Adding subdomain SSL certificates with existing EV root certificate

We have an existing Edge certificate (EV SSL) that only supports the root and www. Now we need to add additional subdomains but our certificate provider cannot upgrade our existing certificate to handle the additional subdomains (only covers the root). So I think that I need to install an additional Edge certificate for the new subdomains for Cloudflare to proxy these new sites. These subdomains are each on two other servers, so I can proxy them individually I think with CNAME.

My question is, how do I go about setting up additional Edge certificates for just these two other subdomains. We don’t need them to be EV certificates and we’d be fine with using the free SSL that Cloudflare offers but I don’t see an obvious way to add them that doesn’t mess with our existing edge EV certificate for the main site.

Can anyone point me in the right direction to a multi-certificate set up?

You should be able to generate subdomain certificates at your host. They don’t support this? Websites have their own vhost configurations with independent certificate settings.

We’d like to proxy through Cloudflare like our main sites does and it’s my understanding that CF then needs the SSL edge certificates for these new subdomains. The plan was to set up these new subdomains just like our main site: let CF handle the SSL via proxy, then connect CF to the hosts via origin certificates. This way we keep Full (strict) on for all subdomains as well as the root.

I’m just not seeing a way to add another certificate for the new subdomains once we have a custom EV certificate already imported into CF. The CF dashboard says “You may also order an auto-renewing certificate.” and maybe I can, but I can’t find info on how to do that for only new subdomains and whether this will mess with our existing root domain EV certificate. I don’t want to change how our existing SSL is set up so we continue to use our EV certificate for the root.

If you’re on a Business Plan and upload that EV cert, it will only apply to root and www, as you’ve issued it. Anything else will hit the lower priority Universal SSL certificate.

Thanks, exactly what I hoped to hear. Seems I have to upgrade to the Advanced Certificate Manager first to unlock the capability to manage it all.

ACM is only good for specific hostnames, usually for people with sub-subdomains (eg. www.sub.example.com) since Universal SSL won’t cover that. ACM does not handle EV certificates.

Hmm. I was directed by CF support that I would need to use ACM to add additional managed certificates alongside our existing EV cert to have a mixture of both kinds. In fact, if I click that “order auto-renewing” link it says I have the universal free plan and lets me go nowhere unless I upgrade to the ACM. Now that I have upgraded, I can click a link to order additional managed certificates.

I am a bit confused though, as by default it wants to order a new certificate with ourdomain.com and *.ourdomain.com pre-selected. It lets me remove *.ourdomain.com, then I can add blog.ourdomain.com and my other subdomains. This seems like the way forward and I am assuming that the EV certificate for the naked root would be higher priority to handle the root and any subdomains would then just choose the subdomain-specific certificates. But it concerns me a little to have two certificates that cover the root without a clear explanation of how it works.

Note I’d be happy to just use a wildcard for all new subdomains, but I want to ensure that our EV is still used for the root and WWW, and it’s not clear to me that that is how it would work. I haven’t found docs on ACM and multiple certificate priority (yet).

I’m pretty sure there’s no need for you to use ACM.

I’ve used the Business Plan option to upload my own certificate, which I did, but I did not disable Universal certificate. Both covered example.com and *.example.com, but my uploaded certificate took precedence until it expired and I deleted it.

Maybe that’s a difference. We only ever used an uploaded EV certificate for our one site and had no other subdomains that used certificates. I just could not find a way to enable certificates for additional subdomains in this scenario while still having Full (strict) turned on. But maybe I misunderstood how Universal really worked and it may have worked, but I was sure I had to find some place to enable the subdomain certificates and just could not figure it out.


Just to experiment, I uploaded a server cert for the naked domain only, then Disabled Universal SSL.

I then confirmed that naked domain still worked, but ‘www’ could not make a secure connection.

I then Enabled Universal SSL and waited for it to issue. It finally did, and covers example.com and *.example.com.

After checking again, naked domain used the uploaded cert, as confirmed by expiration date, and ‘www’ used Universal SSL Cert with a different expiration date.
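As an added example (not from any poster in this thread), a small Python simulation of the selection behaviour the replies describe and the experiment above confirmed: an uploaded custom certificate is tried before Universal SSL, and a wildcard SAN covers exactly one label, so a sub-subdomain such as www.sub.example.com falls through (the case ACM is mentioned for earlier). The certificate inventory is constructed, and the priority order is an assumption taken from the replies, not Cloudflare's documented algorithm.

```python
# Added example, not the thread's or Cloudflare's code: simulate which edge
# certificate would be picked for a hostname. Assumption from the replies: an
# uploaded custom (EV) cert is tried first and Universal SSL is the fallback.
from typing import Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: a wildcard covers one label, leftmost only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    prefix = hostname[: -len(suffix)]  # the part the wildcard must cover
    # Exactly one non-empty label: '*.example.com' matches 'blog.example.com'
    # but not 'example.com' (empty) or 'www.sub.example.com' (two labels).
    return bool(prefix) and "." not in prefix


# Constructed inventory mirroring the thread's situation (example.com is a placeholder).
EDGE_CERTS = [
    {"name": "custom EV (uploaded)", "sans": ["example.com", "www.example.com"], "priority": 0},
    {"name": "Universal SSL", "sans": ["example.com", "*.example.com"], "priority": 1},
]


def select_certificate(hostname: str, certs=EDGE_CERTS) -> Optional[str]:
    """Name of the highest-priority cert whose SANs cover hostname, else None."""
    for cert in sorted(certs, key=lambda c: c["priority"]):
        if any(hostname_matches(san, hostname) for san in cert["sans"]):
            return cert["name"]
    return None  # no edge cert covers it: the browser gets a handshake error
```

Which certificate a proxied hostname actually serves can be confirmed with `openssl s_client -servername <host> -connect <host>:443` and comparing the expiry dates, as the experiment above did.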

Well that’s good and bad news. Good that it works, but I just changed the subdomains to proxy (they are A records) and made sure Universal was still on. When I go to the subdomains in a browser, I get a certificate handshake and connection error. I also used an SSL inspector tool and there is no certificate to inspect, like one is not getting served by CF. And now when I try and reach the subdomain via plain http, it gets redirected back to https, which of course fails. So I am not sure what is going on.

Thanks for your help btw, this is a little outside the box of what I have had to do so far with CF.

edit: it may be that my origin connection to the subdomain is the issue here (in strict mode) but I can’t quite figure out how to debug that yet.
