[SSL] Call out proxy requirement for certs on subdomains (#23900)

simon-says · RebeccaTamachiro · web-flow · commit fe2e5d119a1b · 2025-07-31T09:31:55.000Z
* Update ssltls-subdomains.mdx

Clarify that Cloudflare SSL/TLS will only work for a subdomain if the DNS record is proxied

* Update limitations.mdx

Clarify that Cloudflare SSL/TLS will only work for a subdomain if the DNS record is proxied

* Small Style Guide adjustments

* Add title to note and move it lower in the partial

* Adjust title case

---------

Co-authored-by: Rebecca Tamachiro &lt;rtamachiro@cloudflare.com&gt;
diff --git a/src/content/docs/dns/proxy-status/index.mdx b/src/content/docs/dns/proxy-status/index.mdx
@@ -10,7 +10,7 @@ sidebar:
 
 import { Render, Example, Details, GlossaryTooltip } from "~/components";
 
-While your [DNS records](/dns/manage-dns-records/) make your website or application available to visitors and other web services, the **Proxy status** of a DNS record defines how Cloudflare treats incoming DNS queries for that record.
+While your [DNS records](/dns/manage-dns-records/) make your website or application available to visitors and other web services, the proxy status of a DNS record defines how Cloudflare treats incoming DNS queries for that record.
 
 The records you can proxy through Cloudflare are [records used for IP address resolution](/dns/manage-dns-records/reference/dns-record-types/#ip-address-resolution) — meaning A, AAAA, or CNAME records.
 
diff --git a/src/content/docs/ssl/edge-certificates/universal-ssl/limitations.mdx b/src/content/docs/ssl/edge-certificates/universal-ssl/limitations.mdx
@@ -14,6 +14,10 @@ import { GlossaryTooltip } from "~/components"
 
 Universal SSL certificates present some limitations.
 
+## Proxy status
+
+Cloudflare can only serve an SSL/TLS certificate for a DNS record when you set the record's [proxy status](/dns/proxy-status/) to **Proxied**. If you do not do this, the origin server your record points to will be responsible for supporting SSL/TLS connections.
+
 ## Hostname coverage
 
 ### Full setup
@@ -60,4 +64,4 @@ Due to internal limitations, Universal SSL certificates do not cover [load balan
 
 ## Browser support
 
-For more on browser support, see [Browser compatibility](/ssl/reference/browser-compatibility/).
+For more on browser support, see [Browser compatibility](/ssl/reference/browser-compatibility/).
diff --git a/src/content/partials/dns/ssltls-subdomains.mdx b/src/content/partials/dns/ssltls-subdomains.mdx
@@ -6,3 +6,7 @@
 If your main domain is using Cloudflare's [Universal SSL certificate](/ssl/edge-certificates/universal-ssl/), that certificate also covers all first-level subdomains (`blog.example.com`).
 
 For deeper subdomains (`dev.blog.example.com`), use a [different type of certificate](/ssl/edge-certificates/universal-ssl/limitations/#full-setup).
+
+:::note[Proxy status]
+Cloudflare can only serve an SSL/TLS certificate for a DNS record when you set the record's [proxy status](/dns/proxy-status/) to **Proxied**. If you do not do this, the origin server your record points to will be responsible for supporting SSL/TLS connections.
+:::
