How Many SSL Certs can/should I have per domain?

Hi All,

I’m still new here in the industry. Right now I’m trying to figure out the “right” or best SSL setup. The end goal being: Domains as secure as possible without causing disruption to our users.

I have 5 domains routed through CF Pro and have been using the free Universal certificates CF provides. I let all the origin server certificates expire because my tech support and Liquid Web told me I couldn’t have SSL certs on both CF and their servers.

I just upgraded and ordered Advanced Certificates (3 months) for all domains. I now have 2 “edge certs” for each domain: 1 advanced, 1 universal.

Is this okay? Will this cause a problem? Should I delete the universal certs now?

Additionally I see that CF has three certificate sections: “Edge”, “Client”, and “Origin”…Is it a good practice to have certificates under all of these sections?

Thanks in advance for your expertise!

Jake

Your Web host actually told you not to secure your origin server with an SSL certificate‽

What encryption mode do you have set with Cloudflare, Flexible? Ideally, you’d want for it to be set to Full (Strict).

If you’re not going to be bypassing Cloudflare, and connecting directly to your origin server, you can use a Cloudflare origin certificate on your origin server.

2 Likes

Thanks @jwds1978 for your quick reply.

Yes. I’m not sure why, but they just said it would create issues to install on both the server and CF, but it was just a frontline support tech (who knows, maybe they were new?). I’m green enough to just trust whatever my host is telling me unless it sounds totally insane.

I’m currently set to “full” encryption mode. But now that we have Advanced Dedicated Certs, perhaps I should do “full (strict)”.

Your recommendation makes sense. We don’t plan on bypassing Cloudflare with any regularity, so it sounds like having Edge and Cloudflare origin certs is

This is a very bad recommendation. I’d suggest changing host. They are sacrificing your and your users’ security to reduce their work, by not implementing a standard industry practice that they should implement.

Any specific reason to do that? The Universal Certificate covers the root (example.com) and all first-level subdomains (*.example.com). If you want to cover anything else or have different certificate lengths/certificate providers, then upgrade. Otherwise it is mostly just a waste of money.

No actual issues, no need, but you can, provided a substitute certificate was added and is present in the list.

They have different scopes.

Edge: These are the normal ones, that users see. This section needs to have at least one, so that HTTPS from Cloudflare to your users works.
Client: These are used for the clients to authenticate themselves to Cloudflare; they are normally used for advanced setups, and require actual control of the device (imagine IoT devices connecting to your APIs, etc.). I doubt you’ll need one.
Origin: These can be installed on your server (or your host’s server) to provide actual encryption between the origin server and Cloudflare. The benefit (compared to other free certificates, e.g. Let’s Encrypt) is that they can be longer (up to 15 years) and you can revoke them instantaneously, making them actually unusable. These will not be accepted by anyone except Cloudflare, but proxied servers won’t get any legitimate visitors from outside Cloudflare.

It’s usually company policy, but maybe not… The fact you are on full makes it slightly (but just slightly) better than other providers in which HTTPS requests show different content.

The Advanced Certificate Manager won’t alter this. It applies only to the Cloudflare to user side of the connection.

4 Likes
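The difference between the "Full" and "Full (strict)" modes mentioned above, and why an expired or self-signed origin certificate is only "good enough" in the former, can be shown offline. The following is an added example, not code from the thread, from Cloudflare, or from the host: it uses openssl to mint a throwaway root CA (standing in for the public CAs and the Cloudflare Origin CA that Cloudflare trusts) and four origin certificates, then applies the two checks to each. The hostname www.example.com, the CA name and the 60-day "later" timestamp are all made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): simulate what Cloudflare's "Full" and
# "Full (strict)" origin checks accept, using throwaway certificates from openssl.
# Assumptions (hypothetical): the demo CA stands in for Cloudflare's trust store
# (public CAs plus its own Origin CA); www.example.com is a made-up origin hostname.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=www.example.com

# Throwaway root CA (10 years). "req -x509" marks it CA:TRUE by default.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -subj "/CN=Demo Root CA" -days 3650 2>/dev/null

# issue_cert NAME HOSTNAME DAYS: key + CSR for HOSTNAME, signed by the demo CA,
# with a subjectAltName so the hostname check has something to match.
issue_cert() {
  name=$1; host=$2; days=$3
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" -subj "/CN=$host" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$name.ext"
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$days" -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

issue_cert good  "$HOST"           30   # CA-signed, right name, valid today
issue_cert wrong other.example.com 30   # CA-signed, but issued for another name
issue_cert short "$HOST"           30   # valid today; checked again "60 days later"
# Self-signed origin certificate, the kind a host hands out when nobody provides one.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" -subj "/CN=$HOST" -days 30 2>/dev/null

# full_mode CERT: "Full" only needs a TLS handshake with *some* certificate.
# Any parseable certificate passes; issuer, name and expiry are never looked at.
full_mode() {
  openssl x509 -noout -in "$1" 2>/dev/null
}

# strict_mode CERT [EPOCH]: "Full (strict)" needs a chain to a trusted root, a
# hostname match, and validity at the time of the check (EPOCH defaults to now).
strict_mode() {
  cert=$1; at=${2:-$(date +%s)}
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$HOST" -attime "$at" \
    "$cert" >/dev/null 2>&1
}

# outcome CERT [EPOCH]: prints "<full> <strict>", each "accept" or "reject".
outcome() {
  if full_mode "$1"; then f=accept; else f=reject; fi
  if strict_mode "$1" "$2"; then s=accept; else s=reject; fi
  echo "$f $s"
}

# 60 days on: the 30-day origin certificates have expired, the CA has not.
LATER=$(( $(date +%s) + 60 * 86400 ))

printf '%-34s %-8s %s\n' 'origin certificate' 'Full' 'Full (strict)'
for c in good wrong self; do
  printf '%-34s %s\n' "$c.pem (today)" "$(outcome "$WORK/$c.pem")"
done
printf '%-34s %s\n' "short.pem (60 days later)" "$(outcome "$WORK/short.pem" "$LATER")"
```

The table printed at the end is the whole point: "Full" accepts all four, "Full (strict)" accepts only the CA-signed certificate with the right name that has not expired. Against a live origin the equivalent check is `openssl s_client -connect ORIGIN_IP:443 -servername www.example.com` followed by `openssl verify` on the certificate it returns; if that fails with a Cloudflare Origin CA certificate, add Cloudflare's Origin CA root to `-CAfile`, since, as noted in the post above, nothing but Cloudflare trusts it by default.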

@matteo Thanks for taking the time to so thoroughly help me understand this! I truly appreciate that.

We are currently in talks with our hosts about our future and I’m adding this to our discussion list. Each of your points is actionable and incredibly helpful!

1 Like
