How to Configure Cloudflare Origin Certificate on a DigitalOcean Droplet

This guide shows you how to replace an existing Let's Encrypt SSL certificate with a Cloudflare Origin Certificate for securing the connection between Cloudflare and your origin server.

Note:
The Cloudflare Origin Certificate secures the connection from Cloudflare to your server only. Visitors will see Cloudflare’s edge certificate in their browser.

Step 1: Generate Your Cloudflare Origin Certificate

  1. Log in to Cloudflare Dashboard:
    Navigate to the SSL/TLS tab and select Origin Server.

  2. Create a Certificate:

    • Click Create Certificate.

    • Choose for Cloudflare to generate a private key and certificate signing request (CSR).

    • Enter your hostnames (e.g., example.com and www.example.com).

    • Set your desired certificate validity period.

    • Click Next and copy both the certificate and the private key.
      Tip: Save these securely on your local machine.

Step 2: Upload the Certificate and Private Key to Your Server

  1. SSH into your droplet: ssh root@your-server-ip

  2. Create a directory for your SSL files (if it doesn’t exist): sudo mkdir -p /etc/ssl/cloudflare

  3. Create the certificate file: sudo nano /etc/ssl/cloudflare/cloudflare-origin.pem

    • Paste your Cloudflare Origin Certificate into the file.

    • Save (Ctrl+O) and exit (Ctrl+X).

  4. Create the private key file: sudo nano /etc/ssl/cloudflare/cloudflare-origin.key

    • Paste your private key into the file.

    • Save and exit.

  5. Secure the private key: sudo chmod 600 /etc/ssl/cloudflare/cloudflare-origin.key
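The five steps above can be scripted so the private key is never written with loose permissions and a bad paste is caught before Apache reloads. The script below is an added example, not part of the original guide; the file names cloudflare-origin.pem and cloudflare-origin.key in the current directory, the SSL_DIR variable and the function names are assumptions. The key/certificate match check runs only when openssl is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): install a Cloudflare Origin
# Certificate and its private key under /etc/ssl/cloudflare with safe permissions
# and sanity checks. SSL_DIR and the local input file names are assumptions.
set -eu

SSL_DIR="${SSL_DIR:-/etc/ssl/cloudflare}"

# Write stdin to $dest with the given mode. mktemp creates the temp file 0600 and
# the rename is atomic, so the key is never readable by other users, even briefly.
install_pem() {
    local dest="$1" mode="$2" tmp
    tmp=$(mktemp "${dest}.XXXXXX")
    cat > "$tmp"
    chmod "$mode" "$tmp"
    mv -f "$tmp" "$dest"
}

# Check that a file holds exactly one PEM block of the given type (for example
# CERTIFICATE). A double paste or a truncated paste fails this check.
pem_block_ok() {
    local file="$1" type="$2" first last
    first=$(head -n 1 "$file")
    last=$(grep -v '^[[:space:]]*$' "$file" | tail -n 1)
    [ "$first" = "-----BEGIN ${type}-----" ] || return 1
    [ "$last" = "-----END ${type}-----" ] || return 1
    [ "$(grep -c -- '-----BEGIN ' "$file")" -eq 1 ]
}

# Private keys come in PKCS#8 ("PRIVATE KEY") or legacy RSA/EC PEM forms; accept any.
key_pem_ok() {
    local file="$1"
    case "$(head -n 1 "$file")" in
        "-----BEGIN PRIVATE KEY-----")     pem_block_ok "$file" "PRIVATE KEY" ;;
        "-----BEGIN RSA PRIVATE KEY-----") pem_block_ok "$file" "RSA PRIVATE KEY" ;;
        "-----BEGIN EC PRIVATE KEY-----")  pem_block_ok "$file" "EC PRIVATE KEY" ;;
        *) return 1 ;;
    esac
}

# True when the file mode is exactly 600 (GNU stat first, BSD stat as fallback).
key_perms_ok() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Compare the public key embedded in the certificate with the one derived from
# the private key. A mismatch is the usual cause of Apache refusing to reload.
key_matches_cert() {
    local cert="$1" key="$2"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping key/certificate match check" >&2
        return 0
    fi
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Usage (assumed invocation): sudo bash install-origin-cert.sh install
if [ "${1:-}" = "install" ]; then
    mkdir -p "$SSL_DIR"
    install_pem "$SSL_DIR/cloudflare-origin.pem" 644 < cloudflare-origin.pem
    install_pem "$SSL_DIR/cloudflare-origin.key" 600 < cloudflare-origin.key
    pem_block_ok "$SSL_DIR/cloudflare-origin.pem" CERTIFICATE
    key_pem_ok "$SSL_DIR/cloudflare-origin.key"
    key_perms_ok "$SSL_DIR/cloudflare-origin.key"
    key_matches_cert "$SSL_DIR/cloudflare-origin.pem" "$SSL_DIR/cloudflare-origin.key"
    echo "installed Cloudflare Origin Certificate and key under $SSL_DIR"
fi
```

The certificate is installed 644 because Apache only needs to read it and it is public anyway; the key stays 600 and root-owned, which is what Step 5 of this section requires.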

Step 3: Configure Apache to Use Your Cloudflare Origin Certificate

  1. Open your SSL VirtualHost configuration file:
    The active SSL vhost might be named something like: example.com-le-ssl.conf under /etc/apache2/sites-available/. Edit it using: sudo nano /etc/apache2/sites-available/example.com-le-ssl.conf

  2. Modify the SSL directives:
    Replace the Let’s Encrypt paths with your Cloudflare files. Change this section:

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    to:

    # Optionally, include your own SSL options (or leave it out)
    # Include /path/to/your/ssl-options.conf
    # The Let's Encrypt options file is what sets SSLEngine on; set it here if you drop the Include
    SSLEngine on
    SSLCertificateFile /etc/ssl/cloudflare/cloudflare-origin.pem
    SSLCertificateKeyFile /etc/ssl/cloudflare/cloudflare-origin.key

    Both SSLCertificateFile and SSLCertificateKeyFile must be active (not commented out): Apache cannot serve TLS without the private key.

    The full VirtualHost block may look like:

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName example.com
        ServerAlias www.example.com
        DocumentRoot /var/www/html
        <Directory /var/www/html>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/example_error.log
        CustomLog ${APACHE_LOG_DIR}/example_access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/cloudflare/cloudflare-origin.pem
        SSLCertificateKeyFile /etc/ssl/cloudflare/cloudflare-origin.key
    </VirtualHost>
    </IfModule>

  3. Save the file (Ctrl+O, Enter) and exit (Ctrl+X).

Step 4: Disable the Let’s Encrypt SSL vhost (if needed)

Check your enabled sites:

ls /etc/apache2/sites-enabled/

If you see a file such as 000-default-le-ssl.conf, disable it:

sudo a2dissite 000-default-le-ssl.conf

Ensure your updated SSL vhost is enabled:

sudo a2ensite example.com-le-ssl.conf

Step 5: Reload Apache and Verify the Certificate

  1. Test Apache configuration: sudo apachectl configtest
    You should see “Syntax OK.”

  2. Reload Apache: sudo systemctl reload apache2

  3. Clear Browser Cache:
    Sometimes old certificates are cached. Use an incognito window or clear your browser cache.

  4. Verify with OpenSSL (optional): openssl s_client -connect example.com:443 -servername example.com
    If the DNS record is already proxied through Cloudflare, example.com resolves to Cloudflare’s edge and this command shows the edge certificate instead. In that case use -connect your-server-ip:443 (keeping -servername example.com) to reach the origin directly.

Confirm that the issuer shown in the output is Cloudflare’s Origin CA rather than Let’s Encrypt.
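The two checks that matter at this point, that the vhost really references the Cloudflare files and that the certificate the origin presents was issued by Cloudflare's Origin CA, can be automated. This is an added example, not from the original guide; the function names, the argument order and the use of the droplet IP rather than the hostname for the probe are assumptions. It reads the vhost file locally and only needs network access for the issuer probe.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): confirm the Apache vhost uses the
# Cloudflare files and that the origin serves a Cloudflare Origin Certificate.
# Function names and the invocation form are assumptions.
set -eu

# True when the vhost has live (uncommented) SSLCertificateFile and
# SSLCertificateKeyFile directives under $ssl_dir and no leftover Let's Encrypt
# paths. A directive that is still commented out counts as missing.
vhost_uses_cloudflare_files() {
    local conf="$1" ssl_dir="${2:-/etc/ssl/cloudflare}"
    grep -Eq "^[[:space:]]*SSLCertificateFile[[:space:]]+${ssl_dir}/" "$conf" || return 1
    grep -Eq "^[[:space:]]*SSLCertificateKeyFile[[:space:]]+${ssl_dir}/" "$conf" || return 1
    ! grep -Eq "^[[:space:]]*SSLCertificate(Key)?File[[:space:]]+/etc/letsencrypt/" "$conf"
}

# Fetch the issuer line of the certificate a host presents. Connect to the
# droplet IP with SNI set to the site name: connecting to the hostname of a
# proxied record reaches Cloudflare's edge and inspects the wrong certificate.
served_issuer() {
    local ip="$1" host="$2"
    openssl s_client -connect "${ip}:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# Cloudflare's Origin CA identifies itself as "CloudFlare Origin SSL ... Certificate
# Authority" in the issuer; anything else means the old certificate is still
# served or the probe hit the edge.
is_origin_ca_issuer() {
    case "$1" in
        *"CloudFlare Origin SSL"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (assumed): bash verify-origin.sh /etc/apache2/sites-available/example.com-le-ssl.conf your-server-ip example.com
if [ "$#" -eq 3 ]; then
    conf="$1" ip="$2" host="$3"
    if vhost_uses_cloudflare_files "$conf"; then
        echo "vhost OK: $conf"
    else
        echo "vhost still references Let's Encrypt paths or lacks Cloudflare directives: $conf" >&2
        exit 1
    fi
    issuer=$(served_issuer "$ip" "$host")
    if is_origin_ca_issuer "$issuer"; then
        echo "origin serves a Cloudflare Origin Certificate ($issuer)"
    else
        echo "unexpected issuer, edge certificate or old Let's Encrypt certificate? ($issuer)" >&2
        exit 1
    fi
fi
```

Run it after the reload in this step; a non-zero exit tells you which of the two conditions failed before you switch Cloudflare to Full (Strict) in the next step.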

Step 6: Update Cloudflare Settings

  1. Log in to Cloudflare Dashboard.

  2. Set SSL/TLS Mode:
    Under the SSL/TLS tab, set the mode to Full (Strict) to ensure Cloudflare validates your origin certificate.

  3. Check DNS Records:
    Ensure your A records point to your droplet’s IP address. Enable proxying (the orange cloud) so that visitors are served Cloudflare’s edge certificate; browsers do not trust the Origin CA, so an unproxied record would produce certificate errors.

Final Verification

Visit your website using HTTPS (e.g., https://example.com) and inspect the certificate details in your browser’s developer tools. The connection between Cloudflare and your server should now be secured using your Cloudflare Origin Certificate.

By following these steps, you'll have successfully configured your DigitalOcean droplet to use a Cloudflare Origin Certificate, enhancing the security of your origin connection while allowing Cloudflare to serve trusted edge certificates to your visitors.