Troubleshooting Cloudflare origin CA
Consider the following common issues and troubleshooting steps when using Cloudflare origin CA.
Site visitors may see untrusted certificate errors if you pause Cloudflare or disable proxying on subdomains that use Cloudflare origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.
This also means that SSL Labs or similar SSL validators are expected to flag the certificate as invalid.
- Make sure the proxy status of your DNS records and any page rules (if existing) are set up correctly. If so, you can try to turn proxying off and then on again and wait a few minutes.
- If you must have direct connections between clients and your origin server, consider installing a publicly trusted certificate at your origin instead. This process is done outside of Cloudflare, where you should issue the certificate directly from a certificate authority (CA) of your choice. You can still use Full (strict) encryption mode, as long as the CA is listed on the Cloudflare trust store ↗.
Some origin web servers require that you upload the Cloudflare origin CA root certificate or certificate chain.
Use the following links to download either an ECC or an RSA version and upload to your origin web server:
- Cloudflare Origin ECC PEM (do not use with Apache cPanel)
- Cloudflare Origin RSA PEM
Apache cPanel requires that you upload the Cloudflare origin CA root certificate or certificate chain.
Use the following link to download an RSA version of the root certificate and upload it to your origin web server:
When trying to generate an Origin CA on the dashboard, you find the error Failed to validate requested hostname <hostname>: This zone is either not part of your account, or you do not have access to it.
This is a known issue where, whilst being created on the Cloudflare dashboard, Origin CA requires API access for the user creating the origin certificate. If the user does not have API Access, this error is returned.
Make sure that the user creating the certificate has access to the API. You can check under Account Home > Manage Account > Members:
- The default setting for the account is specified in the card Enable API Access.
- Specific user API Access (which can override the default setting) is presented after selecting the user in the list of members.
This is a known issue where, when the Origin Server page is opened for different zones in sequence, it displays the certificates from the first zone.
Refresh the page in your browser to get the correct origin certificates list for current zone.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark