Cloudflare PFX Certificate Generation Guide

Complete guide for generating PFX certificates from Cloudflare Origin Certificates for use with Azure Container Apps custom domains.

Prerequisites

  • Active Cloudflare account with domain configured
  • Azure subscription with Container App deployed
  • Windows 10/11 with Command Prompt or PowerShell
  • OpenSSL installed (see Step 1)
  • 1Password account (for secure certificate storage)

Step 1: Install OpenSSL on Windows

Using Chocolatey package manager:

# Install OpenSSL
choco install openssl

# Restart your terminal and verify installation
openssl version

Note: If you don't have Chocolatey installed, visit https://chocolatey.org/install for installation instructions.

Step 2: Generate Cloudflare Origin Certificate

  1. Log in to your Cloudflare Dashboard: https://dash.cloudflare.com
  2. Select your domain
  3. Navigate to SSL/TLS → Origin Server
  4. Click Create Certificate
  5. Configure certificate settings:
     • Private key type: RSA (2048)
     • Certificate validity: 15 years (recommended)
     • Hostnames: Enter your domains
       • Example: yourdomain.com and *.yourdomain.com
       • Or specific subdomains: app.yourdomain.com
  6. Click Create

Step 3: Save Certificate Files

After generating the certificate, you'll see two text blocks:

Save Origin Certificate

  1. Copy the entire Origin Certificate content (including BEGIN/END lines)
  2. Save as certificate.pem in a secure location (e.g., C:\Users\YourUsername\certificates\)

Example certificate.pem:

-----BEGIN CERTIFICATE-----
MIIEpDCCAowCCQDxxx...
(multiple lines)
...xxxxx
-----END CERTIFICATE-----

Save Private Key

  1. Copy the entire Private Key content (including BEGIN/END lines)
  2. Save as privatekey.pem in the same location

Example privatekey.pem:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASC...
(multiple lines)
...xxxxx
-----END PRIVATE KEY-----

Important: Keep the private key secure and never commit it to version control.

Step 4: Convert to PFX Format

Azure Container Apps require certificates in PFX/PKCS12 format with a password.

# Example - adjust to your path
cd C:\Users\YourUsername\certificates

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privatekey.pem -in certificate.pem

Set Export Password

You'll be prompted to enter a password:

Enter Export Password: [enter a strong password]
Verifying - Enter Export Password: [re-enter the same password]

Important: Remember this password - you'll need it when uploading to Azure.

Expected Output

C:\Users\YourUsername\certificates\
├── certificate.pem
├── privatekey.pem
└── certificate.pfx  ← Generated file

Step 5: Verify PFX File

Verify the PFX file was created successfully:

# Check file exists
dir certificate.pfx

# Verify PFX structure (optional)
openssl pkcs12 -info -in certificate.pfx -noout

You'll be prompted for the password you set earlier. If successful, you'll see certificate information.

Step 6: Secure Certificates in 1Password

Before uploading to Azure, securely store your certificates and credentials in 1Password for safekeeping and team access.

Create a New Item in 1Password

  1. Open 1Password application or browser extension
  2. Click New Item (+ button)
  3. Select Secure Note or Document type

Save Certificate Files

Option A: As Secure Note (Recommended for Text)

  1. Title: [Domain] Cloudflare Certificate - [Date]
     • Example: app.yourdomain.com Cloudflare Certificate - 2026-04-15
  2. Add the following fields:
     • Domain: app.yourdomain.com
     • Certificate Type: Cloudflare Origin Certificate
     • Valid Until: 2041-04-15 (based on 15-year validity)
     • PFX Password: [Enter the password you created in Step 4]
     • Certificate PEM: [Paste contents of certificate.pem]
     • Private Key PEM: [Paste contents of privatekey.pem]
     • Azure Resource Group: your-resource-group
     • Azure Container App: your-container-app-name
     • Created Date: 2026-04-15
  3. Add Tags: certificate, cloudflare, azure, ssl
  4. Click Save

Option B: As Document Attachment

  1. Title: [Domain] Cloudflare Certificate Files - [Date]
  2. Attach Files:
     • Click Add Files
     • Attach certificate.pem
     • Attach privatekey.pem
     • Attach certificate.pfx
  3. Add Fields:
     • Domain: app.yourdomain.com
     • PFX Password: [Enter the password]
     • Valid Until: 2041-04-15
     • Azure Resource Group: your-resource-group
     • Azure Container App: your-container-app-name
  4. Add Notes:

     Cloudflare Origin Certificate for Azure Container App
     - Generated: 2026-04-15
     - Expires: 2041-04-15
     - Used for custom domain SSL/TLS

  5. Click Save

Set Expiration Reminder

  1. In the 1Password item, scroll to Expiration Date or Custom Fields
  2. Add field: Expiration Date = 2041-04-15
  3. 1Password will remind you before expiration

Share with Team (Optional)

If working in a team:

  1. Move the item to a Shared Vault (e.g., "Azure Certificates")
  2. Grant access to relevant team members
  3. Set appropriate permissions (view/edit)

Delete Local Files

After securing in 1Password:

# Navigate to certificate directory
cd C:\Users\YourUsername\certificates

# Delete local files (Windows). Note: del removes the directory entry only; it does not overwrite the file contents on disk.
del certificate.pem
del privatekey.pem
del certificate.pfx

Important: Only delete local files after confirming they're safely stored in 1Password!

Step 7: Upload to Azure Container App

Option A: Azure Portal

  1. Navigate to Azure Portal: https://portal.azure.com
  2. Go to your Container App
  3. Select Custom domains (under Settings)
  4. Click + Add custom domain
  5. Enter your domain name (e.g., app.yourdomain.com)
  6. Choose Upload certificate
  7. Upload certificate.pfx (retrieve from 1Password if needed)
  8. Enter the password you set in Step 4 (retrieve from 1Password)
  9. Click Add

Option B: Azure CLI

# Upload certificate
# Line continuation is shown with \ (bash / Git Bash); use ` in PowerShell or ^ in cmd.exe
az containerapp ssl upload \
  --resource-group <your-resource-group> \
  --name <your-container-app-name> \
  --environment <your-environment-name> \
  --hostname <your-domain.com> \
  --certificate-file certificate.pfx \
  --password <your-pfx-password>

Replace placeholders:

  • <your-resource-group>: Your Azure resource group name
  • <your-container-app-name>: Your container app name
  • <your-environment-name>: Your container app environment name
  • <your-domain.com>: Your custom domain (e.g., app.yourdomain.com)
  • <your-pfx-password>: The password you set in Step 4 (retrieve from 1Password)

Configure DNS in Cloudflare

After uploading the certificate, configure DNS:

  1. In Cloudflare Dashboard, go to DNS → Records
  2. Add CNAME record:
     • Type: CNAME
     • Name: Your subdomain (e.g., app)
     • Target: Your Azure Container App default domain
       • Example: your-app.nicegrass-12345.eastus.azurecontainerapps.io
     • Proxy status: Proxied (orange cloud) - ENABLED
     • TTL: Auto
  3. Configure SSL/TLS settings:
     • Go to SSL/TLS → Overview
     • Set encryption mode to Full (strict)

Verify Setup

  1. Wait 5-15 minutes for DNS propagation
  2. Test your domain:

# Check DNS resolution
nslookup app.yourdomain.com

# Test HTTPS connection
curl -I https://app.yourdomain.com

Expected response: HTTP/2 200 or your application's response.

Troubleshooting

OpenSSL Not Recognized

Error:

'openssl' is not recognized as an internal or external command

Solution:

  1. Reinstall OpenSSL using Chocolatey (see Step 1)
  2. Restart your terminal/command prompt
  3. Verify installation: openssl version

Certificate Validation Failed in Azure

Error: "Certificate validation failed" or "Invalid certificate"

Solutions:

  • Verify PFX includes both certificate and private key
  • Check certificate expiration date
  • Ensure password is correct
  • Regenerate PFX if needed
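The checks in this troubleshooting list, and the "Verify PFX File" step earlier in the guide, can be scripted so that a PFX is tested before it ever reaches Azure. The script below is an added example, not part of the guide or of Cloudflare's or Azure's tooling. It assumes OpenSSL 1.1.1 or later on PATH (bash on Linux/macOS, or Git Bash on Windows). Because it must run offline, it first generates a self-signed certificate and key for the constructed hostname app.example.test as a stand-in for the Cloudflare Origin Certificate; with real files, skip make_test_pem and point CERT, KEY and PFX_PASS at the files and password from Steps 3 and 4. It then builds the PFX exactly as Step 4 does and verifies that the password opens it, that it holds both a certificate and a private key, that the key really belongs to the certificate, that the certificate is not about to expire, and that it covers the hostname you will bind in Azure (an exact SAN entry or a single-label wildcard).

```shell
#!/bin/sh
# Added example, not from the guide: pre-upload checks for the PFX built in Step 4.
# Assumes OpenSSL >= 1.1.1 on PATH. All file names, the hostname and the password
# below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-example-pfx-password-16chars}"   # constructed; use a generated one for real
CERT="$WORK/certificate.pem"
KEY="$WORK/privatekey.pem"
PFX="$WORK/certificate.pfx"

# Constructed self-signed cert + key standing in for the files saved in Step 3.
make_test_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=app.example.test" \
        -addext "subjectAltName=DNS:app.example.test,DNS:*.example.test" \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Step 4: package certificate + key into a password-protected PKCS#12 (PFX).
make_pfx() {
    openssl pkcs12 -export -out "$PFX" -inkey "$KEY" -in "$CERT" -passout "pass:$PFX_PASS"
}

# Does the given password open the PFX? A wrong password fails the MAC check (non-zero exit).
pfx_opens_with_password() {
    openssl pkcs12 -in "$PFX" -passin "pass:$1" -noout >/dev/null 2>&1
}

# Does the PFX carry both a certificate and a private key? (-nodes prints the key unencrypted
# to stdout only; nothing is written to disk.)
pfx_has_cert_and_key() {
    dump=$(openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" -nodes 2>/dev/null) || return 1
    printf '%s\n' "$dump" | grep -q -- '-----BEGIN CERTIFICATE-----' || return 1
    printf '%s\n' "$dump" | grep -q -E -- '-----BEGIN( [A-Z]+)* PRIVATE KEY-----'
}

# Does the private key belong to the certificate? Compare the SHA-256 of the DER-encoded
# public key derived from each side.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$CERT" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$KEY" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Is the certificate still valid for at least N more days? (-checkend exits 1 if not.)
cert_valid_for_days() {
    openssl x509 -in "$CERT" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}

# Does the certificate cover the hostname to be bound in Azure? Accepts an exact SAN entry
# or a single-label wildcard (*.parent), the same rule browsers apply.
cert_covers_host() {
    host="$1"; parent="${host#*.}"
    names=$(openssl x509 -in "$CERT" -noout -ext subjectAltName 2>/dev/null \
            | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p')
    printf '%s\n' "$names" | grep -qxF -e "$host" -e "*.$parent"
}

# Run every check for the given hostname; prints PASS/FAIL per check, returns 1 on any failure.
verify_pfx_for_upload() {
    host="$1"; rc=0
    for check in "pfx_opens_with_password $PFX_PASS" pfx_has_cert_and_key key_matches_cert \
                 "cert_valid_for_days 30" "cert_covers_host $host"; do
        if $check; then echo "PASS  $check"; else echo "FAIL  $check"; rc=1; fi
    done
    return $rc
}

# Demo run on the constructed files.
make_test_pem
make_pfx
verify_pfx_for_upload app.example.test
```

A FAIL on key_matches_cert means the key and certificate pasted in Step 3 came from different Cloudflare generations, which is the usual cause of "Invalid certificate" after a regenerate-and-retry; a FAIL on cert_covers_host means the hostnames chosen in Step 2 do not include the domain being added in Step 7.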

DNS Not Resolving

Error: Domain doesn't resolve to Azure Container App

Solutions:

  • Wait 15-30 minutes for DNS propagation
  • Verify CNAME record points to correct Azure domain
  • Check if Cloudflare proxy is enabled (orange cloud)
  • Use nslookup or dig to verify DNS

SSL/TLS Errors

Error: "SSL handshake failed" or "Certificate mismatch"

Solutions:

  • In Cloudflare, set SSL/TLS mode to Full (strict)
  • Verify certificate includes your domain name
  • Check certificate hasn't expired
  • Ensure Cloudflare proxy is enabled

Azure CLI Errors

Error: "The term 'az' is not recognized"

Solution: Install Azure CLI: https://aka.ms/installazurecliwindows

Security Best Practices

  1. Store certificates in 1Password
     • Follow Step 6 to securely store all certificates and passwords
     • Use 1Password's secure sharing for team access
     • Set expiration reminders in 1Password
  2. Never commit certificates to version control
     • Add to .gitignore: *.pem, *.pfx, *.key
     • Never commit passwords or sensitive data
  3. Use strong passwords
     • PFX password should be 16+ characters
     • Use 1Password's password generator
     • Store in 1Password, not in plain text files
  4. Rotate certificates regularly
     • Set reminder before 15-year expiration
     • Consider shorter validity periods for higher security
     • Update 1Password entry when rotating
  5. Delete local copies after securing
     • Once stored in 1Password and uploaded to Azure, securely delete local files
     • Only retrieve from 1Password when needed
     • Never leave certificates in Downloads or Desktop folders
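A .gitignore entry only protects the file names it lists; a key pasted into a YAML or Markdown file still gets committed. The following pre-commit check is an added example, not part of the guide, that enforces the "never commit certificates" rule in both ways: it blocks the file extensions the guide names (*.pem, *.pfx, *.key, plus *.p12) by name, and blocks any staged file whose content contains a PEM private-key header. It assumes POSIX sh and git; the paths and sample file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the guide: refuse to commit certificate or key material.
# Assumes POSIX sh and git. File names below are the ones this guide uses.
set -eu

# Returns 0 when the path looks like certificate/key material, 1 otherwise.
path_is_risky() {
    f="$1"
    case "$f" in
        *.pem|*.pfx|*.p12|*.key) return 0 ;;
    esac
    # Content check catches keys pasted into a file of any name:
    # "PRIVATE KEY" (PKCS#8), "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY".
    if [ -f "$f" ] && grep -q -E -- '-----BEGIN( [A-Z]+)* PRIVATE KEY-----' "$f" 2>/dev/null; then
        return 0
    fi
    return 1
}

# Scans the given paths; prints each blocked path to stderr, returns 1 if any is risky.
scan_paths() {
    rc=0
    for f in "$@"; do
        if path_is_risky "$f"; then
            echo "blocked: $f looks like certificate or key material" >&2
            rc=1
        fi
    done
    return $rc
}

# Hook entry point: check everything staged as added or modified.
# (Paths are split on whitespace, so file names containing spaces are not supported here.)
precommit() {
    staged=$(git diff --cached --name-only --diff-filter=AM)
    [ -z "$staged" ] && return 0
    # shellcheck disable=SC2086
    scan_paths $staged
}

# Run as a git hook only when invoked with --hook, so the functions can also be sourced/tested.
if [ "${1:-}" = "--hook" ]; then
    precommit
fi
```

To install, save the script as scan-secrets.sh in the repository, then create .git/hooks/pre-commit containing a single line `exec sh ./scan-secrets.sh --hook` and make it executable; git aborts the commit when the hook exits non-zero. The name-based rule is what .gitignore gives you; the content rule is the part .gitignore cannot.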

Certificate Renewal Process

Cloudflare Origin Certificates are valid for up to 15 years. When renewal is needed:

  1. Generate new certificate in Cloudflare (repeat Step 2)
  2. Save new certificate files (repeat Step 3)
  3. Generate new PFX (repeat Step 4)
  4. Verify new PFX (repeat Step 5)
  5. Update 1Password entry with new certificate files and expiration date
  6. Upload new certificate to Azure Container App (Step 7)
  7. Azure will automatically switch to new certificate
  8. Revoke old certificate in Cloudflare
  9. Archive or delete old 1Password entry

Useful Commands Reference

# Install OpenSSL
choco install openssl

# Verify OpenSSL version
openssl version

# Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privatekey.pem -in certificate.pem

# Verify PFX file
openssl pkcs12 -info -in certificate.pfx -noout

# Check DNS
nslookup yourdomain.com

# Test HTTPS
curl -I https://yourdomain.com

# Azure CLI - Upload certificate (retrieve password from 1Password)
# Line continuation is shown with \ (bash / Git Bash); use ` in PowerShell or ^ in cmd.exe
az containerapp ssl upload \
  --resource-group <rg> \
  --name <app> \
  --environment <env> \
  --hostname <domain> \
  --certificate-file certificate.pfx \
  --password <password-from-1password>

# Delete local certificate files (after securing in 1Password)
del certificate.pem
del privatekey.pem
del certificate.pfx

Additional Resources

  • Cloudflare Origin Certificates: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca
  • Azure Container Apps Custom Domains: https://learn.microsoft.com/azure/container-apps/custom-domains-managed-certificates
  • OpenSSL Documentation: https://www.openssl.org/docs/
  • Azure CLI Reference: https://learn.microsoft.com/cli/azure/containerapp
  • 1Password Documentation: https://support.1password.com/
  • 1Password for Teams: https://support.1password.com/teams-getting-started/

Support

For issues related to:

  • Cloudflare: https://support.cloudflare.com
  • Azure Container Apps: https://learn.microsoft.com/azure/container-apps/
  • OpenSSL: https://www.openssl.org/community/


Last Updated: 2026-04-15
Version: 1.0.0