Thank you for reaching out to us. If I understood correctly, you could do the following:
For your main website: By using Cloudflare’s DNS and SSL services, you won’t need to manually renew SSL certificates every 90 days. Cloudflare offers automatic SSL certificate management and renewal. For more information, please refer to the following link: Enable Universal SSL certificates · Cloudflare SSL/TLS docs
For subdomain1: Cloudflare can set this for your subdomains as well. You won’t need to manually upload SSL cert files every 90 days, as Cloudflare will handle this automatically.
For subdomain2: You can try setting up a proxied A record in Cloudflare pointing to your DigitalOcean server’s IP address, as it will enable Cloudflare’s SSL and other security features for this subdomain.