchased SSL through our host, therefore, not invalidating the SSL?

As I mentioned, authenticated pulls are a completely different issue and you have the other thread here. Your question is about the server certificate, is it not?

Sure do. You quoted that thread earlier, so I just wanted to elaborate further.

I quoted it because you mentioned you set up an Origin certificate and that would touch the topic here. Can you confirm that you got an Origin certificate from Cloudflare and installed it on your server?

Yes, I installed it through the SSL manager; it then removed what my host implemented originally.

In that way you are all set for SSL. Just two things. Double-check that your encryption mode on Cloudflare is “Full Strict”; otherwise the site would still be insecure. And you need to be aware that you will have to proxy your site now; if you disable the proxying, you’ll receive a certificate warning in your browser, as Origin certificates are only trusted by the proxies. Not an issue, just something to take into account.

Awesome, thank you for the help and information. You are much appreciated.

It’s on full strict and the DNS settings were configured as proxy when we first started. Not exactly sure if that’s what you’re talking about.

Yes, that’s what I am talking about. You seem to be all good as far as the server certificate is concerned and don’t need to renew your host’s certificate. Just make sure you deploy a new Origin certificate whenever the current one expires.

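The two points made in the last replies (an Origin certificate is trusted only by a party that holds the issuing CA, and it has to be replaced before it expires) can be reproduced offline with `openssl`. This is an added example, not part of the thread: the two throwaway CAs, the hostname `origin.example.test` and the lifetimes are constructed stand-ins, not Cloudflare's real Origin CA, and it does not exercise Authenticated Origin Pulls.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway CAs stand in for Cloudflare's Origin CA and for a
# public CA. Names and lifetimes are made up; nothing touches the network.
set -eu

make_ca() {          # $1 = output prefix, $2 = CN of the self-signed CA
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\n[dn]\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > "$1.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1.cnf" \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_leaf() {       # $1 = CA prefix, $2 = leaf prefix, $3 = lifetime in days
  openssl req -new -newkey rsa:2048 -nodes -config "$1.cnf" \
    -subj "/CN=origin.example.test" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days "$3" -out "$2.pem" 2>/dev/null
}

trusted_by() {       # $1 = CA bundle, $2 = cert; succeeds only if cert chains to it
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

expires_within() {   # $1 = cert, $2 = days; succeeds if cert expires in that window
  # -checkend exits 0 when the cert is still valid after N seconds, so negate it
  ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_ca "$work/origin-ca" "Demo Origin CA (constructed)"
make_ca "$work/public-ca" "Demo Public CA (constructed)"
issue_leaf "$work/origin-ca" "$work/leaf" 10     # server cert valid for 10 days

trusted_by "$work/origin-ca.pem" "$work/leaf.pem" \
  && echo "proxy holding the issuing CA: certificate accepted"
trusted_by "$work/public-ca.pem" "$work/leaf.pem" \
  || echo "client without that CA: certificate rejected (browser warning)"
expires_within "$work/leaf.pem" 30 \
  && echo "certificate expires within 30 days: deploy a new one"
```

Against a real deployment the same two checks apply to the installed certificate file: `openssl verify` with Cloudflare's published Origin CA root as the `-CAfile`, and `-checkend` run from a scheduled job.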