I am working with Azure API Management Service, in the Consumption Tier, and I registered a "Custom domain" through a free account at Cloudflare; in Cloudflare I registered the domain and configured Full encryption.
I also added the domain as a DNS record pointing to my API Management, for example a CNAME for "third.two.example.com".
Once this was done, I created an origin server certificate for the domain that I will use (it is a third-level domain, for example "third.two.example.com") and then downloaded the certificate and key (PEM and KEY).
After that, because Azure threw me the error "The content type needs to be application/x-pkcs12." when adding the certificate in API Management, I had to convert the certificate from PEM to PKCS12. I did it with the following OpenSSL command on my computer:
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
Then I uploaded the certificate to an Azure Key Vault as a certificate, which did not give me any problem.
Finally I added the domain "third.two.example.com" as a custom domain in my Azure API Management, referencing the certificate uploaded to Key Vault; the process runs correctly and everything is fine.
However, when opening this domain, the browser shows me the following error:
And when trying to call the API through Postman with SSL active, I also get the following error:
Could you tell me if I'm doing something wrong or have everything wrongly configured? I really don't have much knowledge of digital certificates, so I don't know if I should do something additional or whether the configuration I'm using is not correct. Thanks in advance for your comments.
The certificate information shown by the browser is as follows:
Thanks in advance for your help! Sorry for the blur, but some data is private and I can't show it.
UPDATE
I found on this site that I have to change the cloud to orange (Proxied), so I did it, and it doesn't work.
Finally I tested the same steps with the domain "third-two.example.com" and it works with 0 problems (the only thing to keep in mind is that the proxy must be activated after adding the domain in APIM). Is there something that I need to do, or some tier I need to upgrade to on Cloudflare, to get a multiple-level SSL certificate? On the creation page, it says that it is allowed here:
UPDATE - 2021-09-02
OK, for everyone still having this issue: there's no way to do that without an edge certificate (the plan costs 10 USD).
Quote for the activation:
Create a certificate in the dashboard
To create a new advanced certificate in the dashboard:
- Log into your Cloudflare account and select a domain.
- Select SSL/TLS > Edge Certificates.
- Select Order Advanced Certificate.
- If Cloudflare does not have your billing information, you will need to enter that information.
- Enter the following information:
  - Certificate Authority
  - Certificate Hostnames
  - Validation method
  - Certificate Validity Period
- Select Save.
With all the steps done, you can now order an edge certificate that contains all the hosts needed; for my example: the main domain, the wildcard domain, and the third-level subdomain:
You can add a total of 50 hostnames, so if you need additional hostnames you can add them here. The steps are the following:
With these steps and all the steps from before done, your API Management will recognize the domain as secured, and also the SSL certificate, as follows:
Finally, I know this is a very specific topic (Azure Functions on Azure API Management, with a custom domain in Cloudflare), but maybe it can be useful for someone. It's not free, it's 10 USD per month, so if you want to use a third-level domain, I think this is the cheapest and most secure way to do it.
I will close this question.
I edited the question to add the answer from the Cloudflare forum, and it works, so I think I will close this question.
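The root cause described in the updates above is that a certificate whose names are only the apex and a single-level wildcard (`example.com` and `*.example.com`) is not valid for a third-level name such as `third.two.example.com`, because a wildcard matches exactly one DNS label. The following script is an added example (not code from the original post or from Cloudflare/Azure) that reproduces that check locally with a throwaway self-signed certificate, and also runs the PEM-to-PKCS12 conversion from the post with a verification that the bundle actually contains the same certificate. It assumes `openssl` 1.1.1 or newer on `PATH`; the hostnames, the password `test` and the work directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Shows (1) which hostnames a
# single-level wildcard certificate covers, and (2) a verified PEM -> PKCS12
# conversion like the one used when uploading to Azure API Management.
# Assumes openssl >= 1.1.1 (for -addext). All material here is throwaway.
set -e
WORK=$(mktemp -d)

# Self-signed test certificate carrying the same kind of SANs a free
# universal edge certificate has: the apex and one wildcard level.
make_wildcard_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com,DNS:*.example.com" >/dev/null 2>&1
}

# Returns 0 if the certificate file $1 is valid for hostname $2, 1 otherwise.
# openssl prints "does match" or "does NOT match"; only the former is accepted.
cert_covers_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# PEM (cert + key) -> PKCS12 bundle, the format Azure expects.
# Password is a constructed demo value; use a real one outside this example.
pem_to_pfx() {
  openssl pkcs12 -export -out "$WORK/server.pfx" \
    -inkey "$WORK/server.key" -in "$WORK/server.crt" -passout pass:test
}

# SHA-256 fingerprint of the certificate inside the PEM file.
pem_fingerprint() {
  openssl x509 -in "$WORK/server.crt" -noout -fingerprint -sha256
}

# SHA-256 fingerprint of the leaf certificate extracted back out of the .pfx;
# comparing it with pem_fingerprint proves the bundle was built correctly.
pfx_fingerprint() {
  openssl pkcs12 -in "$WORK/server.pfx" -passin pass:test -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

make_wildcard_cert
pem_to_pfx

for host in example.com two.example.com third.two.example.com; do
  if cert_covers_host "$WORK/server.crt" "$host"; then
    echo "covered:     $host"
  else
    echo "NOT covered: $host"   # expected for the third-level name
  fi
done

if [ "$(pem_fingerprint)" = "$(pfx_fingerprint)" ]; then
  echo "PKCS12 bundle matches the PEM certificate"
else
  echo "PKCS12 bundle does NOT match the PEM certificate" >&2
fi
```

Running it prints `covered:` for `example.com` and `two.example.com` and `NOT covered:` for `third.two.example.com`, which is exactly the situation the post hit: the free certificate is fine for a second-level name like `third-two.example.com` but an advanced certificate listing the third-level hostname explicitly is required for `third.two.example.com`. The fingerprint comparison is a cheap sanity check worth doing before uploading any `.pfx` to Key Vault.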