Using Cloudflare Origin certificate on Salesforce
With the maximum validity of publicly trusted TLS certificates dropping to 200 days in 2026, Salesforce administrators need a practical way to manage certificate renewal. Ideally, Salesforce would support the ACME protocol so that renewal could be automated.
For those using Cloudflare as their CDN, it is possible to install a Cloudflare Origin certificate with a 15-year validity on Salesforce. Although the Salesforce documentation says the certificate must be CA-signed, a self-signed certificate, including a Cloudflare Origin certificate (which is not signed by a public CA), is in practice accepted. Note that an Origin certificate is trusted only by Cloudflare's edge, so the site must always be reached through the Cloudflare proxy; a browser connecting to the Salesforce origin directly will see a trust error.
- In Cloudflare, change the encryption mode to “Full (strict)”.
- Enable True-Client-IP if on Enterprise plan.
- Add a CNAME record (if it does not already exist) that points to the Salesforce site, e.g. custom-domain.com.xxx.live.siteforce.com. Ensure the CNAME record is in Proxied (orange-cloud) mode.
- In Salesforce, generate and download a certificate signing request (CSR).
- In Cloudflare, create a new origin certificate, choose “Use my private key and CSR”, paste the CSR value, set the hostname(s), and create it.
- Copy the PEM value, then append the Cloudflare Origin CA root certificate and save the result with a “.pem” extension. The file should contain both the leaf and the root certificate, in that order.
- Upload the “.pem” file to Salesforce.
- Select the new certificate in Salesforce domain configuration.
In the last step, do not select the “Use a third-party service or CDN” option, despite Cloudflare being a CDN. That option configures the Salesforce site to serve over plain HTTP, which in turn requires the “Flexible” encryption mode in Cloudflare; Flexible leaves the Cloudflare-to-Salesforce leg unencrypted, which is not ideal.
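A sanity check for the assembled “.pem” file from the append-the-root step, added here as example code rather than anything from Cloudflare or Salesforce: it confirms the file holds exactly two certificate blocks, no private key material, and well-formed DER, then builds the leaf-then-root bundle. The function names and the tiny DER blobs used as sample input are constructed for this example and are not real certificates.

```python
import base64
import re
_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)  # one PEM block

def pem_blocks(text):
    """Return (label, der_bytes) for every PEM block found in text."""
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in _BLOCK.findall(text)]

def der_is_sequence(der):
    """Structural check: DER must be one SEQUENCE whose length covers the whole buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    n = der[1] - 0x80 if der[1] >= 0x80 else 0  # number of long-form length bytes
    if n > 4 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big") if n else der[1]
    return 2 + n + length == len(der)

def check_bundle(text):
    """Return a list of problems; an empty list means the file is ready to upload."""
    problems = []
    blocks = pem_blocks(text)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("bundle contains private key material; Salesforce only needs certificates")
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if len(certs) != 2:
        problems.append(f"expected 2 CERTIFICATE blocks (leaf then root), found {len(certs)}")
    for i, der in enumerate(certs):
        if not der_is_sequence(der):
            problems.append(f"certificate #{i + 1} is not well-formed DER (truncated or corrupted paste)")
    if len(certs) == 2 and certs[0] == certs[1]:
        problems.append("both blocks are the same certificate; the root was not appended")
    return problems

def build_bundle(leaf_pem, root_pem):
    """Concatenate leaf then root with normalised line endings; refuse to emit a bad bundle."""
    text = "\n".join(p.strip().replace("\r\n", "\n") for p in (leaf_pem, root_pem)) + "\n"
    problems = check_bundle(text)
    if problems:
        raise ValueError("; ".join(problems))
    return text

def _fake_pem(label, der):
    """Constructed test data only: wrap a tiny hand-made DER blob in PEM armour."""
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

LEAF_PEM = _fake_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")  # stands in for the Cloudflare leaf
ROOT_PEM = _fake_pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")  # stands in for the Origin CA root
```

Write the return value of `build_bundle` to the “.pem” file you upload; a real Origin CA root PEM is several KB, which the long-form length branch handles.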