Self Signed SSL certificate provider is now available!

A Self Signed SSL certificate provider has now been released and is available through the Free SSL Certificates tool in the client area.

What is it?

The Self Signed SSL provider is an alternative SSL provider to Let’s Encrypt and GoGetSSL. It provides certificates which are “self signed”, meaning they are not trusted by browsers. The certificates created are valid for 10 years.

For whom is this useful?

The main use case for these certificates is Cloudflare users.

Many Cloudflare users currently make use of Flexible SSL, which means the connection between Cloudflare and your hosting account is not encrypted. To secure this connection, you need to install an SSL certificate on your hosting account.

Cloudflare provides their Origin Certificates for this, but those cannot be used because they are wildcard certificates. You can use Let’s Encrypt or GoGetSSL certificates too, but those are only valid for three months.

Self signed SSL certificates can be valid for much longer, so you only need to set them once to have SSL for almost ever!

Self signed SSL can also be useful for testing in some situations, for example to develop your website on HTTPS without it being available to visitors yet.

How do I use it?

Simply go to the Free SSL Certificates tool in the client area, add a new domain name and select “Self Signed” as the provider. After that, just click Request SSL Certificate and a new certificate will be created instantly!

Once the certificate is created, you can install it like you would any other SSL certificate.

Then, in Cloudflare’s settings, go to the “SSL/TLS” app for your domain, where you can change the SSL mode from “Flexible” to “Full”.

19 Likes

This is great news!! No more renewing every 3 mths!! Yeah!!!

1 Like

Yes, and no. This is more or less for testing…

1 Like


Why can’t you install wildcard SSLs in vPanel? Also, can you only install the Let’s Encrypt (and the self-signed SSL) in vPanel? You can’t install other SSLs like GlobalSign or Sectigo?

The control panel checks whether the domain name in the Common Name field in the certificate matches the domain you’re trying to install the certificate on. Wildcard certs have a different Common Name, so they fail the validation check.

As to why the validation has not been changed to also support wildcard certs, I don’t know.

You can install any (single domain) certificate you want.

We provide our own tools to get those certificates which are 1) free and 2) work well with our hosting. That makes them well suited for most people here.

But if you want to bring your own certificate, you’re of course free to do so.

3 Likes

Then what happens if your wildcard SSL has the common name of your domain name?

Like issued to yourdomain.com.

Subject Alternative name:

*.yourdomain.com

Good question, I don’t know. I don’t know if there are wildcard certs like that in the first place and I don’t know if the control panel accepts them. My guesses to these questions are “no” and “yes” but again, not sure.

Another question is what you gain from it. Sure, there is a wildcard in the SAN, but the control panel won’t let you install that certificate on forum.yourdomain.com because the Common Name is still yourdomain.com. So even though the certificate is valid for all subdomains, you’ll still need separate certificates for every subdomain.

1 Like
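The Common Name versus Subject Alternative Name point from the posts above, as an added example that is not the control panel's code or anything posted in this thread. The exact-CN rule is an assumed model of the check as described here, the SAN matcher is a simplified version of what TLS clients do, and both sample certificates are constructed field values in the layout of Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added illustration: constructed certificate fields, in the dict layout that
# Python's ssl.SSLSocket.getpeercert() returns. Not the control panel's code.

def common_name(cert):
    """Return the first commonName in the certificate subject, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value.lower()
    return None

def panel_style_check(cert, domain):
    """Assumed model of the check described in the thread: exact CN match."""
    return common_name(cert) == domain.lower()

def label_match(pattern, host):
    """Match one DNS name; '*' may only stand for the whole leftmost label."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def san_check(cert, host):
    """Simplified TLS-client rule: any dNSName entry in the SAN may match."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(label_match(n, host) for n in names)

# Constructed sample certificates (field values only, no real keys).
WILDCARD_CN = {
    "subject": ((("commonName", "*.yourdomain.com"),),),
    "subjectAltName": (("DNS", "*.yourdomain.com"), ("DNS", "yourdomain.com")),
}
APEX_CN_WILDCARD_SAN = {
    "subject": ((("commonName", "yourdomain.com"),),),
    "subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "*.yourdomain.com")),
}

def compare(cert, host):
    """Return (panel_accepts, tls_client_accepts) for one cert/host pair."""
    return panel_style_check(cert, host), san_check(cert, host)

if __name__ == "__main__":
    for name, cert in (("wildcard CN", WILDCARD_CN), ("apex CN", APEX_CN_WILDCARD_SAN)):
        for host in ("yourdomain.com", "forum.yourdomain.com"):
            print(name, host, compare(cert, host))
```

Under these assumptions, the certificate with CN `yourdomain.com` and a wildcard SAN passes the CN-only check for the apex domain only, even though a SAN-based client accepts it for `forum.yourdomain.com` as well.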

I don’t see an option in Cloudflare/SSL-TLS/OriginServer for setting a self-signed certificate not generated by Cloudflare. Did they remove this capability?

A self-signed certificate is on the webserver (Here on IF) and not on Cloudflare. You can use app.infinityfree.net/ssls to get a free self-signed SSL here on IF, and then you can use Cloudflare’s “Full” SSL mode for the best security.

1 Like

I agree, but my point here is that I think we need to tell Cloudflare to trust this self-signed certificate as an origin server, and I don’t see the option to do such a thing on Cloudflare.

Set Cloudflare SSL to “Flexible”.

1 Like

There is no point using a self-signed cert on origin when the Flexible option is selected. My goal is to use Full in that case.

  1. Install a certificate on IF using the link above.

  2. Set Cloudflare SSL to “Full”

That’s it!

2 Likes

In which of the steps above is Cloudflare trusting the self-signed certificate generated on IF?

Why does Cloudflare need to trust it?

Because anyone could generate a self-signed certificate and impersonate the origin server otherwise. If the self-signed cert is not trusted by CF, the Full mode does not make sense, since it becomes equivalent to the Flexible mode in which there is no SSL protection between CF and IF servers.

But then they would have to install their certificate here. So they would have to hack you first, and then change it. I’m not sure how this is a big threat.

What you’re describing is the difference between “Full” and “Full (strict)” SSL mode. The former accepts any SSL certificate, the latter only accepts one that is signed by a trusted provider for the domain in question.

If you want to use “Full (strict)” mode, you’ll need a certificate that Cloudflare trusts. Cloudflare provides their Origin Certificates for that, but our panel doesn’t support those. But a certificate from any other recognized vendor (including Let’s Encrypt and GoGetSSL) can be used too.

Using self signed SSL is not perfect for security, but it’s better than using Flexible SSL, and comes with fewer caveats for configuration too.

And the attack scenario you described is quite hard to exploit. You would somehow have to route the backend connection for Cloudflare to another IP address than what’s configured in Cloudflare’s DNS. But if you could do that, you could also just hijack the connection for the Let’s Encrypt verification and get a valid certificate that way.

3 Likes