The first time you see Edge Certificates, Client Certificates and Origin Server in the Cloudflare dashboard, it’s easy to get lost. But once you understand what Cloudflare actually does between you and your visitors, all three fall into place.
First: what Cloudflare does in the middle
Cloudflare is essentially a CDN + reverse proxy. When you put your domain behind Cloudflare and turn on the “orange cloud”, one key thing happens: your domain’s DNS no longer resolves to your server — it points to Cloudflare’s IPs.
So a visitor’s request goes from “direct” to “relayed”:
visitor ──→ Cloudflare edge node (the data center nearest them) ──→ your origin server
This middle layer brings the usual CDN benefits:
- Nearby access + caching: visitors connect to the closest edge node, and static content is served straight from cache — faster;
- Hiding and protecting the origin: visitors only ever see Cloudflare’s IPs; your real server IP stays hidden, which blocks direct DDoS and port scanning against it (provided the origin itself only accepts connections that arrive through Cloudflare);
- Edge protection: WAF, rate limiting and bot filtering all happen at the edge.
The trade-off: Cloudflare has to sit in the middle, decrypt the visitor’s HTTPS, then forward it to you. Because of this extra hop, HTTPS is no longer one end-to-end connection — it’s split into two, each with its own TLS handshake and its own certificate:
visitor browser ──TLS① (Edge certificate)── Cloudflare edge ──TLS② (Origin certificate)── your origin (Nginx)
- TLS①: the visitor only handshakes with Cloudflare, and sees the Edge certificate;
- TLS②: Cloudflare separately handshakes with your origin, using the Origin certificate;
- the SSL/TLS encryption mode in the dashboard (Flexible / Full / Full (strict)) defines exactly how the second hop is encrypted and whether the origin certificate is verified.
Hold on to this one idea — a single HTTPS connection split into two hops — and the three certificates become clear.
Edge Certificates
These cover TLS①: visitor browser ⇄ Cloudflare.
- They live on Cloudflare’s edge nodes — the lock and certificate a visitor sees in the address bar is this one;
- By default Cloudflare issues and renews them for free (Universal SSL); you don’t have to do anything;
- They are publicly trusted certs (signed by a CA browsers trust), because they face visitors directly.
The HTTPS your visitors see on blog.lddi.net is the Edge certificate at work.
Origin Server Certificates
These cover TLS②: Cloudflare ⇄ your origin server.
- Issued by Cloudflare, but installed on your own server (Nginx);
- Key trait: they only need to be trusted by Cloudflare (browsers don’t trust them, which is fine, since visitors never connect to the origin directly); valid for up to 15 years; free;
- Used together with the Full (strict) SSL/TLS mode: in that mode Cloudflare verifies the origin certificate (not expired, matching hostname, signed by a CA Cloudflare trusts), so the origin must present a valid one.
This is exactly the /etc/ssl/cloudflare/lddi.net.pem referenced in your VPS’s Nginx config — it’s the Origin certificate.
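An added example (not from this post and not Cloudflare’s code) showing why an Origin certificate is good enough for TLS② but useless to a browser: a constructed private CA stands in for the Cloudflare Origin CA, issues an origin certificate for lddi.net (the hostname used above), and the same certificate then passes verification against a trust store that holds that CA (what Full (strict) checks on Cloudflare’s side) and fails against an empty, browser-like store. The CA name and all keys are generated on the fly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mustCert signs tmpl with the signer's key; passing parent == tmpl yields a self-signed cert.
func mustCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// buildOriginChain: a constructed stand-in for the Cloudflare Origin CA issues an origin cert for host (15-year lifetime).
func buildOriginChain(host string) (ca, origin *x509.Certificate) {
	from, to := time.Now().Add(-time.Hour), time.Now().AddDate(15, 0, 0)
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Origin CA (not Cloudflare's)"},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca = mustCert(caTmpl, caTmpl, caPub, caPriv) // self-signed root; only the CA operator's side trusts it
	originPub, _, _ := ed25519.GenerateKey(rand.Reader)
	origin = mustCert(&x509.Certificate{ // the leaf that would sit in Nginx as lddi.net.pem
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: from, NotAfter: to, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, originPub, caPriv)
	return ca, origin
}

// verifyAs validates the origin cert for host the way one party would, using that party's trust roots.
func verifyAs(origin *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := origin.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
func main() {
	ca, origin := buildOriginChain("lddi.net")
	cloudflare, browser := x509.NewCertPool(), x509.NewCertPool()
	cloudflare.AddCert(ca) // Cloudflare's side holds its Origin CA; a browser's store never does
	fmt.Println("Full (strict), Cloudflare -> origin:", verifyAs(origin, "lddi.net", cloudflare))
	fmt.Println("browser -> origin directly:", verifyAs(origin, "lddi.net", browser))
}
```

The first line prints `<nil>` and the second an "unknown authority" error, which is exactly why the Origin certificate must stay behind Cloudflare rather than face visitors.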
Client Certificates
This one is a different dimension — don’t mix it up with the two above. It’s for mTLS (mutual TLS), and it verifies who is connecting.
- Normal HTTPS only verifies the server’s identity (proving “you really did reach this site”);
- mTLS additionally requires the client to present a certificate, proving “you are an authorized visitor”;
- Cloudflare can act as a private CA to issue client certificates and hand them to authorized devices/users; once mTLS is enabled, any request without a valid client certificate is rejected outright at the edge, before it ever reaches the origin;
- Typical uses: internal APIs, admin systems, mobile app backends — only letting specific devices in and shutting everyone else out.
So a Client certificate isn’t for “encrypting the channel” — it’s for “identifying who’s knocking”.
One table to tell them apart
| Certificate | Lives where | Covers / role | Whose identity | Issued by |
|---|---|---|---|---|
| Edge | Cloudflare edge | visitor ⇄ Cloudflare (encryption) | server (to the visitor) | Cloudflare (Universal) / your own |
| Origin Server | your origin Nginx | Cloudflare ⇄ origin (encryption) | origin (to Cloudflare) | Cloudflare Origin CA |
| Client | the client device | mutual auth (who you are) | the client / visitor | Cloudflare Client CA |
Summary
- Edge and Origin are the two “server certificates” for the two hops a single HTTPS connection is split into by Cloudflare — one facing the visitor, one facing the origin;
- Client is a separate thing — during the handshake it verifies the client’s identity instead, used for mTLS access control;
- For everyday self-hosting, the first two matter most: the visitor hop (Edge) is handled automatically by Cloudflare, while the origin hop (Origin) needs a cert installed on your server plus the mode set to Full (strict).