SSL from GlobalSign


#1

Hi,

I have an SSL Certificate from GlobalSign and am hoping to see the SSL Certificate outside our internal network. I have set the Crypto SSL settings to Full strict in order for the SSL Certificate to take effect but it has been 2 days since I have set Crypto SSL settings to Full strict and still I see Cloudflare’s Comodo SSL Certificate. I have already read all the support articles before coming here to the Cloudflare community, but to no avail.

So I want to know how we can solve this problem.


#2

Cloudflare is a reverse proxy. It pulls content from your server, then delivers it using Cloudflare’s server network, using Cloudflare’s Comodo SSL certificate.


#3

So, it means that I could not use my own SSL Certificate from GlobalSign, as there is no clear or straight-to-the-point information regarding this matter in the support articles.


#4

It’s something that’s good to have. It lets you run in Full (Strict) SSL mode. And if you stop using Cloudflare, you still have a valid certificate tied to your domain.


#5

What do you mean? I do not really get what you are pointing at.

From what I have read somewhere which is not very clear, Free users do not have the privilege to use their own SSL Certificate for example provided by GlobalSign.

Do I need to use Cloudflare as DNS only per sub-domain on my domain?

Or something else that I need to configure?


#6

Because Cloudflare resides in between your origin servers and your site visitors there are two connections that can be secured. Between your visitor and Cloudflare, and between Cloudflare and your origin servers.

Depends on which connection you are referring to. To bring your own certificate to secure the connection between Cloudflare and your visitors you need to be on a BIZ or ENT account. But to secure the connection between Cloudflare and the origin you can use your own.

There is a lot of helpful information located here:


#7

Hi mjhvillareal.ddb,

Hi all.

I have a similar situation. I have a Globalsign cert. and am trying to get it to show on my website but it just returns a transparent image.

I have been on to Globalsign support live chat but response has been very poor.
Confusingly the support at Globalsign say I should use the alphassl code.

I know this must be a Cloudflare “problem” but all the answers are coming from Cloudflare experts and do not seem to explain the problem at a level that the beginner can understand.

Can anyone say what effect turning the settings from “Full” to “Full Strict” has on the website, please?


#8

I cannot identify what the Cloudflare moderators mean, as it is not direct to the point.

What I can tell from the facts are:

  1. Free users are given a Free Universal SSL Certificate from Comodo.
  2. Free users are not given the privilege to use their own SSL Certificate, for example one from GlobalSign.
  3. Free users cannot upload their own SSL Certificate, for example one from GlobalSign; you need to be on the Business or Enterprise plan.
  4. If Free users want to use their own SSL Certificate, for example one from GlobalSign, they need to turn Crypto SSL mode to Off and grey out all DNS records. The only disadvantage of using your own SSL Certificate, for example one from GlobalSign, is that you are prone to DDoS and hacking attacks.
  5. Free users cannot have any other options besides what is specified in number 4.

Correct me if I am wrong here, as I cannot find any other solutions in the support articles regarding my problem.


#9

Short answer - Full means that the connection between us and your origin has a certificate but we do not verify the authenticity of that certificate. Full “Strict” means that the certificate has to be signed by a certificate authority. Longer answer is below.

Full SSL: secure connection between your visitor and Cloudflare, and secure connection (but not authenticated) between Cloudflare and your web server. You will need to have your server configured to answer HTTPS connections, with a self-signed certificate at least. The authenticity of the certificate is not verified: from Cloudflare’s point of view (when we connect to your origin webserver), it’s the equivalent of bypassing this error message. But as long as the address of your origin webserver is correct in your DNS settings, you know that we’re connecting to your webserver, and not someone else’s.

Full SSL (Strict): secure connection between the visitor and Cloudflare, and secure and authenticated connection between Cloudflare and your web server. You will need to have your server configured to answer HTTPS connections, with a valid SSL certificate. This certificate must be signed by a certificate authority, have an expiration date in the future, and respond for the request domain name (hostname).
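The difference between the two modes described above, as an added example that is not part of the original thread or Cloudflare's code: it applies the three Full (Strict) conditions (CA-signed, not expired, hostname match) to certificates in the dict form returned by Python's `ssl.getpeercert()`. The sample certificates, the `example.test` names and the fixed clock are constructed, and the self-signed test (issuer equals subject) is a simplification standing in for real chain verification.

```python
import ssl
from datetime import datetime, timezone

def _rdn(cn):
    # getpeercert() represents a name as a tuple of RDN tuples.
    return ((("commonName", cn),),)

# Constructed sample certificates in ssl.getpeercert() dict form (not real).
CA_SIGNED = {"subject": _rdn("example.test"), "issuer": _rdn("Constructed Test CA"),
             "notAfter": "Dec 31 23:59:59 2019 GMT",
             "subjectAltName": (("DNS", "example.test"), ("DNS", "*.example.test"))}
SELF_SIGNED = {"subject": _rdn("example.test"), "issuer": _rdn("example.test"),
               "notAfter": "Dec 31 23:59:59 2027 GMT",
               "subjectAltName": (("DNS", "example.test"),)}
EXPIRED = dict(CA_SIGNED, notAfter="Jun  1 00:00:00 2017 GMT")
NOW = datetime(2018, 1, 1, tzinfo=timezone.utc)  # fixed clock, repeatable result

def _matches(pattern, hostname):
    """Exact match, or one '*' standing for the whole left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def strict_problems(cert, hostname, now=NOW):
    """Reasons this origin certificate would be rejected in Full (Strict)."""
    problems = []
    # Simplification: issuer == subject is treated as self-signed. A real
    # TLS client verifies the signature chain up to a trusted CA instead.
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed")
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now.timestamp():
        problems.append("expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_matches(n, hostname) for n in names):
        problems.append("hostname mismatch")
    return problems

def origin_accepted(mode, cert, hostname, now=NOW):
    """mode is 'full' or 'strict', mirroring the two settings described above."""
    if mode == "full":
        return True  # a certificate must be presented, but it is not verified
    return not strict_problems(cert, hostname, now)

if __name__ == "__main__":
    for label, cert in [("ca", CA_SIGNED), ("self", SELF_SIGNED), ("old", EXPIRED)]:
        print(label, strict_problems(cert, "www.example.test"))
```

Neither mode changes which certificate a visitor's browser sees; both only govern how the origin's certificate is treated on the Cloudflare-to-origin connection.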


#10

There is one other option:

Out of curiosity, is the desire for a GlobalSign, or other big name certificate, to have a trust badge on your site?


#11

We are required to have our own SSL Certificate from the likes of GlobalSign as we follow our country’s Republic Act No. 10173 “Data Privacy Act of 2012” and displaying the SSL Certificate from GlobalSign is required.

So, it really seems we have no other option but to turn off the SSL mode and grey out all DNS records.


#12

I’m curious if Universal SSL users can get a Comodo Secure Site Seal.

Or how about the Dedicated SSL Certificate users?


#13

I’m doing some digging and there may be a workaround that we can try. Can you email support[at]cloudflare.com and let me know the ticket number?


#14

Ticket No. 1409796

Hope that we can find the solution regarding this matter.

Note: I just turned off the SSL mode at this moment, due to our SSL Certificate not appearing outside our internal network; the Cloudflare Comodo SSL Certificate is displaying by default.


#15

That’s interesting mjhvillareal.ddb.

Thanks for sharing that.


#16

I have the certificate installed on my server and the code from Globalsign but it still will not work.


#17

The support provided me with an answer that states:

Quote:
If you would like to upload your own custom SSL certificate, you would need to upgrade to a Business plan or higher as described in the link below

Quote:
As a one time gesture of goodwill, I have switched your CF Free SSL certificate to a Globalsign SSL certificate.

Well, this is not the result I am expecting, and I can no longer do anything but change plans, which needs budgeting on our end that will take years to budget. Based on what the support did, they changed the Free Universal SSL Certificate from Comodo to GlobalSign, and it still displays the Cloudflare SSL Certificate and not the SSL Certificate we purchased from GlobalSign.

I just turned off the SSL mode for my domain account and greyed out all DNS records in order for our purchased SSL Certificate from GlobalSign to appear.

The final verdict on this problem is you need to be on Business or Enterprise Plan in order to use your purchased SSL Certificate from GlobalSign.


#18

I just read through the act and didn’t see anything requiring the use of a particular Certificate Authority. Do you happen to have a source for that interpretation you could point me to? I’d be interested in understanding more about the requirements for data privacy in the Philippines.


#19

Your certificates need to be on the Cloudflare edge servers facing the web for your visitors to see it… The free plan does not allow you to upload any SSL certificates, but you may order an auto-renewing certificate ($5-$10/mo) or upgrade to the Business plan ($200/mo) to enable the upload feature.

Having your own certificate on your server does allow you to enforce Strict SSL between Cloudflare and your server.


#20

Section 23 (b) (3) of Republic Act 10173:
Encryption – Any technology used to store, transport or access sensitive personal information for purposes of off-site access approved under this subsection shall be secured by the use of the most secure encryption standard recognized by the Commission.
Source: http://www.officialgazette.gov.ph/2012/08/15/republic-act-no-10173/

That is the part of the Data Privacy Act of 2012 in the Philippines where an SSL Certificate is required.

What we will do now is turn the Crypto SSL mode to Off and grey out all DNS records under our domain account. This method will now solve our problems while staying on the Free plan.