Origin Certificate with Custom Hostname

Trying to get an Origin Certificate generated but with the Custom Hostname. It seems to only let me create an Origin Certificate under the main domain in Cloudflare but not for any verified Custom Hostnames.

Is there any way to get an Origin Certificate with the custom hostname in it? Otherwise, Strict SSL fails.

I don’t believe it is possible to generate a Cloudflare Origin Certificate for a domain outside your zone.

However, the Cloudflare SSL documentation states that for Full (strict) SSL mode to work:

Your origin needs to be able to support an SSL certificate that is:

  • Contains a Common Name (CN) or Subject Alternative Name (SAN) that matches the requested or target hostname.

This means you can have an SSL certificate on your origin server that only covers example.com, then create a CNAME record on www.example.com pointing to example.com and Cloudflare will consider the SSL certificate valid for www.example.com as well.

I’ll give two examples to showcase this. Let’s assume the IP address of the origin server is 127.0.0.1 and that it has an SSL certificate covering example.com.

Example 1
In this example you have the following DNS records:

example.com IN A 127.0.0.1
www.example.com IN CNAME example.com

Because www.example.com points to example.com and the origin server has a valid SSL certificate for example.com, this will work with Full (strict) SSL mode.

Example 2
In this example you have the following DNS records:

example.com IN A 127.0.0.1
www.example.com IN A 127.0.0.1

Because www.example.com points directly to the origin server and the origin server does not have a valid SSL certificate for www.example.com, this will not work with Full (strict) SSL mode.

Since Custom Hostnames have a CNAME record pointing to the main domain, it sounds like you simply need a Cloudflare Origin Certificate for your main domain and it will be valid for Custom Hostnames as well. I haven’t personally tried this with Custom Hostnames (only regular CNAME records), so do let me know whether this works if you decide to try it :)
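As an added example (not from the thread or from Cloudflare), the following models the quoted rule, "a CN or SAN that matches the requested or target hostname", over a constructed set of DNS records so that Example 1 and Example 2 above can be checked mechanically. The zone contents, the custom hostname app.customer.example and the certificate name list are all constructed assumptions.

```python
# Added example: checks the "CN or SAN matches the requested or target
# hostname" rule from the quoted documentation against constructed DNS data.
# Nothing here is Cloudflare's code; it only models the rule as quoted.

# Constructed DNS zone data: name -> (record type, value).
ZONE_EXAMPLE_1 = {
    "example.com": ("A", "127.0.0.1"),
    "www.example.com": ("CNAME", "example.com"),
    "app.customer.example": ("CNAME", "example.com"),  # constructed custom hostname
}
ZONE_EXAMPLE_2 = {
    "example.com": ("A", "127.0.0.1"),
    "www.example.com": ("A", "127.0.0.1"),
}

# CN/SAN names carried by the origin certificate (constructed).
ORIGIN_CERT_NAMES = ["example.com"]


def target_hostnames(zone, hostname, max_hops=8):
    """Return the requested hostname followed by every CNAME target reached from it."""
    names = [hostname]
    seen = {hostname}
    while len(names) <= max_hops:
        rtype, value = zone.get(names[-1], (None, None))
        if rtype != "CNAME" or value in seen:  # A record, missing name, or CNAME loop
            break
        names.append(value)
        seen.add(value)
    return names


def name_matches(cert_name, hostname):
    """Exact match, or a single-label wildcard such as *.example.com."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return cert_name == hostname


def strict_ssl_ok(zone, hostname, cert_names):
    """True when some CN/SAN matches the requested hostname or any CNAME target."""
    return any(
        name_matches(cert, candidate)
        for candidate in target_hostnames(zone, hostname)
        for cert in cert_names
    )


if __name__ == "__main__":
    print("Example 1:", strict_ssl_ok(ZONE_EXAMPLE_1, "www.example.com", ORIGIN_CERT_NAMES))
    print("Example 2:", strict_ssl_ok(ZONE_EXAMPLE_2, "www.example.com", ORIGIN_CERT_NAMES))
```

Under this model Example 1 (and the constructed custom hostname, which also CNAMEs to example.com) passes, while Example 2 fails because no candidate hostname other than www.example.com is ever considered.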

Thanks for your detailed reply; I was not aware that it would also work in that case. I had an issue, but found out that the host had not actually installed the origin cert correctly. Now it’s all working.
