diff --git a/haproxy_mcp/tools/domains.py b/haproxy_mcp/tools/domains.py
index 3a10537..2ca657e 100644
--- a/haproxy_mcp/tools/domains.py
+++ b/haproxy_mcp/tools/domains.py
@@ -33,14 +33,17 @@ from ..file_ops import (
 remove_domain_from_map,
 find_available_pool,
 )
+from ..db import db_load_certs
 from ..utils import parse_servers_state, disable_server_slot
 def _check_subdomain(domain: str, registered_domains: set[str]) -> tuple[bool, Optional[str]]:
- """Check if a domain is a subdomain of an existing registered domain.
+ """Check if a domain is a subdomain of an existing registered domain or certificate domain.
 For example, vault.anvil.it.com is a subdomain if anvil.it.com exists.
- Subdomains should not have wildcard entries added to avoid conflicts.
+ nocodb.inouter.com is a subdomain if inouter.com has a certificate.
+ Subdomains should not have wildcard entries added to avoid conflicts,
+ because wildcard certs (*.example.com) only cover one level deep.
 Args:
 domain: Domain name to check (e.g., "api.example.com").
@@ -49,10 +52,14 @@ def _check_subdomain(domain: str, registered_domains: set[str]) -> tuple[bool, O
 Returns:
 Tuple of (is_subdomain, parent_domain or None).
 """
+ # Combine registered domains and certificate domains as known base domains
+ cert_domains = set(db_load_certs())
+ known_domains = registered_domains | cert_domains
+
 parts = domain.split(".")
 for i in range(1, len(parts)):
 candidate = ".".join(parts[i:])
- if candidate in registered_domains:
+ if candidate in known_domains:
 return True, candidate
 return False, None
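Review bot: The updated docstring of `_check_subdomain` says certificate domains count as parents but not where they come from. The signature still takes only `registered_domains`, while the second hunk has the function call `db_load_certs()` itself. A sentence in the description such as `Certificate domains are read via db_load_certs() on every call.` would tell callers that the result depends on stored certificate state and not only on the arguments. The Args section continues outside this hunk, so whether it already covers this cannot be seen here.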
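Review bot: The membership test `candidate in known_domains` is an exact string comparison and nothing in this hunk normalises either side. A certificate name stored with different case or a trailing dot would therefore not be recognised as a parent, and the subdomain would still be treated as eligible for a wildcard entry. What `db_load_certs()` returns is not visible here; if it can yield such names, build the set as `known_domains = {d.lower().rstrip(".") for d in registered_domains | cert_domains}` and lower-case `domain` before splitting, and decide separately how names stored in `*.example.com` form should match. The load also runs on every check with no handling for failure, so a comment stating whether a failed load should abort the domain add or fall back to `registered_domains` alone would make the intended behaviour explicit.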