I have a site with a GoDaddy SSL certificate. I recently started using Cloudflare and pointed the nameservers to Cloudflare. The SSL/TLS encryption mode is currently set to “Full”.
How is traffic encrypted between Cloudflare and my origin server? The “Full” option on the setup screen says it uses a self-signed certificate on the server, but I never set this up. Is that connection somehow using the GoDaddy certificate? If the GoDaddy certificate is being used, I must need to continue renewing it, right?
Is a better option to create an “Origin CA” certificate, install that on my origin server, then switch to Full (Strict) as shown below? It seems like if I could get that working, I could stop renewing through GoDaddy. Is that correct?
“SSL Full” means Cloudflare encrypts the traffic; however, Cloudflare doesn’t check the validity of our servers’ self-signed SSL certificate.
It could be that it was issued by cPanel or in some other way in the meantime.
Depending on the period for which the self-signed certificate is issued, usually yes, and that is the case with any SSL certificate.
If possible, yes, always. At least at Cloudflare, we can set it for up to 15 years.
I do think, however, that if you’re using the same origin host/server to send out emails, it might be better to renew GoDaddy, since Cloudflare’s Origin CA certificate doesn’t work publicly without the proxy and works only with HTTP(S) traffic.
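The distinction the reply draws between “Full” and “Full (Strict)”, as an added Go example that is not part of this thread: a throwaway loopback origin serves a certificate, and a client plays the edge three ways (skip validation, validate with no trusted issuer, validate against a trusted issuer). The hostname "origin.example", the keys and the certificates are all constructed; the self-signed certificate also stands in for the Origin CA root when it issues the second certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http/httptest"
	"time"
)

// issue mints a cert for the constructed name "origin.example": self-signed (and a CA) when parent is nil.
func issue(parent *x509.Certificate, parentKey ed25519.PrivateKey) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{"origin.example"}, IsCA: parent == nil, BasicConstraintsValid: true} // the name lives in the SAN, which is what validation checks
	if parent == nil { // no issuer given: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// probe serves cert from a throwaway loopback origin and returns the client's handshake verdict (nil = accepted).
func probe(cert tls.Certificate, client *tls.Config) error {
	srv := httptest.NewUnstartedServer(nil) // no handler needed; only the TLS handshake matters here
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()
	client.ServerName = "origin.example" // hostname the edge presents and, in strict mode, checks
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), client)
	if err != nil {
		return err
	}
	return conn.Close()
}

func compareModes() (full, strictSelfSigned, strictOriginCA error) {
	root := issue(nil, nil) // the self-signed origin cert; it also plays the Origin CA root below
	pool := x509.NewCertPool()
	pool.AddCert(root.Leaf) // the only issuer this "edge" trusts
	return probe(root, &tls.Config{InsecureSkipVerify: true}), // "Full": encrypts, never validates
		probe(root, &tls.Config{RootCAs: x509.NewCertPool()}), // "Full (Strict)": issuer unknown, rejected
		probe(issue(root.Leaf, root.PrivateKey.(ed25519.PrivateKey)), &tls.Config{RootCAs: pool}) // "Full (Strict)", cert from the trusted root: accepted
}

func main() { fmt.Println(compareModes()) } // <nil> <unknown-authority error> <nil>
```

The middle verdict is the one that changes when the Origin CA certificate is installed: the same strict client that rejects the self-signed cert accepts a cert issued by a root it trusts.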
This is an IIS server, and I have never done anything with a certificate other than installing/updating the GoDaddy certificate for the past few years.
Are you saying that if I don’t need to send email, and all traffic is https://, I can install Cloudflare’s Origin CA certificate on the origin server, and I don’t need the GoDaddy cert at all? If so, this is good news as I spend a lot of money each year on SSL certs for servers.