Quick Answer: Why Can Cloudflare Issue a 15-Year SSL Certificate?
Cloudflare Origin Certificates can be valid for up to 15 years because they are issued by Cloudflare's own private Certificate Authority — not a publicly trusted CA like Let's Encrypt. They are only valid in one specific scenario: the traffic must pass through Cloudflare's proxy (the orange cloud in DNS settings). Direct access to your server IP bypasses this trust chain entirely.
- Private CA, not public trust — Cloudflare's root CA is not in browser trust stores. Browsers do not trust it directly.
- Orange cloud required — Cloudflare only presents this cert to its own edge nodes, never to end users' browsers. The browser sees Cloudflare's edge certificate instead.
- 15 years = less renewal friction — Since the cert is private and expires server-side, long validity periods eliminate renewal operations without reducing security.
- Full Strict mode required — If you set Cloudflare SSL mode to anything other than Full (Strict), the origin certificate does not actually validate the origin-to-Cloudflare leg.
- Does not replace Let's Encrypt for all scenarios — If you ever disable the Cloudflare proxy, visitors will see a certificate error.
How Cloudflare Origin CA Differs from Let's Encrypt
To understand the 15-year validity question, you need to understand the trust model difference:
Public CA vs Private CA
Let's Encrypt is a publicly trusted CA. Its root certificate is included in every major browser and operating system. When a browser connects to your server and receives a Let's Encrypt certificate, it can validate the chain back to a trusted root without any intermediary. This is why Let's Encrypt certificates work for direct server access.
Cloudflare Origin CA is a private CA. Its root is not in browser trust stores. Browsers encountering a raw Cloudflare Origin Certificate would show a security warning — "Your connection is not private." This is intentional. Origin certificates are not for browser connections. They are for the Cloudflare-edge-to-your-origin leg of the connection.
The Two-Leg Model
When Cloudflare proxies a request, two separate TLS connections happen:
- Browser to Cloudflare edge: Cloudflare presents its own publicly trusted certificate (managed by Cloudflare, renewed automatically).
- Cloudflare edge to your origin server: This is where your Origin Certificate is used. Cloudflare knows and trusts its own CA, so this leg is fully encrypted and validated.
The end user's browser never sees your origin certificate. It only sees Cloudflare's edge certificate. This separation is why a private CA works here — the only party that needs to trust it is Cloudflare itself.
Root Chain Comparison
| Property | Let's Encrypt | Cloudflare Origin CA |
|---|---|---|
| Publicly trusted | Yes (in all browsers) | No (private CA) |
| Works for direct server access | Yes | No (cert error) |
| Max validity | 90 days | 15 years |
| Requires proxy | No | Yes (orange cloud) |
| Renewal requirement | Every 60-90 days | Every 1-15 years |
| Free | Yes | Yes |
| Revocation by | Let's Encrypt (ACME) | Cloudflare dashboard |
Why 15 Years Is Safe in This Context
The concern with long-lived certificates in public PKI is key compromise: if a certificate's private key is stolen and the cert is valid for 15 years, an attacker can use it for 15 years unless you revoke it. Short-lived certs (90 days) limit the exposure window.
Cloudflare Origin Certificates have a different risk profile:
- Not used in public trust chains: Even if someone obtains your origin certificate's private key, they cannot use it to impersonate your domain in a browser — because browsers do not trust Cloudflare's private CA. The certificate is useless for phishing or MITM attacks on end users.
- Only meaningful between Cloudflare and your server: An attacker would need to be positioned between Cloudflare's edge and your origin server, which is a significantly harder position to occupy than a simple passive network observer.
- Revocable on demand: You can revoke and reissue from the Cloudflare dashboard at any time. Unlike Let's Encrypt where revocation has caching issues in browsers, origin certificate revocation takes effect at Cloudflare's edge quickly.
The 15-year option is offered for operational convenience. Some infrastructure teams avoid frequent cert renewals because automation is not in place or because cert rotation requires downtime windows. A 15-year cert eliminates that friction. For most setups, 1 year is a reasonable choice — long enough to minimize renewal overhead, short enough that you review your Cloudflare configuration annually.
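The two-leg trust model and the risk argument above, as an added example that is not from the original article or from Cloudflare: a constructed private root standing in for Cloudflare's Origin CA signs a 15-year certificate for example.com, then the certificate is verified against that root (what Cloudflare's edge does) and against the OS trust store (what a browser does on direct access). The CA name, serial numbers, hostnames and the `OriginCADemo` helper are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mustCert signs tmpl with signer (the parent's private key) and parses the resulting DER.
func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// OriginCADemo builds a constructed private root (stand-in for Cloudflare's Origin CA) and a
// 15-year certificate for example.com, then verifies it as each leg of the connection would.
func OriginCADemo(host string) (edgeTrusts, browserRejects bool, years int) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the key the dashboard shows once
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Origin CA"},
		NotBefore: now, NotAfter: now.AddDate(20, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := mustCert(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed private root
	leaf := mustCert(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.com"},
		DNSNames: []string{"example.com", "*.example.com"}, // hostnames entered at issuance
		NotBefore: now, NotAfter: now.AddDate(15, 0, 0),   // the 15-year validity option
	}, ca, &leafKey.PublicKey, caKey)
	// Leg 2 (Cloudflare edge -> origin): the edge trusts only its own private root.
	edge := x509.NewCertPool()
	edge.AddCert(ca)
	_, edgeErr := leaf.Verify(x509.VerifyOptions{Roots: edge, DNSName: host})
	// Direct access: Roots == nil means the OS trust store, which does not contain the private root.
	_, browserErr := leaf.Verify(x509.VerifyOptions{DNSName: host})
	return edgeErr == nil, browserErr != nil, leaf.NotAfter.Year() - leaf.NotBefore.Year()
}
```

The same certificate is valid for the edge and rejected by the browser; only the trust store differs, which is the whole reason a 15-year private cert does not widen public exposure.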
Step-by-Step: Issue and Install a Cloudflare Origin Certificate
Step 1: Enable Cloudflare Proxy
In your Cloudflare DNS dashboard, the A or AAAA record for your domain must show the orange cloud icon (Proxied), not the gray cloud (DNS Only). Without this, Cloudflare is not in the request path and the origin certificate is irrelevant.
Step 2: Issue the Origin Certificate
In the Cloudflare dashboard:
- Go to your domain
- Click SSL/TLS in the left sidebar
- Click Origin Server
- Click Create Certificate
- Choose key type (RSA 2048 or ECDSA P-256 — ECDSA is faster and preferred)
- Add your hostnames (e.g., example.com and *.example.com)
- Set validity period (15 years for maximum operational convenience, 1 year for better hygiene)
- Click Create
Cloudflare will show you two things you must copy immediately:
- Origin Certificate (the public cert, PEM format) — save as cloudflare-origin.pem
- Private Key (shown only once, never stored by Cloudflare) — save as cloudflare-origin-key.pem
Step 3: Install on nginx
```nginx
server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # Cloudflare Origin Certificate and the private key shown once at issuance
    ssl_certificate     /etc/ssl/cloudflare/cloudflare-origin.pem;
    ssl_certificate_key /etc/ssl/cloudflare/cloudflare-origin-key.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    # ... your server config
}
```

```bash
# Upload the certificate and key, then restrict the key so only root can read it
sudo mkdir -p /etc/ssl/cloudflare
sudo cp cloudflare-origin.pem /etc/ssl/cloudflare/
sudo cp cloudflare-origin-key.pem /etc/ssl/cloudflare/
sudo chmod 600 /etc/ssl/cloudflare/cloudflare-origin-key.pem
# Validate the configuration before reloading so a typo does not take the site down
sudo nginx -t && sudo nginx -s reload
```
Step 4: Install on Apache
```apache
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
    # Cloudflare Origin Certificate and its private key (mod_ssl must be enabled)
    SSLCertificateFile /etc/ssl/cloudflare/cloudflare-origin.pem
    SSLCertificateKeyFile /etc/ssl/cloudflare/cloudflare-origin-key.pem
    # ... your VirtualHost config
</VirtualHost>
```
Step 5: Set SSL Mode to Full (Strict)
In the Cloudflare dashboard, go to SSL/TLS, then Overview, and set the mode to Full (Strict). This is non-negotiable. Other modes will either send traffic unencrypted to your origin or accept any certificate regardless of validity.
When to Use Origin Certificate vs Let's Encrypt
Neither is universally better. The right choice depends on your setup:
| Scenario | Better Choice | Why |
|---|---|---|
| Domain always behind Cloudflare proxy | Origin Certificate | No renewal needed, no ACME infrastructure required |
| Direct server access needed (no proxy) | Let's Encrypt | Origin cert causes browser errors without proxy |
| Internal server, no public DNS | Let's Encrypt (DNS-01) or self-signed | Origin cert is meaningless without Cloudflare proxy |
| Mail server (SMTP/IMAP) | Let's Encrypt | Mail clients connect directly, do not go through Cloudflare proxy |
| API server behind Cloudflare | Origin Certificate | No renewal risk, no rate limits, simpler automation |
| Wildcard cert needed, no ACME infrastructure | Origin Certificate | Cloudflare issues wildcards for free, no DNS challenge needed |
Common Pitfalls
Turning Off the Cloudflare Proxy
If you change a DNS record from Proxied (orange cloud) to DNS Only (gray cloud), direct traffic will hit your server. Your origin certificate will cause a browser error. This catches many teams off guard during troubleshooting ("let me disable the proxy to test something") and breaks the site for end users. Always keep a Let's Encrypt certificate installed as a fallback, or test on a subdomain that already has Let's Encrypt.
SSL Mode Not Set to Full (Strict)
If you install an origin certificate but leave SSL mode at Flexible, Cloudflare encrypts traffic between the browser and Cloudflare's edge but sends plain HTTP to your server. The origin certificate is irrelevant — it is not used. If you set Full (not Strict), Cloudflare validates that your origin server has some certificate but does not verify it is actually valid. Only Full (Strict) verifies the certificate chain properly.
Mixed Content Warnings
If your site loads assets via HTTP after you enable Full (Strict), browsers will block them as mixed content. Use Cloudflare's "Always Use HTTPS" rule and ensure all asset URLs in your application use HTTPS or protocol-relative URLs.
Forgetting the Private Key
Cloudflare shows the private key exactly once. If you lose it before saving it, you must revoke the certificate and issue a new one. Save it to a secure secrets manager (not just a local file) immediately after generation.
SSL Mode Summary
| Mode | Browser to Cloudflare | Cloudflare to Origin | Use This? |
|---|---|---|---|
| Off | HTTP only | HTTP only | Never |
| Flexible | HTTPS (Cloudflare cert) | HTTP (unencrypted) | No |
| Full | HTTPS (Cloudflare cert) | HTTPS (cert not verified) | Only temporarily |
| Full (Strict) | HTTPS (Cloudflare cert) | HTTPS (cert verified) | Yes - always |
TL;DR
- Cloudflare Origin Certificates can be valid for 15 years because they are issued by Cloudflare's private CA and are only trusted by Cloudflare's own edge nodes, not browsers.
- They are safe for long validity because they are useless outside the Cloudflare proxy context — they cannot be used to impersonate your domain to end users.
- Issue from the Cloudflare dashboard, install on nginx or Apache, set SSL mode to Full (Strict).
- Use them when your domain is always proxied through Cloudflare. Use Let's Encrypt for direct-access scenarios, mail servers, and domains you might need to un-proxy.
- The private key is shown once. Save it immediately to a secure location.
Panelica automates Cloudflare Origin Certificate issuance and installation through its built-in Cloudflare integration. Set up a multi-account Cloudflare connection, and Panelica handles DNS, mail authentication, and SSL certificate lifecycle — including origin certificates — from a single interface.