Zone-Level Authenticated Origin Pulls (AOP) Setup Walkthrough

Hi guys, I will start by listing the steps and expand on each that requires it. Hopefully, I would like to get your approval on the procedure.

  1. Cloudflare (CF) offers its .PEM shared cert to upload to your origin but I want to use my own. I’m on cPanel which has the option of creating a self-signed cert and key. So, create a self-signed cert and key and place them in separate files (name/extension by choice).
  2. Upload the cert and key via API to CF.
  3. Upload the cert to origin. Choose any location, for example /path/to/aop.pem.
  4. Configure origin (Apache) to accept the CF cert. Place the following directives inside the Apache VirtualHost container, either in httpd.conf file directly (non-cPanel servers) or via httpd.conf file’s include files (cPanel servers).
    SSLVerifyDepth 1
    SSLCACertificateFile /path/to/aop.pem
  5. Enable AOP in CF Dashboard > SSL/TLS > Origin Server. This makes CF use the uploaded cert when connecting to origin.
  6. Enable zone-level AOP via CF API.
  7. Test if the AOP is working by inspecting the logs on origin.
  8. Enforce AOP on origin by placing this directive in the same location (step 4).
    SSLVerifyClient require
  9. Test if the AOP is working by disabling the AOP (step 5). If you get an error when accessing the website, it means it’s working.


  1. What is the difference between steps 5 and 6? Why enable it two times?
  2. What exactly should I look out for in the logs (step 7)?

Once I get the green light on the steps I will expand on steps 2 and 6. These are the API calls. I want to make sure my code is right.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.