The "key" in Keyless SSL

Hello.

I have recently put up a webpage on CloudFlare and I'm interested in how to best secure traffic from browsers to my site. I am currently using the Full (strict) SSL option (as recommended by the community), but I just read an article on Keyless SSL, which confused my understanding of the (regular) SSL provided by CloudFlare. How can they know my private key anyway (assuming I don't use keyless)? I never gave it to them, so I find this suspicious. Did I misunderstand the idea behind keyless SSL? (I'd admit their explanation got a bit technical.)

Was surprised how useful this community was when I had worries about the SSL before. Hope you guys will help me understand the problem mentioned😊

That is a good point. My earlier response about Spectrum was not entirely accurate as Keyless SSL would be an option as well, however it will still require an Enterprise plan.

https://www.cloudflare.com/learning/ssl/keyless-ssl/ and https://blog.cloudflare.com/keyless-ssl-the-nitty-gritty-technical-details/ share more details on that feature.

Hi again Sandro. What boggles me is how my private key is being hosted on CloudFlare's proxy servers. I can see that the universal CloudFlare certificate is there. Have they somehow acquired the private key on my origin server when I set it up (I assume while making the change in the registrar)? Is this what the keyless function can avoid, or does it simply put the universal key on my own server?

Thanks for taking time to help!

Currently or with Keyless SSL?

Currently, they do not have your private key and it would be concerning if they had. There are two certificates in place right now. One on Cloudflare’s proxies and one - your own - on your server. Your own certificate is only used for the connection between Cloudflare and your server, the user never gets to use that certificate.
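A way to see the two-certificate model described above for yourself, as an added example that is not part of the original thread: the script opens a TLS connection to the public hostname (which lands on Cloudflare's proxy) and a second one directly to the origin's IP with the same SNI name, then compares the SHA-256 fingerprints of the leaf certificates each side presents. The hostname and origin IP are placeholders you supply; `fetch_leaf_cert_der` only runs when you call it from `main`, so the comparison helpers can be exercised offline.

```python
import hashlib
import socket
import ssl


def fetch_leaf_cert_der(host, connect_ip=None, port=443, timeout=5):
    """Connect to connect_ip (or host) on port, send `host` as SNI, and
    return the DER bytes of the leaf certificate the server presents.
    Verification is disabled on purpose: we only want to look at the
    certificate, not decide whether to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((connect_ip or host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def compare(edge_der, origin_der):
    """Summarise what the two presented certificates tell you.
    Returns a dict with both fingerprints and a `same` flag."""
    edge_fp = fingerprint(edge_der)
    origin_fp = fingerprint(origin_der)
    same = edge_fp == origin_fp
    if same:
        note = ("edge and origin present the same certificate; this alone does "
                "not tell you where the private key lives")
    else:
        note = ("edge presents its own certificate; your origin certificate is "
                "only used on the proxy-to-origin hop")
    return {"edge": edge_fp, "origin": origin_fp, "same": same, "note": note}


def main():
    host = "www.example.com"        # placeholder: your zone's hostname
    origin_ip = "203.0.113.10"      # placeholder: your origin server's IP
    edge_der = fetch_leaf_cert_der(host)                   # via Cloudflare
    origin_der = fetch_leaf_cert_der(host, connect_ip=origin_ip)  # direct
    result = compare(edge_der, origin_der)
    for key, value in result.items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

On a Full (strict) zone the two fingerprints normally differ: the browser-facing certificate is the one on Cloudflare's proxy, and the origin's own certificate is never seen by visitors. Note the caveat in `compare`: matching fingerprints (as you would see with a custom certificate or Keyless SSL) do not reveal whether the private key is on Cloudflare or on a key server you control; that is a property of the configuration, not of what the TLS handshake shows.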

Agree! That would be worrying.
Say I change to “Keyless SSL”. Which key is “less” in that scenario? (How can they move the private key to my own server if it was there in the first place?)

With Keyless SSL there shouldn't be an additional certificate but only your server certificate, but again, this requires Enterprise. Are you planning to upgrade to that plan?

1 Like

Thanks for the clarification. As long as they don't have my private key I can be content with the free version.

They do not have your key, unless you provide it in the context of custom certificates (which require at least a Business plan). However - as mentioned in the other thread - all transferred data is still visible to Cloudflare.

2 Likes