Why does Cloudflare require your certificate's private key?


One of the main criticisms that Cloudflare faces in my circles is that they require your custom SSL certificate’s private key in order to function, which probably means it has to decrypt traffic to work. They speculate that Cloudflare does this for either self-enrichment purposes, or at the request of government for LEO.

It would be nice if it were possible to keep traffic completely encrypted. Cloudflare has a strong history of security but it’s not flawless.


For enterprise customers we support keyless SSL. It does require that the customer maintain a highly available public key server.

Because we are an SSL termination endpoint in order to provide the services that we do, it’s necessary for us to decrypt the traffic before processing a request and serving a response/sending requests on to the origin server.

I’m not sure what value we could provide beyond basic port blocking if all we did was act as a firewall (which is really all we could do if we didn’t decrypt the traffic).

We take customer data, privacy and security very seriously (https://www.cloudflare.com/security-policy/) and perform regular audits, both internal and external, including PCI 3.1, which has some very stringent data controls (https://blog.cloudflare.com/cloudflare-is-now-pci-3-1-certified/). Our trust and safety team is available to answer specific questions or concerns if you have them.
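To make the keyless split in the reply above concrete, here is an added example (not Cloudflare's code): Go's crypto/tls accepts any crypto.Signer as a certificate's private key, so an edge can terminate TLS while forwarding only handshake digests to a key server. KeyServer, RemoteSigner, the in-process callback and the transcript bytes are constructed stand-ins for the real network round trip.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"io"
)

// KeyServer is a constructed stand-in for the customer-run key server: it holds
// the private key and exposes exactly one operation, "sign this digest".
type KeyServer struct {
	priv  *rsa.PrivateKey
	Calls int // signing requests served, so a caller can confirm the remote path ran
}

func NewKeyServer(bits int) (*KeyServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &KeyServer{priv: priv}, nil
}
func (ks *KeyServer) PublicKey() *rsa.PublicKey { return &ks.priv.PublicKey }
func (ks *KeyServer) SignDigest(digest []byte) ([]byte, error) {
	ks.Calls++ // key bytes never leave this struct
	return rsa.SignPKCS1v15(rand.Reader, ks.priv, crypto.SHA256, digest)
}

// RemoteSigner is what the edge holds instead of the key: the public half plus a
// callback to the key server. It satisfies crypto.Signer, which crypto/tls accepts
// as tls.Certificate.PrivateKey, so the edge can terminate TLS without the key.
type RemoteSigner struct {
	Pub    *rsa.PublicKey
	SignFn func(digest []byte) ([]byte, error) // stands in for the network round trip
}

func (r *RemoteSigner) Public() crypto.PublicKey { return r.Pub }
func (r *RemoteSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	return r.SignFn(digest) // only the digest crosses to the key server
}

// HandshakeSign models the signed handshake step (e.g. TLS 1.2 ECDHE ServerKeyExchange):
// the edge hashes the transcript locally and asks the key server for the signature.
func HandshakeSign(s crypto.Signer, transcript []byte) ([]byte, error) {
	d := sha256.Sum256(transcript)
	return s.Sign(rand.Reader, d[:], crypto.SHA256)
}
func ClientVerify(pub *rsa.PublicKey, transcript, sig []byte) bool { // browser side
	d := sha256.Sum256(transcript)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}
```

The edge still sees plaintext after the handshake (it derives the session keys itself), which is exactly why the reply says decryption is needed for caching and filtering; keyless only keeps the long-lived private key off the edge.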


Source obfuscation, DDoS protection, and analytics (shy of content type) would all be possible without decryption, yea? I think for many users, skipping caching for SSL continuity would be preferred.

I did not know that Enterprise allowed this. Thanks for the info.