Cloudflare Docs
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Origin CA certificates

Use Origin Certificate Authority (CA) certificates to encrypt traffic between Cloudflare and your origin web server and reduce origin bandwidth consumption. Once deployed, these certificates are compatible with Strict SSL mode.

For more background information on Origin CA certificates, refer to the introductory blog post.

​​ Availability




​​ Deploy an Origin CA certificate

​​ 1. Create an Origin CA certificate

To create an Origin CA certificate in the dashboard:

  1. Log in to the Cloudflare dashboard and select an account.
  2. Choose a domain.
  3. Go to SSL/TLS > Origin Server.
  4. Select Create Certificate.
  5. Choose either:
    • Generate private key and CSR with Cloudflare: Private key type can be RSA or ECC.
    • Use my private key and CSR: Paste the Certificate Signing Request into the text field.
  6. List the hostnames (including wildcards) the certificate should protect with SSL encryption. The zone apex and first level wildcard hostname are included by default.
  7. Choose a Certificate Validity period.
  8. Select Create.
  9. Choose the Key Format:
    • Servers using OpenSSL — like Apache and NGINX — generally expect PEM files (Base64-encoded ASCII), but also work with binary DER files.
    • Servers using Windows and Apache Tomcat require PKCS#7 (a .p7b file).
  10. Copy the signed Origin Certificate and Private Key into separate files. For security reasons, you cannot see the Private Key after you exit this screen.
  11. Select OK.

​​ 2. Install Origin CA certificate on origin server

To add an Origin CA certificate to your origin web server

  1. Upload the Origin CA certificate (created in Step 1) to your origin web server.
  2. Update your web server configuration:
  1. (Required for some) Upload the Cloudflare CA root certificate to your origin server. This can also be referred to as the certificate chain.
  2. Enable SSL and port 443 at your origin web server.

​​ 3. Change SSL/TLS mode

After you have installed the Origin CA certificate on your origin web server, update the SSL/TLS encryption mode for your application.

If all your origin hosts are protected by Origin CA certificates or publicly trusted certificates:

  1. Go to SSL/TLS.
  2. For SSL/TLS encryption mode, select Full (strict).

If you have origin hosts that are not protected by certificates, set the SSL/TLS encryption mode for a specific application to Full (strict) by using a Page Rule.

​​ Revoke an Origin CA certificate

If you misplace your key material or do not want a certificate to be trusted, you may want to revoke your certificate. You cannot undo this process.

To prevent visitors from seeing warnings about an insecure certificate, you may want to set your SSL/TLS encryption to Full or Flexible before revoking your certificate. Do this globally via the Cloudflare dashboard or for a specific hostname via a Page Rule.

To revoke a certificate:

  1. Log in to the Cloudflare dashboard and select an account.
  2. Choose a domain.
  3. Go to SSL/TLS > Origin Server.
  4. In Origin Certificates, choose a certificate.
  5. Select Revoke.

​​ Additional details

​​ Cloudflare Origin CA root certificate

Some origin web servers require upload of the Cloudflare Origin CA root certificate or certificate chain. Use the following links to download either an ECC or an RSA version and upload to your origin web server:

​​ Hostname and wildcard coverage

Certificates may be generated with up to 200 individual Subject Alternative Names (SANs). A SAN can take the form of a fully-qualified domain name ( or a wildcard (* You cannot use IP addresses as SANs on Cloudflare Origin CA certificates.

Wildcards may only cover one level, but can be used multiple times on the same certificate for broader coverage (for example, * and * may co-exist).

​​ API calls

To automate processes involving Origin CA certificates, use the following API calls with Origin CA Keys.

List certificatesGETcertificates?zone_id=<<ZONE_ID>>
Create certificatePOSTcertificates
Get certificateGETcertificates/<<ID>>
Revoke certificateDELETEcertificates/<<ID>>

​​ Troubleshooting

Site visitors may see untrusted certificate errors if you pause or disable Cloudflare on subdomains that use Origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.