Enabling Full SSL with Cloudflare and 20i using Cloudflare Origin Certificates
Any domain using 20i nameservers can make use of the free SSL certificates we provide automatically.
However, if you can’t or don’t want to use our nameservers, or prefer to use Cloudflare instead, you can follow the steps below to install a Cloudflare Origin Certificate and enable Full (strict) SSL.
When using Cloudflare with 20i, you can choose between several SSL modes. Flexible SSL only encrypts traffic between your visitors and Cloudflare, leaving the connection between Cloudflare and 20i unencrypted.
To fully secure your site, switch to Full (strict) mode. This ensures encryption across the entire path:
Visitor ↔ Cloudflare ↔ 20i
Full (strict) requires a valid certificate on the 20i platform. Cloudflare Origin Certificates provide encryption between Cloudflare and your origin server and are ideal for this setup. Once installed, they fully support Full (strict) mode.
Step 1 - Generate a Cloudflare Origin Certificate
- Log in to the Cloudflare Dashboard and select your domain.
- Go to SSL/TLS → Origin Server → Create Certificate.
- Choose Generate private key and CSR with Cloudflare.
- Set the following options:
  - Private key type: RSA (2048)
  - Hostnames (SANs): add your domain(s), for example example.com and *.example.com
  - Validity: 15 years is suitable
- Click Create.
- On the certificate screen, set Key format to PEM (default).
- Copy and securely save both the Origin Certificate and Private Key for later.
Step 2 - Download the Cloudflare Origin RSA CA certificate
You also need Cloudflare’s RSA Origin CA file to complete the chain.
- Open Cloudflare’s documentation page: Cloudflare Origin CA root certificates.
- Download the Cloudflare Origin RSA PEM file.
Step 3 - Install the certificate in My20i
- Log in to My20i and go to Manage Hosting → [your package] → SSL/TLS.
- Scroll to Install External SSL Certificate.
- Select your domain from the drop-down menu.
- Paste the following into the fields:
  - Certificate: your Cloudflare Origin Certificate (PEM)
  - Private Key: the key generated or provided by Cloudflare
  - CA Bundle / Intermediate: the Cloudflare Origin RSA PEM downloaded earlier
- Click Install and allow up to 30 minutes for deployment.
Step 4 - Enable Full SSL in Cloudflare
- Return to the Cloudflare Dashboard.
- Navigate to SSL/TLS → Overview.
- Set SSL/TLS encryption mode to Full, or to Full (strict) for strict verification of the origin certificate.
Notes
- Cloudflare Origin CA certificates are trusted only by Cloudflare’s edge, not by public browsers.
- Direct access to your origin (for example via server IP) will show the certificate as untrusted - this is expected.
- Ensure your DNS proxy remains active for the protected hostname (the orange cloud in Cloudflare DNS).
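Before pasting the three PEM blocks in Step 3, you can confirm locally that the private key belongs to the certificate and that the certificate chains to the Origin RSA CA file from Step 2. The following is an added example, not 20i or Cloudflare code; it assumes the `openssl` command-line tool is installed and that each block has been saved to its own file (the file names in the usage comment are hypothetical).

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the PEM blocks used in Step 3.
# Usage (hypothetical file names), after sourcing this file:
#   check_origin_bundle origin-cert.pem origin-key.pem origin-ca-rsa.pem
# Return codes: 0 = OK, 1 = private key does not match the certificate,
#               2 = certificate does not chain to the CA file,
#               3 = an input file is missing or cannot be parsed.

check_origin_bundle() {
    local cert="$1" key="$2" ca="$3" f cert_pub key_pub

    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 3; }
    done

    # Derive the public key from each side; the two must be identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # The Origin CA is not in public trust stores, so the CA file has to be
    # supplied explicitly, just as it is pasted into the CA Bundle field.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "certificate does not chain to: $ca" >&2
        return 2
    fi

    # Show the hostnames (SANs, if present) and the expiry date.
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' || true
    openssl x509 -in "$cert" -noout -enddate
    return 0
}
```

A return code of 1 usually means the key from a different certificate request was saved; a return code of 2 usually means the wrong CA file was downloaded for the key type chosen in Step 1.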
