Cloudflare Origin Certificates

Cloudflare automatically provides free client-facing certificates for your domain, even on their free plan. In addition, they provide free Origin Certificates to encrypt the connection between Cloudflare and your origin Moxie.Build server. Use this article if Cloudflare will connect to inbound open ports on your Moxie.Build server.

First, Consider using Cloudflared Tunnel instead

Cloudflared Tunnel exposes applications running on your local web server, on any network with an internet connection, through an outbound tunnel that connects directly to Cloudflare's edge network, so no inbound firewall rules need to be configured. In most cases, this is the preferred method of connecting.

Requirements

Create Certificate

  1. Log in to Cloudflare admin and navigate to your domain
  2. Navigate to SSL/TLS and then the sub-tab of Origin Server
  3. Click Create Certificate
  4. Let Cloudflare generate a private key and a CSR
  5. Private key type: RSA
  6. The list of hostnames should be good as is, but if additional domains point to the same Moxie.Build server, including any behind the Moxie.Build Relay, list those as well
  7. Certificate Validity defaults to 15 years, which is fine because you can delete these certificates in Cloudflare to invalidate them when needed
  8. Click Next
  9. Copy the text from the CSR into a file such as C:\Temp\domain.com.csr
  10. Copy the text from the private key (PEM) into a file such as C:\Temp\domain.com.pem

Create PFX File

  1. Open a command prompt or PowerShell on your workstation in the folder OpenSSL.exe is in
  2. .\openssl.exe pkcs12 -export -out C:\Temp\domain.com.pfx -inkey C:\Temp\domain.com.pem -in C:\Temp\domain.com.csr
  3. Enter and confirm a password that will be used to protect this .pfx file
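
The same export, as an added PowerShell example that is not part of this article: it checks both input files before calling OpenSSL, passes the password through an environment variable instead of the command line, and then loads the finished .pfx to confirm the private key is inside. Note that `openssl pkcs12 -export` takes a certificate as `-in`; the file named domain.com.csr above must therefore hold the certificate text Cloudflare displayed (a `-----BEGIN CERTIFICATE-----` block), which the script verifies first. File names follow the article; the `.\openssl.exe` location and the .NET version (EphemeralKeySet needs .NET Framework 4.7.2+ or PowerShell 7) are assumptions.

```powershell
# Added example (not from the Moxie.Build article): build and verify the .pfx file.
# Assumptions: openssl.exe is in the current folder as in the article, and the
# PowerShell host runs on .NET Framework 4.7.2+ or PowerShell 7 (EphemeralKeySet).
$OpenSsl  = '.\openssl.exe'
$KeyFile  = 'C:\Temp\domain.com.pem'   # private key (PEM) copied from Cloudflare
$CertFile = 'C:\Temp\domain.com.csr'   # certificate text copied from Cloudflare, saved under the article's file name
$PfxFile  = 'C:\Temp\domain.com.pfx'

# pkcs12 -export needs a certificate as -in. A signing request (-----BEGIN CERTIFICATE REQUEST-----)
# makes OpenSSL fail with "unable to load certificates", so check the PEM headers up front.
$certLine = Get-Content -Path $CertFile -TotalCount 1
if ($certLine -ne '-----BEGIN CERTIFICATE-----') {
    throw "Expected a PEM certificate in $CertFile but its first line is '$certLine'."
}
$keyLine = Get-Content -Path $KeyFile -TotalCount 1
if ($keyLine -notmatch '^-----BEGIN (RSA )?PRIVATE KEY-----$') {
    throw "Expected a PEM private key in $KeyFile but its first line is '$keyLine'."
}

# Prompt once for the PFX password and hand it to OpenSSL via -passout env:NAME so it
# never appears on the command line or in process listings.
$Password = Read-Host -Prompt 'Password to protect the .pfx file' -AsSecureString
$env:PFX_PASS = [System.Net.NetworkCredential]::new('', $Password).Password
try {
    & $OpenSsl pkcs12 -export -out $PfxFile -inkey $KeyFile -in $CertFile -passout env:PFX_PASS
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 -export failed with exit code $LASTEXITCODE" }
}
finally {
    Remove-Item -Path Env:\PFX_PASS -ErrorAction SilentlyContinue
}

# Verify: load the PFX without persisting the key on this workstation, confirm the
# private key is present, and show the fields you will compare against certmgr later.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxFile, $Password, $flags)
if (-not $cert.HasPrivateKey) { throw "$PfxFile does not contain the private key" }

$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer        # should be Cloudflare's origin CA, not a public CA
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint    # note this down; it identifies the certificate on the server
    SANs       = $sanText            # every hostname listed in step 6 should appear here
}
$cert.Dispose()
```

The thumbprint and SAN list printed at the end are worth keeping with your change record: the thumbprint is how you confirm on the server that the right certificate was imported, and the SAN list tells you whether any hostname was missed in step 6 before the file leaves your workstation.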

Install on Server

  1. Copy the pfx file to a location on the server such as C:\Temp\domain.com.pfx
  2. If the Moxie.Build service this is being installed for is running, stop the service
    1. Right click on Moxie.exe, Run as Administrator, click the Stop button
    2. Close that window
  3. Assuming it is in place (it should be), temporarily remove the Deny log on locally local security policy from the user account that runs the Moxie.Build service
    1. If you are not familiar with this topic, see the notes in the More Info window, opened by clicking the note under Run Service as this User in the Moxie.Build Server Setup window when you run Moxie.exe. Be sure to close that window when you are done reading, before you move to step 4 below
    2. If the user is a member of a group that the Moxie.Build security policies are applied to (a good idea), remove it from that group and add it to the Users group
    3. If the security policies are applied to the user directly, remove that user from this local security policy
  4. Hold Shift as you right click on Moxie.exe and choose Run as different user
  5. Enter the username and password of the user account you use to run this Moxie.Build service
  6. Click on the link to Cert Mgr beside the Certificate Name field
  7. In the certmgr window, navigate to Personal
  8. Click on the Action menu, All Tasks, Import
  9. In the Certificate Import Wizard that opened, click Next
  10. Select your pfx file as above. Note that the File Type dropdown needs to be changed to Personal Information Exchange to see it. Then click Next
  11. Enter the password you set when you created the PFX file
  12. Leave the import options as they are by default. Click Next
  13. Leave the location as it defaults to Personal and click Next
  14. Click Finish, and assuming a message box pops up saying the import was successful, click OK
  15. Navigate to the Certificates sub-folder that now shows up under Personal in the certmgr window
  16. Double click on CloudFlare Origin Certificate, click on the Details tab, click on Edit Properties
  17. Enter the domain name in the Friendly name field and click OK
  18. Click OK to close the Certificate window
  19. Close the certmgr window
  20. Back in the Moxie.Build Server Setup window, enter the domain name as you entered it in the Friendly name above in the Certificate Name field and close the window
  21. Reverse the security policy / group membership from step 3 above
  22. Start the service
  23. Save or delete all copies of the .pfx, .pem, and .cer files according to your company's policy
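
Steps 6 through 19 above can also be done from a PowerShell window started as the service user (Shift + right click on PowerShell, Run as different user, once the Deny log on locally policy has been lifted as in step 3). This is an added example, not part of the article; it imports the .pfx into that user's Personal store with the same non-exportable default the wizard uses, sets the friendly name you will type into the Certificate Name field in step 20, and then checks the result. The PFX path and `$Domain` value are assumptions matching the article's file names.

```powershell
# Added example (not from the Moxie.Build article): certmgr steps 6-19 from PowerShell.
# Run in a PowerShell session started as the Moxie.Build service user, so that
# Cert:\CurrentUser\My is that user's Personal store.
$PfxFile = 'C:\Temp\domain.com.pfx'   # path the .pfx was copied to in step 1
$Domain  = 'domain.com'               # the value to enter in the Certificate Name field

"Importing into the Personal store of $env:USERDOMAIN\$env:USERNAME"
$Password = Read-Host -Prompt 'Password of the .pfx file' -AsSecureString

# Import into this user's Personal store. Without -Exportable the private key is marked
# non-exportable, which matches the wizard defaults left in place in step 12.
$imported = Import-PfxCertificate -FilePath $PfxFile -CertStoreLocation Cert:\CurrentUser\My -Password $Password

# Set the friendly name (step 17). Assigning FriendlyName on an item from the Cert: drive
# writes it back to the store.
$stored = Get-Item -Path "Cert:\CurrentUser\My\$($imported.Thumbprint)"
$stored.FriendlyName = $Domain

# Check: exactly one certificate carries this friendly name, it has its private key,
# and it is not expired. A second match would make the Certificate Name lookup ambiguous.
$found = @(Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.FriendlyName -eq $Domain })
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate with friendly name '$Domain' but found $($found.Count)"
}
$cert = $found[0]
if (-not $cert.HasPrivateKey)       { throw 'The imported certificate has no private key' }
if ($cert.NotAfter -lt (Get-Date))  { throw "The certificate expired on $($cert.NotAfter)" }

$cert | Select-Object FriendlyName, Subject, Issuer, NotAfter, Thumbprint, HasPrivateKey
# The .pfx copy in C:\Temp is still on disk: handle it as in step 23.
```

Compare the printed Thumbprint with the one recorded when the .pfx was built; if they differ, a different file was imported. Steps 21 and 22 (restoring the security policy or group membership and starting the service) still apply after the script runs.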

Final Changes on Cloudflare

  1. Navigate to SSL/TLS and then the first sub-tab of Overview
  2. Set the mode to Full
  3. Navigate to SSL/TLS and then the sub-tab of Origin Server
  4. Turn On Authenticated Origin Pulls
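
Once the mode is set to Full, Cloudflare will only connect to the origin over TLS, so it is worth confirming from a machine that can reach the origin directly that the server is actually presenting the imported certificate on its inbound port. The following is an added diagnostic, not part of the article: it opens a TLS connection with SNI set to the domain, reads the certificate the origin presents, and compares its thumbprint with the one noted in certmgr. The hostname, origin address, port and thumbprint placeholder are assumptions to fill in.

```powershell
# Added example (not from the Moxie.Build article): confirm the origin presents the
# Cloudflare Origin Certificate on its inbound port.
$ServerName         = 'domain.com'            # name on the certificate; sent as SNI
$OriginAddress      = 'domain.com'            # or the origin IP if the DNS record is proxied through Cloudflare
$Port               = 443                     # the inbound port Cloudflare connects to
$ExpectedThumbprint = 'PASTE-THUMBPRINT-HERE' # placeholder: value shown in certmgr or when the .pfx was built

# Cloudflare's origin CA is trusted by Cloudflare, not by Windows, so normal chain validation
# fails here. The callback accepts the handshake only so the presented certificate can be
# read; the thumbprint comparison below is the actual check. Never reuse this callback in
# application code.
$acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $true
}

$tcp = [System.Net.Sockets.TcpClient]::new($OriginAddress, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptForInspection)
    $ssl.AuthenticateAsClient($ServerName)
    $presented = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

    $sanExt  = $presented.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
    [pscustomobject]@{
        Protocol   = $ssl.SslProtocol
        Subject    = $presented.Subject
        Issuer     = $presented.Issuer
        NotAfter   = $presented.NotAfter
        Thumbprint = $presented.Thumbprint
        SANs       = $sanText
    }

    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($presented.Thumbprint -eq $expected) {
        'OK: the origin presents the expected Cloudflare Origin Certificate.'
    } else {
        Write-Warning 'The origin is presenting a different certificate than the one imported in certmgr.'
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

If the handshake fails outright, the service is not yet listening with the certificate (check that the Certificate Name matches the friendly name exactly and that the service was restarted). One further point for the mode setting: Full encrypts the Cloudflare-to-origin hop but does not validate the origin certificate, whereas Full (strict) does and accepts Origin CA certificates, so with this certificate in place the stricter setting is also available.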