Advanced Certificate Manager for Custom Domain SSL Certificates

My objective is to enable customers to use their custom domains that are pointed to my server through Cloudflare. However, Cloudflare requires an SSL certificate to establish HTTPS connections for these custom domains.

Based on my understanding, the basic Universal SSL does not support creating SSL certificates for custom domains. I’ve noticed that Cloudflare offers an Advanced Certificate Manager add-on, which allows the creation of additional certificates. I have a couple of questions regarding this add-on:

  1. Can the Advanced Certificate Manager generate SSL certificates for custom domains (domains that I do not own)?
  2. Is there a limit to the number of SSL certificates I can create using the Advanced Certificate Manager (in my case, basically the number of customers who can use their custom domains)? If so, what is the limit?

I appreciate any insights you can provide on these questions.

Advanced Certificate Manager is not the correct product.

Instead, you will need to use another product from Cloudflare, which is ‘SSL for SaaS,’ for this use case.

2 Likes

Sorry, I did not mention that I was aware of it, but in my opinion it scales quite badly, if I understand its limits correctly. It’s a 5000 hard limit for the account (unless Enterprise), which means that if every customer of mine (in any project) wants to add 5-7 domains/subdomains, 700-1000 customers would hit the limit. Plus, as far as I understand, it bills the hostname (after 100 hostnames) even if the hostname was not verified, which potentially might lead to abuse and thus quite big bills unless handled very thoroughly.

That’s why I was wondering if Advanced Certificate Manager was a valid approach and could be used for that case, since everything I need is an SSL certificate for a custom domain, nothing more.

You will not be able to use ACM in such a fashion. Cloudflare for SaaS is going to be a requirement based on your objective. You may need to charge more for your service so that you are ready for an Enterprise plan when you begin to approach the usage limits. You may also want to implement your own controls before a custom name is added to your Cloudflare for SaaS if there are abuse concerns.

2 Likes

Thank you for the confirmation, then that solves it. A bit off-topic, but since you mentioned it: speaking of my own controls before adding a custom domain, what can that look like? Something like doing a DNS lookup for a CNAME, and only adding the custom domain to Cloudflare once I see that the CNAME points to my domain?

That’s one, or asking the user to set a TXT record with a unique value is another common one…

dig +short cloudflare.com txt
"docker-verification=c578e21c-34fb-4474-9b90-d55ee4cba10c"
"status-page-domain-verification=r14frwljwbxs"
"cisco-ci-domain-verification=27e926884619804ef987ae4aa1c4168f6b152ada84f4c8bfc74eb2bd2912ad72"
"ZOOM_verify_7LFBvOO9SIigypFG2xRlMA"
"google-site-verification=ZdlQZLBBAPkxeFTCM1rpiB_ibtGff_JF5KllNKwDR9I"
"drift-domain-verification=f037808a26ae8b25bc13b1f1f2b4c3e0f78c03e67f24cefdd4ec520efa8e719f"
"google-site-verification=C7thfNeXVahkVhniiqTI1iSVnElKR_kBBtnEHkeGDlo"
"atlassian-domain-verification=WxxKyN9aLnjEsoOjUYI6T0bb5vcqmKzaIkC9Rx2QkNb751G3LL/cus8/ZDOgh8xB"
"logmein-verification-code=b3433c86-3823-4808-8a7e-58042469f654"
"v=spf1 ip4:199.15.212.0/22 ip4:173.245.48.0/20 include:_spf.google.com include:spf1.mcsv.net include:spf.mandrillapp.com include:mail.zendesk.com include:stspg-customer.com include:_spf.salesforce.com -all"
"liveramp-site-verification=EhH1MqgwbndTWl1AN64hOTKz7hc1s80yUpchLbgpfY0"
"facebook-domain-verification=h9mm6zopj6p2po54woa16m5bskm6oo"
"stripe-verification=bf1a94e6b16ace2502a4a7fff574a25c8a45291054960c883c59be39d1788db9"
"stripe-verification=5096d01ff2cf194285dd51cae18f24fa9c26dc928cebac3636d462b4c6925623"
"miro-verification=bdd7dfa0a49adfb43ad6ddfaf797633246c07356"
"onetrust-domain-verification=bd5cd08a1e9644799fdb98ed7d60c9cb"
"apple-domain-verification=DNnWJoArJobFJKhJ"
"MS=ms70274184"
2 Likes
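One way to implement the CNAME-plus-TXT gate discussed in the two replies above, as an added example that is not code from the thread or from Cloudflare: both checks must pass before the hostname is ever submitted to Cloudflare for SaaS. CNAME_TARGET, TXT_LABEL, TXT_PREFIX and the zone data are made up for illustration, and the resolver is an injected callable so the example runs offline.

```python
import hmac
from typing import Callable, Dict, Iterable, List, Tuple

# Hypothetical names for this example: the edge name customers must CNAME to,
# and the label/prefix under which the ownership TXT record is published.
CNAME_TARGET = "customers.saas.example"
TXT_LABEL = "_saas-verify"
TXT_PREFIX = "saas-domain-verification="

# A resolver is any callable (name, rrtype) -> record values; NXDOMAIN/NODATA -> [].
Resolver = Callable[[str, str], Iterable[str]]

def _norm(name: str) -> str:
    return name.rstrip(".").lower()

def cname_ok(hostname: str, resolve: Resolver) -> bool:
    """The name must CNAME to our edge name, not merely resolve to some address."""
    return any(_norm(v) == CNAME_TARGET for v in resolve(hostname, "CNAME"))

def txt_ok(hostname: str, token: str, resolve: Resolver) -> bool:
    # The TXT goes on a sibling label: a name holding a CNAME cannot also hold
    # other records (RFC 1034), so the CNAMEd hostname itself cannot carry it.
    for value in resolve(f"{TXT_LABEL}.{hostname}", "TXT"):
        value = value.strip('"')
        if value.startswith(TXT_PREFIX) and hmac.compare_digest(value[len(TXT_PREFIX):], token):
            return True
    return False

def verify_custom_hostname(hostname: str, token: str, resolve: Resolver) -> Tuple[bool, str]:
    """Both checks must pass before the name is submitted to Cloudflare for SaaS."""
    hostname = _norm(hostname)
    if not cname_ok(hostname, resolve):
        return False, f"{hostname} does not CNAME to {CNAME_TARGET}"
    if not txt_ok(hostname, token, resolve):
        return False, f"{TXT_LABEL}.{hostname} has no TXT with the expected token"
    return True, "verified"

# Constructed zone data standing in for live DNS; a real resolver would be passed instead.
TOKEN = "p9fK3sVq1xT-demo"  # in production: a per-hostname secrets.token_urlsafe() value
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("app.customer.example", "CNAME"): ["Customers.SaaS.Example."],
    ("_saas-verify.app.customer.example", "TXT"): [f'"{TXT_PREFIX}{TOKEN}"'],
    ("www.other.example", "CNAME"): ["somewhere-else.example."],
}

def fake_resolve(name: str, rrtype: str) -> List[str]:
    return FAKE_ZONE.get((_norm(name), rrtype), [])
```

The token comparison is constant-time and the CNAME target is compared after normalising case and the trailing dot, so a customer who only points an A record at you, or who copies someone else's token, is rejected.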

It might. It may also involve ensuring that your customers have valid payment methods on file prior to any custom hostnames being available for submission.

The suggestion offered by @sjr addresses verification from a technical perspective, but you may have other considerations.

It is too complex of a question to confidently answer in a casual forum chat. You will probably need to collaborate with your legal, technical, and financial advisors to create a process that meets your risk tolerance and addresses any other concerns that you identify.

1 Like
