Using Cloudflare Origin Certificates with Azure App Services

Corsiva Lab
4 min readMar 14, 2018


Cloudflare can be used by anyone with a website and their own domain, regardless of your choice of platform. It automatically optimises the delivery of your web pages so your visitors get the fastest page load times and the best performance. Furthermore, it blocks threats and limit abusive bots and crawlers from wasting your bandwidth and server resources. As a result, Cloudflare-powered websites see a significant improvement in performance and a decrease in spam and other attacks.

However, while Cloudflare ensures you have TLS between the browser and their servers, they are more permissive when it comes to TLS between their servers and your origin server (in our case Azure App Service).

Ideally, what we want is Full SSL (Strict) where Cloudflare communicates with your origin server over HTTPS, using an SSL certificate issued by a valid Certificate Authority. Luckily, Cloudflare provides you with the ability to generate a Cloudflare signed certificate for your origin that complies with the Strict policy which is precisely what we will be teaching you today.

Step-By-Step Guide

1) Go to and download the installer (for Windows only).

2) Take note of the installation location as all files generated and saved later on will go into folder.

3) Head over to Cloudflare and under the appropriate domain, create a certificate under ‘Crypto’ and ‘Origin Certificates’.

4) Ensure your private key is RSA and the domain (or subdomains) that you’re installing it on is inside the hostnames.

5) Click ‘Next’ and save the contents under ‘Origin Certificate’ on a text editor. Ensure it is saved as .pem with ‘All Files’ type and ‘ANSI’ encoding. E.g. example.pem

6) Do the same for the contents under ‘Private Key’ but save it as .key instead. E.g. example.key

7) Move both the .key and .pem files to the SSL folder installed in Step 2 and run the .exe file in the ‘bin’ folder. A command prompt should appear.

8) Type in the command ‘pkcs12 -export -inkey corsiva.key -in corsiva.pem -name corsiva -out corsiva.pfx (bolded portions to be changed accordingly).

9) A prompt will appear to enter export password. Type in your desired password and retype it again to verify.

10) A .pfx file will be generated in the ‘bin’ folder of the SSL folder.

11) Head over to Azure App Service, choose the appropriate domain name > ‘SSL Certificates’ > ‘Upload Certificate’.

12) Choose ‘Private’ > Upload and key in the password in Step 9.

13) Under ‘SSL Certificates’, click ‘Add Binding’ under ‘SSL Bindings’. Select your hostname and certificate. Submit and give it some time to process.

14) Head over to Cloudflare and under ‘DNS’, ensure the host has an orange cloud icon. Give it some time for the cache to clear and it should work perfectly afterwards.

If you have any questions, don’t hesitate to contact us! As a web development company as well as a web design company, Corsiva Lab is equipped with the expertise to help you build and design a website that is user-friendly, attractive and interactive. Additionally, as a digital marketing agency, we will be able to help you increase your website’s online visibility and Google rankings. If you would like more information regarding web design and development or digital marketing, do head over to our website and drop our friendly web design Singapore team a message.



Corsiva Lab

Founded by a team of young entrepreneurs, Corsiva Lab is Singapore’s very own creative web design and digital marketing agency.