Upload Domain Origin Root Cert for Origin Trust

It would be really convenient to be able to use the same internal CA certs that you’re already using internally to authenticate the origin to Cloudflare. It would have the added benefit that if you need to turn off the proxy for whatever reason, then clients connecting from domain joined machines would still be able to connect without TLS errors.

You mean when we generate a Cloudflare Origin CA certificate and install it at our host/origin server?

Moreover, do you maybe mean the Cloudflare Origin CA root certificate?

If I understood it correctly, this is currently not possible. You want to use a Cloudflare CA certificate for hostnames which are :grey: cloud (not being proxied via Cloudflare) and want that connection to be without error?

Origin CA certificates only encrypt traffic between Cloudflare and your origin web server and are not trusted by client browsers when directly accessing your origin website outside of Cloudflare. For subdomains that utilize Origin CA certificates, pausing or disabling Cloudflare causes untrusted certificate errors for site visitors.

Something else: when using Cloudflare Authenticated Origin Pulls, the SSL request is verified, and anyone connecting to your origin via a hostname which is not being proxied by Cloudflare (:orange: cloud at the DNS dashboard) would get error 400:

In case a customer needs an SSL certificate, he/she can always:

  1. Purchase an SSL certificate at some reseller like NameCheap, Comodo, etc.
  2. Purchase a Dedicated SSL certificate (using Advanced Certificate Manager) at Cloudflare
  3. Generate free Let’s Encrypt SSL certificate
  4. Or generate and use a CF Origin CA certificate in that case (as that is its stated purpose)

CloudFlare’s Origin CA is working as intended. It’s not trusted by browsers. It’s only trusted by CloudFlare’s servers. Its purpose is to secure communications between CloudFlare and your origin, not for general usage.

Source:

I believe, if we want a free, publicly trusted certificate, we should look at Let’s Encrypt. (It’s a legitimate and widely-used CA. It’s a non-profit founded by the EFF, Mozilla, and several universities and Internet companies.)

Obviously, the SSL warnings should go away if we turn on Cloudflare’s reverse proxy (:orange: cloud for records).

When pausing CloudFlare or gray-clouding individual zones, be aware that you and your visitors may receive errors in their browsers until you orange-cloud (reverse proxy) them again.

Hmm, could it be (depends on the perspective and view point)? :wink:

A Cloudflare Origin Certificate is the equivalent of a Self-Signed certificate.

Not entirely. An Origin certificate is signed by another certificate, it’s just not a publicly recognised one.

2 Likes

For Authenticated Origin Pull you can use a custom CA. What the OP wants is to have a Custom CA for SSL Full Strict.

This would have some advantages. Even a compromise of a public CA would not impact on the trust of your private CA. Some businesses see the public CT logs as an information disclosure, so prefer not to use them.

But you are assuming that somebody manages to have a mis-issued cert from a public CA that does not get logged in the CT logs, and simultaneously insert that cert between Cloudflare and your origin. Private certs typically have long lives, so in the event somebody does compromise your private CA you may never know about it.

Probably easier to automate the deployment of LE certs, and rely on the public CA trust environment.

3 Likes

In a private CA infrastructure (at least for Windows servers) it’s trivial to have short-lifetime auto-renewing certs, in which case setting up trust for your internal root could in some ways be more secure; assuming, of course, that it’s not the internal root itself that gets compromised, which would have much bigger implications than just compromised traffic to Cloudflare.
In Windows-based infrastructures it’s harder to set up LE interfaces than it is to use GPO to auto-enroll your servers for internal certs.

I wonder if it might make sense to allow only the upload of private subordinate CAs’ full chains to trust, since it wouldn’t be that hard to maintain for companies with internal PKI, but would make it a lot harder for someone to accidentally or intentionally misuse it. Making sure that there’s at least one subordinate would be a good indicator that their internal root is isolated, and at the very least that they won’t be able to sign certs for their origin servers directly with a root.
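As an added illustration of the two points made in this thread (it is not code from the thread, from Cloudflare, or from any real product), the Go program below builds a constructed private hierarchy with the standard library's crypto/x509: a root, a subordinate "issuing" CA, one origin leaf issued by the subordinate and one issued directly by the root. It then shows that a leaf chaining to a private root verifies only when that root is in the trust store (a store without it, standing in for a browser, rejects it, which is the :grey: cloud / paused-Cloudflare case above), and applies the acceptance rule proposed in the last post: a hypothetical `checkUploadPolicy` that requires at least one subordinate CA between leaf and root and a short leaf lifetime. All names (`Example Corp Private Root`, `origin.corp.example`), lifetimes and the 90-day policy limit are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate template for a CA or an origin leaf (constructed example data).
func template(cn string, isCA bool, lifetime time.Duration, serial int64) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(lifetime),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// makeCert signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// demoPKI is a constructed hierarchy: root -> issuing (subordinate) CA -> origin leaf,
// plus a second leaf signed directly by the root for comparison.
type demoPKI struct {
	root, sub, leafViaSub, leafViaRoot *x509.Certificate
}

func buildPKI(host string) (*demoPKI, error) {
	root, rootKey, err := makeCert(template("Example Corp Private Root", true, 10*365*24*time.Hour, 1), nil, nil)
	if err != nil {
		return nil, err
	}
	sub, subKey, err := makeCert(template("Example Corp Issuing CA", true, 5*365*24*time.Hour, 2), root, rootKey)
	if err != nil {
		return nil, err
	}
	leafViaSub, _, err := makeCert(template(host, false, 30*24*time.Hour, 3), sub, subKey)
	if err != nil {
		return nil, err
	}
	leafViaRoot, _, err := makeCert(template(host, false, 30*24*time.Hour, 4), root, rootKey)
	return &demoPKI{root: root, sub: sub, leafViaSub: leafViaSub, leafViaRoot: leafViaRoot}, err
}

// verifyOrigin validates leaf for host against the given trust anchors and returns the verified chain.
func verifyOrigin(leaf *x509.Certificate, intermediates []*x509.Certificate, roots *x509.CertPool, host string) ([]*x509.Certificate, error) {
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	if err != nil {
		return nil, err
	}
	return chains[0], nil
}

// checkUploadPolicy is a hypothetical acceptance rule for an uploaded chain: the leaf must be
// issued by a subordinate CA (never directly by the root) and must be short-lived.
func checkUploadPolicy(chain []*x509.Certificate, maxLeafLifetime time.Duration) error {
	if len(chain) < 3 {
		return errors.New("leaf is signed directly by the root; an isolated root should only sign subordinate CAs")
	}
	if life := chain[0].NotAfter.Sub(chain[0].NotBefore); life > maxLeafLifetime {
		return fmt.Errorf("leaf lifetime %s exceeds policy maximum %s", life, maxLeafLifetime)
	}
	return nil
}

func main() {
	const host = "origin.corp.example"
	p, err := buildPKI(host)
	if err != nil {
		panic(err)
	}
	private := x509.NewCertPool() // a store that includes the company root (domain-joined client)
	private.AddCert(p.root)
	public := x509.NewCertPool() // stands in for a browser trust store: the private root is absent
	chain, err := verifyOrigin(p.leafViaSub, []*x509.Certificate{p.sub}, private, host)
	fmt.Println("private root trusted:", len(chain), "certs in chain, err =", err, "; policy:", checkUploadPolicy(chain, 90*24*time.Hour))
	_, err = verifyOrigin(p.leafViaSub, []*x509.Certificate{p.sub}, public, host)
	fmt.Println("browser store without private root:", err)
	chain, _ = verifyOrigin(p.leafViaRoot, nil, private, host)
	fmt.Println("leaf signed directly by root:", len(chain), "certs in chain; policy:", checkUploadPolicy(chain, 90*24*time.Hour))
}
```

The empty pool is passed explicitly rather than `nil`, because a nil `Roots` makes Go's verifier fall back to the system trust store; the point of the example is that a store lacking the private root rejects the origin certificate exactly as a visitor's browser would once the proxy is paused.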