Origin Certificates and internal clients

Our domain is resolved by Active Directory for internal clients and by Cloudflare for external clients. If I use Origin Certificates, do I need to add the Cloudflare CA as a trusted root to my internal clients?

Nobody has replied, so I’ll say Yes. I know that works in a standalone situation, so if AD lets you do that internally for your org, that should take care of it.

1 Like

If your AD DNS is resolving to the Cloudflare IP then no. If it’s not… why do you trust your users? I don’t trust my users… but yes, adding the origin CA certificate chain would allow them to connect without a certificate error if they are using the origin IP…but users…

2 Likes

I would ideally force my internal users to go through Cloudflare, but I’d have to put in A records to point to the Cloudflare IP address. Is that guaranteed to be static?

No, but you can run a PowerShell script to check and update for the root record. Anything else you can cname by appending cdn.cloudflare.net to the FQDN ex. Foo.example.com.cdn.cloudflare.net

1 Like

I think that’s the solution I should pursue. Is there any situation where .cdn.cloudflare.net will not work as a CNAME?

:wave: @il.oh,

If the ‘target’ record (record less the cname) doesn’t exist it will fail. Otherwise… it should work. Are there /any/ edge cases? Yes. But they are rare (can’t have a TXT record for a CNAME) record for example.

DNS is always full of corner cases, but I have multiple customers using this strategy in prod reliably.

— OG

1 Like
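As an added illustration of the two points above (the "PowerShell script to check and update the root record" approach for the apex, and the "target record doesn't exist, it will fail" caveat for `.cdn.cloudflare.net` CNAMEs), here is a script of my own, not from any poster and not Cloudflare code. It assumes the RSAT `DnsServer` module on an AD DNS server, and the zone name, server name and host list are placeholders you would replace. It copies the currently proxied apex A records from Cloudflare's public resolver into the AD-integrated zone, and only creates a subdomain CNAME after confirming the `.cdn.cloudflare.net` target actually resolves:

```powershell
# Added example (not from the thread). Keeps an AD-integrated zone pointed at Cloudflare
# so internal clients traverse the proxy like external ones and never hit the origin IP.
# Assumptions: DnsServer module (RSAT) available, run with rights to edit the zone.
$Zone           = 'example.com'       # placeholder: your AD-integrated zone
$DnsServer      = 'dc01.example.com'  # placeholder: AD DNS server to update
$PublicResolver = '1.1.1.1'           # Cloudflare public resolver: returns the proxied answer
$Hosts          = @('www', 'app')     # placeholder subdomains to alias via cdn.cloudflare.net

# --- Apex: AD DNS cannot CNAME the zone root, so mirror the public A records instead ---
$publicA = @(Resolve-DnsName -Name $Zone -Type A -Server $PublicResolver -ErrorAction Stop |
             Where-Object QueryType -eq 'A' |
             ForEach-Object { $_.IPAddress }) | Sort-Object

if (-not $publicA) { throw "No public A record for $Zone; refusing to touch internal DNS." }

$internalA = @(Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
                   -Name '@' -RRType A -ErrorAction SilentlyContinue |
               ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }) | Sort-Object

# Compare as joined strings so an empty internal set is handled without special-casing
if (($publicA -join ',') -ne ($internalA -join ',')) {
    Write-Host "Apex drift: internal=[$($internalA -join ',')] public=[$($publicA -join ',')]; updating"
    # Drop stale apex A records, then add the current Cloudflare edge addresses with a short TTL
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Name '@' -RRType A -ErrorAction SilentlyContinue |
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Force
    foreach ($ip in $publicA) {
        Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $Zone -Name '@' `
            -IPv4Address $ip -TimeToLive ([TimeSpan]::FromMinutes(5))
    }
} else {
    Write-Host "Apex already matches Cloudflare's published addresses"
}

# --- Subdomains: CNAME to <fqdn>.cdn.cloudflare.net, but only if that target resolves ---
foreach ($h in $Hosts) {
    $target = "$h.$Zone.cdn.cloudflare.net"
    # The alias only works when a matching (proxied) record exists on the Cloudflare side
    $probe = Resolve-DnsName -Name $target -Type A -Server $PublicResolver -ErrorAction SilentlyContinue
    if (-not $probe) {
        Write-Warning "$target does not resolve (no matching Cloudflare record?); skipping $h"
        continue
    }
    $existing = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone `
                    -Name $h -RRType CNAME -ErrorAction SilentlyContinue
    if ($existing -and $existing.RecordData.HostNameAlias.TrimEnd('.') -eq $target) {
        Write-Host "$h already aliases $target"
        continue
    }
    if ($existing) {
        $existing | Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -Force
    }
    Add-DnsServerResourceRecordCName -ComputerName $DnsServer -ZoneName $Zone -Name $h -HostNameAlias $target
    Write-Host "Set $h.$Zone -> $target"
}
```

Run it from a scheduled task on the DNS server; the apex part only rewrites records when the public answer has changed, and the CNAME part refuses to create an alias whose target is missing, which is the failure mode described in the reply above. The script never writes the origin IP anywhere, so a client that resolves through AD ends up at Cloudflare's edge and the Origin Certificate is only ever presented to Cloudflare.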

Awesome. I can’t imagine I’d ever point to anything other than an A or CNAME record. I’m assuming LB records are whatever I entered for targets (A or CNAME).

:wave: @il.oh,

Yes… DNS traversal delegates to Cloudflare who ultimately resolves based on your DNS setting.

— OG

1 Like