Install new SSL

I have a wildcard in another company that is expiring *

Should I generate a new CSR for the new wildcard?
Can I use your SSL certificate for wildcard - * Can you please explain to me how?

If you are looking for a new SSL certificate for your Cloudflare site, Cloudflare offers free Universal SSL certificates which work between user and Cloudflare. You need another SSL certificate between Cloudflare and your origin. You can either use an origin certificate, which is only good between Cloudflare and your server, or a service like Let’s Encrypt to auto-generate fully validated SSL certificates.


I don’t understand please.
I have in Cloudflare only DNS records for my website “example[.]com”

Can I use Cloudflare for an SSL certificate for “example[.]com”? I don’t understand what it means:
“only good between Cloudflare and your server”


Certificates issued by the Cloudflare Origin CA are not publicly trusted. Web browsers will display an Unknown Issuer warning if you connect directly to a server using one. The Cloudflare proxy trusts these certificates, making them suitable for use in sites that are proxied.

Same question - Where can I find the ca bundle?

Please open a new post regarding your issue.

I have a few inquiries for which I would greatly appreciate your guidance:

  1. Could you please advise on the appropriate scenarios for using universal versus origin certificates? Specifically, I am curious about the best choice for a public-facing website and, separately, for internal servers handling sensitive data. What factors should I consider in making this decision?

  2. In the event that an origin certificate is necessary, should the universal certificate be disabled prior to manually installing the origin certificate?

  3. Is it possible for a universal certificate and an origin certificate to function concurrently? I understand that typically, two certificates cannot coexist on the same server. If it is feasible, could you kindly explain the process?

Thank you for your time and assistance in these matters.

The Universal certificate is automatically deployed by Cloudflare at the edge, this is the certificate that clients’ browsers will see and use when connecting to your website. Updates are automatic and you need to do nothing other than ensure Universal SSL is enabled for the zone.

The origin certificate is to be deployed on your origin server so that Cloudflare’s proxy servers can connect to your origin using HTTPS. This certificate could be your own self-signed one (using SSL/TLS mode “Full” - not recommended), a certificate from another CA (using “Full (strict)”), such as Let’s Encrypt, or you can download an origin certificate from Cloudflare for this. Note that the latter is only valid for Cloudflare to origin connections and will throw a warning if you connect directly to your origin.
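The trust split described in the replies above, as an added example that is not part of the thread and not Cloudflare's own tooling: a throwaway private CA (the hypothetical "Demo Origin CA", constructed here) stands in for an issuer that browsers do not know, and the same origin certificate is checked once against the public trust store and once by a client that trusts the issuing CA. It assumes the `openssl` CLI is installed; every name and file is constructed, and nothing contacts Cloudflare.

```bash
#!/bin/sh
# Added example. Constructed data: "Demo Origin CA" is a hypothetical private CA that
# plays the part of an issuer missing from public trust stores.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_demo_pki() {
  # 1. Private CA: a self-signed root that no browser or OS trust store contains.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Origin CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null || return 1
  # 2. Origin server key and CSR (the private key never leaves the origin).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.com" \
    -keyout "$WORK/origin.key" -out "$WORK/origin.csr" 2>/dev/null || return 1
  # 3. The CA signs the CSR; the SAN list covers the apex and one wildcard level.
  printf 'subjectAltName=DNS:example.com,DNS:*.example.com\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/origin.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/san.ext" -out "$WORK/origin.pem" 2>/dev/null
}

# A client that only knows the public trust store, such as a browser
# connecting straight to the origin and bypassing the proxy.
verify_public_store() {
  openssl verify "$WORK/origin.pem" 2>&1 | grep -q ': OK$'
}

# A client that trusts the issuing CA and also checks the hostname in $1,
# which is what a validating ("strict") connection to the origin requires.
verify_with_ca() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/origin.pem" 2>&1 \
    | grep -q ': OK$'
}

report() {  # $1 = label, remaining arguments = check to run
  label="$1"; shift
  if "$@"; then echo "$label: trusted"; else echo "$label: REJECTED"; fi
}

make_demo_pki || { echo "openssl failed" >&2; exit 1; }
report "public trust store only"              verify_public_store
report "issuing CA trusted, example.com"      verify_with_ca example.com
report "issuing CA trusted, test.example.com" verify_with_ca test.example.com
report "issuing CA trusted, a.b.example.com"  verify_with_ca a.b.example.com
```

The last line is rejected because a `*.example.com` SAN matches one label only, so a deeper subdomain needs its own entry on the certificate.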

As an IT manager, how can I know whether to use the universal certificate or the origin certificate from Cloudflare? What are the considerations for me?

Also, can they both be used on the same server?


You need both.

The full request path is user → Cloudflare → origin server.

Universal certificate covers user → Cloudflare

Origin certificate covers Cloudflare → origin server

So how can I apply both?
I understand that universal is automatically applied,
But how can I apply the origin together?

You create an origin certificate here and then install that certificate on your origin server.

Is that always the procedure to install both together on the same server?
What would happen if universal is always applied and not origin?

You do not install the Universal Certificate, as the private key is managed by Cloudflare.

You will get a 526 error with an invalid certificate on your origin server.

I don't understand please.

  1. My domain for example is:

     Now I see that the universal certificate is applied. When I access the website and check the certificate, I see the universal certificate and not the expiration date of the origin certificate.

     So does it mean that only the universal certificate is applied?

  2. And again I want to ask please whether for every case of installing a universal certificate I need an origin certificate too?

  3. And does it mean that I need to renew the origin certificate anyway even though the universal certificate is installed?


I have a question regarding whether to configure the SSL setting as full or strict or flexible.

If my main domain, for example example[.]com, includes an origin certificate but other subdomains (for example test[.]example[.]com) don't have certificates at all, what should I choose?

Flexible? And why?


