When a third-party platform (like a CRM, portal, or SSO provider) requires its own SSL certificate for a subdomain, things can get confusing—especially if your main WordPress site is already covered by hosting-level SSL (like Let’s Encrypt).
In this guide, we’ll walk through how to handle SSL renewal and installation for a third-party-managed subdomain, including CSR generation, certificate purchasing, and coordination with external providers.
Issue Background
A WordPress site hosted on WP Cloud already had SSL coverage via automatic Let’s Encrypt certificates. However, a third-party platform required a separate SSL certificate for a subdomain used for user login (such as a portal or SSO endpoint).
Key complications included:
- The SSL certificate was expiring soon (time-sensitive)
- The subdomain was hosted and managed externally
- The third-party provider required a Certificate Signing Request (CSR) and a specific certificate format (Microsoft IIS 10)
- Questions around wildcard SSL, certificate providers, and ongoing management
Diagnosis
The core issue came down to understanding SSL scope and ownership:
- The main WordPress site already had auto-renewing SSL via Let’s Encrypt
- The third-party subdomain was not covered by hosting SSL
- A separate SSL certificate was required for the external system
The third-party provider:
- Handled installation
- Required certificate files and a CSR workflow
- Supported standard Certificate Authorities like DigiCert, GoDaddy, and Namecheap
A wildcard SSL certificate was recommended to support multiple subdomains, while also accounting for annual validation requirements introduced after 2020.
Resolution Steps
1. Confirm where SSL is needed
Determine whether the domain or subdomain is hosted on your server or externally. Third-party hosted environments require separate SSL handling.
2. Request a CSR from the third-party provider
Ask the provider to generate a CSR and confirm the required certificate format (e.g., Microsoft IIS 10).
3. Choose the right SSL type
- Standard SSL: Covers a single domain
- Wildcard SSL: Covers all subdomains and is ideal for multi-platform environments
4. Purchase the SSL certificate
Select a Certificate Authority such as Namecheap, DigiCert, or GoDaddy. In this case, a PositiveSSL Wildcard certificate was selected for multi-year coverage.
5. Validate domain ownership
Use DNS verification (typically via a CNAME record) to complete validation.
6. Download certificate files
Download the certificate bundle, including the CRT and CA bundle files. Select the Microsoft IIS 10 format if required.
7. Provide files to the third-party provider
Send the certificate files to the provider for installation and configuration.
8. Verify SSL installation
Test across browsers and SSL tools to confirm proper installation and expiration date.
9. Plan for ongoing renewal
Set up reminders and recurring workflows for annual SSL validation and renewal coordination.
Final Outcome
A wildcard SSL certificate was successfully purchased, validated via DNS, and installed by the third-party provider. The subdomain was secured before expiration, and a recurring renewal process was established.
Key takeaways
- Hosting-level SSL does not cover external platforms
- Third-party integrations often require manual SSL workflows
- Wildcard SSL certificates simplify multi-subdomain management
- Annual validation is required even for multi-year SSL certificates
If you need help managing SSL certificates across multiple systems or coordinating with third-party providers, contact Freshy to get expert support.