Tags: ssl, ssl-certificate, cloudflare, cdn

Should I share my website's SSL private key with CloudFlare to use its CDN service?


Assume I've already hosted an HTTPS website. The SSL certificate was obtained from something like Let's Encrypt.

If I want to use CloudFlare's CDN service, should I share my SSL private key with it? For example, I want CloudFlare to cache my website's index page, so that users' requests for the index page won't go to my origin server again and again. Instead, CloudFlare (acting as a middle man) will serve the page to them directly.

However, if CloudFlare doesn't know my SSL private key, it cannot decrypt the HTTPS traffic (which contains information like the page URL the user is requesting), so it actually doesn't know what the user is requesting.

So how does CloudFlare act as a middle man like magic? It can't really be the case that you should share your SSL private key with it, right? Because if you do, you are essentially trusting CloudFlare not to do bad things (like serving a modified page). CloudFlare could basically do anything on behalf of your website. This sounds risky.


Edited: If there are actually 2 SSL connections (one between the user and CF, the other between CF and the origin server), how can CF get a certificate that is issued to my website? For example, my website is https://www.abcabc.com. After the user types the URL in his browser and hits Enter, the browser will get a certificate from CF and begin the SSL handshake with CF. But wait, how can CF possess a certificate that is issued to www.abcabc.com or *.abcabc.com?


Solution

  • should I share my SSL private key with it

    You don't have to, though you could if you want, with their Custom Certificates, but it's very expensive and only meant for enterprise users or whatever use case can't accept a third-party cert.

  • if CloudFlare doesn't know my SSL private key, it cannot decrypt the HTTPS traffic

    Cloudflare doesn't need to care about your origin server's private key (unless you use the custom cert feature), since your visitor connects to Cloudflare using Cloudflare's cert.

  • how does CloudFlare act as a middle man like magic

    Once you verify your domain ownership, Cloudflare will generate a cert for your domain through LetsEncrypt or other partners. Cloudflare is authorized to do this because the CAs will see that your domain's NS records now indeed point to Cloudflare's nameservers. It's similar (though on a larger scale) to how Let's Encrypt will issue you a cert once certbot running on your server passes the challenge.

    Thus, Cloudflare can now handle the TLS connection between your visitor and their server, decrypt and inspect it, then re-encrypt it with your origin server's cert. Fun fact: unless you use Full Strict mode, the origin server doesn't need to have a valid, publicly trusted cert for the domain (or even any encryption, if you use Off mode). This is usually for legacy situations where the origin server can't use a valid cert from a public CA, but I've seen plenty of domains on Cloudflare pointed to Google DNS IPs, which in turn made them DNS-over-HTTPS endpoints, likely in an attempt to evade censorship. That trick works because, while normally most origin servers will reject requests with an invalid SNI, the Google DNS DoH endpoint happily accepts any SNI.

  • essentially trust CloudFlare that it won't do bad things

    Regardless of Custom Certificates and TLS mode, you always have to trust Cloudflare if you use them, since they can at any time generate a cert for your domain, and it will be trusted since your domain points to their IP.

  • sounds risky

    That's how most DDoS protection works: they have to handle your traffic and thus have complete control of it. Even CAs are essentially a chain of trust themselves.
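The second hop the answer describes (Cloudflare to origin) and the difference between Full and Full (strict), as an added Go example that is not from the question, the answer or Cloudflare: it mints a throwaway self-signed origin certificate, then runs the edge-to-origin handshake in memory, with the origin refusing any unexpected SNI as the answer says most origins do. The function names (originCert, edgeToOrigin) are illustrative; www.abcabc.com is the question's own example hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// originCert mints a self-signed certificate for host (constructed here, no public CA involved): the kind of origin cert Full tolerates but Full (strict) rejects unless its issuer is explicitly trusted.
func originCert(host string) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // a trust store holding only this origin's own cert
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// edgeToOrigin runs one in-memory handshake for the Cloudflare-to-origin hop; the origin refuses any SNI other
// than host (the "reject invalid SNI" behaviour the answer mentions). strict=true is Full (strict): the chain must
// verify against roots and match sni. strict=false is Full: encrypted, any cert accepted. TLS 1.2 suits net.Pipe's synchronous writes.
func edgeToOrigin(cert tls.Certificate, host, sni string, roots *x509.CertPool, strict bool) error {
	origin := &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if h.ServerName != host {
			return nil, errors.New("unexpected SNI: " + h.ServerName)
		}
		return &cert, nil
	}}
	edge := &tls.Config{ServerName: sni, RootCAs: roots, InsecureSkipVerify: !strict, MaxVersion: tls.VersionTLS12}
	srvEnd, cliEnd := net.Pipe()
	go func() { tls.Server(srvEnd, origin).Handshake(); srvEnd.Close() }()
	defer cliEnd.Close()
	return tls.Client(cliEnd, edge).Handshake()
}
```

Against the self-signed origin, strict=false succeeds, strict=true with nil roots (the public trust store) fails, and strict=true with the returned pool succeeds; a handshake carrying a different SNI is refused by the origin in any mode.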