Subdomains having separate SSL certificates
Hi,
I have multiple subdomains registered with my domain (all in Cloudflare) and I only want a single wildcard SSL/TLS certificate for my domains (to prevent subdomain enumeration from SSL/TLS certificate registration logs - e.g. which can be seen from sites like crt.sh).
Most of my subdomains are plain Cloudflare Pages projects and some to other external projects.
* I have the CNAMEs set to proxy (maybe that's the issue?)
* I have SSL/TLS set to "Full (strict)" for the domain
* In my Edge Certificate section, I have have only two certificates (a universal and a backup, both targeting my domain and my domain with a subdomain wildcard)
Is there a way to tell Cloudflare to not register certificates for every subdomain and rather use the universal wildcard certificate?
Thank you so much!
6 Replies
Every Pages Custom Domain has its own certificate issued for it, it uses CF for SaaS under the hood
no way around that, and yea they won't appear in your zone/website since they're from CF for SaaS, not zone certificates
Thanks for the quick response! That's unfortunate. At least it seems like the A records I have that are pointing to other clouds are using the wildcard cert (but not always), but I'll dig into that myself.
Unless you have Total TLS, part of ACM (Advanced Certificate Manager) enabled, Cloudflare itself shouldn't be issuing ssl certs for just any record you make.
It's possible, just like Pages or R2 Custom Domains do, that they automatically issue you an ssl cert so you can have encryption from CF -> them, which is something you want.
I don't have ACM, which is ok for now. And I'm guessing the same behaviour is to be expected from Workers as from Pages?
For Worker Custom Domains they create Adv. Certs which you can delete (they would be visible under the Edge Certs tab, like your universal/backup is)
For Routes, no certs
and just because it may be worth mentioning: If the subdomains are public it's likely they'd be picked up by search engines at some point anyway and thus bots would find them. Security by obscurity is not security. It is annoying though, espec if you're trying to watch for certs being issued CT Logs and there's hundreds for every single thing
Yepp fully agree, what is being exposed is avail. to the public (which isn't a big concern), just wondered if there's a way obfuscate enumeration of subdomains through that path