# How to Configure Cloudflare Origin Certificate on a DigitalOcean Droplet

This guide shows you how to replace an existing Let's Encrypt SSL certificate
with a Cloudflare Origin Certificate for securing the connection between
Cloudflare and your origin server.

> Note:
> The Cloudflare Origin Certificate secures the connection from Cloudflare to
> your server only. Visitors will see Cloudflare’s edge certificate in their
> browser.


## Step 1: Generate Your Cloudflare Origin Certificate

 1. Log in to Cloudflare Dashboard:
    Navigate to the SSL/TLS tab and select Origin Server.

 2. Create a Certificate:
    
    * Click Create Certificate.
    
    * Choose for Cloudflare to generate a private key and certificate signing
      request (CSR).
    
    * Enter your hostnames (e.g., example.com and www.example.com).
    
    * Set your desired certificate validity period.
    
    * Click Next and copy both the certificate and the private key.
      Tip: Save these securely on your local machine.


## Step 2: Upload the Certificate and Private Key to Your Server

 1. SSH into your droplet: `ssh root@your-server-ip`

 2. Create a directory for your SSL files (if it doesn’t exist):
    `sudo mkdir -p /etc/ssl/cloudflare`

 3. Create the certificate file: `sudo nano /etc/ssl/cloudflare/cloudflare-origin.pem`
    
    * Paste your Cloudflare Origin Certificate into the file.
    
    * Save (Ctrl+O) and exit (Ctrl+X).

 4. Create the private key file: `sudo nano /etc/ssl/cloudflare/cloudflare-origin.key`
    
    * Paste your private key into the file.
    
    * Save and exit.

 5. Secure the private key: `sudo chmod 600 /etc/ssl/cloudflare/cloudflare-origin.key`


## Step 3: Configure Apache to Use Your Cloudflare Origin Certificate

 1. Open your SSL VirtualHost configuration file:
    The active SSL vhost might be named something like `example.com-le-ssl.conf`
    under `/etc/apache2/sites-available/`. Edit it using:
    `sudo nano /etc/apache2/sites-available/example.com-le-ssl.conf`

 2. Modify the SSL directives:
    Replace the Let’s Encrypt paths with your Cloudflare files. Change this section:

    ```apache
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    ```

    to:

    ```apache
    # The Let's Encrypt include file also supplied "SSLEngine on" and the protocol
    # and cipher settings; if you drop it, keep SSLEngine on and bring your own options.
    SSLEngine on
    # Optionally, include your own SSL options (or leave it out)
    # Include /path/to/your/ssl-options.conf
    SSLCertificateFile /etc/ssl/cloudflare/cloudflare-origin.pem
    SSLCertificateKeyFile /etc/ssl/cloudflare/cloudflare-origin.key
    ```

    The full VirtualHost block may look like:

    ```apache
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/html
        <Directory /var/www/html>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/example_error.log
        CustomLog ${APACHE_LOG_DIR}/example_access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/cloudflare/cloudflare-origin.pem
        SSLCertificateKeyFile /etc/ssl/cloudflare/cloudflare-origin.key
    </VirtualHost>
    </IfModule>
    ```

 3. Save the file (Ctrl+O, Enter) and exit (Ctrl+X).


## Step 4: Disable the Let’s Encrypt SSL VHost (If Needed)

Check your enabled sites:

```sh
ls /etc/apache2/sites-enabled/
```

If you see a file such as `000-default-le-ssl.conf`, disable it:

```sh
sudo a2dissite 000-default-le-ssl.conf
```

Ensure your updated SSL vhost is enabled:

```sh
sudo a2ensite example.com-le-ssl.conf
```


## Step 5: Reload Apache and Verify the Certificate

 1. Test the Apache configuration: `sudo apachectl configtest`. You should see
    “Syntax OK.”

 2. Reload Apache: `sudo systemctl reload apache2`

 3. Clear Browser Cache:
    Sometimes old certificates are cached. Use an incognito window or clear your
    browser cache.

 4. Verify with OpenSSL (optional):
    `openssl s_client -connect example.com:443 -servername example.com`

Confirm that the certificate shown is your Cloudflare Origin Certificate. If the
hostname is already proxied through Cloudflare, this command reaches Cloudflare’s
edge and shows the edge certificate instead (see the note at the top); to inspect
the origin certificate directly, connect to the droplet’s IP address in place of
the hostname while keeping `-servername example.com`.


## Step 6: Update Cloudflare Settings

 1. Log in to the Cloudflare Dashboard.

 2. Set SSL/TLS Mode:
    Under the SSL/TLS tab, set the mode to Full (Strict) to ensure Cloudflare
    validates your origin certificate.

 3. Check DNS Records:
    Ensure your A records point to your droplet’s IP address and that proxying
    (the orange cloud) is enabled: the Origin Certificate is trusted only by
    Cloudflare, so visitors reaching the droplet directly would see certificate
    errors.


## Final Verification

Visit your website using HTTPS (e.g., https://example.com) and inspect the
certificate details in your browser’s developer tools. The connection between
Cloudflare and your server should now be secured using your Cloudflare Origin
Certificate.