Understanding "Origin Server" and "Origin CA Certificates"

I am confused about the Cloudflare “Origin Server” certificate feature and I have several questions:

  1. Terminology - When I go to my Cloudflare dashboard for a domain and then click the “SSL/TLS” section, one of the options is “Origin Server”. On that page there is a documentation link that goes to https://developers.cloudflare.com/origin-configuration/. On that page the Origin Server certificates feature appears to be called “Origin CA certificates”. My first question is, are “Origin Server” certificates and “Origin CA certificates” the same thing? If so, this should be modified in the website because it’s confusing to call them 2 different names.

  2. The “Origin Server” configuration page under “SSL/TLS” says, “Origin Certificates are only valid for encryption between Cloudflare and your origin server.” Does this mean that these certificates are NOT for encrypting client traffic to the host (origin server)?

  3. Finally, I am confused about the benefit/functionality of these Origin Certs vs me having my own SSL certificate on my host. In both cases I can get “Strict SSL”. Can you point me to documentation which explains more about the purpose and benefits of Origin Certs?

thank you

An origin certificate is any certificate that is installed on your origin server and used to encrypt traffic between Cloudflare and your origin server - this can be an Origin CA Certificate or a publicly trusted certificate from e.g. Let’s Encrypt. An Origin CA Certificate is a certificate generated in the Cloudflare dashboard, and it is made specifically to secure the connection between Cloudflare and your origin server.

The edge certificate is used to encrypt traffic between the client and Cloudflare, while the origin certificate is used to encrypt traffic between Cloudflare and your origin server.

Edge Certificate     Origin Certificate
        |                    |
Client ---> Cloudflare Edge ---> Origin Server

Origin CA Certificates are meant for users who can’t / don’t want to automate certificate issuance with e.g. Let’s Encrypt and certbot. Origin CA Certificates work just like regular SSL certificates, but they can only be used between Cloudflare and your Origin Server. This means the DNS record must be proxied (orange cloud) if you want to use an Origin CA Certificate.

The words “Origin Certificate” and “Origin CA Certificate” often refer to the same thing (a certificate generated in the Cloudflare dashboard), but note that an “origin certificate” can also just be a regular SSL certificate installed on your origin server.
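The reason an Origin CA Certificate only works "between Cloudflare and your origin server" is a trust question, not an encryption one: the certificate is signed by Cloudflare's own Origin CA, whose root is carried by Cloudflare's edge but not by browsers' public trust stores. The script below is an added illustration, not code from the thread or from Cloudflare. It builds a toy private CA that stands in for the Origin CA, issues an origin certificate from it, and then verifies that certificate once against that CA and once against an unrelated CA playing the role of a client's public root store. All names (Example Origin CA, example.com) and keys are constructed for the demo.

```shell
#!/bin/sh
# Added example: why an Origin-CA-style certificate is trusted by the edge
# that carries the issuing root, but not by a client with only public roots.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Toy root CA standing in for Cloudflare's Origin CA (constructed, self-signed).
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -keyout "$WORK/origin-ca.key" -out "$WORK/origin-ca.pem" \
  -subj "/O=Example Origin CA/CN=Example Origin CA Root" 2>/dev/null

# Leaf certificate for the origin server, issued by that toy Origin CA.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/origin.key" -out "$WORK/origin.csr" \
  -subj "/CN=example.com" 2>/dev/null
openssl x509 -req -in "$WORK/origin.csr" -CA "$WORK/origin-ca.pem" \
  -CAkey "$WORK/origin-ca.key" -CAcreateserial -days 365 \
  -out "$WORK/origin.pem" 2>/dev/null

# Unrelated self-signed CA: stands in for the public roots a browser trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
  -keyout "$WORK/public-ca.key" -out "$WORK/public-ca.pem" \
  -subj "/O=Example Public CA/CN=Example Public Root" 2>/dev/null

# verify_origin_cert <leaf.pem> <ca-bundle.pem>
# Returns 0 when the leaf chains to the given bundle, 1 otherwise.
verify_origin_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Cloudflare's edge carries the Origin CA root, so this path validates.
verify_origin_cert "$WORK/origin.pem" "$WORK/origin-ca.pem" \
  && echo "edge -> origin: chain trusted"

# A client hitting the origin directly has only public roots, so this fails,
# which is the expected behaviour for an Origin CA certificate (DNS must stay proxied).
verify_origin_cert "$WORK/origin.pem" "$WORK/public-ca.pem" \
  || echo "client -> origin: chain NOT trusted"
```

The same check is useful against a real deployment: run `openssl verify` on the certificate installed on the origin with the Cloudflare Origin CA root as `-CAfile` to confirm the edge will accept it under Full (strict), and remember that the result with the system store will be a failure by design, not a misconfiguration.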
