Uploading a Custom SSL Certificate to Cloudflare
Thomas Wilson
Cloudflare sits between visitors and your server, which means an SSL Certificate can live in two distinct places, at the Cloudflare edge facing visitors and on your origin server facing Cloudflare. Understanding which one you are installing decides the entire procedure, so this guide covers both, starting with the distinction itself.
Edge and Origin Explained
The edge SSL Certificate is what browsers see. Cloudflare provides a shared one automatically on every plan, and replacing it with your own custom SSL Certificate is the upload procedure most people search for.
The origin SSL Certificate secures the second leg, the connection from Cloudflare back to your server. Installing a publicly trusted SSL Certificate on the origin works on every plan and is what unlocks the strictest security mode.
Important: Uploading a custom SSL Certificate to the Cloudflare edge requires a Business or Enterprise plan. Free and Pro zones cannot replace the Cloudflare issued edge SSL Certificate, and on those plans your own SSL Certificate belongs on the origin server instead.
With the distinction clear, the upload procedure comes first.
Uploading the Custom Edge SSL Certificate
You need your issued SSL Certificate, the ca-bundle of Intermediate Certificates from the Certificate Authority (CA), and your Private Key, with the first two available in the tracking system.
Concatenate the SSL Certificate and ca-bundle into one block with your own SSL Certificate first, since Cloudflare reads the chain from the same paste field.
In the Cloudflare dashboard, select the zone and open the section governing Transport Layer Security (TLS) behavior, labeled SSL/TLS, then go to Edge Certificates. Choose the upload option for a custom SSL Certificate, paste the combined block into the SSL Certificate field and the Private Key into its own field, and save.
Leave the bundle method on its default unless you have a specific compatibility need, and allow a few minutes for the upload to propagate across the Cloudflare network. Visitors then receive your SSL Certificate at the edge worldwide.
Securing the Origin Connection
Install your SSL Certificate on the origin server using the guide for your platform, whether that is NGINX, Apache, Internet Information Services (IIS), or anything else terminating HTTPS behind Cloudflare.
Then return to the SSL/TLS section and set the encryption mode to Full (strict). This mode makes Cloudflare validate the origin SSL Certificate on every connection, closing the gap that the weaker modes leave open between Cloudflare and your server.
A publicly trusted SSL Certificate on the origin also keeps the site fully secure if Cloudflare is ever paused or removed, since visitors then connect to the origin directly.
Verifying the Installation
Browse to the site and confirm which SSL Certificate the browser receives, remembering that with Cloudflare proxying enabled this is always the edge SSL Certificate. An external scan confirms the chain reaches fresh clients complete. Trustico® provides free checking tools for this confirmation.
To verify the origin side, temporarily grey-cloud the Domain Name System (DNS) record (switch it to DNS only so traffic bypasses the proxy) or test the origin address directly, confirming the origin serves its own valid SSL Certificate before relying on Full (strict) mode.
Troubleshooting Common Installation Problems
An upload rejected over a key mismatch means the Private Key does not pair with the SSL Certificate, usually because the Certificate Signing Request (CSR) was regenerated after submission. A reissue against the current CSR resolves it.
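A pre-upload check for the edge procedure and the key mismatch described above, as an added example that is not part of the original guide or Cloudflare's tooling: it builds the combined block with your own SSL Certificate first and confirms that the first certificate in it pairs with the Private Key. File and function names are assumptions, and the sample CA and certificate are constructed throwaway material.

```shell
#!/bin/sh
# Added example: checks to run before pasting into the Cloudflare upload form.
# File names are assumptions; all sample material below is constructed.

# Write the leaf certificate first, then the ca-bundle. Re-emitting the leaf
# through openssl guarantees a clean PEM block with a trailing newline.
build_edge_bundle() {  # <leaf.crt> <ca-bundle.crt> <out.pem>
  openssl x509 -in "$1" > "$3" && cat "$2" >> "$3"
}

# openssl x509 reads only the FIRST certificate in a file, so this fails both
# when the key is the wrong one and when the chain was pasted before the leaf.
first_cert_matches_key() {  # <combined.pem> <private.key>
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

preflight_edge_upload() {  # <combined.pem> <private.key>
  n=$(grep -c 'BEGIN CERTIFICATE' "$1" || true)
  [ "${n:-0}" -ge 2 ] || { echo "FAIL: no intermediates in block" >&2; return 1; }
  first_cert_matches_key "$1" "$2" ||
    { echo "FAIL: first certificate does not pair with key" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: leaf certificate has expired" >&2; return 1; }
  echo "OK: $n certificates, leaf first, key pairs"
}

# Constructed sample: a throwaway self-signed CA stands in for the ca-bundle.
make_constructed_samples() {  # <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed CA" \
    -keyout "$1/ca.key" -out "$1/ca-bundle.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca-bundle.crt" \
    -CAkey "$1/ca.key" -set_serial 2 -days 1 -out "$1/leaf.crt" 2>/dev/null
}
```

Source the file, run `build_edge_bundle` on your issued files, then `preflight_edge_upload` on the result and your Private Key; a non-zero exit means the block would be rejected or served incomplete.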
Error 526 appearing after enabling Full (strict) means Cloudflare cannot validate the origin SSL Certificate, because it is expired, self-signed, or does not cover the hostname. Correct the origin installation rather than weakening the mode.
If visitors still see the previous edge SSL Certificate after upload, propagation is usually still in progress. Persistent staleness beyond that points at a second SSL Certificate entry taking priority for the hostname, so review the Edge Certificates list for overlaps.
Professional Installation Assistance
Cloudflare setups involve two installations and an encryption mode decision, and getting all three aligned is where help pays off.
Trustico® offers a Premium Installation service where our technicians complete the installation on your behalf.