Skip to main content

Why You Still Need A SSL Certificate When Using a CNAME For A Vanity Domain

When setting up a CNAME (Canonical Name) record to point one domain to another, you’ll need a valid SSL/TLS certificate for the starting (source) domain if you want HTTPS to work without security errors.


Understanding CNAME and HTTPS

A CNAME record is a type of DNS entry that tells the Internet:

“This domain is just an alias—go look over there instead.”

For example:

helpdesk.school.org → CNAME → school.incidentiq.com


When someone visits https://helpdesk.school.org, their browser:

  1. Looks up the DNS record and sees the CNAME pointing to school.incidentiq.com.

  2. Resolves school.incidentiq.com to an IP address.

  3. Connects to that IP but still expects the server to present a valid certificate for helpdesk.school.org (the domain the user typed in).


Why Certificates Are Needed for Both Domains

  1. Browsers Validate the Domain in the Address Bar
    Even though DNS points to another domain, HTTPS certificates must match the hostname in the browser’s address bar, not the CNAME target.

    1. If the user enters helpdesk.school.org, the web server must present a certificate that includes helpdesk.school.org in its Subject Alternative Name (SAN) field.

    2. If the server only has a certificate for school.incidentiq.com, the browser will throw a “certificate mismatch” error.

  2. Security & Compliance Requirements
    For security standards, all domains serving HTTPS must have valid certificates. This avoids man-in-the-middle attacks and maintains encryption trust.


Best Practices

  • Work with your Web or Network team to add your custom domain to their SSL certificate (often via SAN or wildcard).

  • Use wildcard certificates (e.g., *.school.org) if you have multiple subdomains pointing to the same target.

  • Regularly check certificate expiration dates to prevent downtime.

  • Review our article Setting up an Incident IQ Vanity Domain with SSL in Microsoft Azure for information on using Microsoft Azure.

  • You may use a 301 Redirect to reduce the need for an SSL/TLS certificate for the source domain - Incident IQ only suggests using this method if you are already familiar with how to set one up.


Key Takeaway

A CNAME does not replace the need for an SSL/TLS certificate on the source domain. The browser validates security against the name the user typed, so every domain, source, and target must have its own valid certificate for HTTPS to work without errors.

Did this answer your question?