Cloudflare SSL: Things you should know

January 12, 2019

Cloudflare SSL is pretty tricky/confusing, so do take note of the following:

If your origin server is not set up with SSL, you can use something called Flexible SSL (free), which secures the connection between Cloudflare and the user, but the connection between Cloudflare and your server is not secured.

If your origin server is secured with SSL (e.g. Let’s Encrypt or Cloudflare Origin CA), use Full SSL (Strict). The connection between your server and Cloudflare is secured using your SSL certificate, and the connection between Cloudflare and the user is secured using Cloudflare’s SSL certificate.

I have a certificate installed on my server, why am I seeing a Cloudflare certificate?

When you use Cloudflare, we must decrypt the data at our edge in order to cache it and filter out any bad traffic. Depending on the SSL setting chosen from the options above (Full vs. Flexible), we may re-encrypt it or send it as plain text. Since each certificate needs a dedicated IP address, we add your domain name and a wildcard (*.domain.com) entry to the SAN (Subject Alternative Name) of the certificate.

I want Cloudflare to show my certificate when a client visits, how can I do that?

This is a premium feature available to our Business and Enterprise customers. For details, visit this guide.

By default, Cloudflare’s SSL certificate is shown to the user (not the certificate on your origin server). The free certificate (Cloudflare Universal SSL certificate) is shared among 50 domains. You can purchase a Dedicated SSL certificate for $5/month. If you want to use your own certificate, you need a Business/Enterprise plan (from $200 per month).

NOTE: The Cloudflare SSL certificate setup feels like an artificial limitation to promote upgrades.

Cloudflare SSL options

Flexible SSL

SSL is terminated at the Cloudflare edge servers. Everything between your client and Cloudflare is encrypted, but traffic between Cloudflare and your origin server is not encrypted. You do not need a certificate installed on your origin server at all.

SSL Full

SSL is terminated at the Cloudflare edge server, then encrypted again and sent on to your origin server. You need an SSL certificate installed directly on your server; a self-signed certificate is acceptable in this mode.

SSL Full (Strict)

Same as SSL Full, but you must have a trusted certificate signed by a valid Certificate Authority (such as GlobalSign or DigiCert).

Custom SSL (Business/Enterprise ONLY)

Customers are able to upload their own SSL key and certificate, so CloudFlare’s name will not show if a visitor checks the certificate.
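The three modes above differ only in what happens on the Cloudflare-to-origin leg, and the SAN paragraph above says the Universal certificate carries other customers' names alongside yours. The script below is an added example for this post (not Cloudflare's tooling and not code from the original) that checks both points from the outside: it probes an origin directly and reports whether it can only support Flexible (no TLS listener), plain Full (TLS, but the certificate does not validate, e.g. self-signed) or Full (Strict) (a certificate a default trust store accepts), and it lists the SAN entries on an edge certificate that do not belong to your own domain. Assumptions: the origin is reachable directly (by IP or an unproxied hostname) on port 443, and the name you pass as `server_name` is the one you expect on its certificate; `start_plaintext_stub` is a constructed stand-in for a plain-HTTP origin so the Flexible-only path can be exercised offline.

```python
"""Probe which Cloudflare SSL mode an origin can safely support, and list the
SAN entries on an edge certificate.

Added example for this post, not Cloudflare's own tooling. Assumptions: the
origin is reachable directly (by IP or an unproxied hostname) on port 443, and
the name you expect on its certificate is the one you pass as server_name.
"""
import socket
import ssl
import sys
import threading

# Outcomes of probing the origin, mapped to the modes the post describes.
FLEXIBLE_ONLY = "flexible-only"      # origin speaks no TLS: only Flexible works
FULL_ONLY = "full-only"              # TLS is up, but the cert does not validate
FULL_STRICT_OK = "full-strict-ok"    # TLS with a cert a default trust store accepts


def _handshake(host, port, ctx, server_name, timeout):
    """Open a TCP connection and complete a TLS handshake with the given context."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert()


def classify_origin_tls(host, port=443, server_name=None, timeout=5.0):
    """Return FLEXIBLE_ONLY, FULL_ONLY or FULL_STRICT_OK for the origin at host:port.

    Full (Strict) is modelled by a default context, which checks the chain and the
    hostname; plain Full is modelled by a context with verification switched off.
    """
    server_name = server_name or host
    try:
        _handshake(host, port, ssl.create_default_context(), server_name, timeout)
        return FULL_STRICT_OK
    except ssl.SSLCertVerificationError:
        return FULL_ONLY          # handshake reached the cert, but it failed validation
    except (ssl.SSLError, ConnectionResetError):
        pass                      # handshake itself failed; confirm below
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        _handshake(host, port, ctx, server_name, timeout)
        return FULL_ONLY          # accepted only once validation was disabled
    except (ssl.SSLError, ConnectionResetError):
        return FLEXIBLE_ONLY      # no TLS listener at all on this port


def edge_cert(host, port=443, timeout=5.0):
    """Fetch the certificate the Cloudflare edge presents for host (network call)."""
    return _handshake(host, port, ssl.create_default_context(), host, timeout)


def san_names(cert):
    """DNS names from a certificate dict in the shape ssl.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def foreign_san_names(cert, my_domain):
    """SAN entries that do not belong to my_domain: the other tenants on a shared
    Universal SSL certificate, if the edge is presenting one."""
    def mine(name):
        return name == my_domain or name == "*." + my_domain or name.endswith("." + my_domain)
    return [n for n in san_names(cert) if not mine(n)]


def start_plaintext_stub(connections=2):
    """Constructed stand-in for an origin that only speaks plain HTTP on the probed
    port (the Flexible-only case). Serves `connections` accepts on a daemon thread
    and returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(connections)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(connections):
            conn, _addr = srv.accept()
            try:
                conn.settimeout(5)
                conn.recv(4096)   # the TLS ClientHello arrives as opaque bytes
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
            except OSError:
                pass
            finally:
                conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # With no arguments, probe the constructed plaintext stub; otherwise probe
    # the origin given as host [port].
    origin = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else start_plaintext_stub()
    print(origin, port, "->", classify_origin_tls(origin, port))
```

Run it as `python probe.py origin-ip-or-host 443` (the file name is whatever you save it as) before switching the dashboard setting: a result of `full-only` means plain Full would connect but nothing on that leg is authenticating the origin, and `flexible-only` means the leg would be plain text whatever the visitor sees in the browser. `foreign_san_names(edge_cert("yourdomain.example"), "yourdomain.example")` on the proxied hostname shows the other names on a shared Universal certificate, which is what the SAN paragraph above describes.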

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.