Can Edge and Origin certificates be issued to the same domain?

We have both Edge Certificates and Origin Certificates issued to the same domain, like this:

On SSL/TLS > Edge Certificates tab:
| Hosts | Type |
| --- | --- |
| *.example.com, example.com | Universal |

On SSL/TLS > Origin Server tab:
| Hosts |
| --- |
| *.example.com, example.com (2 hosts) |

Further, in DNS tab we configure A records for top domain and subdomain:
| Type | Name | Content |
| --- | --- | --- |
| A | example.com | xxx.xxx.xxx.xxx |
| A | subdomain | yyy.yyy.yyy.yyy |

I wonder if this configuration is correct and supports Full (strict) encryption for the following request:
https://subdomain.example.com/

I did my testing with Full (strict) encryption enabled and it works, surprisingly (I don't see SSL errors in the browser). But it seems to me that the config is incorrect. How is it possible that it works?

How come?

The proxy certificates are managed by Cloudflare anyhow, so there is not much to do. As far as the Origin certificates are concerned, as long as they were issued for the right host names you should be good.

Bottom line, if you are on Full strict and you don’t get any errors, you’ll have a secure connection (still not end-to-end, as content is always decrypted on Cloudflare’s side, but that’s a different story) and both connections will be properly encrypted and validated.

And 👍 for actually picking Full Strict. Good and proper choice. The majority of Cloudflare's users do not and have insecure sites.

@sandro Thanks for reply!

The thing that confuses me is that Cloudflare proxies the subdomain to an IP, instead of some other domain.

Say, if we had the following scheme in place:

[client] --> [Cloudflare: sub.example.com]  -> [Origin: sub.foo.com]
              IP: x.x.x.x                       IP: y.y.y.y

… then in Full (strict) mode, Cloudflare would make a connection to sub.foo.com and verify that the certificate provided by the y.y.y.y host (issued for the *.foo.com domain) is really trusted. One of the options to make it trusted is using the Origin CA feature, that is, letting Cloudflare issue the certificate on its own.

But in our case the situation is different:

[client] --> [Cloudflare: sub.example.com]  -> [Origin: y.y.y.y]
              IP: x.x.x.x                       IP: y.y.y.y

So, upon receiving the request, Cloudflare proxies it to the IP y.y.y.y (not the domain!) that provides a certificate for *.example.com, and Cloudflare trusts it!

I wonder why it is trusted? For example, if I nslookup google.com and try to open https://<google's IP> in a browser, then I see this error:

Your connection is not private

Because it matches the host name of the actual request. You are providing an IP address to the proxies but the request is still there and comes with a host name which can be matched against the certificate.

CNAME records are actually even an additional exception, as in their case not only the host name of the request will be acceptable for the certificate but even the CNAME host itself.

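The name-matching rule sandro describes, as an added example that is not part of this thread: the origin is reached by IP, but the certificate is checked against the request's host name (via SNI and the SAN list), so an Origin CA cert for `*.example.com` covers `subdomain.example.com` while an IP literal never matches a DNS name. The SAN list below is constructed from the question; `probe_origin` and its `cafile` path are assumed, not Cloudflare's code.

```python
import ipaddress
import socket
import ssl

# Constructed sample: the SANs an Origin CA certificate issued for the
# two hosts in the question would carry.
ORIGIN_CERT_SANS = ("*.example.com", "example.com")


def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style matching of one dNSName SAN entry against a host.

    A wildcard is honoured only as the whole left-most label and matches
    exactly one label: *.example.com covers subdomain.example.com but not
    example.com or a.b.example.com.  An IP literal never matches a dNSName,
    which is why https://<IP> in a browser fails.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)  # IPv4/IPv6 literal -> no dNSName match
        return False
    except ValueError:
        pass
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(sans, host: str) -> bool:
    """True if any SAN on the certificate matches the requested host name."""
    return any(san_matches(s, host) for s in sans)


def probe_origin(origin_ip: str, host: str, cafile: str, port: int = 443):
    """Connect to the origin *IP* but validate the certificate against the
    request's host name, as a Full (strict) proxy does: the IP only picks
    the socket endpoint; server_hostname supplies SNI and the name that is
    checked against the SANs.  Returns the DNS SANs of the accepted cert.
    Assumed helper: cafile is the Origin CA root bundle; needs a network.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((origin_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
```

`probe_origin` raises `ssl.SSLCertVerificationError` if the cert chain or name check fails, which is exactly the condition that makes Cloudflare return an error in Full (strict) mode.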

Thanks for explanation, @sandro !

Most welcome 🙂
