Advanced Certificate Manager Query

Hello,

I’m planning to use Advanced Certificate Manager (ACM). I have some questions; I already tried looking in the community but didn’t get any confirmed answer. I need your help with these questions:

  1. I am currently on a Universal certificate which has the common name sni.cloudflaressl.com. If I get the $10 ACM plan, will I be able to get the common name as *.example.com for my certificate? Or will I get example.com only as the common name?

  2. The current issuer for my SSL certificate is Cloudflare Inc ECC CA-3. With an ACM certificate, will the issuer remain the same?

  3. If the answer to question #2 is No, who will be the new issuer? Can I select a CA approved by Cloudflare?

  4. Lastly, can I change the SHA type for new certificates? As it is currently SHA256, can I get SHA384?

Thanks for any help in advance.

Regards.

  1. With ACM the common name will always be example.com, but you can add additional SANs.

  2. You can choose either Digicert or Let’s Encrypt. With the current Digicert certs, the issuing certificate is Cloudflare managed, and is either Cloudflare Inc ECC CA-3 or Cloudflare Inc RSA CA-2. The other available certificate chain is from Let’s Encrypt, which uses the normal LE chain. With the Digicert chains, you can use ACM to change the ciphers to only allow ECC ciphers, if the RSA cert is not wanted. Be aware that if you are pinning against the intermediate, it can and will change.

  3. You can select from the two currently provided, but there may be others in the future. Other CAs require you to use a Custom certificate, but you have to manage that cert yourself and upload using the API or web interface.

  4. The ACM keys are managed, and you currently do not have the ability to select SHA384. Again, Custom certs get around that if needed.


> With the current Digicert certs, the issuing certificate is Cloudflare managed, and is either Cloudflare Inc ECC CA-3 or Cloudflare Inc RSA CA-2.

Thanks for your reply michael! It answered almost all of my queries :blush:

Just to confirm: for Digicert certs, as you mentioned, it is managed by Cloudflare, which means the issuing authority is automatically selected by Cloudflare and we can’t explicitly select, for example, Cloudflare Inc RSA CA-2 only.

Regards.

With the Digicert certs, Cloudflare issues two certs, one RSA and one ECC. However, you can adjust the ciphers that are used so that the RSA one is never seen.

Scott Helme did this recently with Report URI, and only the ECC cert is visible. You can see in the CT logs that on 2020-08-15 two certs were issued, but looking at SSL Labs, only the ECC cert is visible.

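The reply above says the observable effect of restricting ciphers is that only one of the two issued leaf certificates is ever presented. The following is an added example, not code from the thread or from Cloudflare, for verifying that from the defender's side: a small standard-library DER walker that reports which signature algorithm (ecdsa-with-SHA256, sha256WithRSAEncryption, and so on) and which public-key algorithm (id-ecPublicKey or rsaEncryption) a certificate carries, which also answers the SHA256/SHA384 question for any certificate you feed it. The certificates it parses in the demo are constructed, unsigned skeletons built by the same script (the `build_skeleton_cert` helper and all its contents are assumptions for the demo); in practice you would pass in the DER of a real leaf obtained from a TLS connection.

```python
"""Report the signature and public-key algorithms of a DER certificate.

Added example (not from the thread). Standard library only. The sample
certificates are constructed skeletons: correct RFC 5280 structure, dummy
contents, no real signature. They stand in for the ECC and RSA leaves that
the thread discusses.
"""
from typing import List, Tuple

# OIDs relevant to the thread, dotted form -> human-readable name.
OID_NAMES = {
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.113549.1.1.1": "rsaEncryption",
}


# ---- minimal DER decoding (definite-length only, which is all X.509 uses) ----
def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the contents of a constructed type into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents to dotted form (base-128 arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def describe_cert(der: bytes) -> Tuple[str, str]:
    """Return (signature_algorithm, public_key_algorithm) names for a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    tbs, sig_alg, _sig = _children(cert)[:3]       # tbsCertificate, signatureAlgorithm, signature
    sig_oid = _decode_oid(_children(sig_alg[1])[0][1])
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                        # skip optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    spki_alg = _children(fields[5][1])[0][1]        # AlgorithmIdentifier inside SPKI
    key_oid = _decode_oid(_children(spki_alg)[0][1])
    return OID_NAMES.get(sig_oid, sig_oid), OID_NAMES.get(key_oid, key_oid)


def is_ecc_cert(der: bytes) -> bool:
    """True when the certificate's public key is an EC key (the ECC leaf, not the RSA one)."""
    return describe_cert(der)[1] == "id-ecPublicKey"


# ---- constructed sample certificates (assumption: dummy contents for the demo) ----
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)


def build_skeleton_cert(sig_oid: str, key_oid: str) -> bytes:
    """Constructed, unsigned certificate skeleton with the given algorithm OIDs."""
    def seq(*parts: bytes) -> bytes:
        return _tlv(0x30, b"".join(parts))

    def alg(oid: str) -> bytes:
        return seq(_encode_oid(oid))

    empty_name = seq()
    validity = seq(_tlv(0x17, b"200815000000Z"), _tlv(0x17, b"210815000000Z"))  # UTCTime pair
    spki = seq(alg(key_oid), _tlv(0x03, b"\x00\x04"))                            # dummy BIT STRING key
    tbs = seq(
        _tlv(0xA0, _tlv(0x02, b"\x02")),   # [0] version v3
        _tlv(0x02, b"\x01"),               # serialNumber
        alg(sig_oid),                      # signature
        empty_name, validity, empty_name, spki,
    )
    return seq(tbs, alg(sig_oid), _tlv(0x03, b"\x00"))  # empty signature value


if __name__ == "__main__":
    ecc = build_skeleton_cert("1.2.840.10045.4.3.2", "1.2.840.10045.2.1")
    rsa = build_skeleton_cert("1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1")
    for label, der in (("ECC leaf", ecc), ("RSA leaf", rsa)):
        print(label, describe_cert(der), "ecc" if is_ecc_cert(der) else "rsa")
```

To check a live endpoint after adjusting ciphers, obtain the presented leaf with `openssl s_client -connect example.com:443 -servername example.com -cipher <suite>` (substitute an ECDSA-only or RSA-only suite) and convert it with `openssl x509 -outform DER` before passing the bytes to `describe_cert`; running it once with an ECDSA suite and once with an RSA suite shows directly whether the second certificate is still reachable.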

Is the reverse also possible? That is, can I adjust ciphers so that ECC is not seen and only RSA is seen?

Thanks for all your help!

Yes. Not sure why you would want to do that, but it can be done.

I was just confirming the possibility :blush: Thanks again, really appreciate your help!
