Different cipher suites for ACM certs/subdomains?


We are on a Pro plan and would like to disable RSA ciphers, which at first glance seemed straightforward enough - buy the ACM add-on, create advanced certs and set our preferred allow-list.

However, we would like to retain the RSA ciphers for one subdomain (api.) as we have customers whose legacy software may not support ECHDE. Unfortunately there are no analytics in the dashboard to tell us which suites are being used - just the overall proportion of TLS1.2/1.3 traffic.

We thought that ACM would allow us to create two (or more) certificates and apply different allow-lists on a per-certificate basis, however this does not seem to be the case - the allow-list seems to be universal across the whole zone.

Is our understanding correct that we are unable to apply different allow-lists to different certs/subdomains (except possibly with Enterprise Subdomain Support, which appears to separate out all config for each delegated subdomain)?


Specifying cipher suites on a hostname basis is restricted to SSL for SaaS - or the partial setup that you mentioned.



This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.