Using Cloudflare Origin Certificates with your Cloudways-hosted website allows you to secure the connection between Cloudflare and your origin server without relying on third-party SSL providers.
These certificates are specifically designed for Cloudflare-proxied domains and help you maintain end-to-end encryption while improving site performance and security.
In this guide, you’ll learn how to configure a Cloudflare Origin Certificate on Cloudways by generating the certificate from your Cloudflare dashboard and installing it using the Custom SSL feature on the Cloudways Platform.
Table of Contents:
Important Announcement for Cloudflare Enterprise Users
If you have integrated Cloudflare Enterprise with your application, you don't need to install the Cloudflare Origin certificate. This article is only for those customers who are not using the Cloudflare Enterprise add-on.
How to Configure Cloudflare Origin Certificate?
Cloudflare is a widely used Web Application Firewall (WAF) and reverse proxy service that sits between your website visitors and your server.
By updating your domain’s nameservers to Cloudflare and routing traffic through it, you gain faster DNS resolution, enhanced security, and server identity masking.
This setup helps block malicious traffic before it reaches your origin server. However, keep in mind that if Cloudflare experiences issues, your site’s availability may also be affected.
Why Choose Cloudflare Origin Certificate
In addition to its DNS management and Content Delivery Network (CDN) services, Cloudflare also offers free SSL/TLS certificates—including the Cloudflare Origin Certificate.
This certificate is specifically designed to secure the connection between your Cloudways server (origin) and Cloudflare’s proxy servers, enabling authenticated origin pull requests.
By using a Cloudflare Origin Certificate, you ensure end-to-end encryption, including the path between Cloudflare and your origin server—adding an extra layer of protection beyond standard HTTPS.
Cloudflare provides this service free of cost with the option to set the certificate validity for up to 15 years, reducing the need for frequent renewals.
What is Authenticated Origin Pull
Authenticated Origin Pulls allow your origin server to verify that incoming traffic is genuinely from Cloudflare—not from malicious sources trying to bypass it.
Cloudflare does this by using TLS client certificate authentication. When Cloudflare connects to your origin server, it presents a unique client certificate, and your server checks its validity.
This ensures that only Cloudflare can access your origin over HTTPS, blocking all direct requests that don’t come through Cloudflare.
This is especially useful when you're relying on Cloudflare’s Web Application Firewall (WAF) to filter and protect incoming traffic.
Disadvantages of Using the Cloudflare Origin Certificate
The Cloudflare Origin Certificate only works when your traffic is routed through Cloudflare’s proxy.
If you disable or stop using Cloudflare on your site, the certificate becomes invalid, and your site will no longer have a valid SSL connection.
In such cases, you can easily switch to the Free Let’s Encrypt SSL Certificate available on the Cloudways Platform, which works independently of Cloudflare.
Alternatively, if you prefer not to rely on Cloudflare from the start, you can choose Let’s Encrypt as your SSL solution right away.
Tips:
Let’s Encrypt SSL Certificate can be deployed effortlessly using the Cloudways Platform.
It can be set up to renew automatically before the expiry. You can also renew it manually.
How to Configure Cloudflare Origin Certificate
The Cloudflare Origin CA lets you generate a free SSL/TLS certificate signed by Cloudflare to install on your Cloudways server.
To configure the Cloudflare Origin Certificate, you need a CSR first, which can be easily generated from any third-party website like CSRGenerator.
Note:
CSR refers to Certificate Signing Request, and it is a small file in which you provide information about the certificate to be created. CSR is required at the time of purchasing/generating an SSL certificate by the Certification Authority.
Prerequisites
Following are a few prerequisites for completing this tutorial:
A Cloudflare account.
The desired domain should be added to your Cloudflare account.
Your website should be live, and DNS records should be hosted over Cloudflare.
Step #1 — Generate CSR:
First of all, you need to generate a CSR; We recommend using a third-party service called CSRGenerator and download the files.
Step #2 — Generating Cloudflare Origin Certificate:
Next, log in to your Cloudflare account and choose your target domain.
Navigate to SSL/TLS.
Select Full mode.
4. Switch to the Origin Server tab.
5. Click Create Certificate.
6. Here, select “I have my own private key and CSR”.
7. Paste the entire content of your CSR file.
8. Now, list those domains you want your origin certificate to protect, just like you input at the time of CSR generation.
9. Choose the Certificate Validity period. The shorter validity period may sound inconvenient as you need to re-issue the certificate by following the same process, but it has its benefits as well.
The certificate ecosystem keeps changing due to many new emerging threats; a shorter validity certificate can put Certificate Authority (CA) and you as a site owner ahead of those threats in case any vulnerability comes up.
Secondly, the shorter validity certificates put you in the practice of updating the cryptographic keys and minimizing the potential impact of a single key compromise.
10. Click Next.
Step #3 — Deploying Certificate:
Your Cloudflare Origin Certificate is successfully issued. Now, you need to deploy it on your application.
1. Copy your entire origin certificate, as shown below.
2. Move back to the Cloudways Platform and click Install Certificate.
3. Now, paste your entire certificate content.
4. Also, paste the same certificate content entirely in CA Chain.
5. Finally, hit Submit.
Your SSL certificate should be deployed in a few minutes. Please be advised that this certificate is renewed/revoked at Cloudflare’s end.
Step #4 — Forcing HTTPS Redirection
Now, you will see a dialog box prompting you to force HTTPS redirection if you have not forced it through the Cloudways Platform previously.
Important:
Skip forcing HTTPS redirection from the Cloudways Platform if you have:
Implemented HTTPS redirection via Cloudflare or using any application-level plugin.
Modifying the .htaccess file of your application.
Multiple redirections will cause your website to run into redirection loops. But, if you want to force HTTPS redirection from the Cloudways Platform, then you need to disable any redirection mechanism working elsewhere first.
So, choose to Enable HTTPS or simply skip it by clicking Not Now. Please note that you can also force HTTPS redirection later as well.
Step #5 — Enabling Authenticated Origin Pulls
1. Go back to your Cloudflare dashboard (the same section where you generated your certificate) and toggle on the Authenticated Origin Pulls.
2. Switch to the Overview tab.
3. Finally, choose Full (strict).
You have successfully configured the Cloudflare Origin Certificate on your web application. Let’s move to the next step of verifying the SSL Certificate to ensure that it is properly configured.
Note:
The installed certificate is only trusted by Cloudflare and should be used with the configured server actively connected to Cloudflare. If you disable/pause Cloudflare protection or remove proxied DNS records, it will become an untrusted certificate, and internet browsers will generate unwanted warnings.
Verifying SSL Certificate
After installing your SSL certificate, it’s important to verify that it’s correctly configured. Misconfigured SSL certificates can lead to browser warnings, broken
HTTPS, and a poor user experience for your visitors. To help you confirm that your certificate is working as expected, we’ve created a step-by-step guide you can follow. Click here for the self-explanatory guide.
Secure your site with Cloudflare Origin Certificate on Cloudways. Configure it now for enhanced protection! Protect Your Site with Cloudflare.
That’s it! We hope this article was helpful.
Need Help?
If you need assistance, feel free to:
Visit the Cloudways Support Center
Chat with us: Need a Hand > Send us a Message
Or create a support ticket anytime.
We're here 24/7 to help you!