CNAME Setup for multiple domains? TLS certs for WAF?

Hi all. A few questions about CNAME Setup for a WAF use case. We’re trying to decide whether we should upgrade from Pro to Business.

  1. Is CNAME Setup enabled per-tenant, or per-domain? Is it possible to add AAA.com so that it uses CNAME Setup, but add BBB.com so that Cloudflare is configured as the authoritative DNS?
  2. When adding multiple domains to a single Cloudflare account, does pricing change? If we wanted to use CNAME Setup for 1000 different domains, is it still the same monthly fee as only a single domain?!
  3. We already have valid TLS certificates and keys for our FQDNs. If we’re using CNAME Setup for a given FQDN to utilize the Firewall feature, does Cloudflare issue a new cert, or can we just upload our pre-existing cert/key to Cloudflare?
  4. What should we do when multiple FQDNs under a single domain all have separate certs – can we just upload each of them?

Many thanks!

Per-domain.

They charge per domain. So if you want CNAME setup (Business plan) for 1000 domains, then 200 USD x 1000 = 200000 USD.

Note: one domain can consist of many subdomains. Cloudflare won’t charge you extra if you have many subdomains inside a domain.

If you use Business plan, you can do either one. Else, you can only use the cert generated by Cloudflare.

I believe you can only upload one certificate per Business plan domain.


@erictung Many thanks! That clarifies things a lot.

Hmm…if this is indeed true (the plan comparison table does indeed list “1” for custom certs), and we wanted to continue using our existing certs, we’d have to utilize a wildcard cert for each domain :thinking:
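As an added illustration (not code from anyone in this thread), the hostname-matching rule TLS clients apply to a certificate's SAN entries, run against the thread's placeholder domains AAA.com and BBB.com with constructed SAN lists, to show what a single wildcard cert per domain does and does not cover (the apex name and second-level subdomains are the usual gaps):

```python
"""Hostname matching against dNSName SAN entries, in the RFC 6125 style that
browsers and most TLS clients apply. Added example, not any poster's code;
the SAN lists below are constructed for the thread's placeholder domains."""
from typing import Iterable, List


def hostname_matches_san(hostname: str, san: str) -> bool:
    """True if one dNSName SAN entry covers `hostname`.

    Rules: case-insensitive; '*' is accepted only as the complete left-most
    label; a wildcard matches exactly one label, so '*.aaa.com' covers
    'www.aaa.com' but neither 'aaa.com' nor 'dev.api.aaa.com'."""
    host_labels = hostname.rstrip(".").lower().split(".")
    san_labels = san.rstrip(".").lower().split(".")
    if len(host_labels) != len(san_labels):
        return False
    first, rest = san_labels[0], san_labels[1:]
    if any("*" in lbl for lbl in rest):
        return False  # wildcards only in the left-most label
    if "*" in first and (first != "*" or len(san_labels) < 3):
        return False  # reject partial ('w*') and suffix-level ('*.com') wildcards
    for pattern, label in zip(san_labels, host_labels):
        if pattern == "*":
            if not label:
                return False
        elif pattern != label:
            return False
    return True


def covered_by_cert(hostname: str, sans: Iterable[str]) -> bool:
    """True if any SAN in the certificate covers the hostname."""
    return any(hostname_matches_san(hostname, s) for s in sans)


def uncovered_hosts(hostnames: Iterable[str], sans: Iterable[str]) -> List[str]:
    """Hostnames a single uploaded cert would leave without a matching name:
    the gap to close before consolidating a domain onto one custom cert."""
    sans = list(sans)
    return [h for h in hostnames if not covered_by_cert(h, sans)]


# Constructed SAN lists for the thread's placeholder domain.
WILDCARD_ONLY = ["*.aaa.com"]
WILDCARD_PLUS_APEX = ["aaa.com", "*.aaa.com"]

if __name__ == "__main__":
    hosts = ["aaa.com", "www.aaa.com", "api.aaa.com", "dev.api.aaa.com", "www.bbb.com"]
    print(uncovered_hosts(hosts, WILDCARD_ONLY))       # ['aaa.com', 'dev.api.aaa.com', 'www.bbb.com']
    print(uncovered_hosts(hosts, WILDCARD_PLUS_APEX))  # ['dev.api.aaa.com', 'www.bbb.com']
```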

Just curious, is there any special requirement to use your preferred CA to issue the certificate instead of just using the one issued by Cloudflare?

Nah, not really, I think. Maybe just avoiding “damaging” the business relationship we have with our longstanding current CA. Some end users might be wary of a non-major (read: Verisign, etc.) CA being the signer, but how many end users actually make the effort to check :laughing:

Incidentally, do you happen to know whether Cloudflare’s WAF will ignore the TLS cert on the origin server being invalid (self-signed, expired, etc.)?

Ok, that’s interesting. Just for your information, Cloudflare uses DigiCert or Let’s Encrypt to issue SSL certs to each domain.

I don’t think end users will really care about which CA you are using - as long as the cert is valid and the site is able to load without issues, then most probably end users won’t complain.

Nothing related to WAF. It’s the SSL Encryption mode affecting the behaviour of the connection between Cloudflare and server. Anyway, always use Full (strict) mode and nothing else.

@erictung
Very informative all around! Huge thanks!

