Origin Certificates versus third-party certificates

I am using Full (Strict) mode for SSL encryption. I have a third-party CA certificate installed on our server. While checking settings, I saw Origin Certificates.

Is an Origin Certificate the same as an SSL certificate that I would get from a third-party like Sectigo?

I understand it can only be used for traffic between the server and Cloudflare, which is fine because all of our web traffic goes through CF.

Are there any disadvantages of using an Origin certificate?

The main thing with Origin Certificates is that they are not publicly trusted/not signed by a trusted root. Web browsers and such do not trust them. Only Cloudflare’s proxy (orange-cloud DNS record) does. You can’t use it on an unproxied/DNS-only hostname.

In the sense that it is a certificate issued for your hostname, sure. As said above though, they’re not publicly trusted.

As long as you understand that it can’t be used DNS-only, and as such you plan to always use Cloudflare, not really. Potentially an argument could be made that using something like Let’s Encrypt with an automatic reissuance program like certbot would be more secure, as the certificates could be shorter lived (90 days for Let’s Encrypt) and automagically rotated, but I’m not sure by exactly how much. Some host software may also get upset about the fact it’s not publicly trusted. Other than that, they work well and I use them a lot personally. The longer duration is helpful, and they also don’t go into the Public Certificate Logs, which reduces scraping/random traffic by a bit.
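
The trust difference discussed in this thread can be reproduced locally. The following is an added example, not code from the posters or from Cloudflare: a throwaway private CA stands in for an origin-only CA, and the hostname `origin.example.test`, the file names and the function names are all assumptions.

```shell
#!/bin/sh
# Constructed demo: a throwaway private CA stands in for an origin-only CA.
# Hostname, file names and the CA are assumptions; nothing contacts Cloudflare.

make_demo_pki() {
    d=$1
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Private Origin CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Private root: self-signed, present in no public trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/demo.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Leaf for the origin hostname, signed by the private root.
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=origin.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:origin.example.test\n' > "$d/san.ext"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 15 -extfile "$d/san.ext" -out "$d/leaf.pem" 2>/dev/null || return 1
}

# A browser or DNS-only client: validates against the default public trust store.
trusted_publicly() {
    openssl verify "$1" 2>/dev/null | grep -q ': OK$'
}

# A proxy pinned to the private CA: validates against that CA and the hostname.
trusted_by_pinned_ca() {
    openssl verify -CAfile "$1" -verify_hostname origin.example.test "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
    tmp=$(mktemp -d) && make_demo_pki "$tmp" || return 1
    trusted_publicly "$tmp/leaf.pem" && echo "public store: trusted" || echo "public store: rejected"
    trusted_by_pinned_ca "$tmp/ca.pem" "$tmp/leaf.pem" && echo "pinned CA: trusted" || echo "pinned CA: rejected"
    rm -rf "$tmp"
}
demo
```

The same leaf certificate is rejected by the public-store check and accepted by the pinned-CA check, which is why such a certificate works behind the proxy but not on a DNS-only hostname.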

