Origin certificate chain in IIS is broken

What is the name of the domain?

example.com

What is the issue you’re encountering?

Can’t set up origin certificate in IIS

What steps have you taken to resolve the issue?

I am trying to add an origin Cloudflare certificate to IIS.
First, I added Root CAs from Cloudflare origin CA · Cloudflare SSL/TLS docs as a trusted root certs on the server. Just in case, both of them, RSS and ECC.
Then I created a certificate request in IIS, issued a certificate in Cloudflare, and completed the request on the server. The operation went through successfully.
But the new certificate has not been added to IIS and is not available for binding. I checked the certificate in the MMC and it is listed there. However, the certificate is not chained to anything. I rechecked the trusted root certificates and both Cloudflare Origin CAs are there.

What is the current SSL/TLS setting?

Full

Screenshot of the error

RSA I guess? :thinking:

Kindly see my post here with step-by-step instructions, where I got it to work with a Cloudflare Origin CA certificate, at first on a public static IP; currently it’s running behind a cloudflared tunnel (no more public static IP and exposed ports):

RSA, of course, you are right it was a typo.
I have no problem with any of the steps in the post you suggested; my problem is very specific and narrow. It turns out the certificates Cloudflare currently provides do not chain to the current trusted root CA certificates from Cloudflare origin CA · Cloudflare SSL/TLS docs. And without a proper authority chain to a trusted root, IIS won’t let you use the certificate.

Accessing your proxied :orange: hostname from your PC, mobile, etc. should work fine from your device, even though when you test from the IIS machine itself you’d get an error, if that’s the case? :thinking:

I am not sure why you see such an error. Did you add the Cloudflare CA Root certificate to the Trusted Root as well, or?

The Cloudflare Origin CA certificate is the self-signed one, and isn’t trusted publicly. For web traffic HTTP(S) over proxied :orange: hostnames they work.

Did you combine them together or?

The issuer of the site certificate Cloudflare issued has these details:
CN = Managed CA 90200c81894e2fe7e7d195850dc4ae57
OU = www.cloudflare.com
O = Cloudflare, Inc.
L = San Francisco
S = California
C = US

To make it work I need to add to the Trusted Root (or as an intermediate) the certificate with CN = Managed CA 90200c81894e2fe7e7d195850dc4ae57.

But where is it? I don’t know where to find it on the Cloudflare website.

I assume you’ve generated the Origin CA Certificate for your zone (website) using the Cloudflare dashboard as RSA and added it to the Trusted Root, right? May I ask if you’ve got the RSA root from below added as well?

Did you restart your IIS after the changes?

Link:

Yes, both are added to the trusted root.


But maybe the problem is not with the chain, but because the certificate’s key usage does not include Server Authentication?

Great! Thank you for the feedback.

And your generated Cloudflare Origin CA certificate from the Cloudflare dashboard for your zone is added under Personal → Certificates, correct?


Yes, here is the screenshot.


So it seems the problem is with the Cloudflare dashboard – the certificates currently being issued do not include Server Authentication in the key usage and are not issued by their root Cloudflare Origin SSL Certificate CA. I am on a free plan and can’t submit a ticket, unfortunately.
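The thread ends with two suspects: the Extended Key Usage of the issued certificate and whether its issuer is present in the machine's trust stores. The following PowerShell diagnostic is an added example (not from any post in the thread or from Cloudflare) that checks both on the IIS host; it assumes the completed certificate sits in the Local Machine Personal store and that its subject contains the hostname from the thread, `example.com`.

```powershell
# Added diagnostic for the symptom discussed above: a completed certificate that the
# MMC shows but IIS will not offer for binding. Run in an elevated PowerShell on the IIS host.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth; IIS only lists certs carrying this EKU
$hostFilter    = '*example.com*'        # assumption: the hostname from the thread

$certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -like $hostFilter }
if (-not $certs) { Write-Host "No certificate matching $hostFilter in LocalMachine\My"; return }

foreach ($cert in $certs) {
    Write-Host "Subject        : $($cert.Subject)"
    Write-Host "Issuer         : $($cert.Issuer)"
    Write-Host "Thumbprint     : $($cert.Thumbprint)"
    Write-Host "Has private key: $($cert.HasPrivateKey)"   # false here means the request was never completed

    # Check 1: does the EKU extension include Server Authentication?
    $hasServerAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }
    Write-Host "Server Authentication EKU present: $([bool]$hasServerAuth)"
    if (-not $hasServerAuth) {
        Write-Host "  -> IIS will not offer this certificate for an https binding."
    }

    # Check 2: is the issuer named in the certificate actually installed in Root or Intermediate CA?
    $issuerInStore = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -eq $cert.Issuer }
    Write-Host "Issuer found in Root/CA stores     : $([bool]$issuerInStore)"
    if (-not $issuerInStore) {
        Write-Host "  -> The issuer '$($cert.Issuer)' is not installed; the chain cannot be built."
    }

    # Check 3: let Windows build the chain with the same trust stores IIS uses.
    # Revocation checking is disabled here so the result reflects chain building only (assumption).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($cert)
    Write-Host "Chain builds to a trusted root     : $built"
    foreach ($status in $chain.ChainStatus) {
        Write-Host "  $($status.Status): $($status.StatusInformation.Trim())"
    }
    Write-Host ('-' * 60)
}
```

If check 1 fails the certificate needs to be reissued with Server Authentication; if check 2 fails, the missing intermediate (the `Managed CA ...` issuer named above) has to be installed before the chain can validate.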