Origin Certificates and Subdomains



So I’m creating an Origin Certificate, that on the help, it says:

Hostname/Wildcard Coverage
Certificates may be generated with up to 100 individual Subject Alternative Names (SANs). A SAN can take the form of a fully-qualified domain name (www.example.com) or a wildcard (.example.com); IP addresses are not permitted as SANs on Cloudflare Origin Certificates. Wildcards may only cover one level, but can be used multiple times on the same certificate for broader coverage (e.g., .example.com and *.secure.example.com may co-exist).

So I created my certificate for my white label website, that it would be something similar to *.white-label.mywebsite.com
and added an entry of *.white-label and pointed to my white label server.

When it try to access the root of my white label: white-label.mywebsite.com the https works, but when I try to access a subdomain like app2.white-label.mywebsite.com I receive a Your connection is not private error.

Why it does not work?



The origin certificate is the certificate you install on your origin server (to controllSSL traffic between Cloudflare and your origin). Do you also have an edge certificate for *.white-label.mywebsite.com? The free SSL certificate only covers the first level wildcard *.mywebsite.com.


Thanks for you quick reply.

No I don’t have the edge certificate for *.white-label.mywebsite.com.

So event on the help part of the Edge Certificates saying that I can use with *.secure.example.com it does not work?
It’s for ONE level or FIRST level?


The help portion which references *.secure.example.com is in the origin certificate help. Origin certificates are used for the securing of connections between Cloudflare and the origin. Origin certificates are not signed by a public CA and aren’t trusted by end user browsers. They are intended to provide validation for secure authentication between Cloudflare and the server where the content resides (and re installed and configured on those origin servers).

The certificates which are presented to end users are edge certificates and at the edge there is a free SSL certificate provided to all plan types (universal SSL) which is a shared SAN cert that supports *.example.com and example.com for each registered domain (multiple domains are generally bundled on the free SAN certificates).

For customers who wish to have dedicated certificates there are 3 primary options. 1. Dedicated certificates (support *.example.com and example.com on a CERT with no other host names), 2. Dedicated certs with custom host names (supports up to 50 host names for domains under your account including *.example.com and example.com) or 3. Uploading a certificate you already own which contains the host names you wish to cover from another CA (requires the business plan).

If you installed an origin certificate on an origin server named app1.whitelabel.mywebsite.com with the certificate you created above it could be accessed via cname from https://whitelabel.mywebsite.com where the whitelabel.mywebsite.com pointed to the app1 record in DNS using the full strict setting if that was your desire. But to make app1.whitelabel.example.com accessible to an external user over SSL using that host name you would need a certificate from option 1 or 2 above if you wanted to proxy the request through Cloudflare for CDN and DDoS.

Multi-level subdomain "wildcard" SSL

I see, so my problem was because I can’t put *.white-label.mywebsite.com behind Cloudflare Proxy, the certificate that is present to my end user, will be the Origin Certificate and not the Edge?


Unfortunately no (although there would be an error regardless). Since we do SSL termination at our edge we present the closest match SSL certificate which is your universal SSL cert, but the host name doesn’t match so the user’s browser received an error.

If the record wasn’t orange clouded the user would still receive an error, because our internal CA used for origin certificates is not an externally trusted 3rd party CA the browser would recognize so they would give a different error but an error regardless. In order for us to terminate an SSL session at our edge we have to have a certificate in place which matches the host name being called. And since ..example.com isn’t an allowed certificate type, so you have to define the parent domain *.foo.example.com (abnd probably foo.example.com in most usage scenarios) in the cert.