Custom SSL wildcard certificates for subdomains

marek.korpacz · March 20, 2023, 2:54pm

Hello Cloudflare community,

I have a general question about SSL certificates for a domain.

Can I use Cloudflare universal SSL cert together with some wildcard commercial certificates for a set of subdomains e. g. *.uat.example.com, *.dev.example.com?

Best regards,
Marek K.

DarkDeviL · March 20, 2023, 5:41pm

Universal SSL will only cover the domain (example.com, and one label down with it’s wildcard being *.example.com (e.g. test.example.com and dev.example.com, but NOT test.dev.example.com).

You wouldn’t go more far than that, with Universal SSL alone.

At Business/Enterprise plan, you can upload your own certificate.

Another option would be the “Advanced Certificate Manager” add-on, that can help you choose some more covered hostnames (or wildcards).

marek.korpacz · March 28, 2023, 6:52am

Good morning,

Thank you for explanation.

However, I think I was not clear with my question. Can I use both certificates at the same time? so, for example universal SSL for *.example.com domain and custom ssl for other like *.uat.example.com and *.dev.example.com.

The reason I am asking this is, that our current production setup is already using Universal SSL, and we’re under Business Plan.

Can we we add additional custom certificates for 3rd level domains like *.dev.example.com and *.uat.example.com, without impacting Universal SSL configuration?

Or those options exclude with each other, so we can either use custom SSL or use Universal SSL.

Thanks in advance,
Marek K.

DarkDeviL · March 28, 2023, 9:58pm

In hindsight, that “together” could indeed indicate “at the same time” too, so it could very well have been my understanding of it too!

As far as I understand, your explained scenario should be possible as well.

With two certificates, e.g.:

Custom Certificate:
*.dev.example.com
*.uat.example.com

Universal SSL:
example.com
*.example.com

A request to spaghetti.dev.example.com would take the Custom Certificate.

A request to spaghetti.uat.example.com would take the Custom Certificate.

A request to dev.example.com would take the Universal SSL Certificate.

A request to uat.example.com would take the Universal SSL Certificate.

Based on:

As long as you have at least one valid certificate matching the current request, there should not be any impact regarding the described set up.

system · April 3, 2023, 3:40am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.