Configuration for SSL between a domain with it's own origin cert and another without


We have two websites with the same domain but different URLs i.e. one as www.domain and the other as admin.domain. The admin site has it’s own SSL certificate at origin and the other will only require a certificate on the Cloudflare side. Also, the admin domain uses Realex and they’ve recently notified us that they now support SNI.

Are there any configuration instructions on how to move these sites to Cloudflare? Or would there be any configuration clashes with the sites on the same domain but not both using SSL at origin.


You should install a cert on that host too. It can be a self-signed or a Let’s Enrcypt certificate.

There is a way to do this without a certificate on your origin. Not recommended

Set the SSL mode to
-Full (Strict) If your admin cert is valid
-Full if it’s self signed or expired

Create a Page Rule for your URL which has no certificate and set SSL → Flexible.

Why the community does not recommend flexible in a few words: Traffic between Cloudflare and your server will remain unencrypted.

The full story:

1 Like

Thanks Mark.

We actually have 3 sub domains on that domain so we are going to look into getting a certificate for the 2 sites that don’t currently have any SSL certs. I might have a couple more queries when we are configuring this next week as we may need to configure SNI for Realex too.

Hi Mark,

Would it be best practice to use the same wildcard SSL cert for our three sites on the same domain? One site currently has it’s own certificate, with the two other sites being brochure websites. So we are considering two options:

  1. Get a wildcard certificate for the three sites on the same domain or
  2. Keep using our existing certificate on our admin site and get a self-signed certificate for the other two sites.

Are there any pros/cons to each option or are there other, better options for this scenario?



I forgot to try the knowledge base first. I will start here

Also, to clarify, we are looking for origin certificates.

This topic was automatically closed after 30 days. New replies are no longer allowed.