Origin pull certificate doesn't match

I have downloaded the pem file from this guide: https://support.cloudflare.com/hc/en-us/articles/204899617 and I have activated Authenticated Origin Pulls for my domain. My webapp is hosted on Azure, and I have set the webapp to forward the client certificate. I have installed the pem file on my webapp, and I now want to check if the client certificate sent by Cloudflare matches this origin-pull-ca.pem downloaded from the above guide, and it doesn’t.

The origin-pull-ca.pem, it is the downloaded pem file from the guide, and number two is what Cloudflare is transmitting on the wire:

  • origin-pull-ca.pem: Thumbprint: 1F5BA8DCF83E6453DD75C47780906710901AD641 (Additional info: CN=origin-pull.cloudflare.net, S=California, L=San Francisco, OU=Origin Pull, O=“CloudFlare, Inc.”, C=US)
  • Sent from Cloudflare: Thumbprint: A27996CBA564D24731BC76439C48920C1F7D4AA3 (Additional info: OU=Origin Pull, O=“Cloudflare, Inc.”, L=San Francisco, S=California, C=US)

Shouldn’t they match?

I just tested this yesterday and it worked. Is it not working for you?

I was looking at this over the weekend but didn’t have time to write a response, and sadly I’m on mobile so I might not be able to go into a ton of detail, but in short, I don’t believe the certificates should match here.

The origin-pull-ca.pem is a certificate authority/root, this certificate is used to sign the actual certificate that Cloudflare uses. The result is that Cloudflare can rotate the client certificates however it wants, as long as they’re always signed by the origin certificate that you installed.

In a more traditional client certificate implementation, I would create a root certificate, Alice and Bob would send me their certificates (public key) which I would sign and return, then they could use their individual private certificates to access any of my resources. When Charlie joins a month later and I sign a certificate for him, he gets instant access to all resources without me having to change the servers/certificates that Alice and Bob are already accessing.

Cloudflare is similar, but the Alice/Bob users are different points of presence or edge servers or whatever technique Cloudflare uses to deploy the certificates, allowing Cloudflare’s edge to identify itself to your origin. Cloudflare handles all of the private keys, rather than you, which greatly simplifies the implementation from your side.

1 Like

It doesn’t work. Maybe I am doing it wrong? How do you get it to work? Shouldn’t the certificate sent by CF match the origin-ca.pem? Does it match in your case?

I really don’t understand how this is used then. Should I install this in the root store on my server? I have done that, and it still won’t let my verify. I always end up with a message that it can’t be trusted.

I am not a wizard in this, but I really want to understand how to use this properly. Everywhere I look, I get a ton of explanations, but nobody really showcase a working solution.

It just dawned to me. All I need to do is to do this programmatically

openssl verify -CAfile origin-pull-ca.pem client.pem


This topic was automatically closed after 30 days. New replies are no longer allowed.