We are using Cloudflare, which points to an AWS load balancer in front of an EC2 instance. The goal here is to have end-to-end encryption but I am trying to understand which parts of this setup actually require a certificate from a Certificate Authority, and whether or not we can use a complete set of free certificates between Cloudflare and AWS.
Cloudflare - We can use their free Universal SSL certificate to secure the traffic from Cloudflare to the load balancer.
AWS Load Balancer - We can use a free AWS certificate which is attached to the load balancer. This same certificate cannot be installed on the EC2 instance.
EC2 Instance - Can we use a self-signed certificate here, or do we need to continue purchasing certificates from a recognised authority? My understanding here is that, yes, we can just use a self-signed certificate and everything will be secure without raising any warnings about the self-signed nature of the certificate, as long as the load balancer has a valid CA certificate from Amazon or other authority.
Cloudflare is set to Full SSL mode which does not validate the origin certificate and will allow it to be self-signed, but I assume this only applies to the load balancer in our case.