How to enable free SSL on all subdomains with Cloudflare

To make all subdomains serve via SSL using Cloudflare, follow these steps:

1. Add Your Domain to Cloudflare

  • Log in to your Cloudflare account.
  • Add your domain if you haven’t already.
  • Update your domain’s nameservers to point to Cloudflare’s nameservers (this may take some time to propagate).

2. Enable SSL on Cloudflare

  • Navigate to the SSL/TLS section of your Cloudflare dashboard.
  • Select Full (Strict) mode for the best security (requires your origin server to present a valid, trusted SSL certificate, such as a Cloudflare Origin Certificate).
    • Flexible mode is only for origin servers without SSL and is the least secure option, since the leg between Cloudflare and your origin is sent over plain HTTP.
    • Full mode encrypts the connection to the origin but accepts a self-signed or otherwise non-CA certificate without validating it.

3. Issue Universal SSL Certificate

  • In the SSL/TLS section, go to Edge Certificates.
  • Ensure that Always Use HTTPS is enabled.
  • Cloudflare will automatically provide a Universal SSL certificate that covers the root domain and wildcard subdomains (e.g., *.yourdomain.com).

4. Configure Subdomain DNS Records

  • Go to DNS settings in Cloudflare.
  • Add A, CNAME, or other required records for your subdomains.
  • Ensure the Proxy Status is set to Proxied (Orange Cloud).

5. Automatic HTTPS Redirect

  • Under SSL/TLS > Edge Certificates, enable Always Use HTTPS and Automatic HTTPS Rewrites.

6. Optional: Configure Origin SSL Certificate (for Full Strict Mode)

  • Navigate to SSL/TLS > Origin Server.
  • Click Create Certificate to generate a Cloudflare Origin Certificate.
  • Install this certificate on your server to secure the connection between Cloudflare and your server.

7. Test SSL for Subdomains

  • Visit your subdomains (https://subdomain.yourdomain.com) to confirm they are served over HTTPS.
  • Use the SSL Labs Server Test to verify the security level.

8. Edge Certificate for Wildcard Coverage (Optional)

If you need more specific wildcard SSL coverage, consider Cloudflare’s Advanced Certificate Manager.

  • Also note that the free Universal SSL certificate only covers a single level of subdomain: it will work for api.mycompany.com but not for api.backend.mycompany.com.
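As an added example (not part of the original article), the following Python script implements the wildcard-matching rule behind the test in step 7 and the single-level caveat above: it checks hostnames against a constructed SAN list shaped like a Universal SSL certificate and reports which ones a browser would reject, and `fetch_live_sans` can pull the SAN list a zone you control actually serves. The hostnames and SAN values are assumed sample data, not taken from any real certificate.

```python
"""Check whether hostnames are covered by a certificate's DNS Subject Alternative Names.
Implements the single-label wildcard rule (RFC 6125 section 6.4.3): '*.mycompany.com'
covers 'api.mycompany.com' but not 'api.backend.mycompany.com' or the apex itself."""
import socket
import ssl

# Constructed SAN list shaped like a Cloudflare Universal SSL certificate for a zone:
# the apex plus a single-level wildcard (sample data, not fetched from any server).
EXAMPLE_SANS = ["mycompany.com", "*.mycompany.com"]


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one DNS SAN entry covers hostname (case-insensitive)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # A wildcard stands in for exactly one leftmost label, never for several.
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by(hostname: str, sans) -> bool:
    """True if any SAN in the list covers hostname."""
    return any(san_matches(san, hostname) for san in sans)


def uncovered_hosts(hostnames, sans):
    """Return the hostnames that browsers would reject against these SANs."""
    return [h for h in hostnames if not covered_by(h, sans)]


def fetch_live_sans(hostname: str, port: int = 443, timeout: float = 5.0):
    """Fetch the DNS SANs the edge actually serves for hostname (needs network)."""
    ctx = ssl.create_default_context()
    # Chain validation stays on; only the hostname check is disabled so the
    # SAN list can be inspected even when this hostname is not covered.
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    hosts = ["mycompany.com", "api.mycompany.com", "api.backend.mycompany.com"]
    print("not covered by the Universal SSL SANs:", uncovered_hosts(hosts, EXAMPLE_SANS))
```

Running it offline lists api.backend.mycompany.com as the only uncovered name; pointing `fetch_live_sans` at one of your own proxied hostnames shows whether the served certificate's SANs match that expectation.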