How does SSL Certificate works in a Full(strict) mode

I need to understand the working of SSL , when i move my website’s DNS on Cloudflare.

Currently i have an SSL cert on my website, and when i added Site’s DNS over CF, i notice certs in Cyrpto Tab, however i want CF to use my cert.
Is it possible by Full(strict) mode ?
Also, what is the downtime i should see if i keep SSL-always option on.

You can’t use your certificate for your visitors to see unless you are on the Business plan or higher where you can upload a custom cert.

The certificate on your server is still required though, as you need to use Full (strict) to make it fully secure. The cert on the server is needed for Cloudflare to connect securely.

Your visitors will see the Cloudflare certificate to connect there, but Cloudflare will use the certificate on your server to connnect securely there.

On the free plan, the certificates can take up to 24hrs to issue, but normally it is less than that, on the higher plans I believe they issue in around 15 minutes. The cert will only start issuing after you change the nameservers and this is detected by Cloudflare. I would recommend setting all your DNS entries to :grey: to keep your site functioning as normal. Once the cert is issued, you can set to :orange: to enable all the Cloudflare services.

I am using Pro Plan, where i was issued a cert from CF, now how do i use it?
I need to put that cert on my server?

Also,

so am i suppose to leave my cert or put the cert issued by CF on server?

1 Like

You leave the certificate on the server as it is. (If you are currently paying for it, you can switch to a free Cloudflare Origin Certificate (this will only work when the connection is proxied through Cloudflare, or a free Let’s Encrypt certificate).

You change the nameservers for your domain to point to Cloudflare, once they do and the certificate is issued by Cloudflare, you set the DNS records for your website to :orange: (leaving and for mail or other services as :grey:). Once the DNS has propagated, you will be using Cloudflare for your domain and visitors will see the CF certificate.

1 Like

Thanks for the response.

One more thing, during this process of issuing certificate (15 mins) from CF and propagating it in the network, do i observe any downtime on the website, keeping origin cert intact on the server.

The websites i want to move on the CF are very critical, so i need to plan accordingly.

1 Like

Firstly, make sure that all the DNS records on Cloudflare match your existing ones.

You should keep everything set to :grey: until the certificate has issued (you can see the status on the crypto tab) and you have the ‘active’ status.

Once you do, you should then switch to :orange: to use the Cloudflare services.

Doing everything in this order, I can’t see any issues and you shouldn’t get any downtime. Your nameserver change will gradually propagate and it should all go OK.

Maybe someone else can check that I am not talking nonsense here given this is critical :joy:. Think this is all OK though :slightly_smiling_face:

1 Like

Yeah , sounds good , I will try this and let you know if it goes well :stuck_out_tongue_winking_eye:

Thanks for the Support :slight_smile:

1 Like

@domjh I Checked the option, the only thing i was not sure was about the cert issuance.

So this is how it was possible with no downtime:

  1. Get CF to detect the DNS
  2. Then change nameservers to CF nameservers only then SSL will be enabled, since i waited for a complete day however SSL status remained inactive cuz nameserver were not changed to CF (my most possible guess)
  3. Once SSL status was active, i changed the :grey: to :orange: and within seconds the DNS records changed to CF DNS. :slight_smile:

I did not observed any downtime, and i have both SSL and NON-SSL Websites.

Thanks for the support.

*CF= CloudFlare

3 Likes

This topic was automatically closed after 30 days. New replies are no longer allowed.