Total TLS: one-click TLS for every hostname you have



Can anybody explain the use case for Total TLS, i.e. why use a separate certificate for your hostname if you are already covered by a wildcard certificate?

@user20610 The main use case for Total TLS is to automatically provision certificates for new subdomains.

For example, you own a domain (domain.tld), and you constantly create new subdomains for X reason. Subdomains you create look like this:

  • a.b.c.subdomain.domain.tld
  • b.c.d.subdomain.domain.tld
  • abc.subdomain.domain.tld
  • *.x.subdomain.domain.tld

Imagine needing to provision an advanced certificate for each of those subdomains (note that you can’t use *.subdomain.domain.tld).

Total TLS will automatically provision a certificate (from LE or GTS) for each subdomain you have proxied in your ACM purchased zone.

Hope it helps!

Suggestion for Cloudflare: please let users also select DigiCert (yes, I know it’s deprecated) or Sectigo as the Total TLS certification authority. It’ll make a difference.

If you use then a wildcard * will not work. Cloudflare offers Advanced Certificates to allow you to obtain certificates automatically for this kind of situation, but previously you had to configure ACM manually. Total TLS automatically generates a certificate for every proxied DNS entry, avoiding the additional step, and potential misconfiguration.
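As an added example (not code from this thread or from Cloudflare), here is a small Python check of the rule both replies above rely on: a wildcard in a certificate's SAN stands in for exactly one DNS label (RFC 6125, section 6.4.3), so `*.domain.tld` covers `www.domain.tld` but not `abc.subdomain.domain.tld`. The SAN list and the proxied hostnames are constructed for illustration; `uncovered_hostnames` returns the records that would each need their own certificate, which is the gap Total TLS fills.

```python
"""Which proxied hostnames does a certificate's SAN list actually cover?

Added example, not Cloudflare code. Implements the single-label wildcard rule
from RFC 6125 section 6.4.3: a '*' may only be the whole leftmost label of a
dNSName SAN and matches exactly one DNS label. The sample SANs and zone
records below are constructed to mirror the hostnames discussed in the thread.
"""

from __future__ import annotations


def _normalise(name: str) -> str:
    # DNS names are case-insensitive; drop the trailing dot of FQDN form.
    return name.strip().rstrip(".").lower()


def san_matches(san: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname."""
    san = _normalise(san)
    hostname = _normalise(hostname)
    if not san or not hostname:
        return False
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # Only a bare '*' as the entire leftmost label is accepted; 'f*o.example'
    # style partial wildcards and wildcards in later labels are rejected.
    if san_labels[0] != "*" or "*" in san[1:]:
        return False
    # Refuse wildcards that would cover a whole TLD or the root ('*.com', '*').
    if len(san_labels) < 3:
        return False
    # The wildcard replaces exactly one label, so label counts must be equal:
    # this is why '*.domain.tld' does not cover 'a.b.domain.tld'.
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def certificate_covers(sans: list[str], hostname: str) -> bool:
    """True if any SAN on the certificate covers hostname."""
    return any(san_matches(san, hostname) for san in sans)


def uncovered_hostnames(proxied_hostnames: list[str], sans: list[str]) -> list[str]:
    """Proxied records not covered by the given SANs; each needs its own cert."""
    return sorted(h for h in proxied_hostnames if not certificate_covers(sans, h))


# Constructed sample: the usual apex + first-level wildcard pair on a
# universal certificate, and a zone with deeper records like the thread's.
UNIVERSAL_CERT_SANS = ["domain.tld", "*.domain.tld"]

PROXIED_HOSTNAMES = [
    "domain.tld",
    "www.domain.tld",
    "subdomain.domain.tld",
    "abc.subdomain.domain.tld",
    "a.b.c.subdomain.domain.tld",
    "*.x.subdomain.domain.tld",  # a wildcard DNS record needs an identical wildcard SAN
]


if __name__ == "__main__":
    for host in PROXIED_HOSTNAMES:
        status = "covered" if certificate_covers(UNIVERSAL_CERT_SANS, host) else "NEEDS OWN CERT"
        print(f"{host:32} {status}")
```

Running it shows the apex, `www` and `subdomain.domain.tld` covered by the universal pair, while the three deeper records are not; a wildcard DNS record such as `*.x.subdomain.domain.tld` is only covered by a SAN that is exactly that wildcard.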


Thanks both, it is clear. Did not realize *.subdomain.domain.tld isn’t covered by a wildcard certificate.
