An SSL/TLS certificate is what enables websites and applications to establish secure connections. With SSL/TLS, a client - such as a browser - can verify the authenticity and integrity of the server it is connecting to, and use encryption to exchange information.
Since is at the core of several products and services that Cloudflare offers, what this implies in terms of SSL/TLS is that, instead of only one certificate, there can actually be two certificates involved in a single request: an edge certificate and an origin certificate.
Origin certificates guarantee the security and authentication on the other side of the network, between Cloudflare and the origin server of your website or application. Origin certificates are managed on your origin server.
One common aspect of every SSL/TLS certificate is that it must have a fixed expiration date. If a certificate has expired, clients - such as your visitor’s browser - will consider that a secure connection cannot be established, resulting in warnings or errors.
Certificate authority (CA)
A certificate authority (CA) is a trusted third party that generates and issues SSL/TLS certificates. The CA digitally signs the certificates with its own private key, allowing client devices - such as your visitor’s browser - to verify that the certificate is trustworthy.
SSL/TLS certificates vary in terms of the level to which a CA has validated them. As explained in the article about , SSL/TLS certificates can be DV (Domain Validated), OV (Organization Validated) or EV (Extended Validation).
When visitors request content from your website or application, Cloudflare first attempts to . If this attempt fails, Cloudflare sends a request back to your origin web server to get the content. This request between Cloudflare and your origin web server is called origin pull.
This relates to the difference between and , and also explains why some specifications such as can be set differently depending on whether they refer to the connection between Cloudflare and your visitor’s browser or between Cloudflare and your origin server.
Besides the authentication and integrity aspects that valid certificates guarantee, the other important aspect of SSL/TLS certificates is encryption. Cipher suites determine the set of algorithms that can be used for encryption/decryption and that will be negotiated during an .
The list of and intermediate certificates that are trusted by operating systems, web browsers or other software that interacts with SSL/TLS certificates is called a trust store. Cloudflare maintains its trust store on a public .
While in most cases you do not have to worry about this list or how it is used when a client checks your SSL/TLS certificate, some features such as , and processes such as , are directly related to it.
Chain of trust
Depending on your organization’s requirements, or when troubleshooting an issue with your certificates, for example, you might come across the terms root certificate, intermediate certificate and leaf certificate.
These terms refer to the way in which the certificate presented to a client - the leaf certificate - has to be traceable back to a trusted certificate authority (CA) certificate - the root certificate. This process is structured around a chain of trust.
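The chain of trust and the expiration check described above, as an added example that is not part of the Cloudflare documentation: the script below uses the openssl CLI (assumed to be installed) to build a constructed root → intermediate → leaf chain, then shows that a client holding only the root in its trust store can validate the leaf only when the intermediate is also supplied, and how the leaf's expiration date is checked. All names and files are made up for the example.

```shell
#!/bin/sh
# Added example (not Cloudflare's code): a three-level chain built with openssl.
# Assumes the openssl CLI is available; every name and file here is constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed root CA: this is the certificate a client keeps in its trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root CA" \
  -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA, signed by the root. It must be marked CA:TRUE to sign leaves.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 180 -extfile int.ext -out int.pem 2>/dev/null

# Leaf certificate for the server, signed by the intermediate, valid for 90 days.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 90 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Exit 0 when the leaf ($3) chains back to the trusted root ($1).
# $2 is a file of untrusted intermediates the server would send, or "" for none.
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

# Exit 0 when certificate $1 is still valid $2 seconds from now (the expiry check
# a client performs before trusting a leaf).
not_expiring_within() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}
```

Running `verify_chain root.pem "" leaf.pem` fails with "unable to get local issuer certificate": the root alone cannot vouch for the leaf, which is exactly why a server must send its intermediate certificates along with the leaf.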