Installing Cloudflare Origin CA as custom certificate

I’ve been trying to install a Cloudflare Origin CA certificate for my website as custom domain as I use Cloudflare upfront on my domain name, however it just says it’s not PEM formatted OR it says it’s not the correct private key, and I don’t know why. I do choose the PEM format and these also work fine on a test Nginx instance I spinned up on my computer. I generate those from the web UI on the Cloudflare Dashboard though…

  • My website name is
  • My custom domain is

If you use Cloudflare on your domain, doesn’t it automatically generate a SSL and use it? As I’m seeing now, your website is loading over SSL provided by Cloudflare, so is there ahy specific reason why you need to setup the SSL in Netlify?

To use the Full (Strict) setup rather than the Full SSL Setup
Helps ensure the integrity of communications between Netlify and Cloudflare in that case

Fair point. The certificate should easily work. It doesn’t really need a lot of configuration. In any case, a support engineer would take up your case soon.

it should, but it doesn’t on Netlify. It already works on Nginx as I said…
could be something about how Netlify parses the certificate or something like that :thinking:

@adjunct Welcome to the Netlify community.

You seem not to have a CNAME for your www custom subdomain, and you also seem to have DNSSEC turned on at Cloudflare, which doesn’t work with Netlify.

|==================== whois check for DNSSEC ====================
| --------------------- should be unsigned ----------------------
DNSSEC: signedDelegation
DNSSEC: unSigned 

I fail to see where the relation is, I only want to install Cloudflare’s Origin CA on my Netlify website
I did that back then a lot and my other domain, works fine with it.

comparing with openssl gives this:
root@vps-e24f812c:~# openssl x509 -noout -modulus -in remy.crt | openssl md5
(stdin)= 77f29883f9a1d602693099e6b00863d0
root@vps-e24f812c:~# openssl rsa -noout -modulus -in remy.key | openssl md5
(stdin)= 77f29883f9a1d602693099e6b00863d0
meaning the private key and certificate match

while it says that on Netlify :thinking:

1 Like

it should not matter whether I use DNSSEC or not, I don’t use Netlify DNS. I know what I’m saying, I used to have it on with Cloudflare CDN + DNS and Netlify before
the DNSSEC will only be relevant for the visitors but in no case it applies between Cloudflare’s Edge servers trying to connect upstream on the Netlify website.
And I do want to put Cloudflare’s CDN on top.


I can confirm. We have the same issue for Cloudflare Origin Certificate. For one of our projects it works fine to set up the custom cert. But for all other projects it says repeatedly “Private key did not match certificate” which is definitely not the case.

Custom Domain:

I just tried to use the safer CSR generation method to obtain a Cloudflare Origin CA certificate, but no success here either. Netlify simply doesn’t want to install the certificate.
“Private key did not match the certificate”.

1 Like

Looks like the issue is being addressed currently.

I suppose we’ll wait for future developments

Hey there @adjunct and @Kermin ,

This is being looked into by one of our teams! We will follow up on this thread when we have any developments.

Thank you for your patience!

We’ve shipped a fix for this. :tada: Could you please try it again and let us know how it goes?

It works fine now! :partying_face:

1 Like

Hi, @adjunct. Thank you for both reporting the issue and for confirming it is working now. Both help us to improve our service and we appreciate you taking the time to follow-up with us.

If there are other questions or concerns, please let us know.