How to Get an SSL Certificate from Cloudflare and Install It on Your Server
- Log into Cloudflare → Go to SSL/TLS → Click on "Origin Server".
- Click "Create Certificate".
- Choose "Let Cloudflare generate a private key and a CSR".
- Under Key Format, select PEM (recommended).
- Add your domain (`subdomain.example.com`) and optionally `*.subdomain.example.com` (wildcard).
- Choose 15 years validity.
- Click "Create".
After generation, Cloudflare will provide:
- Origin Certificate → Copy and save as `/etc/ssl/certs/cloudflare_origin.pem`
- Private Key → Copy and save as `/etc/ssl/private/cloudflare_origin.key`
Run:
```bash
sudo nano /etc/ssl/certs/cloudflare_origin.pem
```
Paste the Origin Certificate, then save.
```bash
sudo nano /etc/ssl/private/cloudflare_origin.key
```
Paste the Private Key, then save.
Set proper permissions:
```bash
sudo chmod 644 /etc/ssl/certs/cloudflare_origin.pem
sudo chmod 600 /etc/ssl/private/cloudflare_origin.key
```
Edit your Nginx site configuration:
```bash
sudo nano /etc/nginx/sites-available/subdomain.example.com
```
Modify it to use the Cloudflare certificate:
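```nginx
server {
    listen 443 ssl;
    server_name subdomain.example.com;

    # Cloudflare Origin Certificate and its private key (paths from the steps above)
    ssl_certificate     /etc/ssl/certs/cloudflare_origin.pem;
    ssl_certificate_key /etc/ssl/private/cloudflare_origin.key;

    # Accept only TLS 1.2 and 1.3; exclude anonymous and MD5-based cipher suites
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        root /var/www/subdomain.example.com/htdocs;
        index index.html;
    }
}
```
Test and reload Nginx: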
```bash
sudo nginx -t
sudo systemctl restart nginx
```
- Go to Cloudflare Dashboard → SSL/TLS.
- Set SSL mode to Full (Strict).
Check SSL status:
```bash
openssl s_client -connect subdomain.example.com:443
```
or visit:
https://subdomain.example.com
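
Because the certificate and key are pasted in by hand and renewal is manual, it helps to verify the two files before every Nginx reload. The script below is an added example, not part of the original guide: it checks that each file holds the right kind of PEM data (catching a key pasted into the world-readable certificate file), that the key is not accessible to group or others, that certificate and key belong together, and that the certificate is not about to expire. The function names are hypothetical, and it assumes a Linux host with `stat -c` and the `openssl` CLI.

```sh
#!/bin/sh
# Added example (not from the original page): checks to run before `nginx -t`.
CERT=${CERT:-/etc/ssl/certs/cloudflare_origin.pem}
KEY=${KEY:-/etc/ssl/private/cloudflare_origin.key}

# Classify a pasted file by PEM header. Key material wins, so a certificate
# file that also contains a private key is reported as private-key.
pem_kind() {
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then echo private-key
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo certificate
    else echo unknown
    fi
}

# Succeed only when group and others have no access to the key file.
key_mode_ok() {
    case "$(stat -c '%a' "$1")" in   # assumes GNU or busybox stat (Linux)
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when the certificate's public key equals the one derived from the key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_origin_files CERT KEY [WARN_DAYS]: print the first problem and return 1, or print OK.
check_origin_files() {
    [ "$(pem_kind "$1")" = certificate ] || { echo "FAIL: $1 must hold only a certificate"; return 1; }
    [ "$(pem_kind "$2")" = private-key ] || { echo "FAIL: $2 is not a private key"; return 1; }
    key_mode_ok "$2" || { echo "FAIL: $2 is accessible to group or others"; return 1; }
    pair_matches "$1" "$2" || { echo "FAIL: certificate and key do not match"; return 1; }
    openssl x509 -in "$1" -noout -checkend $(( ${3:-30} * 86400 )) >/dev/null ||
        { echo "FAIL: certificate expires within ${3:-30} days"; return 1; }
    echo OK
}

# Check the paths used in this guide when they exist (needs read access to the key).
if [ -r "$CERT" ] && [ -r "$KEY" ]; then
    check_origin_files "$CERT" "$KEY"
fi
```

Run it as root so the key is readable, and only continue to `sudo nginx -t` and the restart when it prints `OK`.
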
| Feature | Cloudflare SSL (Origin) | Let's Encrypt |
|---|---|---|
| Validity | Up to 15 years | 90 days |
| Renewal | Manual | Auto (via acme.sh) |
| Security | Strong (if Full Strict) | Strong |
| Works with Cloudflare Proxy? | ✅ Yes | ⚠ May need extra steps |
Let me know if you hit any issues!