Installing Cloudflare SSL certificate on my server

I generated the new Cloudflare SSL certificate for free. It looks like this:

I can see Certificate and Private Key. How can I get the CA Bundle info? Can it be used without it and how? My server requires 4 files:

domain.ca ← ca_bundle.crt
domain.crt ← certificate.crt
domain.crtca ← certificate.crt + ca_bundle.crt
domain.key ← private.key

Is it possible to get all files of the certificate I need (as they are provided by ZeroSSL or LetsEncrypt)? Very strange here on Cloudflare!

I created Origin Certificate and Private key in SSL → Origin Server. My server uses Apache + Nginx, and I need CA Bundle in addition to the Origin Certificate and Private key I got. Where can I get Cloudflare Root Certificate to create CA bundle?

I downloaded the root certificate and the origin certificate. I believe that domain.crtca consists of the root certificate and intermediate certificate(s). I created domain.crtca like this: Cloudflare origin certificate above and Cloudflare root certificate below. Still Cloudflare states that this SSL certificate is not valid (526). Where can I check the certificate itself? Am I doing something wrong?


It looks like you figured this out. Are you still having trouble with your Cloudflare Origin CA certificate?

Hello there!

Cloudflare does not issue Let’s Encrypt (or any other publicly trusted CA certificate) for use at your origin server.

If you want to use a certificate from Cloudflare on your origin, this would be done with an Origin Certificate. https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/origin

The Origin Cert is only trusted by Cloudflare. If you are only accessing the origin through Cloudflare, or directly by IP address on local network, this may solve your problem. However, if you’re using an internal DNS resolver, an Origin Cert will throw an insecure certificate warning.

In this case, you may want to consider using something like Certbot to get a Let’s Encrypt certificate. It will still work with Cloudflare, and it will provide secure connections for LAN access.

Please let me know if you have any questions or require further assistance!

root + intermediate + ssl = ca bundle for my Nginx server.

I created 15 years origin ssl certificate (and private key) in the Origin Server section of my free CF account.

Also I got the root (Origin RSA PEM) CF certificate here.

I read that I need the CF intermediate certificate to create the CA Bundle for my server to connect with the Cloudflare server. Somebody told me that there is an intermediate CF certificate here - I found the 48K lines int-bundle.crt file there. I have doubts that this is the proper intermediate CF certificate.
Please, advise. Is there a chance that you will make this process easier in the future, guys?!

I'm still in the process. Please, reply here.

You just need the certificate and private key. I’m not sure why you need or want the whole chain.

One of many guides here…


There is no CF intermediate certificate.

You don’t need a CA bundle.
ssl_certificate should be the certificate (public).
ssl_certificate_key is the private key.

There’s no reason you should require more than these 2 files…
If you’re using some panel that absolutely requires this, just use the root certificate as the “bundle”.

Also, the private key is called private for a reason - you really shouldn’t share the key, or even parts of it, on the internet. I recommend you revoke that certificate and create a new one.


Because Nginx server works like this.

Nobody with an Nginx server here? Please, stop this “you do not need the intermediate certificate”.

Actually I used root+ssl as the bundle, and it seems CF accepts this. But I do not know if it is really correct since I cannot check this certificate being behind the Cloudflare strict DNS.

Yes, we’ve used nginx on Cloudflare, although we use Apache for production.

You need to bear in mind that the Cloudflare origin certificate is only for use between Cloudflare and your origin. It won’t be trusted by a browser connecting directly to your origin.

Why not just get a LetsEncrypt certificate if you don’t like the Cloudflare origin certificate?

You do not need to write it again and again that Cloudflare’s certificate works only for the Cloudflare ↔ my server connection.
Just tested - the Cloudflare ssl + key works fine. No need for root or intermediate. Seems that I was misled by the lack of information.
Regarding Let’s Encrypt - it is only for 3 months and I receive it manually - I'm tired of that. (Yes, I know about some scripts).

As we said.


How do I check the validity period of this Cloudflare Origin Server certificate in a browser or via an ssh client? I set 15 years when I was getting it on Cloudflare. Just want to check if the happiness is finally here.

# for what dates is it valid?
openssl x509 -noout -in cert.pem -dates

https://www.madboa.com/geek/openssl/


Thank you, sir!

