Install new SSL

kepten15 · November 21, 2023, 4:23pm

Hello,
I have a wildcard in another company that is expiring *.example.com

Should I generate a new CSR for the new wildcard?
Can I use your ssl certificate for wildcard - *.example.com? Can you please explain me how?

Cyb3r-Jak3 · November 22, 2023, 12:11am

If you are looking for a new SSL certificate for your Cloudflare site, Cloudflare offers free Universal SSL certificates which work between user and Cloudflare. You need another SSL certificate between Cloudflare and your origin. You can either use origin certificate which is only good between Cloudflare and your server or a service like Let’s Encrypt to auto generate fully validate SSL certificates.

kepten15 · November 22, 2023, 5:30am

I don’t understand please.
I have in cloudflare only dns records for my website “example[.]com”

Can I use cloudflare for ssl certificate for “example[.]com”? I don’t understand what it means:
“only good between Cloudflare and your server”

Thanks

epic.network · November 22, 2023, 5:36am

Certificates issued by the Cloudflare Origin CA are not publicly trusted. Web browsers will display an Unknown Issuer warning if you connect directly to a server using one. The Cloudflare proxy trusts these certificates, making them suitable for use in sites that are proxied.

epic.network · November 22, 2023, 9:26pm

2 posts were split to a new topic: How to use Origin CA certificate?

sjr · November 22, 2023, 11:08am

Here…

kepten15 · November 22, 2023, 11:19am

Same question - Where can I find the ca bundle?
Thanks

kepten15 · November 22, 2023, 2:37pm

Please open a new post regarding your issue.
Thanks

kepten15 · November 23, 2023, 8:28am

Hello,
I have a few inquiries for which I would greatly appreciate your guidance:

Could you please advise on the appropriate scenarios for using universal versus origin certificates? Specifically, I am curious about the best choice for a public-facing website and, separately, for internal servers handling sensitive data. What factors should I consider in making this decision?
In the event that an origin certificate is necessary, should the universal certificate be disabled prior to manually installing the origin certificate?
Is it possible for a universal certificate and an origin certificate to function concurrently? I understand that typically, two certificates cannot coexist on the same server. If it is feasible, could you kindly explain the process?

Thank you for your time and assistance in these matters.

sjr · November 23, 2023, 9:26am

The Universal certificate is automatically deployed by Cloudflare at the edge, this is the certificate that clients’ browsers will see and use when connecting to your website. Updates are automatic and you need to do nothing other than ensure Universal SSL is enabled for the zone.

The origin certificate is to be deployed on your origin server so that Cloudflare’s proxy servers can connect to your origin using HTTPS. This certificate could be your own self-signed one (using SSL/TLS mode “Full” - not recommended), a certificate from another CA (using “Full (strict)”), such as LetsEncrypt, or you can download an origin certificate from Cloudflare for this. Note that the latter is only valid for Cloudflare to origin connections and will throw an warning if you connect direct to your origin.

kepten15 · November 23, 2023, 10:05am

As IT manager how can I know if to use universal certificate or origin from Cloudflare? What are the considrations for me?

Also they can be both used in the same server?

Thanks

בתאריך יום ה׳, 23 בנוב׳ 2023, 11:36, מאת sjr via Cloudflare Community ‏<[email protected]>:

Cyb3r-Jak3 · November 23, 2023, 2:52pm

You need both.

The full request path is user → Cloudflare → origin server.

Universal certificate covers user → Cloudflare

Origin certificate covers Cloudflare → origin server

kepten15 · November 23, 2023, 3:12pm

So how can I apply both?
I understand that universal os automaticlly applied,
But how can I apply the origin together?

בתאריך יום ה׳, 23 בנוב׳ 2023, 17:02, מאת Cyb3r-Jak3 via Cloudflare Community ‏<[email protected]>:

Cyb3r-Jak3 · November 23, 2023, 3:21pm

You create an origin certificate here and then install that certificate on your origin server.

kepten15 · November 23, 2023, 4:26pm

Thats always the procedure to install both together on same server?
What would happen if always universal will be apply and not origin?
Thanks

בתאריך יום ה׳, 23 בנוב׳ 2023, 17:31, מאת Cyb3r-Jak3 via Cloudflare Community ‏<[email protected]>:

Cyb3r-Jak3 · November 23, 2023, 4:49pm

You do not install the Universal Certificate, as the private key is managed by Cloudflare.

You will get a 526 error with an invalid certificate on your origin server.

kepten15 · November 23, 2023, 6:30pm

I dont understand please.

My domain for example is:
Compido[.]com

Now I see that universal certificate is applied. When I access the website when I check the certificate I see the certificate of universal and not date expirion of origin - certificate of origin

So it means that only universal certificate applied?
2. And again I want to ask please if for every case of install certificate of universal I need origin too?

And does it mean that I need to renew anyway the certificate of origin even though that universal certificate is installed?

Thanks

בתאריך יום ה׳, 23 בנוב׳ 2023, 18:59, מאת Cyb3r-Jak3 via Cloudflare Community ‏<[email protected]>:

epic.network · November 23, 2023, 9:02pm

kepten15 · November 23, 2023, 9:22pm

I have a qurstion regrding if to configure ssl setting full or strict or flexible.

If my main domain for example example[.]com includes origin certificate but other sub domains (for example test[.]example[.]com) dont have certificates at all what should I chooce?

Flexible? And why?

Thanks

בתאריך יום ה׳, 23 בנוב׳ 2023, 23:12, מאת epic.network via Cloudflare Community ‏<[email protected]>:

epic.network · November 23, 2023, 9:23pm