Is 15 Years for Origin Certificates Safe or Too Long?

Hi,

The default Origin CA validity is 15 years. Would it be more secure to do 2 or 3 years instead?

Maybe I am just not fully understanding the secure communication between Cloudflare and my origin. I am thinking it could be brute-forced unless there are measures taken to prevent it, such as Cloudflare being the only one to communicate while denying any attempts from the outside? It has to be worth it to brute-force the CA and the chances are pretty low, but I am curious, nonetheless.

Thanks!
Tug

If you can automate renewals, i.e. via the CF API, then the shorter the better :)


Those certificates are only valid for connections between Cloudflare and an origin. The certificate can be revoked from your Cloudflare dashboard.


Appreciate your responses.

That answers my question in regards to brute-force attempts and the validity length (shouldn’t matter at all).

I could do that indeed, I never thought of that nor did I even think that could be possible. Cloudflare should include that in the GUI for the Origin CA. I have Linux so I could do that fairly easily. I will look into that. And I completely agree, the shorter the better. However, since nothing can connect to my origin unless it’s Cloudflare, I am not sure why I would need to go shorter? I think I’ll do it anyway just for the fun of it.

Appreciate the expertise!

Have a look at Managing Cloudflare Origin CA certificates · Cloudflare SSL docs


Will do. Thank you for that!

And since I have SiteGround and manually install it in their Tools Dashboard, can the API renew it automatically, or will I still need to manually install the certificates?

I’ve never hosted with SiteGround myself, but I’d imagine your installation options for SSL certificates would vary with your type of hosting with them. Regardless, the new certificate would need to be installed on the origin server when it’s generated.

Thought so. I’ll probably just leave it be.

Usual reasons for revoking/switching certs would apply, i.e. private key compromise. But in this case, for CF origin certs, probably not.

I don’t use SiteGround, so I’m not sure how you do it there. Usually, you’d have to script CF Origin certificate issuance. I script it to issue CF Origin certificates via the CF API, e.g. GitHub - centminmod/cfssl-ca-ssl. But then you’d need to install, or automate installation of, the CF Origin certificate you obtained.
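To make the "script it via the CF API" suggestion from the two replies above concrete, here is an added example (not from the thread, not from the centminmod/cfssl-ca-ssl repo) of the minimum such a script needs: generate a key and CSR on the origin, ask the Origin CA for a 90-day certificate instead of the 15-year default, and check an `expires_on` timestamp to decide when to re-run. The endpoint, the `X-Auth-User-Service-Key` header, the JSON field names, the accepted validity periods and the shape of the response are my reading of Cloudflare's Origin CA API and should be checked against the current docs; the hostnames, file paths and the `CF_ORIGIN_CA_KEY` environment variable are placeholders. Installing the returned certificate into the hosting panel is still a separate step, as the reply notes.

```python
"""Issue a short-lived Cloudflare Origin CA certificate and decide when to renew it.

Added example, not code from the thread. Assumptions (verify against the
current Cloudflare API docs before relying on them):
  - endpoint POST https://api.cloudflare.com/client/v4/certificates
  - auth via the Origin CA key in the X-Auth-User-Service-Key header
  - JSON fields csr, hostnames, request_type, requested_validity
  - the response carries result.certificate and result.expires_on
"""
import datetime as dt
import json
import os
import subprocess
import urllib.request

API_URL = "https://api.cloudflare.com/client/v4/certificates"
# Validity periods the Origin CA offers, in days (15 years = 5475).
ALLOWED_VALIDITY_DAYS = (7, 30, 90, 365, 730, 1095, 5475)


def make_csr(hostnames, key_path):
    """Generate a fresh RSA key and a CSR covering all hostnames (needs openssl 1.1.1+)."""
    san = ",".join(f"DNS:{h}" for h in hostnames)
    subprocess.run(
        ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key_path, "-subj", f"/CN={hostnames[0]}",
         "-addext", f"subjectAltName={san}", "-out", key_path + ".csr"],
        check=True, capture_output=True)
    os.chmod(key_path, 0o600)  # the private key never leaves the origin
    with open(key_path + ".csr") as f:
        return f.read()


def build_request(csr_pem, hostnames, validity_days, request_type="origin-rsa"):
    """Body for the issuance call; rejects validity periods the CA does not offer."""
    if validity_days not in ALLOWED_VALIDITY_DAYS:
        raise ValueError(f"requested_validity must be one of {ALLOWED_VALIDITY_DAYS}")
    return {
        "csr": csr_pem,
        "hostnames": list(hostnames),
        "request_type": request_type,
        "requested_validity": validity_days,
    }


def _to_utc(ts):
    """Parse an RFC 3339 timestamp such as 2025-01-01T05:20:00Z (assumed response format)."""
    return dt.datetime.fromisoformat(ts.replace("Z", "+00:00"))


def needs_renewal(expires_on, now=None, lead_days=30):
    """True when the certificate is within lead_days of expiry (or already expired)."""
    now_dt = _to_utc(now) if now else dt.datetime.now(dt.timezone.utc)
    return _to_utc(expires_on) - now_dt <= dt.timedelta(days=lead_days)


def issue_certificate(origin_ca_key, body):
    """POST the request to the Origin CA; returns (certificate_pem, expires_on)."""
    req = urllib.request.Request(
        API_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "X-Auth-User-Service-Key": origin_ca_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        data = json.load(resp)
    if not data.get("success"):
        raise RuntimeError(f"Origin CA error: {data.get('errors')}")
    return data["result"]["certificate"], data["result"]["expires_on"]


if __name__ == "__main__":
    hosts = ["example.com", "*.example.com"]          # placeholder hostnames
    csr = make_csr(hosts, "/etc/ssl/private/origin.key")  # placeholder path
    body = build_request(csr, hosts, validity_days=90)
    cert, expires = issue_certificate(os.environ["CF_ORIGIN_CA_KEY"], body)
    with open("/etc/ssl/certs/origin.pem", "w") as f:  # placeholder path
        f.write(cert)
    print("issued; expires", expires, "- renew soon:", needs_renewal(expires))
```

Run it from cron (or a systemd timer) and only re-issue when `needs_renewal` is true; the 30-day lead is arbitrary and should be shorter than the validity you request. The Origin CA key is separate from the normal API token and should be stored with the same care as the private key.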

Thanks for that info, I appreciate the help. It seems that, in my case, using the GUI and manually installing it sounds like the easiest route. Since it’s only recognized by Cloudflare’s proxy servers I don’t see the point of making the validity shorter as you stated as well.
