Origin CA certificates - Couple of questions about this

Hi all

The Flexible SSL option in Cloudflare works well and I use it often for sites that don’t require high security. However, in some cases I need to have SSL available all the way through to the server.

I am looking for a way to get full SSL all the way from the browser to my web server that doesn’t require purchasing and installing dedicated certificates for every website on the server.

I’ve read the KB article on “Origin CA certificates” here:

I understand that this will let me connect my server to Cloudflare securely, and then I can use the Full SSL option to connect from Cloudflare to the browser etc.

This sounds to me like it is creating a sort of two-stage SSL path - First, the normal SSL from browser to Cloudflare and then Cloudflare opens a separate SSL path to the server. This seems like it would be easy to manage once it has been set up.

The article states “You can include up to 100 hostnames or wildcard hostnames on a single certificate…”

There are two questions about this:

First - Do I need to provide all of the domains that I want to enable the Full SSL mode on, or do I just need one domain specified and then Cloudflare will use that for the connection to my server, for all my domains in Cloudflare?

Second - If I have to insert all domains that will be using Full SSL mode, then how do I add and remove them over time? Do I have to redo the entire certificate setup and installation process on that page each time I add another domain in Cloudflare?

Appreciate any responses!

It does not. Flexible is insecure and should never be used. It is sugar-coated HTTP.

You specify the domains on which you want to configure that certificate. If you want to use one certificate for all your domains, you’d need to specify all the domains, plus appropriate wildcards if required.

You can also simply have a certificate issued for each domain.

Yes, if you want to add hosts to a certificate you will have to have a new one issued.
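A small check for the question above, added here as an example (it is not code from the thread or from Cloudflare's tooling): given the hostnames on an existing Origin CA certificate and the hostnames you proxy, it lists which ones are not covered, using the usual one-label wildcard rule, and whether the reissued list would still fit the 100-entry limit the article mentions. The SAN list and hostnames are constructed sample data.

```python
# Added example: decide whether an Origin CA certificate must be reissued
# because a newly proxied hostname is not on its SAN list.
# Wildcard matching follows the usual RFC 6125 rule: "*.example.com" covers
# one label ("www.example.com") but not the apex or deeper names.

MAX_SAN_ENTRIES = 100  # limit stated in the Cloudflare Origin CA article


def _norm(host: str) -> str:
    return host.strip().rstrip(".").lower()


def san_covers(san_entry: str, hostname: str) -> bool:
    """True if one SAN entry (exact name or left-most wildcard) covers hostname."""
    san, host = _norm(san_entry), _norm(hostname)
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]  # ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return label != "" and "." not in label  # exactly one extra label


def uncovered_hostnames(san_entries, hostnames):
    """Hostnames that no SAN entry covers; each one needs a reissued certificate."""
    return [h for h in hostnames if not any(san_covers(s, h) for s in san_entries)]


def plan_reissue(san_entries, hostnames):
    """Report whether a reissue is needed and what the new SAN list would be."""
    missing = uncovered_hostnames(san_entries, hostnames)
    new_sans = list(dict.fromkeys(_norm(s) for s in san_entries))
    new_sans += [_norm(h) for h in missing]
    return {
        "reissue_needed": bool(missing),
        "missing": missing,
        "new_san_list": new_sans,
        "within_limit": len(new_sans) <= MAX_SAN_ENTRIES,
    }


# Constructed sample: SANs on the installed certificate and the zones now proxied.
SAMPLE_SANS = ["example.com", "*.example.com", "shop.example.net"]
SAMPLE_HOSTS = ["example.com", "www.example.com", "api.v2.example.com",
                "example.net", "shop.example.net", "blog.example.org"]

if __name__ == "__main__":
    print(plan_reissue(SAMPLE_SANS, SAMPLE_HOSTS))
```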

Thanks for the reply sandro

Can I clarify one more thing related to this…

If for example, I had a certificate with 50 domains already installed and then I wanted to add another domain, I understand I need to create a new certificate with 51 domains.

As the first 50 domains will have been configured in IIS to point to the first certificate, will I need to repoint all 50 original domains to the new certificate when that is installed?

Or does one simply drop the new certificate into the same place with the same filename and then it retains the certificate setting for all the existing ones?

It would seem to be a lot of extra work for every added domain if it had to be reassigned to all sites every time a new one is added.

For context, I’m familiar with adding individual certificates to my server, and am looking for a way to streamline it, possibly with this method, if it is in fact easier.


That all depends on your IIS configuration, how you save the original certificate and whether you revoke it or not. But overall this will be rather a question for StackExchange.

However it is best you do not add these domains to one single certificate but simply have a certificate issued for each domain separately and configure this separately.

Thanks again Sandro
I’ll investigate this further before I jump in.
