Multi-level subdomain "wildcard" SSL


Hello there,

I am running into issues, that a multi-level subdomain is not working with Cloudflare provided wildcard SSL, as the certificate itself only protects two levels of your domain, one is apex level, and another one is a subdomain of apex level.

The tree looks like this:

This is kinda frustrating when migrating large sites to Cloudflare, and is losing all the subdomains. My own SSO server stays at, and this is the case that Cloudflare Wildcard SSL is not working at all. Once I turn on the orange cloud for that DNS record, browsers immediately prompt SSL errors.

I am hoping there are people who can shed some lights on this, since it has been itchy long time ago.


Information in this post/thread may help, if you haven’t already seen it:

Unfortunately that’s all the assistance I can provide, but Im sure someone from Cloudflare will pop onto this thread at some point :nerd_face:


Buy dedicated certificate and put whatever you want in them (max 50 hostnames with wildcards for 10$ per month). There’s no other way and that’s how I do it for one of my clients.


This is a limitation of SSL in general. No browsers support multi-level wildcard certificates and no trusted CA will issue them. The free universal SSL certificate provided by Cloudflare supports the root and wildcard domain on a shared certificate. For more levels, dedicated certificates or custom host names a different certificate is needed. Some/most of these can be obtained through Cloudflare if you wish or for certain certificate types/orgs business and ENT plans support uploading a custom certificate purchased elsewhere.

How do you have your SSL certificate configured/managed for the sites currently?


Currently we have a over 100 wildcard certificate installed, and all of them are signed individually by CAs, like * and * This was the original design for our architecture, and it works flawlessly until Cloudflare sits in place, breaking the fourth level of domain on SSL transport.

Due to the current situation, some of the domain has been offloaded using Secondary DNS, to reroute for better SSL support. Needless to say this generated quite an amount of cost, only purchasing a dedicated profile on DDoS mitigation and SSL support.


We don’t break the 4th level of wildcard. It works just fine if you have a valid certificate. It’s just that our free Universal SSL certificate only offers * and

You might also contact our sales department to see if SSL for SaaS might be an option for you depending on what services you’re providing to your customers.


This is interesting, i have a service with my own two SSL wildcards (* * so if i understand plans i should choose Enterprise Plan wich is a bit overkill for us !


This could be done on a free plan with a $10/mo dedicated certificate with custom hostnames purchased through actually for the specific limited scenario you describe.