My company wants to buy an EV SSL certificate from Globalsign for our main domain. We have a Business Cloudflare account and I know we can upload our own private certificate. But what about subdomains? As I understood, this sort of certificate can be used only for one domain, so can we use the standard Cloudflare SSL certificate for them and the EV certificate for our main domain? If yes, how exactly?

Second question: What about the secure connection between our server and Cloudflare? Actually, we use the option “Full” and not “Full (strict)”. Can we change to Full (strict) when the EV certificate is in place on Cloudflare?

Thank you for your answer, this is the first time I have had to set up this configuration.


Any hostnames that you have :orange: and that are not covered by the custom certificate will be covered by the Universal certificate, so no issues there.

The Edge Certificate and SSL Mode (Full or Full Strict) are not related to each other. To change from Full to Strict you need to install a valid certificate (such as your Globalsign cert, a Let’s Encrypt certificate or a Cloudflare Origin Certificate, etc.) on your origin.

Out of curiosity, why do you need an EV certificate? Other than costing more, and requiring more verification, they offer no additional security. Most browsers no longer use visual indicators of EV certificates.

Thank you for your quick and effective answer, Michael! My boss has the final word, so if he wants to install one, I have no choice but to try to install it as cleanly as possible (despite the fact that I agree with you).

So if I understand you correctly, I will have to install the Globalsign EV certificate on Cloudflare for my main domain to have this cert working between clients and Cloudflare, and install the same Globalsign cert on my nginx server if I want to secure the connection between Cloudflare and the server. Am I right?

Thank you so much :wink:

For any hostname that is :orange: and that you set Full (Strict) you need a valid certificate. It could be the Globalsign cert, or any other valid cert including a Cloudflare Origin cert.

Make sure you generate both an ECDSA and an RSA certificate with the same hostnames. You can upload both in Cloudflare to create a certificate pack. Also worthwhile checking out Scott Helme's recent blog post about certificate chains. (This coming from somebody who spent most of last night unsuccessfully trying to build an alternate chain for a Globalsign ECDSA certificate!) Globalsign have excellent compatibility with old crud, and you can leverage that compatibility with an alternate trust path.
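As an added example (not from any poster in this thread), the script below sketches the "ECDSA and RSA certificate with the same hostnames" advice: it creates one key and CSR of each type and checks that both CSRs request an identical SAN set before they go to the CA. It assumes OpenSSL 1.1.1 or later (for `-addext`); `example.com` and `www.example.com` are placeholder hostnames and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: RSA + ECDSA key/CSR pair for the same hostnames.
# HOSTS holds placeholder names; the first one becomes the CN.
HOSTS="example.com www.example.com"

# Turn "a b" into "DNS:a,DNS:b" for the subjectAltName extension.
san_list() {
  out=""
  for h in $1; do out="${out:+$out,}DNS:$h"; done
  printf '%s' "$out"
}

# make_csr <rsa|ecdsa> <output-dir> <hosts>
make_csr() {
  kind="$1"; dir="$2"; hosts="$3"; cn="${3%% *}"
  case "$kind" in
    rsa)   openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
             -out "$dir/$kind.key" 2>/dev/null ;;
    ecdsa) openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
             -out "$dir/$kind.key" 2>/dev/null ;;
    *)     return 2 ;;
  esac || return 1
  chmod 600 "$dir/$kind.key"   # private keys stay owner-readable only
  openssl req -new -key "$dir/$kind.key" -subj "/CN=$cn" \
    -addext "subjectAltName=$(san_list "$hosts")" -out "$dir/$kind.csr"
}

# Print the DNS names a CSR requests, sorted, one per line.
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | sort -u
}

# Succeed only when both CSRs ask for exactly the same hostnames.
same_hostnames() {
  [ "$(csr_sans "$1")" = "$(csr_sans "$2")" ]
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_csr rsa "$demo_dir" "$HOSTS" && make_csr ecdsa "$demo_dir" "$HOSTS" \
  && same_hostnames "$demo_dir/rsa.csr" "$demo_dir/ecdsa.csr" \
  && echo "Both CSRs request: $(san_list "$HOSTS")"
```

The same `csr_sans` pipeline works on issued certificates if `openssl req -in` is swapped for `openssl x509 -in`, which lets you repeat the comparison on what the CA returns before uploading the pair.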

