Mask subdomain SSL Cert


One of our domains has a few subdomains and I was asked if we could mask the SSL cert we have for that specific subdomain (it is a Let’s Encrypt cert). As in, it can show anything else but that Let’s Encrypt cert we have in use.
I set the CloudFlare proxy on that CNAME entry to see if that would work. It may not have yet propagated but is there anything else I would need to do? Do I need to set the CloudFlare proxy on the A record entry for the domain, as well?


Once the change you made to enable proxying in CF has propagated, you should see the Cloudflaressl issued by Comodo/Sectigo.


Do I only need to set the CF proxy on that subdomain (CNAME) or do I need to set it on the A records, too?


If that subdomain is proxied, then it will show the Comodo/Sectigo (or one signed by the Cloudflare CA, cross-signed by DigiCert) certificate as you intend.

In general, that should be it. Just, if you go to any zone that is grey clouded :grey: the Cloudflare proxy won’t kick in and the certificate on your origin will show.

Note that, in order to use CF, you cannot proxy a “substantial amount of non-HTML content”. Make sure that subdomain is a subdomain with some content of its own, and that it doesn’t end up serving mostly images/files/etc. If this is a “mostly non-HTML static files” subdomain, your root domain/where your main content is will also have to be on Cloudflare. See section 2.8 of the terms.