Troubleshooting Cloudflare origin CA
Consider the following common issues and troubleshooting steps when using Cloudflare origin CA.
Site visitors may see untrusted certificate errors if you pause Cloudflare or disable proxying on subdomains that use Cloudflare origin CA certificates. These certificates only encrypt traffic between Cloudflare and your origin server, not traffic from client browsers to your origin.
This also means that SSL Labs or similar SSL validators are expected to flag the certificate as invalid.
- Make sure the proxy status of your DNS records and any page rules (if any exist) are set up correctly. If they are, try turning proxying off and then on again, and wait a few minutes.
- If you must have direct connections between clients and your origin server, consider installing a publicly trusted certificate at your origin instead. This is done outside of Cloudflare: issue the certificate directly from a certificate authority (CA) of your choice. You can still use Full (strict) encryption mode, as long as the CA is listed in the Cloudflare trust store.
Some origin web servers require that you upload the Cloudflare origin CA root certificate or certificate chain.
Use the following links to download either an ECC or an RSA version and upload it to your origin web server:
- Cloudflare Origin ECC PEM (do not use with Apache cPanel)
- Cloudflare Origin RSA PEM
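
To confirm that an untrusted-certificate error comes from clients reaching the origin directly, you can verify the served certificate against the public trust store and then against the Origin CA root downloaded above. The following is an added example, not Cloudflare's own tooling; the function names, the finding labels and the local path to the root PEM are assumptions.

```python
import socket
import ssl
import sys

def handshake_ok(host, ctx, port=443, timeout=5.0):
    """True if the served certificate verifies under ctx, False on a certificate error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False

def diagnose(public_ok, origin_ca_ok):
    """Map the two verification results to a finding label (labels are illustrative)."""
    if public_ok and not origin_ca_ok:
        return "public"      # publicly trusted certificate is being served
    if origin_ca_ok and not public_ok:
        return "origin-ca"   # Origin CA certificate is being served to the client
    if not public_ok and not origin_ca_ok:
        return "other"       # expired, hostname mismatch, self-signed, ...
    return "ambiguous"       # both verify: Origin CA root is also in the system store

ADVICE = {
    "public": "No Origin CA trust error expected for visitors.",
    "origin-ca": "Traffic reaches the origin directly: check the DNS record's proxy "
                 "status and page rules, or install a publicly trusted certificate.",
    "other": "Certificate fails under both trust stores: inspect expiry and hostnames.",
    "ambiguous": "Test from a machine without the Origin CA root in its trust store.",
}

def check(host, origin_root_pem):
    """Verify host against the system trust store, then against only the Origin CA root."""
    public_ctx = ssl.create_default_context()
    # Passing cafile makes the context trust only that file, not the system store.
    origin_ctx = ssl.create_default_context(cafile=origin_root_pem)
    return diagnose(handshake_ok(host, public_ctx), handshake_ok(host, origin_ctx))

if __name__ == "__main__":
    # usage: python check_origin_ca.py <hostname> <path-to-downloaded-origin-ca-root.pem>
    finding = check(sys.argv[1], sys.argv[2])
    print(f"{sys.argv[1]}: {finding}: {ADVICE[finding]}")
```

Run it from a client network rather than from the origin host, so the result reflects what visitors actually receive.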
Apache cPanel requires that you upload the Cloudflare origin CA root certificate or certificate chain.
Use the following link to download an RSA version of the root certificate and upload it to your origin web server: