This section outlines the general process of submitting the generated Certificate Signing Request (CSR) to a trusted Public Certificate Authority (CA) to obtain a signed SSL/TLS certificate.
The signed certificate is deployed at the Cloudflare edge to enable secure TLS communication as part of the Keyless SSL setup.
- Select a Public Certificate Authority.
  - Choose a trusted CA based on organizational policies and production requirements.
  - Ensure the CA supports the required domain validation methods (e.g., DNS, HTTP, or email validation).
- Submit the CSR.
  - Provide the generated CSR file to the selected CA through their portal or API.
  - Ensure that all required domain names (including SAN entries, if applicable) are correctly included in the CSR.
- Complete Domain Validation.
  - Perform domain ownership verification as required by the CA.
  - This may involve adding DNS records, hosting validation files, or responding to validation emails.
- Certificate Issuance.
  - After successful validation, the CA issues the signed certificate.
  - The certificate bundle may include:
    - Server certificate.
    - Intermediate CA certificate(s).
    - Root CA certificate (optional, depending on the CA).
- Download the Certificate Chain.
  - Retrieve the signed certificate along with the full certificate chain from the CA.
  - Ensure the correct format is used (e.g., PEM).
- Prepare for Deployment.
  - Verify that the certificate matches the private key stored in the HSM.
  - Confirm all required domains are covered and the certificate validity period meets operational requirements.
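The pre-deployment checks from the last step, as an added example using `openssl` (not part of the original document or of Cloudflare's tooling): because the private key never leaves the HSM, the key match is confirmed by comparing the certificate's public key with the CSR's public key; the file names and hostnames are placeholders.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a CA-issued certificate whose
# private key lives in an HSM. The key cannot be exported, so the match is
# verified by comparing public keys (certificate vs. CSR) instead.
set -eu

# Returns 0 if the certificate ($1) carries the same public key as the CSR ($2).
cert_matches_csr() {
  csr_pub=$(openssl req -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$csr_pub" = "$crt_pub" ]
}

# Returns 0 if the leaf certificate ($1) chains to the PEM bundle ($2) of intermediates plus root.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 if every hostname in $2 (space separated) is covered by the certificate's SAN (or CN).
covers_hosts() {
  for h in $2; do
    openssl x509 -in "$1" -noout -checkhost "$h" | grep -q 'does match' || return 1
  done
}

# Returns 0 if the certificate ($1) stays valid for at least $2 more days.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage (placeholder names): sh check_cert.sh cert.pem request.csr chain.pem "example.com www.example.com"
if [ $# -eq 4 ]; then
  cert_matches_csr "$1" "$2" && echo "OK: public key matches CSR" || echo "FAIL: public key mismatch"
  chain_verifies "$1" "$3" && echo "OK: chain verifies" || echo "FAIL: chain does not verify"
  covers_hosts "$1" "$4" && echo "OK: all hostnames covered" || echo "FAIL: hostname not covered"
  valid_for_days "$1" 30 && echo "OK: valid for 30+ days" || echo "FAIL: expires within 30 days"
fi
```

A mismatch in the first check usually means the CA was sent a CSR generated from a different key than the one loaded in the HSM, which would make the Keyless SSL key server unable to complete handshakes.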
The choice of Certificate Authority and certificate lifecycle management (renewal, revocation, etc.) should align with organizational security policies.