Many website owners see a "Not Secure" warning when they first move DNS to Cloudflare. Cloudflare provides a free Universal SSL certificate for visitors connecting to your site, but you also need a certificate on your origin server (here, a server managed with Plesk) so that the TLS handshake between Cloudflare and the origin can complete.
Step 1: Generate Origin Certificate in Cloudflare
In the Cloudflare dashboard, go to SSL/TLS → Origin Server and click Create Certificate. Cloudflare will give you two text blocks: the Origin Certificate and the Private Key. The certificate is trusted only by Cloudflare, not by browsers, so it is valid only for the connection between Cloudflare and your server.
Step 2: Install Certificate in Plesk
- Log in to Plesk and navigate to Websites & Domains → SSL/TLS Certificates.
- Create a new certificate entry and paste the Private Key into the "Private key" field.
- Paste the Origin Certificate into the "Certificate (*.crt)" field.
- Leave the "CA certificate (*-ca.crt)" field empty (Cloudflare does not provide a CA chain).
- Save and assign this certificate to your domain under Hosting Settings.
Step 3: Configure Cloudflare SSL Mode
In Cloudflare → SSL/TLS → Overview, set the mode to Full (Strict). This ensures Cloudflare will only connect to your server if the certificate is valid.
Step 4: Redirect All Traffic to HTTPS
Enable Always Use HTTPS and Automatic HTTPS Rewrites in Cloudflare. This forces visitors to use the secure version of your site and fixes mixed content issues.
Result
After these steps, visiting https://yourdomain.com will load securely without handshake errors.
Cloudflare protects the edge, and your Plesk server is secured with the Origin Certificate.
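
Before pasting the two blocks from Step 1 into Plesk in Step 2, it helps to confirm that the private key belongs to the certificate, that the certificate has not expired, and that it covers your hostname, because Full (Strict) will not connect to an origin whose certificate is invalid. The script below is an added example, not part of the original guide or of Cloudflare's or Plesk's tooling; the function name `check_origin_pair` and the file names are assumptions, and it requires the `openssl` command-line tool.

```bash
#!/usr/bin/env bash
# Added example, not Cloudflare or Plesk tooling. The file names in the usage
# line are assumptions: save the two text blocks from Step 1 under any names.
# Usage: ./check_origin_pair.sh origin.pem origin.key yourdomain.com

# Returns 0 when the pair is safe to paste into Plesk, otherwise a code (2-6)
# identifying the first failed check, with a one-line reason on stderr.
check_origin_pair() {
    local cert="$1" key="$2" host="$3" cert_pub key_pub

    # The "Certificate (*.crt)" field must hold a parseable PEM certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "not a PEM certificate: $cert" >&2; return 2; }

    # The "Private key" field must hold an unencrypted PEM private key.
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "not an unencrypted PEM private key: $key" >&2; return 3; }

    # Both commands print the public key in the same PEM form, so the
    # strings are equal only when the key belongs to the certificate.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 4; }

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired" >&2; return 5; }

    # The -checkhost verdict is in the printed sentence, so match on it.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match certificate" ||
        { echo "certificate does not cover $host" >&2; return 6; }

    echo "OK: $cert and $key match and cover $host"
}

# Run the check only when the script is called with all three arguments.
if [ "$#" -eq 3 ]; then
    check_origin_pair "$@"
fi
```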