With Cloudflare, you can generate an Origin Certificate, a free TLS certificate signed by Cloudflare's own Origin CA, and install it on your web server to secure the connection between your origin server and Cloudflare's proxy servers. The main advantages of Cloudflare Origin Certificates are their validity period, which can be up to 15 years, and the option to include a wildcard entry that covers all your subdomains. Keep in mind that the Origin CA is trusted only by Cloudflare, not by browsers: a client that reaches your origin directly, bypassing the proxy, will get a certificate warning, so an Origin Certificate is only appropriate for a host whose traffic is proxied through Cloudflare.
Create Your Origin Certificate
First, go to your Cloudflare dashboard and, in the Crypto section (now named SSL/TLS), click Create Certificate. If you have already generated a CSR (Certificate Signing Request) and a private key, you can paste your CSR content and have Cloudflare sign it, which keeps the private key on your own server. Otherwise, click Next and let Cloudflare generate a private key for you. Prefer an ECDSA private key over RSA: at comparable security strength, ECDSA keys and signatures are much smaller, which makes the TLS handshake cheaper. Cloudflare will show you your private key and your Origin Certificate after you click Next. Be sure to save your private key before closing the browser tab, as Cloudflare does not store it and will never display it again.
Then create a new file, yourdomain-tld-key.pem, and paste the contents of your private key into it. Create another file, yourdomain-tld-cert.pem, and paste the contents of your Origin Certificate into it. Keep both in a dedicated folder under /etc/nginx, for example /etc/nginx/ssl, and make the key file readable only by root (chmod 600): anyone who can read it can impersonate your origin to Cloudflare.
Add the Cloudflare Origin CA Root Certificate (Optional)
This step is optional because Nginx does not validate the chain of your Origin Certificate; it only checks that the certificate and the private key parse and belong together. Cloudflare's proxies trust the Origin CA directly, so they do not need the root appended either. If you still want to ship the chain, download the Cloudflare Origin CA root certificate that matches the key type of your Origin Certificate and append it to your certificate file. You can download it with the following command:
For an RSA Origin Certificate:
wget -O cloudflare_root.pem https://support.cloudflare.com/hc/en-us/article_attachments/206709108/cloudflare_origin_rsa.pem
For an ECDSA Origin Certificate:
wget -O cloudflare_root.pem https://support.cloudflare.com/hc/en-us/article_attachments/206709098/cloudflare_origin_ecc.pem
To combine your Origin Certificate and the Cloudflare root certificate into one file, append the root to your certificate with cat:
cat cloudflare_root.pem >> yourdomain-tld-cert.pem
Do not write it as cat yourdomain-tld-cert.pem cloudflare_root.pem > yourdomain-tld-cert.pem: the shell truncates the output file before cat reads it, so you would be left with only the root certificate. Your own certificate must come first in the file and the root second; appending as above preserves that order.
Install Your Origin Certificate With Nginx
Your Origin Certificate can now be installed in Nginx.
- To do so, edit your Nginx vhost (the site's configuration file, also when the server is managed by EasyEngine) and add the SSL/TLS directives below. Nginx directive names and parameters are lowercase; listen 443 SSL is rejected as an invalid parameter.
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl on;
ssl_certificate /etc/nginx/ssl/yourdomain-tld-cert.pem;
ssl_certificate_key /etc/nginx/ssl/yourdomain-tld-key.pem;
- If your server runs Nginx 1.15.0 or later, remove the line ssl on; it has been deprecated since 1.15.0 in favour of the ssl parameter on the listen lines, and Nginx 1.25.1 and later refuse to start with it.
- Then test and reload your Nginx configuration:
nginx -t && systemctl reload nginx
- Now that your Cloudflare Origin Certificate is installed on your server, change the SSL/TLS encryption mode in your Cloudflare dashboard to Full (strict), so that Cloudflare verifies your origin's certificate instead of accepting any certificate. Do this only after the certificate is live on the origin: with Full (strict) set against a missing or invalid origin certificate, Cloudflare answers visitors with error 526.
- If you want to force redirection from HTTP to HTTPS, enable the Always Use HTTPS and Automatic HTTPS Rewrites options in your Cloudflare dashboard.