Cloudflare CA deprecated?

We've got multiple domains under different plans (one partial enterprise, most business, the rest free) that are proxied. Many, if not most, of our domains were presenting CN=sni.cloudflaressl.com, CA=Cloudflare Inc, but nowadays we're getting a lot of Google and Let's Encrypt issuances with the hostname as CN. Are the:
Issuer: CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
Issuer: CN=Cloudflare Inc RSA CA-2,O=Cloudflare\, Inc.,C=US
CAs being deprecated? If they're sticking around, we're missing an injected CAA record for them; should we have something?
Hello, I’m Allie!
Yeah, they are slowly removing them. Those certs were signed by DigiCert, and afaik Cloudflare is slowly moving toward Google and LE only
lee (5mo ago)
(with Comodo as backup) Thanks, got it! Should we continue to expect future issuances from that CA, or, once all our domains have transitioned, is it safe to modify our monitoring to test against CN=domain?
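The two checks this thread is circling (does a CAA record set actually permit a given CA to issue for a name, and does an observed certificate still match what a monitor expects once the CN stops being sni.cloudflaressl.com) as an added example in Python. This is not code from the thread or from Cloudflare: the zone data stands in for a live DNS lookup, the issuer organization strings and hostnames are constructed assumptions rather than Cloudflare's published CA list, and TLS fetching is left out so it runs offline. The issuer DN format is the one quoted in the question, including the escaped comma in the O attribute.

```python
"""Offline CAA evaluation (RFC 8659) and a certificate expectation check.

Constructed for illustration: ZONE replaces a DNS lookup and the CA
identifiers and issuer organizations are assumptions, not a real policy.
"""


def parse_dn(dn):
    """Parse an RFC 4514 string DN such as
    'CN=Cloudflare Inc ECC CA-3,O=Cloudflare\\, Inc.,C=US' into a dict.
    Backslash escapes (the '\\,' inside the O value) are unescaped;
    multi-valued RDNs ('+') are not handled, issuer names do not use them."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character is kept literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    out = {}
    for rdn in rdns:
        key, _, value = rdn.partition("=")
        out[key.strip().upper()] = value
    return out


# Constructed zone: name -> list of (flags, tag, value). No CNAME/DNAME
# handling; a real monitor would resolve CAA with a DNS library instead.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "pki.goog; cansignhttpexchanges=yes"),
        (0, "issuewild", "letsencrypt.org"),
    ],
    "legacy.example.com": [(0, "issue", "digicert.com")],
    "frozen.example.com": [(0, "issue", ";")],  # ';' alone forbids every CA
}


def caa_lookup(zone, name):
    """RFC 8659 section 3: climb from `name` toward the root and return the
    first non-empty CAA RRset, or [] if no ancestor has one."""
    labels = name.split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def caa_permits(zone, name, ca_id):
    """True if the CA identified by `ca_id` (e.g. 'letsencrypt.org') may
    issue for `name`. A leading '*.' marks a wildcard request; issuewild
    then takes precedence over issue when present (RFC 8659 section 4.3).
    No CAA records, or none of the relevant tag, means no restriction."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    rrset = caa_lookup(zone, base)
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    for value in relevant:
        # value is 'ca-domain[; param=value ...]'; a bare ';' yields ''
        domain = value.split(";", 1)[0].strip().lower()
        if domain and domain == ca_id.lower():
            return True
    return False


def hostname_covered(host, names):
    """Does `host` match the subject CN or any SAN? A wildcard matches
    exactly one left-most label, as browsers enforce."""
    host = host.lower()
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if (name.startswith("*.") and host.endswith(name[1:])
                and host.count(".") == name.count(".")):
            return True
    return False


def check_cert(expected_host, subject_cn, sans, issuer_dn, allowed_issuer_orgs):
    """Return a list of findings; empty means the cert is what the monitor
    expects. The issuer is judged on its O attribute so that a rotation of
    intermediates within one CA does not page anyone."""
    findings = []
    if not hostname_covered(expected_host, [subject_cn, *sans]):
        findings.append(f"{expected_host} not covered by CN or SANs")
    issuer_org = parse_dn(issuer_dn).get("O")
    if issuer_org not in allowed_issuer_orgs:
        findings.append(f"issuer O={issuer_org!r} not on allow-list")
    return findings
```

A monitor built this way tests the hostname against CN and SANs together, so it keeps working whether the CN is a shared sni.cloudflaressl.com name or the domain itself, and it flags an unexpected issuer organization rather than a particular intermediate's CN; `caa_permits` is what to run against your own records for each CA you expect to see issuing.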
Hello, I’m Allie!
There may still be some products issuing certs from DigiCert, I'm not sure.
Erisa (5mo ago)
DigiCert update · Cloudflare SSL/TLS docs
In the latter half of 2023, Cloudflare will begin deprecating DigiCert as a Certificate Authority available for a variety of certificates:
lee (5mo ago)
I'm a bit confused, is the CN=Cloudflare issuer part of the DigiCert deprecation as well?
Chaika (5mo ago)
DigiCert was the root of those certs; it was just Cloudflare's intermediary.
Chaika (5mo ago)
Anywhere you see DigiCert mentioned in CF, it's that.
Chaika (5mo ago)
Certificate authorities · Cloudflare SSL/TLS docs
For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for …
lee (5mo ago)
Thanks, yeah I guess to clarify my question: Will Cloudflare continue to maintain their own intermediary (getting signed by someone else or becoming their own root and going through the process of becoming part of the root store for various OSes and browsers)? Or Cloudflare will no longer do any certificate authority management in house (other than Origin CA) and instead 100% rely on other CAs for issuances?
Chaika (5mo ago)
> Will Cloudflare continue to maintain their own intermediary (getting signed by someone else or becoming their own root and going through the process of becoming part of the root store for various OSes and browsers)?
At the moment, at least, it seems not. I kinda doubt they would try their own root; Let's Encrypt and GTS are both cross-signed to provide support for older Android phones, and it would take a while to be trusted by most devices. Green names/champs aren't CF employees though, so of course we don't know for sure, but none of the current ones are like that, and they've opted not to renew the DigiCert one.
lee (5mo ago)
Thanks! Yeah I’m hoping to get some clarity here, because “we are deprecating DigiCert” doesn’t also necessarily mean “we are deprecating our Cloudflare intermediaries which are signed by DigiCert”
Erisa (5mo ago)
That is what it means though
lee (5mo ago)
Thank you! Appreciate the double check as the language wasn't clear 🙂
Erisa (5mo ago)
No worries