Multi-Level Subdomains

In many cases, you want to run Tunnel to expose a multi-level subdomain, such as Because the certificate Tunnel generates will cover the first tier of subdomains and the apex (i.e. * and, you need to make a small modification to how you run Tunnel to get it to work. Tunnel offers two ways to accomplish this:

Option One: DNS Solution

The first option is for you to run Tunnel on a separate domain, and then CNAME the domain you wish to expose to that original Warped domain. How this works:

  1. Run Tunnel on your origin server and expose your service on a single-level subdomain such as
  2. Open up the Cloudflare DNS panel and create a CNAME record for the multi-level domain to the domain where Tunnel is running: CNAME ==>

Option Two: Bring Your Own TLS Certificate

You need a custom solution to run Tunnel on a multi-level domain because the certificate Tunnel generates for your origin server is not valid beyond one subdomain level.

In order to include more hostnames, you can bring your own TLS certificate. Below are instructions for how to use Tunnel with a custom certificate.

  1. Install Tunnel on your machine
  2. Run the command $ cloudflared tunnel login and, when the browser window opens, select the domain you wish to use. This will download a certificate to your origin server.
  3. The downloaded certificate will automatically be placed in ~/.cloudflared/cert.pem.
  4. If you open the certificate file, you will see it has three sections: private key, certificate and Tunnel token. Later on you will replace the private key and certificate sections.


  5. Next you need to generate a certificate for your origin server. Cloudflare offers a free Certificate Authority for generating origin certificates that are only trusted by Cloudflare.

  6. Log in to the Cloudflare dashboard and visit the Crypto tab.

  7. Scroll down to the section called Origin Certificates. In that table you will see certificates Tunnel generated for your server.

  8. Click the button labeled ‘Create Certificate’.

  9. When the modal opens, select the checkbox for “Let Cloudflare generate a private key and a CSR”. You may keep RSA selected as the key type. Then list the hostname you need to Warp, such as

  10. Cloudflare will then present you with a certificate to use for your origin.

  11. Open up the file at ~/.cloudflared/cert.pem and replace the private key and certificate sections with the values Cloudflare shows in the dashboard.

  12. Once you are finished, you can exit the modal in the dashboard by clicking ‘Ok’.

Note: If you use an encrypted certificate file, the Tunnel client won’t prompt for the passphrase and the certificate will not work.
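The replacement in step 11 can be scripted so that the token section is preserved and a passphrase-protected key is rejected before Tunnel ever reads it. The following is an added example, not Cloudflare's code: the function names are hypothetical, the PEM bodies are constructed placeholders, and the "TUNNEL TOKEN" label stands in for whatever label your downloaded cert.pem uses for its token section.

```python
import re

# One PEM block; the label is captured so sections can be told apart.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----", re.DOTALL)

def split_pem(text):
    """Return [(label, block_text), ...] in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def is_encrypted(label, block):
    # PKCS#8 encrypted keys carry their own label; traditional PEM
    # encryption is marked by a Proc-Type header inside the block.
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in block

def rebuild_cert_pem(existing, new_key, new_cert):
    """Swap the key and certificate sections; keep all other sections."""
    keys, certs = split_pem(new_key), split_pem(new_cert)
    if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY"):
        raise ValueError("expected exactly one private key block")
    if is_encrypted(*keys[0]):
        raise ValueError("key is passphrase-protected; Tunnel will not prompt")
    if len(certs) != 1 or certs[0][0] != "CERTIFICATE":
        raise ValueError("expected exactly one certificate block")
    kept = [block for label, block in split_pem(existing)
            if not label.endswith("PRIVATE KEY") and label != "CERTIFICATE"]
    if not kept:
        raise ValueError("existing file has no token section to preserve")
    return "\n".join([keys[0][1], certs[0][1], *kept]) + "\n"

# Constructed sample data: placeholder bodies and a placeholder token label.
def pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

OLD = pem("PRIVATE KEY", "b2xkLWtleQ==") + pem("CERTIFICATE", "b2xkLWNlcnQ=") \
    + pem("TUNNEL TOKEN", "dG9rZW4=")
NEW_KEY = pem("PRIVATE KEY", "bmV3LWtleQ==")
NEW_CERT = pem("CERTIFICATE", "bmV3LWNlcnQ=")

if __name__ == "__main__":
    print(rebuild_cert_pem(OLD, NEW_KEY, NEW_CERT), end="")
```

When writing the result back to ~/.cloudflared/cert.pem, keep the file readable by its owner only, since it contains the origin private key.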

You can now start Tunnel on a multi-level subdomain.

Note: you will also need a certificate for the connection from the client to Cloudflare’s edge. You manage this in the Edge Certificates section of the Crypto tab in the Cloudflare dashboard. By default, Cloudflare issues certificates for *.your-domain. If you need a certificate for a multi-level hostname, you can buy a dedicated certificate in the Cloudflare dashboard.