Single domain, multi web servers, edge cert., origin cert

Hi all,
Here is the scenario: single domain example.com, and we have a few web servers, web1.example.com, web2.example.com and so on. We need SSL on all web servers (they are different servers).

  1. Do we need an advanced certificate for each web server?
  2. How do we maintain the origin certificate on each server? It originally comes with example.com & *.example.com. Every time we have a new web server in place, do we need to keep updating it by creating a CSR on the new web server (ex: web5.example.com), then updating the origin certificate on Cloudflare? Meaning once we update the origin certificate, do we have to go over all existing web servers and complete the certificate request again? I am kind of confused. In our previous experience, each web server creates a CSR, then we generate the certificate on a platform like Sectigo, and afterward we import or complete the certificate request on the web server. We would appreciate it if you could give us some direction.

Thanks.

If by advanced you mean the $10 certificate, then no.

What you need is a valid certificate on your server for all your hostnames, though you could also cover that via a wildcard certificate (*.example.com). Check out Origin certificates in that context.

Bottom line, make sure your site loads fine on HTTPS without Cloudflare, then it will work with Cloudflare too.

Hi Sandro,

This is a new domain and we don’t have any certificate on the new web site; we would like to use Cloudflare’s, and that is why we came across these questions, thanks. Still not sure about the part of how to handle both the edge and origin cert., as each web server generates a CSR to handle its own hostname like web5.example.com. How do we keep updating both certs. to include all hostnames?

You still need a certificate on your server anyhow. Do that first.

Regardless whether you have the free or the paid certificate, the proxy certificate will be managed by Cloudflare. You’ll still need to manage your server certificate, but that will be regular certificate management, just like if you didn’t use Cloudflare. You can also look into Cloudflare’s Origin certificates, as they will be easier to manage and renew, but they will only be trusted by the proxies, so you will have to use the proxy if you use them.
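The practical question in this thread is whether a new webN.example.com host is already covered by the origin certificate’s names (in which case nothing needs reissuing or redeploying), or whether the certificate has to be regenerated and rolled out to every server that uses it. The check below is an added example, not code from this thread or from Cloudflare; the hostnames and SAN lists in it are constructed for illustration. It applies the usual TLS wildcard rule, where `*.example.com` stands for exactly one left-most label, so it matches web5.example.com but neither example.com nor a.b.example.com.

```python
"""Decide whether an origin certificate's subjectAltName list covers a set of
web server hostnames, or whether adding a server forces a reissue.

Added example for the forum thread above; SAN lists are accepted either as
plain strings or in the ('DNS', 'name') tuple form that
ssl.SSLSocket.getpeercert()['subjectAltName'] returns.
"""

from typing import Iterable, List, Sequence, Tuple, Union

SanEntry = Union[str, Tuple[str, str]]


def _dns_names(san_entries: Iterable[SanEntry]) -> List[str]:
    """Keep only DNS-type SAN entries, lower-cased, without a trailing dot."""
    names = []
    for entry in san_entries:
        if isinstance(entry, tuple):
            kind, value = entry
            if kind.upper() != "DNS":      # skip IP Address / email entries
                continue
        else:
            value = entry
        names.append(value.lower().rstrip("."))
    return names


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: a '*' only replaces one whole left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                   # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]        # the part the '*' would stand for
    return left != "" and "." not in left  # exactly one non-empty label


def is_covered(hostname: str, san_entries: Iterable[SanEntry]) -> bool:
    """True if any SAN name (exact or wildcard) covers the hostname."""
    return any(san_matches(p, hostname) for p in _dns_names(san_entries))


def uncovered_hosts(hostnames: Sequence[str],
                    san_entries: Iterable[SanEntry]) -> List[str]:
    """Servers whose name is not on the certificate at all."""
    names = _dns_names(san_entries)
    return [h for h in hostnames if not any(san_matches(p, h) for p in names)]


def reissue_needed(hostnames: Sequence[str],
                   san_entries: Iterable[SanEntry]) -> bool:
    """True when at least one server is missing: the certificate must then be
    regenerated with the new name and redeployed to every server using it."""
    return bool(uncovered_hosts(hostnames, san_entries))


if __name__ == "__main__":
    # Constructed sample: the origin certificate as described in the thread.
    wildcard_cert = ["example.com", "*.example.com"]
    # Constructed sample: a certificate listing individual hosts only.
    explicit_cert = [("DNS", "web1.example.com"), ("DNS", "web2.example.com")]
    servers = ["web1.example.com", "web2.example.com", "web5.example.com"]

    print("wildcard cert needs reissue:", reissue_needed(servers, wildcard_cert))
    print("explicit cert needs reissue:", reissue_needed(servers, explicit_cert),
          "missing:", uncovered_hosts(servers, explicit_cert))
```

With the example.com plus *.example.com names the thread mentions, every new webN.example.com server is already covered, so the same origin certificate and key can simply be installed on the new server; only a certificate that lists hosts individually has to be reissued, and then re-imported on each server that carries it.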

I generate a CSR on the 1st IIS server, create an origin cert. on Cloudflare and complete the certificate request on the 1st IIS server. Got the edge cert for example.com and *.example.com ready, and also proxied the A record in the DNS settings. On the 2nd IIS server and the 3rd, 4th… etc., do I repeat the same?

If you don’t mind Cloudflare “knowing” your private key (though I believe they discard it after generating it) you could also create the certificate right from the dashboard without a CSR. But apart from that, that’s pretty much it.
