Wildcard Corp.


Import Server Certificate, KEY and CA Chain from Cloudflare


You will need three things:
  1. The Origin Certificate
  2. The private key that goes with it
  3. The Cloudflare Origin CA root certificate
 
Download the CA here: 
 
The certificate and the key are in the .zip file you were sent. The .zip holds the same material in two formats, .pem and .pkcs7; which one you use depends on the type of server they will be imported into. The .pem file contains both the private key and the certificate. A PKCS #7 bundle carries certificates only, never a private key, so the .pkcs7 file is for the certificate side. You may need to separate out the key if your use case requires it: the key is the block starting with "-----BEGIN PRIVATE KEY-----" and ending with "-----END PRIVATE KEY-----" (copy both marker lines too) and should be saved to a plain text file ending in .key. That key is unencrypted, so keep the file readable only by administrators and delete it once the key has been imported.
 
On a Windows machine with IIS you may want to rename the .pkcs7 file to .cer (or .p7b) so that the Windows certificate tools recognize it.
 
 The article on converting certificates for your use case is here: Converting PEM to PFX for Windows
 
Certificates can be converted with 'openssl' or other tools. To convert the PEM certificate and key into a PFX (PKCS #12) file that Windows can import, run:

openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile CACert.crt

Here private.key is the key you separated out, cert.crt is the origin certificate and CACert.crt is the Cloudflare Origin CA root downloaded above; -certfile puts the root into the bundle so the chain is installed together with the certificate. openssl prompts for an export password: set one, because the .pfx contains the private key and will otherwise be readable by anyone who gets hold of the file.

The PFX version you may be able to just double-click on and import into the correct web server certificate store. In IIS Manager, Server Certificates > Import also takes a .pfx directly and installs the key together with the certificate, which is the simplest path when the key was delivered by Cloudflare rather than generated on the server.
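The split-and-convert step above, as an added PowerShell example (this is not code from the original article or from Cloudflare): it pulls the key and certificate blocks out of the combined .pem, writes them without a byte-order mark (openssl will not read a PEM file that starts with one), restricts the key file to SYSTEM and Administrators, checks that the key really belongs to the certificate before bundling them, and then builds the .pfx with openssl. The file names are assumptions, and openssl.exe must be on PATH.

```powershell
# Added example, not part of the original article. Assumes openssl.exe is on
# PATH and that the file names below match what you unpacked from the .zip.
$BundlePath = 'C:\certs\example.com.pem'          # combined key + certificate (assumed name)
$RootCaPath = 'C:\certs\origin_ca_rsa_root.pem'   # Cloudflare Origin CA root you downloaded (assumed name)
$KeyPath    = 'C:\certs\example.com.key'
$CertPath   = 'C:\certs\example.com.crt'
$PfxPath    = 'C:\certs\example.com.pfx'

$bundle = Get-Content -Raw -Path $BundlePath

# Match each whole PEM block including its BEGIN/END lines. Cloudflare ships a
# PKCS#8 key ("BEGIN PRIVATE KEY"); the pattern also accepts RSA/EC-specific headers.
$keyMatch  = [regex]::Match($bundle, '(?s)-----BEGIN (?:RSA |EC )?PRIVATE KEY-----.*?-----END (?:RSA |EC )?PRIVATE KEY-----')
$certMatch = [regex]::Match($bundle, '(?s)-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----')
if (-not $keyMatch.Success -or -not $certMatch.Success) {
    throw "Bundle $BundlePath does not contain both a PRIVATE KEY and a CERTIFICATE block"
}

# Write as plain ASCII: a UTF-8 BOM in front of "-----BEGIN" makes openssl fail to load the file.
[System.IO.File]::WriteAllText($KeyPath,  $keyMatch.Value  + "`n", [System.Text.Encoding]::ASCII)
[System.IO.File]::WriteAllText($CertPath, $certMatch.Value + "`n", [System.Text.Encoding]::ASCII)

# The key file is unencrypted: drop inherited ACEs and allow only SYSTEM and Administrators.
$acl = Get-Acl -Path $KeyPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')))
}
Set-Acl -Path $KeyPath -AclObject $acl

# Key/certificate match check: the public key derived from the private key must
# equal the public key embedded in the certificate. Works for both RSA and ECC.
$pubFromKey  = & openssl pkey -in $KeyPath -pubout 2>$null
$pubFromCert = & openssl x509 -in $CertPath -noout -pubkey
if (($pubFromKey -join "`n") -ne ($pubFromCert -join "`n")) {
    throw 'The private key does not match the certificate; this is not the right pair'
}

# Bundle key, certificate and the Cloudflare root into a PFX. -certfile adds the
# issuer so the chain is installed with the certificate. openssl prompts for the
# export password on the console; for unattended use pass -passout env:VARNAME
# rather than pass:..., which would expose the password in the process list.
& openssl pkcs12 -export -out $PfxPath -inkey $KeyPath -in $CertPath -certfile $RootCaPath
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }
Write-Host "Wrote $PfxPath; remove $KeyPath once the PFX has been imported"
```

The public-key comparison is the check worth keeping even if you do the rest by hand: a .pfx built from a mismatched key and certificate imports without complaint and only fails later, at TLS handshake time.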

 

INSTALL the Certificate and the CA

 
    1. Open Internet Information Services (IIS) Manager and under Connections, select your server's hostname

      In the Windows Start screen, click Administrative Tools, then Internet Information Services (IIS) Manager. Alternatively, you can search for Internet Information Services (IIS) Manager.

    2. Click on the servername, then in the IIS section of the center menu, double click the Server Certificates icon



    3. In the Actions menu, click Complete Certificate Request to open the Complete Certificate Request wizard



      In the Complete Certificate Request wizard, on the Specify Certificate Authority Response page, under File name containing the certification authority's response, click the ... button to browse to the .cer certificate file that was copied to the desktop, select the file, and then click Open. Complete Certificate Request only succeeds when the matching private key is already on this server, which is the case for a CSR generated here. If you converted the Cloudflare key and certificate to a .pfx, use Import in the same Actions menu instead; it installs the certificate and its key together, and you can then skip the INSTALL the Key section.

    4. In the Friendly name box, enter a friendly name for the certificate

      The friendly name is not part of the certificate. Instead, it is used to identify the certificate. Choose to place the new certificate in the Web Hosting certificate store.



    5. To finish installing the SSL Certificate to the server, click OK

    6. Download the Cloudflare Root CA

      Cloudflare publishes two Origin CA root certificates, one RSA and one ECC; download the one that matches the key type of the origin certificate you created. Browse to the following link to download the latest Cloudflare Root CA from the bottom of the page.

    7. Open the Certificates Manager

      In the Windows Start screen, type certlm.msc to open the local machine store (certmgr.msc opens only the current user's store, which IIS does not read). Alternatively, you can search for Manage Computer Certificates.

    8. Import the Cloudflare Root CA Certificate

      In the Certificate Manager, open Trusted Root Certification Authorities. Next, right-click on Certificates, hover over All Tasks, then click Import... Anything in this store is trusted by every application on the machine, not only IIS, and Cloudflare Origin CA certificates are meant to be trusted only by Cloudflare's edge, so import this root on the origin server only, never on clients or other machines.



    9. When the wizard opens, click Next



    10. Browse to the Cloudflare Origin Root CA

      Browse to the location of the Cloudflare Origin Root CA that was just downloaded. Please note that you will need to change the file filter to All Files (*.*) for the certificate to be displayed, since the downloaded file does not have a .cer or .crt extension.



    11. Click Next, then Next again and click Finish on the wizard

    12. Click Yes on the Security Warning

      The warning shows the thumbprint of the root you are about to trust. Compare it with the thumbprint Cloudflare publishes for that root before clicking Yes; the ECC and RSA roots have different thumbprints, so check the one that matches the file you downloaded.



INSTALL the Key

 

Restore Private Key

  1. With the MMC console still open, select the Certificates folder inside the Personal folder in the left-hand pane (or inside Web Hosting, if that is where the certificate was placed).
  2. Double-click the newly imported SSL certificate in the right-hand pane, then select the Details tab.
  3. Scroll down and select the Thumbprint field, then select and copy the entire thumbprint (in the bottom box) to the clipboard.
  4. Open an elevated command prompt, then enter the following command with the thumbprint between the quotes:
     
    certutil -repairstore my "<thumbprint>"

    Example:
     
    certutil -repairstore my "00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f"

    Here "my" is the Personal store; if the certificate is in the Web Hosting store, use WebHosting instead of my. If successful, the response will be "CertUtil: -repairstore command completed successfully", and the certificate's General tab will report that you have a private key that corresponds to this certificate.

 

NOTE: certutil -repairstore can only re-link a private key that already exists in a key container on this server, which is the case for a key generated here by a Certificate Signing Request. A key delivered by Cloudflare in the .zip is in no such container, so in that case import the .pfx built above instead. If neither is possible because of the technical implementation on the IIS server, the certificate will need to be replaced via CSR: create a new Certificate Signing Request (CSR) on the server, then send the CSR to the appropriate technical person for processing and issuance.

 

INSTALL the Certificate


  1. Assign or Bind the certificate to your website

    In Internet Information Services (IIS) Manager under Connections, expand your server’s name, expand Sites, and then select the site that you want to secure with your SSL Certificate.

  2. In the Actions menu under Edit Site, click Bindings


  3. In the Site Binding window, click Add


  4. In the Add Site Bindings window, enter the following information and then click OK

    Type: In the dropdown list, select https
    IP Address: In the dropdown list, select All Unassigned
    Port: Enter 443
    Host name: Enter the site's host name (required if you use SNI in the next step)
    SSL Certificate: In the dropdown list, select the friendly name of the certificate you just installed



  5. [OPTIONAL] Configure the binding to use Server Name Indication (SNI)

    Check the box that states Require Server Name Indication and make sure the Host name field is filled in. This is required if you have multiple sites using SSL bound to the same IP address and port, because HTTP.sys then selects the certificate by the host name the client sends in the TLS handshake.



  6. Your Origin CA SSL certificate is now installed, and your website is configured to accept secure connections. Origin CA certificates are trusted only by Cloudflare's edge, so a browser pointed straight at the origin will show a trust warning; test through the proxied hostname instead, and set the zone's SSL/TLS encryption mode to Full (strict) so that the edge actually validates the origin certificate rather than accepting any certificate.
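The whole install-and-bind procedure above, done from PowerShell as an added example (these are not the article's own steps or Cloudflare's code): it imports the .pfx into the machine's Web Hosting store, which installs the key with the certificate so certutil -repairstore is only tried as a fallback; imports the Cloudflare root; verifies that the chain builds to that root and that the certificate covers the host name; and creates the SNI https binding. It needs the WebAdministration and PKI modules (present on a server with IIS), an elevated prompt, and the file names, site name and host name shown, all of which are assumptions.

```powershell
# Added example, not part of the original article. Run from an elevated prompt.
Import-Module WebAdministration

$PfxPath    = 'C:\certs\example.com.pfx'          # built from the .pem (assumed name)
$RootCaPath = 'C:\certs\origin_ca_rsa_root.pem'   # Cloudflare Origin CA root (assumed name)
$SiteName   = 'Default Web Site'                  # assumed site name
$HostName   = 'www.example.com'                   # assumed; must match a SAN in the origin certificate

# 1. Import the PFX into the machine Web Hosting store. Import-PfxCertificate keeps
#    the key non-exportable by default, and because the PFX carries the key no
#    certutil -repairstore step is normally needed.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\WebHosting' -Password $pfxPassword
if (-not $cert.HasPrivateKey) {
    # Fallback for a certificate whose key lives in a container on this server
    # (a CSR made here): ask Windows to re-link the container by public key.
    & certutil -repairstore WebHosting $cert.Thumbprint | Out-Null
    $cert = Get-Item "Cert:\LocalMachine\WebHosting\$($cert.Thumbprint)"
    if (-not $cert.HasPrivateKey) { throw 'No private key for this certificate is present on this server' }
}

# 2. Import the Cloudflare root as a trust anchor. Everything in Root is trusted by
#    every application on this machine, so compare the printed thumbprint with
#    the value Cloudflare publishes and only run this on the origin server.
$root = Import-Certificate -FilePath $RootCaPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Installed root '$($root.Subject)' with thumbprint $($root.Thumbprint)"

# 3. Check that the chain builds and ends at the root just imported. Revocation
#    checking is skipped here because this is a chain-shape check, not a policy decision.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    throw "Chain did not build: $(($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')"
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    throw "Chain terminates at '$($chainRoot.Subject)', not at the root just imported"
}

# 4. Check that the certificate actually covers the host name (exact or wildcard SAN).
#    DnsNameList is the SAN list the Certificate provider exposes on X509Certificate2.
$wildcard = '*.' + ($HostName -replace '^[^.]+\.', '')
$sans = @($cert.DnsNameList | ForEach-Object Unicode)
if ($sans -notcontains $HostName -and $sans -notcontains $wildcard) {
    throw "Certificate SANs ($($sans -join ', ')) do not cover $HostName"
}

# 5. Create the https binding with SNI (SslFlags 1) and attach the certificate to it.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443 -HostHeader $HostName)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' -HostHeader $HostName -SslFlags 1
}
$sslBinding = "IIS:\SslBindings\!443!$HostName"
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item -Path $sslBinding -Value $cert -SSLFlags 1 | Out-Null

# 6. Show the binding as HTTP.sys sees it; the certificate hash should be $cert.Thumbprint.
& netsh http show sslcert hostnameport="${HostName}:443"
```

Step 4 is the check most often missed when a certificate is installed by hand: IIS lets you bind any certificate to any host name, and the mismatch only surfaces when Cloudflare's edge, running Full (strict), refuses to connect to the origin.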