TotalTLS and Origin certificate

With TotalTLS, what are the requirements of the web server?

I assume it still require an Origin cert, and if so, will the default hostnames of and * suffice?

This is in order to protect for example without having to re-configure an Origin cert on the web servers each time.

So I went ahead and tested the Total TLS with Origin Cert.

The “Full (Strict)” connections won’t work with Total TLS unless I specify the full hostname.

If I set “Full” connection then it will work, due to it not being as strict.

Q: While using “Full (Strict)” Is there are way to get Total TLS to automatically generate certs based on domain name (which it does currently) but not have to update anything on the web server (e.g. install some special “catch all” Origin cert)


This is the error if the specific hostname is not specified in the Origin Cert using “Full (Strict)”:

The actual subdomain structure I want is *
If I create an Origin certificate for * and install it on the web server, then any of the Total TLS certificates generated via the DNS entry e.g. will work using “Full (Strict)”. This is because the hostname is specified.

Is there any way to have Full Strict with just * ?

With certificates and DNS, the asterisk always refers to one-level only. So you do need to specify the individual sub-domains, even if you use a wildcard for their hostnames.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.