SSL Certificates and Front-of-Site Services Like Cloudflare
Nicole Brown
Many website owners add a third-party service in front of their website to guard against malware, filter harmful traffic or improve performance. These services are genuinely useful, and they are widely used for good reason. They also change something that is easy to overlook, which is the SSL Certificate that visitors actually see.
When a service sits in front of your website, it becomes the first point of contact for every visitor. That has a direct effect on which SSL Certificate is presented to them, and it is worth understanding before and after you purchase an SSL Certificate of your own.
Reasons Website Owners Use Front-of-Site Protection Services
Services such as Cloudflare, along with similar website protection and content delivery services, sit between your visitors and your server. They can block malware, filter out harmful requests, absorb large attacks and cache content so that pages load faster around the world.
Many of these services also manage your Domain Name System (DNS) records and give you a central place to control how traffic reaches your website. The protection and performance benefits are real, which is why so many businesses choose to use them.
The Path Visitors Take to Reach Your Website
To protect and accelerate your website, these services need your visitor traffic to pass through them. This is usually arranged by changing your Domain Name System (DNS) records so that requests are directed to the service first, rather than straight to your server.
Once that is in place, the service answers each visitor and completes the secure connection with them on your behalf. Your own server then sits behind the service. The visitor is talking to the service first, not to your server directly, and that single fact determines which SSL Certificate they see.
The Free SSL Certificate Included with These Services
Because the service now answers visitors directly, it needs an SSL Certificate of its own to secure those connections. Most of these services provide one free of charge and apply it automatically at their edge.
The SSL Certificate they provide is normally a Domain Validated (DV) one. It confirms control of the domain and encrypts the connection, but it carries no verified details about the organization behind the website. Since the service is what visitors reach first, this is the SSL Certificate their browser receives.
The Effect on an SSL Certificate You Have Purchased
If you have purchased an SSL Certificate and installed it on your server, it remains installed and continues to work. Nothing about the service removes it or makes it invalid. It still secures your server, and it is still presented on the connection between the service and your server.
The change is what visitors receive. Because they reach the service first, their browser is shown the service's SSL Certificate, not the one on your server, unless you also apply your purchased SSL Certificate to that service.
This matters most with an Organization Validated (OV) or Extended Validation (EV) SSL Certificate. The value of those products is the verified organization identity recorded inside them. If the service presents its own free Domain Validated (DV) SSL Certificate instead, that verified identity is not the one shown to your visitors.
Important: A purchased SSL Certificate stays valid and installed on your server, but visitors will keep receiving the front-of-site service's own SSL Certificate until you also apply your purchased SSL Certificate to that service.
Closing the gap is straightforward once you know it exists, and it is handled in the settings of the service itself.
Applying Your SSL Certificate to the Intermediary Service
To have visitors receive your purchased SSL Certificate, you apply it to the front-of-site service as well as your server. Most of these services allow you to upload your own SSL Certificate, so that it becomes the one presented to visitors rather than the free option.
The exact steps, and whether custom SSL Certificate upload is included on your current plan, vary from one service to another, so it is worth checking the options on the service you use. Keeping the SSL Certificate on your server as well is still recommended, because it secures the connection between the service and your server.
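One way to confirm which SSL Certificate visitors actually receive, before and after uploading your own to the service. This is an added example, not code from the original article or from any service it mentions; the function names are hypothetical, the hostname and PEM path are supplied by you, and the sample dictionaries are constructed.

```python
import hashlib
import socket
import ssl
import sys


def fetch_presented_cert(host, port=443, timeout=5):
    """Return (parsed, der) for the certificate a visitor's browser receives."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def name_fields(rdns):
    """Flatten the nested tuples getpeercert() uses for subject and issuer."""
    return {key: value for rdn in rdns for key, value in rdn}


def edge_report(parsed, der, purchased_pem):
    """Compare the presented certificate with the purchased leaf (PEM, leaf only)."""
    subject = name_fields(parsed.get("subject", ()))
    issuer = name_fields(parsed.get("issuer", ()))
    purchased_der = ssl.PEM_cert_to_DER_cert(purchased_pem)
    return {
        "common_name": subject.get("commonName"),
        # A DV certificate has no organizationName; OV and EV certificates do.
        "organization": subject.get("organizationName"),
        "issuer": issuer.get("organizationName"),
        "sha256": hashlib.sha256(der).hexdigest(),
        "is_purchased_cert": der == purchased_der,
    }


# Constructed samples in the shape ssl.getpeercert() returns; not real certificates.
SAMPLE_EDGE_DV = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Constructed Edge CA"),),),
}
SAMPLE_PURCHASED_OV = {
    "subject": ((("organizationName", "Example Ltd"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Constructed Public CA"),),),
}

if __name__ == "__main__":
    # Usage: python check_edge_cert.py <hostname> <purchased-leaf.pem>
    parsed, der = fetch_presented_cert(sys.argv[1])
    with open(sys.argv[2]) as fh:
        print(edge_report(parsed, der, fh.read()))
```

A result with `organization` set to `None` and `is_purchased_cert` set to `False` is the situation described above: the service's own DV SSL Certificate is what visitors receive.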
Getting the Full Value from a Verified SSL Certificate
The verified identity in an Organization Validated (OV) or Extended Validation (EV) SSL Certificate only reaches your visitors if your SSL Certificate is the one presented to them. When a front-of-site service is in use, that means applying your SSL Certificate to the service so its details are what visitors receive.
The verified identity is no longer shown as a green address bar, as it was in the past. It now lives in the SSL Certificate details, which visitors and their browsers can inspect, so it matters that the SSL Certificate on show is the one you paid for rather than a free replacement.
SSL Certificates provided through Trustico® can be applied both on your server and on the service in front of it, so that the protection you have chosen and the identity you have verified work together rather than one hiding the other.