How to Use Cloudflare Origin Certificates with Apache2 on Ubuntu 16.04 | 18.04


Cloudflare lets you enable a feature called Origin Certificates to secure the connections between your server (Apache2, in this case) and Cloudflare’s proxy servers.

Using an Origin Certificate, you can create end-to-end SSL/TLS encryption between your servers and Cloudflare’s proxy servers, making sure that all connections to your servers are encrypted.

With Origin Certificates, Cloudflare allows you to generate free TLS certificates, signed by Cloudflare, to install on your origin server.

Because the certificate is free and provided by Cloudflare, you can choose a longer validity period, which can be set to up to 15 years, and you can include all your subdomains with a wildcard (*).

This brief tutorial shows students and new users how to set up Cloudflare Origin Certificates on an Apache2 server to enable a more secure connection to your servers.

When you’re ready to set up your server and Cloudflare to use an Origin Certificate, follow the steps below:

Step 1: Sign up for Cloudflare Account.

The first step in this tutorial is to sign up for Cloudflare service. This assumes that you already have registered a domain name. If you don’t, then go and get one before continuing further.

If you already have a Cloudflare account, then skip the registration below.

Once you have a domain name, click on the link below to sign up for Cloudflare.

Type in your email address and click Create Account.


Once the account is created and you’ve verified your email address and logged back into your Cloudflare account, click the button or link (Add a Site) to add a site to your account.


Next, type in the domain name you have registered. Cloudflare service will help speed up and protect the site you add.


Next, Cloudflare will begin to query your domain’s DNS provider for the records in the DNS table. If the domain is online, Cloudflare should find it and import the records into your Cloudflare account.


After that, select the plan you want to use for the site. For this tutorial, we’re going to be using Cloudflare free plan.


When you’re done, you should see two nameservers provided to you by Cloudflare. What you need to do is log on to your domain provider’s portal, where you have your domain, and replace the nameservers with the ones Cloudflare gives you.


For example, our site is hosted with Google Domains, so we’ll log on to our Google Domains account and use custom nameservers. Then we’ll use the nameservers provided by Cloudflare and save.


Once you’ve saved your custom nameserver changes, go back to your Cloudflare account and wait for Cloudflare to see the changes. Depending on your domain provider, it may take up to an hour for the changes to be visible to Cloudflare.


Once all is ready, you’ll see your site status as Active.

When everything is done, you should also see your Cloudflare account with DNS entries as shown below. Your DNS records might have more entries than the two below, but these two are the most important for running your website.


After that, click on the Crypto tab and choose to enable Full (strict) SSL. This should turn on SSL for the site.


Still under the Crypto tab, scroll down to Origin Certificates. Then click the button to create a certificate.

Use the free TLS certificate signed by Cloudflare to install on your origin server. Origin Certificates are only valid for encryption between Cloudflare and your origin server.


Next, choose to let Cloudflare generate a private key and a CSR for the domain. Click Next.


Then copy and paste these into text files on your server.

On Ubuntu, run the commands below to create the private key, certificate and origin pull files (3 files in total). Copy and paste each piece of content into its respective file and save.

For the private key file, run this, then copy and paste the private key given to you into the file and save.

sudo nano /etc/ssl/private/

For the certificate file, run this and copy and paste the certificate content into the file and save.

sudo nano /etc/ssl/certs/

You’ll also want to download the Cloudflare Origin Pull certificate. You can download that from the link below:

Run the commands below to download it.

cd /etc/ssl/certs/
sudo wget

After that, you should have three files: the server key, the server certificate and the origin-pull certificate.

We will use these files in the Apache2 config below.


After saving the key, certificate and origin pull certificate files, continue below.
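
A pre-flight check for the three files saved above, written as an added example (it is not part of the original tutorial or of Cloudflare's tooling): it confirms that the private key belongs to the certificate, that the key file grants no access to group or other, that the certificate is not about to expire, and that the origin-pull CA file parses. The function names and the script name are illustrative, and the file paths are passed as arguments.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the three files saved above.
# Function names are illustrative; pass your own file paths as arguments.

# 0 if the private key ($2) belongs to the certificate ($1), 2 if either is unreadable.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the key file grants no access to group or other (e.g. mode 600).
# A file created with "sudo nano" under root's usual umask ends up as 644.
key_is_private() {
    local mode
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Runs every check, prints one line per problem, returns the problem count.
check_origin_files() {
    local cert="$1" key="$2" ca="$3" problems=0
    cert_matches_key "$cert" "$key" ||
        { echo "FAIL: private key does not match certificate"; problems=$((problems + 1)); }
    key_is_private "$key" ||
        { echo "FAIL: key is accessible to group/other (chmod 600)"; problems=$((problems + 1)); }
    # -checkend N succeeds only if the certificate is still valid N seconds from now
    openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: certificate unreadable or expires within 30 days"; problems=$((problems + 1)); }
    # The file named in SSLCACertificateFile must be a parseable PEM certificate
    openssl x509 -in "$ca" -noout 2>/dev/null ||
        { echo "FAIL: origin-pull CA file is not a PEM certificate"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ] && echo "OK: key, certificate and CA file are consistent"
    return "$problems"
}

# Usage: ./check-origin-files.sh CERT KEY ORIGIN_PULL_CA
if [ "$#" -eq 3 ]; then
    check_origin_files "$@"
fi
```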

Still under Crypto, enable Always Use HTTPS. You may also change the settings for HSTS, but this is not necessary.


Next, turn on Authenticated Origin Pulls and Opportunistic Encryption, and continue.


Then, turn on Automatic HTTPS Rewrites and continue.


Next, move to the Page Rules tab, then create a new rule for the site. Type the URL and choose Always Use HTTPS.


Always Use HTTPS


Save your settings and you’re done with setting up Cloudflare.

Step 2: Configure Apache2

Finally, configure the Apache2 site configuration file for your website. This file will control how users access your website content. Run the commands below to create a new configuration file called

sudo nano /etc/apache2/sites-available/

Then copy and paste the content below into the file and save it. Replace the highlighted line with your own domain name and directory root location.

Also make sure to reference the certificate files created above during Cloudflare setup.

<VirtualHost *:80>
</VirtualHost>

<VirtualHost *:443>
     Protocols h2 http/1.1
     DocumentRoot /var/www/html/

     # TLS with the Origin Certificate and private key saved above
     SSLEngine on
     SSLCertificateFile /etc/ssl/certs/
     SSLCertificateKeyFile /etc/ssl/private/

     # Authenticated Origin Pulls: require a client certificate issued by the origin-pull CA
     SSLCACertificateFile /etc/ssl/certs/origin-pull-ca.pem
     SSLVerifyClient require
     SSLVerifyDepth 1

     <Directory /var/www/html/>
          Options FollowSymlinks
          AllowOverride All
          Require all granted
     </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

     <Directory /var/www/html/>
          RewriteEngine on
          RewriteBase /
          RewriteCond %{REQUEST_FILENAME} !-f
          RewriteRule ^(.*) index.php [PT,L]
     </Directory>
</VirtualHost>

Save the file and exit.

Step 3: Enable the Apache2

After configuring the VirtualHost above, enable it by running the commands below

sudo a2ensite
sudo a2enmod ssl
sudo a2enmod rewrite
sudo systemctl restart apache2.service

Congratulations! You have successfully installed Cloudflare and configured its Origin Certificate with Apache2 on Ubuntu 16.04 | 18.04



  1. This tutorial is messed up. You are clearly instructing to create 3 files: a private key file, a certificate file, and an origin pull certificate. You have given the example to create the private key file as “sudo nano /etc/ssl/private/”, the certificate file as “sudo /etc/ssl/certs/”. However, if you followed the steps on CloudFlare, you should know that you DO NOT get 2 “pem” files. You get a “key” file and a “pem” file. In your example you show a “pem” file for both key and certificate files. This is conflicting, confusing, and frustrating for a person, like me, who is doing this the first time. If you know what you are talking about, please give CORRECT instructions. If you do not, then DO NOT give confusing or otherwise misleading instructions. Thank you.

  2. Please do the world a favor and STOP writing another tutorial until you are thoroughly familiar with the topic and included ALL steps necessary. Otherwise you just leave people in limbo and frustration.

    SSLEngine on
    Invalid command ‘SSLEngine’, perhaps misspelled or defined by a module not included in the server configuration

    If this is important and required, maybe you should spell this out how to enable it!

  3. Thank you for the very detailed tutorial. I think you forgot to mention

    sudo a2enmod ssl

    run the above cmd, if you are getting SSLEngine on
    Invalid command ‘SSLEngine’, perhaps misspelled or defined by a module not included in the server configuration

  4. Thanks for your help! This guide is perfectly detailed.
    (Sorry for my English)

    1. No it’s not… it’s a mess and has caused lots of problems for my server.
      To be honest the instructor should try it out on a real server.

      Thanks to this tutorial and the SSLEngine on syntax error my apache is stuffed up!!

      1. I take that all back… I stuffed it up. Your tutorial is one of the best and it works… except for one typo where “nano” is not specified in the sudo for the cert paste :)

        Keep up the good work :)))))

  5. Thank
    IOS Broken . Need Del :
    Protocols h2 http:/1.1 —–> Protocols h2 http/1.1
