23 changes: 23 additions & 0 deletions src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx
Expand Up @@ -37,6 +37,29 @@ As a security measure, you should hide the hostname of your key server.

:::

:::note

If your key server hostname is on a zone you have on Cloudflare, you must create a **DNS-only** (grey-clouded) record for it — do not proxy it. If the record is proxied or missing, Cloudflare's edge resolver returns `NXDOMAIN` and the Keyless TLS handshake fails. The fix is the DNS-only record — not adding the hostname to a certificate SAN.

:::

---

## Certificates used in Keyless SSL

Keyless SSL involves **two different certificates**. Confusing them is the most common setup error.


Define the acronym before it appears in the table below:

Suggested change
Keyless SSL involves **two different certificates**. Confusing them is the most common setup error.
Keyless SSL involves **two different certificates**, each with a different Subject Alternative Name (SAN). Confusing them is the most common setup error.


| Certificate | What it is | SAN should contain |


Expand the acronym for accessibility:

Suggested change
| Certificate | What it is | SAN should contain |
| Certificate | What it is | Subject Alternative Name (SAN) should contain |

| --- | --- | --- |
| **Edge (Keyless SSL) certificate** | The public certificate Cloudflare serves for your site. | Your site hostnames only (for example, `www.example.com`) |
| **Key server authentication certificate** | The certificate your key server uses to prove itself to Cloudflare. | The key server hostname only |

:::caution

Do **not** add your key server hostname to the SAN of your public edge certificate. It is not required, and it leaks internal hostnames into the public certificate and Certificate Transparency logs.

:::

---

## 2. Upload Keyless SSL Certificates
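Review bot: The new `## Certificates used in Keyless SSL` heading is inserted between numbered steps (the following section is `## 2. Upload Keyless SSL Certificates`) but carries no number, so the step sequence on the page no longer reads as a sequence; either number it to match the surrounding sections or make it a sub-heading of the step it belongs to. Two smaller points in the same hunk: "Confusing them is the most common setup error" is an unsourced superlative that would read better as "a common setup error", and the `:::note` asserting that a proxied record makes the edge resolver return `NXDOMAIN` should say which resolver path is meant (the key-server lookup from Cloudflare's edge) so a reader can verify the symptom rather than assume it; the caution's point about not placing the key server hostname in the public edge certificate SAN (CT-log exposure) is correct and well placed.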