Cloudflare Origin Certificates and Azure App Services

Azure

Cloudflare Logo

I recently made the move to Cloudflare and have been talking to anyone who will listen about how great it is, both for simplicity and nerdy security features. Yes, even after the media sensation that was #CloudBleed.

One of the things I wanted to do once I moved to Cloudflare was ensure that I had TLS across the entire pipeline. Whilst Cloudflare will ensure you have TLS between the browser and their servers, but they’re a bit more permissive when it comes to TLS between their servers and your origin server (in my case Azure App Service). You’ll see these kinds of images floating around explaining this:

Cloudflare Flexible SSL

Flexible: Where Cloudflare communicates with your origin server over HTTP

Cloudflare Flexible SSL

Full SSL: Where Cloudflare communicates with your origin server over HTTPS, using any old SSL certificate

Cloudflare Flexible SSL

Full SSL (Strict): Where Cloudflare communicates with your origin server over HTTPS, using an SSL certificate issued by a valid Certificate Authority

Image Source: Cloudflare

So, ideally what we want is Full SSL (Strict). Luckily Cloudflare is awesome and provides you with the ability to generate a Cloudflare signed certificate for your origin within the Crypto section of their portal, that complies with the Strict policy. This is included in their free tier. However, for the uninitiated this can be tricky to use, especially if you’re in the Windows world and need a pfx or a format not supplied by Cloudflare.

It’s simple enough once you know how though, so let’s create a pfx for use within Azure App Service, using openssl. This will work on both your Linux distribution of choice and WSL (Windows Subsystem for Linux, otherwise known as Bash on Ununtu on Windows).

Creating an Origin Certificate

You’ll find the Origin Certificates section in the Crypto section for your site. If you click 'Create Certificate' you’ll get the following:

Cloudflare Origin Certificate

We’ll leave the defaults and progress to the next step. I’m not going to preach here about certificate lifetime lengths.

Next, we’ll be presented with our Origin Certificate and Private Key. We’ll leave the defaults with a key format of PEM. Copy the certificate and key to your text editor of choice and save them with a file extension of .pem and .key respectively. These certificates will be in the format of -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. We like these, make sure to copy them across too.

Once you’re done, press okay to complete creation, and confirm the certificate is now in the list of Origin Certificates.

Creating the PFX

Now we want to create a PFX from our PEM and Key files, so that we can use the certificate within Azure. So, let’s navigate to the directory containing these two files and spin up openssl.

If you’re using WSL, you can access your drives from the /mnt directory.

And use the command (where my origin certs where saved as cloudflare-test):

openssl pkcs12 -export -inkey cloudflare-test.key -in cloudflare-test.pem -name cloudflare-test -out cloudflare-test.pfx

This will create our pfx, which we can then upload to the SSL Certificates section of our Azure App Service. Job done!