Cloudflare SSL and Plesk

Cloudflare SSL and Plesk

Here we are, it's my first technical post!

Today I decided to change my SSL certificate from a "letsencrypt" to a "Cloudflare Origin Certificate".

But what are the benefits?

LetsEncrypt.org Logo

There are many different types of certificates, in most cases, people pay a fee for a year and get an SSL Certificate provided to them in more formats than you can shake a stick at. Letsencrypt.org and Cloudflare both provide free alternatives. They're generally classed as "less secure" than conventional methods, but provide security and that nice shiny padlock to your domains.

Most people that use Cloudflare already see that nice shiny padlock, and that's because your traffic between your browser and Cloudflare's servers is secure, but security is only as good as the weakest link, so a man in the middle attack can still occur between CF and your own web domain.

There are plenty of posts explaining why Cloudflare or why Letsencrypt, but that goes beyond my knowledge. Basically, That padlock is false security without serverside certificates.

Most people using Cloudflare use the flexible SSL for all different purposes, but I wanted to go over the top and protect my viewers from source to browser, and many people use Plesk and get lost when it starts asking for CRT files.

So let the tutorial commence. This tutorial is from April 2022, so things change, usually Plesk (like whats this onyx change??? someone plays too much pokémon).


First, let's go to our Plesk, and select a domain we want to secure!

I've selected my domain neonlight.studio as it's currently being revamped.

From the picture above, the domain has no certificates enabled at all, that just won't do.

Click the "SSL/TSL Certificates" link and look for the "Download or remove existing certificates" or "Manage certificates" links.

this was at the bottom of the page for me.

 Next, select "Add SSL/TSL Certificate".

Certificate Name: Cloudflare SSL (you can name this anything, it identifies what certificate it is TO YOU).

Bits: 4096
Country: Your country
State or province: for you to complete
City: for you to complete
Organisation Name: NeonLight Studios (you can put your company or group or objective name)
Domain Name: neonlight.studio (This is the main domain you're certificating)
email: a valid email address

Scroll past the "Upload the certificate files" section to "Upload the certificate as text"

In a new tab/browser open Cloudflare's site. We're assuming your DNS is already set up. Select your domain name and then select SSL/TLS on the left sidebar.

This should now take you to the "Overview" in the submenu of "SSL/TLS"
from there we can see by default it's set to Flexible. We're going to select Full (strict). It's best to change this at the end as it may prevent people from viewing your site until the certificate is in place. I'll be changing it now as we don't currently have any visitors on that domain. There is no "apply" or "save" the change is almost immediately after you put the check (or circle) on Full(Strict).

Select Origin Server on the left, followed by "Create Certificate".

Keep "Generate Private key and CSR with Cloudflare" and the hostnames should be prepopulated with *.yourdomain.ext" and "yourdomain.ext" the * is a wildcard meaning all subdomains. then click Create at the bottom.

This is where the back and forth begins. Keep Key format as PEM.

Copy everything from "Origin Certificate" to "Certificate (*.crt) " on Plesk.

Copy the "Private key" to "Private key (*.key)" on Plesk.

Next, we need the CA Certificate, which is found on this page (click here)
Scroll down to Step 4. and download the RSA PEM. Open the file with a text editor, even notepad will work and select everything inside.

Paste the entire contents into "CA certificate (*-ca.crt)" and click Upload Certificate. That's the certificate added, but we need to tell the domain (and any subdomains) to use it. Click on your domain name at the top.

Click the Hosting & DNS option at the top, and select Hosting Settings.

Scroll down to Security and in the Certificate, select "Cloudflare SSL" (or the name you gave it)

Click Apply, and you're done!

If you did NOT select "Strict" on Cloudflare before, now is the time to do it!

I hope this helps someone out there struggling with Plesk.

Till Next Time!