Question regarding SSL/TLS certificate (NGINX)


I just have a few questions regarding how the SSL/TLS certificates work. When I go into the “SSL/TLS” category for my site, I have a few different things such as “Edge Certificates” and “Origin Server”. First, when I visit my site I can see it uses “Let’s Encrypt”. So does that mean Cloudflare issues a certificate via Let’s Encrypt? On LE’s website, I see that a certificate is only valid for 90 days and they recommend renewing it every 60 days. Is this done by Cloudflare? And is this the Edge or Origin Server certificate?

Also, I generated an “Origin Server” certificate which created a “.pem” and “.key” file which I placed on my server and linked to in my NGINX config file. But it wasn’t until I did this I saw SSL/TLS enabled on my site. So I am a bit confused. What certificate does what?

What’s the difference between “Edge Certificate” and “Origin Server”? And does Cloudflare renew these within 90 days? I have no idea what any of this is. When I google, people say I should use “certbot” to automatically renew certificates. A lot of people also recommend I create my own private key and generate a “.csr” file and upload that to Cloudflare, because “it is bad practice” that Cloudflare generates both my private key AND certificate.

I’m just so confused. Why are there 2 different certificates? I never installed any Edge certificate to my server (I didn’t receiev any file). And how can Cloudflare issue a 15 year Origin certificate if Let’s Encrypt requires me to renew it every 60 days (or 90 at the latest)? Cloudflare can’t access my server and upload new .pem and .key files. So how does it work?

Everything is just so damn confusing. The site is using https, but how does it actually work?

When proxied, Cloudflare takes the connection from the client using the edge certificate. This is, in your case, generated by Cloudflare using Letsencrypt automatically and it will renew itself. Nothing for you to do there unless you have some special use cases (second level or deeper subdomains, etc).

In order for Cloudflare to connect to your origin using HTTPS, your origin must also have an SSL certificate. You can generate this from Letsencrypt or other CA yourself, or you can download the origin certificates from Cloudflare to put on your server. The Cloudflare origin certificates are only trusted by Cloudflare so accessing your origin server directly without going through Cloudflare will produce a certificate warning in your browser.

Ensure your SSL/TLS settings are set to Full (strict) so that Cloudflare checks the origin certificate is valid.

So if I understood this correctly, the “Edge Certificate” is the SSL/TLS certificate issued by Cloudflare (using Let’s Encrypt). But in order for Cloudflare to manage the SSL/TLS certificate (for example, renewing it), I must install the “Origin Server” certificate (.pem) on my server, to “allow” Cloudflare to handle the SSL/TLS certificate?

The two are separate, but both needed to ensure the connection is encrypted between client and Cloudflare and between Cloudflare and your origin.

The edge certificate manages itself whatever the state of the origin server.

You must install the origin certificate on your server so Cloudflare can connect over an secure encrypted connection to your origin.

This explains a bit better…

If I decide to create my own private key for the “origin server” certificate, do i need to manually renew anything by myself every 90 days?

I heard it is best security practice to create a “.key” (private key) and .csr file. Then I upload the .csr file to Cloudflare and it gives me a .pem file. Instead of doing what I did now; I let Cloudflare generate the .pem and .key file. For best security, only I should have the private key. But if I decide to do this (using openssl on my server), it will still be valid for 15 years or whatever?

Cloudflare doesn’t keep the key once the certificate is generated - once generated you can’t look them up again.

But yes, you can upload your own CSR when creating the certificate.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.