Yep they will auto generate an SSL that will be valid and cover both the primary and dev site, but you don't have to have them in active mode, can bypass the primary site if you don't want them in play for that. Even the free plan would suffice, it just doesn't have the WAF functionality, but the $20 pro plan is preferred. If the site is with us reach out to TAC too as there are scenarios where we'll include it and do all the config for you.

Cool, I only need to say "Thanks David" once!

The Cloudflare thing seems like it might be the expedient tactic. I assume a free Cloudflare would suffice for the SSL. I'm not quite what I would do for the DNS though.

Scott

The underlying library MMT uses verifies SSL certs by default and there is no way to override this from within MMT. SSH authentication will be no different as the private key is used to sign the HTTP request is all.

I think you'd still have the issue as SSH keys can be used for authentication but you're still using https as the transport. You could put Cloudflare in front of the site to work around this.