
Cloudflare Origin CA as custom certificate

I’ve been trying to install a Cloudflare Origin CA certificate for my website as custom domain and it just says certificate is not a valid PEM certificate

my website domain: https://objective-nightingale-894f46.netlify.app

my custom domain: www.justnotes.app

Hi, @RyanMG. Netlify requires three fields to be filled out in the web UI.

  • certificate
  • private key
  • intermediate certs

Filling out those fields usually involves copying and pasting the contents of PEM files into the fields of the web UI. The files might end with .pem or .crt.

Those files will start and end with lines like these:

...text here...


...text here...

The intermediate certs (also called a chain certificate) likely will have more than one certificate in it and, if so, copy and paste the entire file into that field.

Do you have these files from Cloudflare? If so, what are the names of each file? Based on the names I should be able to confirm which file should be copied to each field.

Also, if there are any questions about this, please let us know.


I copied the Origin Certificate, which is formatted as a PEM, into the Certificate section.
Then I copied the private key too into the private key section, and lastly I downloaded the Cloudflare Origin RSA PEM certificate (origin_ca_rsa_root.pem) and copied it into the intermediate certs section.

Hi, @RyanMG. Without seeing the PEM files myself, my answers are only best guesses because I’d need to see the actual files to say for sure.

With that caveat, it sounds like the Cloudflare Origin RSA PEM certificate is not the intermediate or chain certificates required. That or it is in the wrong format.

It might be helpful to send me copies of those files to examine. Now, if you share the actual PEM files with me, they should no longer be considered secure and you would need to revoke them and generate new ones. However, sharing them would likely allow me to test them so I can tell you what files to use or else what isn’t working.

Would you be willing to private message (PM) the file contents to me? I’ve confirmed private messaging is enabled. Likewise, if you do plan on revoking the certificate and issuing a new one (and I strongly recommend that you do so), you might just post the actual files here. If you are revoking them anyway, sharing them isn’t going to be a security risk as you won’t ever use that SSL certificate for the site. If you do this, it will also provide a real world example of the Cloudflare certificate and key files to help the next person that runs into this.

So, either via PM or posting publicly, would you be willing to share those files with us?
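
A local check of what is about to be pasted into each of the three fields discussed in this thread, as an added example that is not from any of the posters or from Netlify. It inspects only the PEM armor (BEGIN/END lines, base64 body, block type and count); the per-field rules and the sample inputs are assumptions constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
BEGIN_LINE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

# Assumed rules per form field: (accepted block labels, maximum block count).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
FIELD_RULES = {
    "certificate": ({"CERTIFICATE"}, 1),
    "private key": (KEY_LABELS, 1),
    "intermediate certs": ({"CERTIFICATE"}, None),  # a chain may hold several
}

def pem_blocks(text):
    """Return [(label, der_bytes)] for each block whose body decodes cleanly."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # stray characters, smart quotes, bad padding
            continue
        if der[:1] == b"\x30":  # DER certificates and keys open with SEQUENCE
            blocks.append((label, der))
    return blocks

def check_field(field, text):
    """List the problems with the text pasted into one of the three fields."""
    labels, max_blocks = FIELD_RULES[field]
    begins = BEGIN_LINE.findall(text)
    problems = []
    if not begins:
        problems.append("no BEGIN line: content is not PEM")
    elif len(pem_blocks(text)) < len(begins):
        problems.append("missing END line or damaged base64 body")
    wrong = sorted({label for label in begins if label not in labels})
    if wrong:
        problems.append("unexpected block type: " + ", ".join(wrong))
    if max_blocks is not None and len(begins) > max_blocks:
        problems.append(f"expected {max_blocks} block, found {len(begins)}")
    return problems

# Constructed samples: the body is a 5-byte DER SEQUENCE, not a real cert or key.
CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for field, text in [("certificate", CERT), ("private key", KEY),
                        ("intermediate certs", CERT + CERT), ("certificate", KEY)]:
        print(field, "->", check_field(field, text) or "ok")
```

Because the check runs on the machine that already holds the files, the private key never has to leave it.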