Use of Full Strict for Web Access

If I enable full strict for SSL does that mean I need to send an edge certificate to those who access my web server being proxied by Cloudflare? Is this how you ensure full strict?

Full Strict means you have an in-date SSL certificate on your origin that is from a trusted CA, including Cloudflare’s Origin CA. Cloudflare will issue an SSL certificate for sites being proxied automatically - you just need to make sure your origin is configured to handle TLS connections.

You should force HTTPS on Cloudflare to make sure connections are always over HTTPS from the client to Cloudflare.

2 Likes

Ok, that makes sense, but then what is the concept of the edge certificate? I think that’s where I am getting messed up.

So when you proxy you have two TLS connections:

User request (we call this the eyeball) to Cloudflare - this connection is a TLS connection (when using HTTPS) using a Cloudflare-issued certificate. This can be a Universal Certificate (Free Universal SSL/TLS certificates · Cloudflare SSL/TLS docs).

Then there is a connection from Cloudflare to your origin - this connection is what Full Strict (and the other settings) control. For this one you need a certificate on the origin, i.e. the origin certs.

Matt
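The Cloudflare-to-origin leg described in the reply above is the one Full Strict governs: the origin certificate must be within its validity period, cover the origin hostname, and chain to a CA Cloudflare trusts (a public CA or Cloudflare’s Origin CA). The script below is an added example, not code from this thread or from Cloudflare, that performs those same three checks from the proxy’s side. The sample certificate, the issuer names and the "trusted issuers" set are constructed placeholders; the live `fetch_origin_cert()` helper relies on Python’s `ssl` module for real chain and hostname verification.

```python
"""Added example: a Full (Strict)-style check of an origin certificate,
run from the proxy's side of the Cloudflare-to-origin TLS connection.
All names below are constructed placeholders, not real Cloudflare values."""
import socket
import ssl
import time

# Constructed stand-in for the proxy's trust store: issuer CNs that the
# offline evaluate_cert() check accepts. In the live path the ssl module's
# chain verification does the real work against a CA bundle.
TRUSTED_ISSUERS = {
    "Example Origin CA",      # placeholder for a private origin CA
    "Example Public CA R3",   # placeholder for a public CA such as Let's Encrypt
}

# Constructed certificate in the dict shape SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "origin.example.com"),),),
    "issuer": (
        (("organizationName", "Example CA, Inc."),),
        (("commonName", "Example Origin CA"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2039 GMT",
    "subjectAltName": (("DNS", "origin.example.com"), ("DNS", "*.example.com")),
}

# Fixed "current time" so the offline check is reproducible.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")


def _issuer_cn(cert):
    """Pull the issuer commonName out of getpeercert()'s nested tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _san_matches(pattern, hostname):
    """DNS SAN match; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def evaluate_cert(cert, hostname, trusted_issuers=TRUSTED_ISSUERS, now=None):
    """Return the reasons a Full (Strict)-style check would reject this
    certificate; an empty list means the origin certificate passes."""
    now = time.time() if now is None else now
    problems = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(_san_matches(s, hostname) for s in sans):
        problems.append("hostname mismatch")
    if _issuer_cn(cert) not in trusted_issuers:
        problems.append("untrusted issuer")
    return problems


def fetch_origin_cert(hostname, port=443, cafile=None):
    """Live variant: open the proxy-to-origin TLS connection and return the
    peer certificate. create_default_context() verifies the chain against
    the system store (or `cafile`, e.g. a downloaded origin CA root) and
    checks the hostname, raising ssl.SSLCertVerificationError on failure,
    which is the condition under which Full (Strict) refuses the origin."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(evaluate_cert(SAMPLE_CERT, "origin.example.com", now=SAMPLE_NOW))  # []
    expired = dict(SAMPLE_CERT, notAfter="Jan  1 00:00:00 2025 GMT")
    print(evaluate_cert(expired, "origin.example.com", now=SAMPLE_NOW))  # ['expired']
```

`evaluate_cert()` is the offline part you can run against any `getpeercert()` dict; `fetch_origin_cert("origin.example.com", cafile="origin-ca.pem")` is the live check to run from a host that can reach your origin, with `cafile` pointing at whichever CA issued the origin certificate (a Cloudflare Origin CA certificate will only verify against Cloudflare’s own root, which is why browsers would not trust it on the edge side).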

Ahhh…so if I use a universal certificate for the eyeball side, do I need to send this to my clients, or will they receive the certificate when accessing a website protected by Cloudflare?

1 Like

While the following question as an answer may sound snarky and seem to deride your question, I assure you that it is not, and the answer may surprise you.

Do you need a web site to send you their certificate before you visit their site using HTTPS?


Yes! The good news is that this all happens automatically as part of the HTTPS connection.

It’s not snarky at all. I thought there would be a certificate exchange at initial access time.

1 Like

If I have both an edge cert and an origin cert, is this overkill?

Not at all, in fact that is the recommended and secure setup.

2 Likes

Ok, so setting Full Strict, along with an edge and an origin certificate, is the most secure method.

New question…is there any reason to have a Let’s Encrypt certificate in this mix? I thought any certificate I generate from Cloudflare is actually Let’s Encrypt? Am I misstating this?

Not most, only secure.

1 Like

Origin cert and edge cert could both be Let’s Encrypt, or only one, or neither. As long as the origin cert is trusted by Cloudflare and the edge cert is trusted by the browser, you’re all set.

There are others, the list is here:

1 Like

I would prefer to have any certs come from Let’s Encrypt. I know my edge certs are from Let’s Encrypt. How do I do this with my origin cert? I guess the default generation of an origin cert is not from Let’s Encrypt.

The same way you would with any other setup:

The origin certs provided by Cloudflare are issued by Cloudflare and are only trusted by Cloudflare. They are convenient if you don’t want to set up renewal for your own certificates. You can also use any other Certificate Authority.

1 Like

So then using the CF certs as origin certs is fine, since only CF will trust them. Edge certs are outside of the CF infrastructure, and thus would be better from Let’s Encrypt.

Is this a fair and accurate statement?

The available issuing CAs for Edge certificates were already covered earlier. The linked article in the reply highlighted below explains in detail.

1 Like
