Using Origin Certificate publicly (shows up in client's browser)

Is there any recommendation against installing Cloudflare Origin Certificates to a public webserver (as opposed to an origin only CF can access)? I.e. the Origin Certificate would show up in users’ browsers.

The reason I’m asking is that I’d possibly create a wildcard Origin Certificate for a site that needs to serve sub-sites under a wildcard domain (i.e. there are dynamically created sub-sites under * Without an Enterprise Plan the proxy feature is not available for such sub-sites, but it would still be possible to make use of the Origin Certificate available.

Thank you!

CF origin certs aren’t web-browser trusted, so like self-signed SSL certs they will show warnings to visitors who run into them if you install them on front-facing web sites. CF origin certs, like the name suggests, are for CF-to-origin usage only.

In that case why not use Letsencrypt free SSL certificates? They also support wildcard SSL certs.

But then in either case it’s bypassing the Cloudflare proxy anyway, so you lose the benefits of Cloudflare accelerated performance and security if you want the front-facing SSL cert to be non-Cloudflare based…

Though if you don’t know beforehand what the subdomain name is, then instead of a wildcard, just issue single-subdomain Letsencrypt SSL certs for each dynamically created site and have Cloudflare in front using FULL SSL so CF talks to each origin’s Letsencrypt SSL subdomain cert.

In my understanding, for public-facing certificates the shorter the lifetime the better (within reasonable limits). But what about Origin Certificates that are only used between Cloudflare and the origin server? Are there any recommendations on not using the 15 year option? Apparently one shouldn’t really be able to create certificates with an expiry longer than 2 years anyway.

Thank you!

Sort of touched on at Using Origin Certificate publicly (shows up in client's browser). CF Origin SSL certs aren’t web browser trusted. Only really meant for CF to origin usage.


The main problem with long-lasting certificates is the hassle if you need to revoke them for whatever reason.

I’d rather question the following example given in the article, as browser vendors do not seem to hesitate too long when it comes to disabling certificates which might pose a security risk. Just look at what’s happening to Symantec certificates right now.

For example, back when SHA-1 deprecation was first announced, the maximum validity period was 5 years (for DV and OV). This led to challenges in the migration to SHA-256 because there was this gray area of long-life certificates that had been issued with SHA-1 and could potentially remain in use for years with an outdated algorithm. Shorter validity periods will shrink these gray areas after future guidelines are released and decrease the amount of time it takes for all active certificates to comply with a specified policy.

Thank you, I had a hunch there was something like this behind it.

I don’t know why the second question of mine was moved to this topic after I posted it as a new one: it’s a different question, and it’s about using Origin Certificates as they are intended, as opposed to my first question on using them publicly.

So @sandro thank you for your reply, but my second question is about Origin Certificates seen only by Cloudflare: there’s an option to create these with a 15 year expiration, and such certificates will not be seen by browsers (just by the CF proxy). While in my understanding there is general consensus on not using long lifetimes for publicly used certificates, I’m wondering if similar concerns apply to such “internally” used ones (I guess less so, otherwise why would CF allow it, but I’d like to be sure). So there are no browsers and browser vendors in this setup.

My response was clarifying as to why certificates shouldn’t have such a long validity.

As to origin certificates, I am not sure what kind of revocation process Cloudflare would have in this context, but if your certificate gets compromised there might be a chance someone could impersonate your site towards Cloudflare, respectively will be able to decrypt your traffic.

👋 @zoltan.lehoczky,

Long lived certificates are generally fine in 99.99% of use cases. What are the odds that the current web server instance you have running X piece of software is going to be the same one you have running that same piece of software in 15 years? Generally speaking that is a pretty low number… That would be a Windows 2003 server in Microsoft land and if you were running Ubuntu you’d still have a year until the first version was released.

Could you use a shorter version? Sure. As long as you have internal processes in place to request and update the certificate you could use the 7 day certificate length if you wanted. But my experience has generally been organizations are bad at updating certs on servers and that there’s a greater risk you’ll find out that the cert has to be renewed when you start serving 526 errors to your users. Up to your org to weigh the tradeoffs.


^^^ This

The Cloudflare Origin Certificate is not automatically renewed. With that in mind, someone who uses this and then forgets to renew it will have a broken site.

The threat risk of a compromised Origin Certificate is extremely low. It’s not valid in the wild, and if it’s stolen, what good is it?

Only if it is Full (strict). Full should still accept it.
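The two points made in the posts above (an origin certificate that is not renewed breaks the site, and only Full (strict) actually validates the origin certificate against the Origin CA root) can be shown with a short program. The following is an added example, not code from this thread or from Cloudflare: it constructs a stand-in "origin CA" and a 15-year wildcard leaf (both generated locally and not Cloudflare's real Origin CA), verifies the leaf the way a strict proxy holding that root would and the way a browser root store lacking it would, and runs a renewal check with a lead time of 30 days, which is an assumed value.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// originPKI holds a constructed origin CA root and one leaf issued by it.
// It stands in for Cloudflare's Origin CA and an Origin Certificate; it is not the real thing.
type originPKI struct {
	caPool *x509.CertPool
	leaf   *x509.Certificate
}

// newOriginPKI builds a self-signed CA and a wildcard leaf valid for leafValidity from now.
func newOriginPKI(now time.Time, leafValidity time.Duration) (*originPKI, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Origin CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(20 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Hypothetical names; a wildcard SAN mirrors the dynamically created sub-sites in the question.
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "origin.example.com"},
		DNSNames:     []string{"origin.example.com", "*.example.com"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(leafValidity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &originPKI{caPool: pool, leaf: leaf}, nil
}

// verifyAsProxy models Full (strict): the proxy trusts the origin CA root and checks name and validity.
func verifyAsProxy(p *originPKI, host string, now time.Time) error {
	_, err := p.leaf.Verify(x509.VerifyOptions{Roots: p.caPool, DNSName: host, CurrentTime: now})
	return err
}

// verifyAsBrowser models a public root store that does not contain the origin CA (empty pool).
func verifyAsBrowser(p *originPKI, host string, now time.Time) error {
	_, err := p.leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), DNSName: host, CurrentTime: now})
	return err
}

// daysUntilExpiry is the whole number of days from now until the certificate's NotAfter.
func daysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

// renewalDue reports whether the certificate expires within leadDays; alert before a 526 does.
func renewalDue(c *x509.Certificate, now time.Time, leadDays int) bool {
	return daysUntilExpiry(c, now) <= leadDays
}

func main() {
	now := time.Now()
	p, err := newOriginPKI(now, 15*365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("strict proxy accepts:", verifyAsProxy(p, "app1.example.com", now) == nil)
	fmt.Println("browser accepts:", verifyAsBrowser(p, "app1.example.com", now) == nil)
	fmt.Println("days left:", daysUntilExpiry(p.leaf, now), "renewal due:", renewalDue(p.leaf, now, 30))
}
```

Running the expiry check from cron against the certificate actually installed on the origin is what turns the "forgot to renew" failure into an alert instead of a 526; the strict/browser contrast is why a stolen origin certificate is of little use to anyone who is not already between Cloudflare and your origin.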

Please see my earlier response.


If you aren’t using it in Full (strict), the length of the cert can be set to 7 days and it makes no difference, and the question about disadvantages becomes pretty moot.


If someone’s going to impersonate your site towards Cloudflare, they don’t need an Origin certificate.

As for revocation, here ya go:

The question was not whether the validity period would or should influence the TLS mode, but whether an expired certificate would break the site.

IMHO Cloudflare should generally only offer Off and strict Full, nothing else, even though the other modes certainly offer a certain convenience.

The validity period is a completely different subject then.

Fair point, though the decryption bit is still on the table.

Alright, thanks.


Thanks for all the replies, all clear now!
