
How to use Cloudflare SSL Origin Certificates with Nginx


With Cloudflare you can generate an origin certificate: a free TLS certificate signed by Cloudflare that you install on your web server to secure the connection between your server and the Cloudflare proxy servers. The main features of Cloudflare origin certificates are the validity period, which can be set to up to 15 years, and the ability to cover all your subdomains with a wildcard *.yourdomain.com.

Create your origin certificate

First, go to your Cloudflare dashboard and, in the Crypto section, click on Create Certificate.

[Screenshot: create origin TLS certificate]

You can let Cloudflare generate a private key for you; click on Next to generate your certificate.

[Screenshot: Cloudflare SSL/TLS dashboard]

Cloudflare will display your private key and your origin certificate.

Copy your private key into a file named yourdomain-pvkey.pem and your origin certificate into another file named yourdomain-origin.pem. Save the private key now: Cloudflare will not display it again. You can create a folder /etc/nginx/ssl on your server to hold the origin certificate files.
Once you have uploaded both files to your ssl folder, download the Cloudflare Origin CA root certificate:

    wget https://support.cloudflare.com/hc/en-us/article_attachments/206709108/cloudflare_origin_rsa.pem

Then merge your origin certificate and the Cloudflare root CA into a single file:

    cat yourdomain-origin.pem cloudflare_origin_rsa.pem > yourdomain-crt.pem
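Before handing these files to Nginx it is worth checking them: that the saved private key really belongs to the certificate Cloudflare issued, that the certificate verifies against the downloaded Cloudflare root (and not against the system trust store, which does not know Cloudflare's private origin CA, which is also why browsers never see this certificate directly), that the combined file has the server certificate first, and that the key is readable only by root. The script below is an added example, not part of the original article; it assumes the openssl command-line tool is installed and uses the file names from the steps above (any other names, such as the script name, are placeholders).

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check the origin
# certificate files before configuring Nginx. Assumes the openssl CLI and the
# article's file names: yourdomain-pvkey.pem, yourdomain-origin.pem,
# cloudflare_origin_rsa.pem and the combined yourdomain-crt.pem.

# 1. The private key must belong to the certificate. Derive the public key
#    (SubjectPublicKeyInfo) from both and compare; a mismatch means the wrong
#    key was saved and Nginx will refuse to load the pair.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# 2. The origin certificate is signed by Cloudflare's private origin CA, which
#    the system trust store does not contain. Verify it explicitly against the
#    downloaded root instead of relying on the default store.
cert_chains_to_root() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 3. Build the file Nginx serves. Order matters: server certificate first,
#    then the issuing CA. "awk 1" prints every line and guarantees a newline
#    between the two PEM blocks even if the first file lacks a trailing one.
build_chain() {
    leaf=$1; root=$2; out=$3
    awk 1 "$leaf" "$root" > "$out" || return 1
    # openssl x509 reads the first certificate only, so this confirms ordering.
    [ "$(openssl x509 -in "$out" -noout -subject)" = \
      "$(openssl x509 -in "$leaf" -noout -subject)" ] || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$out")" -ge 2 ]
}

# 4. The private key is the only secret here. Nginx's master process reads it
#    as root, so no other user needs access.
lock_down_key() {
    chmod 600 "$1" && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Run every check; usage: ./check-origin-cert.sh KEY ORIGIN_CERT ROOT_CA CHAIN_OUT
check_origin_cert() {
    key_matches_cert "$1" "$2"    || { echo "key does not match certificate" >&2; return 1; }
    cert_chains_to_root "$2" "$3" || { echo "certificate not signed by the root CA" >&2; return 1; }
    build_chain "$2" "$3" "$4"    || { echo "could not build chain file" >&2; return 1; }
    lock_down_key "$1"            || { echo "could not restrict key permissions" >&2; return 1; }
    echo "ok: use $4 for ssl_certificate and $1 for ssl_certificate_key"
}

if [ $# -eq 4 ]; then
    check_origin_cert "$@"
fi
```

Run it as check-origin-cert.sh /etc/nginx/ssl/yourdomain-pvkey.pem yourdomain-origin.pem cloudflare_origin_rsa.pem /etc/nginx/ssl/yourdomain-crt.pem; a non-zero exit with a message on stderr tells you which of the four checks failed, and the same checks are a useful first step when Cloudflare later reports an origin TLS error after a certificate rotation.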

Install your origin certificate with Nginx

Your origin certificate can now be installed in Nginx. Create a file /var/www/yourdomain.tld/conf/nginx/ssl.conf with the following content:

    # Included from the server block for yourdomain.tld. The "ssl" parameter on
    # listen enables TLS; the separate "ssl on;" directive is deprecated and is
    # not needed alongside it.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate     /etc/nginx/ssl/yourdomain-crt.pem;
    ssl_certificate_key /etc/nginx/ssl/yourdomain-pvkey.pem;

Check and reload your Nginx configuration with nginx -t && service nginx reload.
Your Cloudflare origin certificate is now installed on your server, so you can change the SSL setting to Full (strict) in your Cloudflare dashboard.

If you want to redirect HTTP to HTTPS, create a file force-ssl-yourdomain.conf in /etc/nginx/conf.d/ with this server block:

    server {
        listen 80;
        listen [::]:80;
        server_name yourdomain.com www.yourdomain.com;
        return 301 https://yourdomain.com$request_uri;
    }
