DCV Delegation for SSL Wildcard

I bought Advanced Certificate Manager and I need to config SSL so subdomains will work with www. I found in documentation Clouflare this part:

To set up Delegated DCV:

  1. Order an advanced certificate for your zone. You can choose any Certificate validation method.
  2. On SSL/TLS > Edge Certificates, go to DCV Delegation for Partial Zones.
  3. Copy the Cloudflare validation URL.
  4. At your authoritative DNS provider, create CNAME record(s) considering the following:
  • If your certificate only covers the apex domain and a wildcard, you only need to create a single CNAME record for your apex domain. Any direct subdomains will be covered as well.

Well, in the point 2 I don’t see DCV Delegation for Partial Zones option in SSL/TLS > Edge Certificates. How to find it?

And 2nd - do I need to add all subdomains like *.sub1.domain.com *.sub2.domain.com or not?
Because I have ~300 virtual subdomains wildcard.

Thanks in advance.

Is your zone a Partial(CNAME) zone? It will not show for Full zones using Cloudflare nameservers because it is not necessary there. You can just issue the cert and it will work as expected.

Yes. SSL/TLS certificates only support one level of wildcard, so to get multiple levels you need to add every single one individually.

Advanced Certificate Manager allows for 100 certificates and each certificate can have up to 50 hostnames. Hopefully that is enough.


Thank you very much for quick explanation. you’re right, it’s not a partial zone.

Not sure if I did ok by enabling TotalTLS option as documentation says:

To prevent insecure connections on a multi-level subdomain, do one of the following:

  • Enable [Total TLS], which automatically issues individual certificates to your proxied hostnames not covered by a Universal certificate.
  • Order an [Advanced Certificate] covering the subdomain.
  • Upload a [Custom Certificate] covering the subdomain.

Is it should be enabled or disabled?
After enabling I see 3 new certificates with type Advanced - Total TLS so now I am confused if I should add subdomains to normal Advanced certificate or to Advanced - Total TLS certificate.

And the last one - all hostnames should be added as Subject Alternative Names (SAN)s, correct?

1 Like

Completely up to you. Total TLS will automatically generate certificates that don’t count to your quota for every single DNS record you create. In some situations this may be preferable, however if you want to manage them yourself you can create your own Advanced certificates instead.


1 Like

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.