Which SSL Cert to Use

Hello all,

I have recently set up a family website using WordPress. Now I want to secure it properly. Is the universal cert provided by CF fine for most things or should I be investing some money in purchasing a cert from CF? I do not like sharing the universal cert with others, so what are my options? Ideally I would like to secure end to end but does that mean I need to provide a client side cert to all users of my website? If yes then that is not scalable, so what is one level down from that?

Thanks,
Steve

It is fine for the proxies, but you still need a certificate on your own server. Cloudflare does not have any paid services in this context but offers the Origin certificates which you can install on your server. Otherwise you can use any other valid certificate on your server too.

It’s rare for Universal certs to be shared amongst websites. It was common a while back, but all my new Universal certs only show sni.cloudflaressl.com, example.org, and *.example.org

Since I am using the CF free service, can I still buy a dedicated cert, and what does this cert cover… just origin to CF?

A dedicated certificate for the proxies? You can do that, but that won’t be necessary.

What you really need is the certificate on your server.

Here are instructions for installing a free Cloudflare origin cert on your server so you can use Full (Strict) SSL mode.

https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates

Ok so I am following the instructions but CF provides two files, a .pem and a .key file. When I go to the instructions for installing on my web server it talks about 3 files, an intermediate and primary cert, as well as a .key file. I would assume the primary cert is the .pem file but where does the intermediate cert come from?

If you need the certificate’s root certificate, then you’ll find that at point #4 under https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates#h_30cc332c-8f6e-42d8-9c59-6c1f06650639


Let me ask it in a different way. I am updating my Virtual Hosts file and I do not know what the following is:

SSLCertificateChainFile /path/to/DigiCertCA.crt

Where does this come from?

That’s obsolete to begin with.

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

And as for the content, a quick search will really explain that in no time. For example https://serverfault.com/questions/382633/difference-between-sslcertificatefile-and-sslcertificatechainfile
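The virtual host change discussed in the replies above, as an added example that is not part of any post in this thread: the older three-file layout next to the layout for Apache 2.4.8 and later. The `ServerName` and all file paths are placeholders, and the file names `origin-cert.pem` and `origin-key.key` are assumed names for the two files Cloudflare provides.

```apache
# Added example; ServerName and paths are placeholders, not values from the thread.

# Before (Apache older than 2.4.8): chain supplied through a separate directive.
# <VirtualHost *:443>
#     ServerName example.org
#     SSLEngine on
#     SSLCertificateFile      /path/to/origin-cert.pem
#     SSLCertificateKeyFile   /path/to/origin-key.key
#     SSLCertificateChainFile /path/to/DigiCertCA.crt
# </VirtualHost>

# After (Apache 2.4.8 and later): SSLCertificateChainFile is dropped.
<VirtualHost *:443>
    ServerName example.org
    SSLEngine on

    # The .pem file from Cloudflare (the server certificate).
    # Any CA certificates the server should send are appended to this
    # same file, after the server certificate, in leaf-to-root order.
    SSLCertificateFile    /path/to/origin-cert.pem

    # The .key file from Cloudflare. Keep it readable only by root
    # or the account Apache starts under.
    SSLCertificateKeyFile /path/to/origin-key.key
</VirtualHost>
```

Running `apachectl configtest` before reloading catches a wrong path or a malformed PEM file.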
