SSL from Cloudflare

In order to issue a certificate from Cloudflare , you need to direct your site to Cloudflare's servers. To do this, you need to register on the website - cloudflare.com.

After registration, add a domain in the Home - Add a site menu:

1.

2.

3.

4.

According to the instructions, we change the NS server at the domain registrar to the one recommended by Cloudflare. After changing the servers, wait for the settings to take effect (from 1 hour to 72 hours)

We issue a certificate

To install the certificate, open the SSL/TLS menu on the left. By default, the certificate will be installed and the Full mode will be selected:

Learn more about Cloudflare's SSL certificate modes below:

off

Setting encryption mode to "Off" (not recommended) redirects any HTTPS request to unencrypted HTTP.

When you set the encryption mode to Off:

- Makes your visitors and your app vulnerable to attacks.

- Will be marked as "unsafe" in Chrome and other browsers, which will reduce the trust of visitors.

- Will be penalized in SEO ranking.

Flexible

Setting up a flexible encryption mode makes your site partially secure. Cloudflare allows HTTPS connections between your visitor and Cloudflare, but all connections between Cloudflare and your hosting server are made over HTTP. As a result, an SSL certificate is not required for your hosting server.

Select this option if you cannot configure an SSL certificate with your host or your host does not support SSL/TLS.

Full

When you set the encryption mode to "Full", Cloudflare allows an HTTPS connection between your visitor and Cloudflare and establishes a connection to the hoster using the scheme requested by the visitor. If your visitor uses http, Cloudflare connects to the host using plain text HTTP and vice versa.

Choose full mode if your host can support SSL certification (self-signed or free from let's encrypt), but for various reasons cannot support a valid public certificate.

Before enabling full mode, make sure the host allows HTTPS connections on port 443 and provides a certificate (self-signed, Cloudflare Origin CA, or purchased from a certificate authority). Otherwise, your visitors may encounter a 525 error.

Full (strict)

When you set the encryption mode to Full, Cloudflare does everything in full mode, but also enforces stricter requirements for origin certificates.

Choose full mode for maximum security. Your host must be able to support an SSL certificate that:

- Not expired, ie certificate notBeforeDate < now() < notAfterDate.

- Issued by a public trusted CA or Cloudflare Origin CA.

- Contains a Common Name (CN) or Subject Alternative Name (SAN) that matches the requested or target hostname.

After enabling the Full (strict) mode, you need to issue an Origin Certificate. In your Cloudflare control panel, open the Origin Server menu on the left - click on Create Certificate:

- In the menu that opens, fill in the fields - "Let Cloudflare generate a private key and a CSR".

- We prescribe the necessary domains and subdomains that must be included in the certificate.

- Select the validity period of the certificate. I press "Next" further.

- Without closing the open window opposite "Key format", select "PEM (Default)", then save the certificate and key in a separate file on your PC.

- We copy the saved certificate and key to the panel on the hosting, described in more detail in the instructions - https://cityhost.ua/uk/support/hosting/ssl/kak-zagruzit-svoy-ssl-sertifikat/