Origin Certificates -- Secure Origin Communication

DodaTech 7 min read

In this tutorial, you'll learn about Origin Certificates. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

Cloudflare Origin Certificates are free TLS certificates issued by Cloudflare's own CA, designed specifically to encrypt traffic between Cloudflare's edge and your origin server. Unlike public CA certificates, Origin Certificates are not trusted by browsers -- they are intended only for the Cloudflare-to-origin connection and work exclusively with Full Strict SSL mode.

Why Origin Certificates Matter

The most secure Cloudflare SSL configuration -- Full Strict -- requires a valid certificate on your origin server. Traditionally, this meant purchasing certificates from a public CA or using Let's Encrypt with automated renewal. Origin Certificates solve this by providing free, long-lived (up to 15 years) certificates that Cloudflare's edge automatically trusts. This eliminates certificate renewal overhead, reduces cost, and ensures the origin-facing connection is always encrypted with a valid certificate.

Real-World Use Case

A SaaS company with a Kubernetes cluster serving 25 microservices needed each service to terminate TLS for Cloudflare Full Strict mode. Managing Let's Encrypt certificates for 25 internal services required complex cert-manager automation and frequent troubleshooting. After switching to Cloudflare Origin Certificates, they generated one wildcard certificate for *.app.internal.example.com, installed it across all services, and eliminated certificate renewal concerns for years.

How Origin Certificates Work

flowchart LR
    V[Visitor Browser] -- TLS --> C[Cloudflare Edge]
    C -- TLS Origin Certificate --> O[Origin Server]
    
    subgraph "Cloudflare CA"
        CA[Origin CA] -- Issues Cert --> C
    end
    
    subgraph "Your Infrastructure"
        O -- Installs Origin Cert --> W[Web Server]
        W --> A[Application]
    end
    
    style CA fill:#4a90d9,color:#fff
    style O fill:#27ae60,color:#fff

Cloudflare operates its own Certificate Authority specifically for origin certificates. When you generate an Origin Certificate through the Cloudflare dashboard or API, Cloudflare signs it with its Origin CA key. Cloudflare's edge nodes are configured to trust this CA automatically. You then install the certificate on your origin server. Because Cloudflare trusts its own CA, Full Strict mode validates the origin certificate successfully.

Generating an Origin Certificate

# 1. Generate a private key and CSR locally; the private key never leaves your server
openssl req -new -newkey rsa:2048 -nodes -keyout origin.key -out origin.csr -subj "/CN=example.com"
chmod 600 origin.key

# 2. Submit the CSR to the Origin CA API. This endpoint is authenticated with an
#    Origin CA Key (X-Auth-User-Service-Key header), not a regular zone API token.
curl -s -X POST "https://api.cloudflare.com/client/v4/certificates" \
  -H "X-Auth-User-Service-Key: YOUR_ORIGIN_CA_KEY" \
  -H "Content-Type: application/json" \
  --data "$(python3 -c 'import json; print(json.dumps({
    "hostnames": ["example.com", "*.example.com"],
    "requested_validity": 5475,
    "request_type": "origin-rsa",
    "csr": open("origin.csr").read()}))')" | python3 -m json.tool
# Expected output:
# {
#   "result": {
#     "id": "origin-cert-id",
#     "certificate": "-----BEGIN CERTIFICATE-----\n...",
#     "hostnames": ["example.com", "*.example.com"],
#     "expires_on": "...",
#     "request_type": "origin-rsa",
#     "requested_validity": 5475
#   },
#   "success": true
# }

The API signs the CSR you submit and returns the PEM-encoded certificate; the private key is the one openssl generated locally and never leaves your server. The requested_validity is specified in days, and 5475 is approximately 15 years, the maximum validity Cloudflare issues. The request_type can be origin-rsa (RSA 2048-bit) or origin-ecc (ECDSA P-256); choose the one that matches the key type in your CSR. Save the returned certificate to a file immediately. If you instead generate the certificate in the Cloudflare dashboard and let it create the key pair for you, copy the private key at that moment: it is shown only once and Cloudflare does not keep a copy.

Installing Origin Certificate on Nginx

# Save the certificate (world-readable is fine, it is public)
sudo tee /etc/ssl/certs/origin.pem > /dev/null << 'EOF'
-----BEGIN CERTIFICATE-----
...paste certificate here...
-----END CERTIFICATE-----
EOF

# Save the private key readable by root only; the web server reads it as root at startup
sudo tee /etc/ssl/private/origin.key > /dev/null << 'EOF'
-----BEGIN RSA PRIVATE KEY-----
...paste private key here...
-----END RSA PRIVATE KEY-----
EOF
sudo chmod 600 /etc/ssl/private/origin.key

# Configure Nginx to use the origin certificate
sudo tee /etc/nginx/sites-available/example.com << 'EOF'
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/ssl/certs/origin.pem;
    ssl_certificate_key /etc/ssl/private/origin.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/example.com;
}
EOF

# Test and reload
sudo nginx -t && sudo systemctl reload nginx
# Expected output:
# nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
# nginx: configuration file /etc/nginx/nginx.conf test is successful

The configuration above sets up Nginx to use the Cloudflare Origin Certificate. The ssl_protocols directive restricts TLS to versions 1.2 and 1.3 for security. After reloading Nginx, Cloudflare's edge can connect to your origin over TLS with a certificate that Full Strict mode validates as trusted.

Installing Origin Certificate on Apache

# Configure Apache to use the origin certificate
sudo tee /etc/apache2/sites-available/example.com-ssl.conf << 'EOF'
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerName example.com
        DocumentRoot /var/www/example.com

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/origin.pem
        SSLCertificateKeyFile /etc/ssl/private/origin.key
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    </VirtualHost>
</IfModule>
EOF

# Enable SSL module and site, then reload
sudo a2enmod ssl && sudo a2ensite example.com-ssl && sudo systemctl reload apache2
# Expected output:
# Module ssl already enabled
# Site example.com-ssl enabled

The Apache configuration mirrors the Nginx setup. The SSLProtocol directive disables older, insecure protocol versions. Cloudflare Origin Certificates work with any web server that supports PEM-encoded certificates, including Caddy, HAProxy, and IIS.

Testing the Origin Certificate

# Verify the served certificate and its chain the way Cloudflare's edge would.
# Cloudflare publishes its Origin CA roots; fetch the RSA root
# (use origin_ca_ecc_root.pem instead for an origin-ecc certificate)
curl -sSo /tmp/origin_ca_rsa_root.pem https://developers.cloudflare.com/ssl/static/origin_ca_rsa_root.pem
# Connect to the local server under the real hostname (--resolve) so the hostname check
# passes, trusting only the Origin CA root. The leaf certificate itself cannot serve as
# --cacert, and plain https://localhost fails because the certificate does not cover localhost.
curl -vI --resolve example.com:443:127.0.0.1 --cacert /tmp/origin_ca_rsa_root.pem https://example.com 2>&1 | grep -E "SSL|TLS"
# Expected output:
# * SSL connection using TLSv1.3
# * SSL certificate verify ok

Local verification confirms the web server is serving the certificate correctly. The final production test is to set Cloudflare SSL mode to Full Strict and verify your site loads without 526 errors.

Common Errors and Troubleshooting

Error 526 After Enabling Full Strict

If you get error 526 after switching to Full Strict with an Origin Certificate, Cloudflare's edge may not trust the certificate yet. Solution: wait 30-60 seconds for certificate propagation, then retry. Also confirm that the hostname Cloudflare connects to is covered by the certificate's hostnames list and that the certificate has not expired, since both also produce a 526. If the error persists, regenerate the certificate and reinstall.

Origin Certificate Not Trusted by Browsers

Origin Certificates are not trusted by browsers by design. They are only for Cloudflare-to-origin communication. If you install an Origin Certificate directly on a public-facing server (not behind Cloudflare), browsers will show an untrusted certificate warning.

Private Key Lost

Cloudflare does not store the private key after generation. If you lose it, you must generate a new Origin Certificate and reinstall it on your origin server. Old certificates continue working until they expire, but you cannot recover the private key.

Wrong SSL Mode

Origin Certificates only work with Full or Full Strict mode. If your SSL mode is set to Flexible or Off, Cloudflare does not attempt TLS to the origin, and the Origin Certificate sits unused on your server.

Expired Origin Certificate

Origin Certificates can be issued with validity up to 15 years, but if you generate one with a shorter validity period, you must track the expiry. Unlike Universal SSL, Origin Certificates do not auto-renew. Use the Cloudflare API to list origin certificates and their expiry dates.
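Because Origin Certificates never auto-renew, expiry tracking has to be your own job. The script below is an added example, not code from DodaTech's guide or from Cloudflare: it lists a zone's origin certificates through the Origin CA API and flags those expiring within a threshold (expired ones included). The zone ID and Origin CA Key placeholders, the two `expires_on` timestamp formats handled, and the sample certificate list are assumptions or constructed data.

```python
import json
import re
import urllib.request
from datetime import datetime, timezone

# Origin CA endpoint; authenticated with an Origin CA Key, not a zone API token
API_URL = "https://api.cloudflare.com/client/v4/certificates"


def fetch_origin_certificates(zone_id, origin_ca_key):
    """Network call: list the Origin CA certificates issued for a zone."""
    req = urllib.request.Request(f"{API_URL}?zone_id={zone_id}",
                                 headers={"X-Auth-User-Service-Key": origin_ca_key})
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(f"Origin CA API error: {body.get('errors')}")
    return body["result"]


def parse_expiry(expires_on):
    """Return an aware UTC datetime. Assumed input formats: ISO 8601 ('...T00:00:00Z')
    or 'YYYY-MM-DD HH:MM:SS +0000 UTC'; fractional seconds are dropped."""
    text = re.sub(r"\.\d+", "", expires_on.strip())
    text = text.replace(" UTC", "").replace(" +0000", "+00:00").replace("Z", "+00:00")
    dt = datetime.fromisoformat(text)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def expiring_within(certs, days, now=None):
    """[(id, hostnames, days_left)] for certificates expiring within `days`,
    soonest first; already-expired certificates have a negative days_left."""
    now = now or datetime.now(timezone.utc)
    flagged = [(c["id"], c["hostnames"], (parse_expiry(c["expires_on"]) - now).days)
               for c in certs]
    return sorted((f for f in flagged if f[2] <= days), key=lambda f: f[2])


# Constructed sample in the shape of the API's "result" list (not real Cloudflare data)
SAMPLE_CERTS = [
    {"id": "cert-soon", "hostnames": ["example.com", "*.example.com"],
     "expires_on": "2025-02-01T00:00:00Z", "request_type": "origin-rsa"},
    {"id": "cert-long", "hostnames": ["api.example.com"],
     "expires_on": "2039-06-15 12:00:00 +0000 UTC", "request_type": "origin-ecc"},
    {"id": "cert-expired", "hostnames": ["old.example.com"],
     "expires_on": "2024-12-01T00:00:00Z", "request_type": "origin-rsa"},
]
NOW = datetime(2025, 1, 12, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

if __name__ == "__main__":
    for cert_id, hosts, left in expiring_within(SAMPLE_CERTS, 30, NOW):
        print(f"{cert_id}: {', '.join(hosts)} expires in {left} days")
```

For live use, replace SAMPLE_CERTS with fetch_origin_certificates("YOUR_ZONE_ID", "YOUR_ORIGIN_CA_KEY") and run it from a scheduled job that alerts on a non-empty result.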

Practice Questions

  1. Why are Cloudflare Origin Certificates not trusted by web browsers?
  2. What SSL mode must be enabled for Origin Certificates to secure origin communication?
  3. What happens if you lose the private key for an Origin Certificate?

FAQ

What is the maximum validity period for a Cloudflare Origin Certificate?

Cloudflare Origin Certificates can be issued with validity up to 15 years (approximately 5475 days). You can specify a shorter validity period during generation. Unlike Let's Encrypt certificates which renew every 90 days, Origin Certificates provide long-lasting coverage without frequent renewal.

Can I use Origin Certificates with servers not behind Cloudflare?

No. Origin Certificates are issued by Cloudflare's Origin CA and are only trusted by Cloudflare's edge network. If you install an Origin Certificate on a server that is accessible directly by visitors (not proxied through Cloudflare), browsers will display an untrusted certificate warning. Use public CA certificates for non-Cloudflare servers.

What is the difference between Origin Certificates and Custom SSL Certificates?

Origin Certificates are free, auto-trusted by Cloudflare's edge, and designed solely for Cloudflare-to-origin encryption. Custom SSL Certificates are uploaded by you from any CA and can serve both the visitor-facing edge and origin-facing connections. Origin Certificates simplify the Full Strict setup, while Custom SSL Certificates give you provider flexibility.

Summary

Cloudflare Origin Certificates provide a free, simple path to Full Strict SSL mode. They are issued by Cloudflare's own CA, trusted automatically by Cloudflare's edge, and can be generated with validity up to 15 years. Installation on Nginx, Apache, or any web server takes minutes. Origin Certificates eliminate the need for public CA certificates on your origin server while maintaining the highest level of encryption between Cloudflare and your infrastructure.

This guide is brought to you by the developers of Cloudflare, SSL, and Web Security products at DodaTech.