How to Set Up Cloudflare SSL
Learning how to set up Cloudflare SSL is one of the fastest ways to improve website security, reduce browser warnings, and simplify certificate management.
The process is straightforward, but the SSL mode you choose can affect both security and how your origin server communicates with Cloudflare.
This guide explains the setup options, the recommended configuration for most sites, and the common mistakes that cause loops, mixed content, or insecure origin connections.
What Cloudflare SSL does
Cloudflare sits between your visitors and your web server as a reverse proxy.
When SSL is enabled, Cloudflare can encrypt traffic from the browser to Cloudflare and, depending on your settings, from Cloudflare to your origin server as well.
That means Cloudflare can handle certificate presentation at the edge while also helping you secure the connection behind the scenes.
For most websites, this reduces operational overhead compared with managing certificates manually on every server.
Before you begin
Before you configure Cloudflare SSL, make sure you have access to:
- A Cloudflare account with your domain added
- Your domain’s DNS records
- Access to the origin server or hosting panel
- A valid origin certificate or the ability to issue one
You should also confirm that your nameservers already point to Cloudflare.
If your DNS is not active in Cloudflare, SSL settings in the dashboard will not affect live traffic.
Choose the right SSL mode
Cloudflare offers several SSL/TLS encryption modes, and this choice is the most important part of the setup.
The wrong mode can either leave part of the connection unencrypted or cause redirect errors.
Flexible mode
Flexible encrypts traffic only between the visitor and Cloudflare.
Cloudflare connects to your origin over HTTP, not HTTPS.
This is easy to turn on, but it is not recommended for production because the back-end connection remains unencrypted.
Full mode
Full mode encrypts traffic between the visitor and Cloudflare, and between Cloudflare and your origin server.
However, Cloudflare does not verify whether the origin certificate is valid.
This is better than Flexible, but it still allows certificate trust issues on the origin side.
Full (strict) mode
Full (strict) is the recommended setting for most websites.
It encrypts both legs of the connection and verifies that your origin certificate is valid and trusted.
You can use a certificate issued by a public certificate authority or a Cloudflare Origin CA certificate.
How to set up Cloudflare SSL step by step
1. Open the SSL/TLS settings
Sign in to Cloudflare, select your domain, and open the SSL/TLS section in the dashboard.
This is where you control the encryption mode and related options.
2. Select Full (strict)
In the SSL/TLS overview, choose Full (strict) if your origin already has a valid certificate.
If your server does not yet have one, install an origin certificate first and then switch to Full (strict).
3. Install an origin certificate if needed
If your hosting provider does not already supply a trusted certificate, Cloudflare Origin CA is a reliable option.
Create the certificate in Cloudflare, download the certificate and private key, and install them on your web server or in your hosting control panel.
Cloudflare Origin CA certificates are trusted by Cloudflare but not by browsers directly.
That is fine because visitors connect to Cloudflare’s edge certificates, not your origin certificate.
4. Verify DNS records are proxied
In the DNS panel, make sure your web records use the orange cloud proxy icon.
If the record is grey clouded, traffic bypasses Cloudflare and your SSL settings will not protect that hostname.
5. Enable automatic HTTPS redirects
Cloudflare offers options such as Always Use HTTPS and Automatic HTTPS Rewrites.
These help redirect users from HTTP to HTTPS and reduce mixed-content issues on pages that still reference insecure assets.
6. Check your origin server configuration
Your web server should accept HTTPS connections on port 443 and serve the correct certificate for the hostname.
Common web servers such as Nginx, Apache, LiteSpeed, and IIS all support this setup, but the certificate path and virtual host configuration differ.
Recommended settings for most sites
For a standard WordPress, Shopify-like custom app, or static site behind Cloudflare, this setup is usually the safest:
- SSL mode: Full (strict)
- Edge certificate: Cloudflare-managed Universal SSL
- Origin certificate: Cloudflare Origin CA or a valid public certificate
- Always Use HTTPS: enabled
- Automatic HTTPS Rewrites: enabled where appropriate
These settings provide end-to-end encryption and reduce the chance of browser warnings or certificate mismatch errors.
Common problems when configuring Cloudflare SSL
Too many redirects
This often happens when both Cloudflare and the origin server force HTTPS without coordination.
Check your server rules, application settings, and Cloudflare redirects so they do not conflict.
Mixed content warnings
Mixed content occurs when a page loads over HTTPS but still requests images, scripts, or stylesheets over HTTP.
Update hard-coded links in your site content, theme files, or app templates, and use HTTPS URLs wherever possible.
Origin certificate errors
If Full (strict) fails, your origin certificate may be expired, installed on the wrong hostname, or missing an intermediate chain.
Reinstall the certificate and confirm the server name matches the domain being requested.
Browser shows a Cloudflare error page
Errors such as 525, 526, or 525 SSL handshake failures indicate a problem with the connection from Cloudflare to the origin.
Check whether your origin server is online, whether HTTPS is enabled on port 443, and whether the certificate is valid.
How to confirm SSL is working correctly
After setup, test the site in a browser and look for the padlock icon and an HTTPS URL.
Then confirm the page source and linked assets are also using secure URLs where needed.
You can also use external tools such as SSL Labs, browser developer tools, and Cloudflare’s own analytics or event logs to inspect certificate status and connection behavior.
- Check the certificate issuer in the browser
- Confirm the domain matches the certificate name
- Inspect redirects from HTTP to HTTPS
- Review any console warnings for insecure assets
When to use a Cloudflare Origin CA certificate
A Cloudflare Origin CA certificate is ideal when Cloudflare is always in front of your origin.
It is easy to issue, lasts a long time, and works well with Full (strict).
This is especially useful for VPS hosting, dedicated servers, and custom infrastructure where you want to avoid frequent renewals.
Do not use an Origin CA certificate as a browser-facing certificate.
It is designed for server-to-server encryption between Cloudflare and your origin only.
Security best practices after setup
Once you know how to set up Cloudflare SSL, strengthen the rest of the configuration so the site stays secure over time.
- Use HSTS only after HTTPS is stable across the site
- Keep origin certificates renewed or monitored
- Protect origin IPs so users cannot bypass Cloudflare
- Limit direct access to your server firewall
- Review application URLs after migrations or theme changes
These practices help preserve trust, reduce downtime, and prevent attackers from reaching the origin directly.
Why the setup matters for SEO and user trust
HTTPS is a standard ranking and trust signal because it protects data in transit and improves browser confidence.
A correct Cloudflare SSL setup also supports performance by allowing secure delivery through Cloudflare’s global network, which can improve responsiveness for users in different regions.
More importantly, a properly configured SSL stack reduces the risk of warning pages, broken redirects, and asset failures that can harm both engagement and crawlability.