Certificate being issued by Google Trust Services LLC

Today I got a Certificate Transparency Notification that one of my domains had a certificate issued by CN=GTS CA 1P5,O=Google Trust Services LLC,C=US

I don’t use any Google services and have never had Google issue a certificate to me in the past. I use Cloudflare as my DNS registrar; there was a renewal of the cert 5 hours beforehand from CN=Cloudflare Inc ECC CA-3,O=Cloudflare, Inc.,C=US, which is fine and expected. I checked crt.sh and can see that indeed both certs were issued today.

My Cloudflare audit log has an Unknown Action logged with the resource of Certificate pack.

Is this something new Cloudflare is doing using Google CA as a backup or something to be concerned about?

Precisely.

Thanks Michael, great to know. Is there any advice on setting up CAA records in regard to all the different issuers Cloudflare uses, to avoid future surprises?

Yes. Ignore all the CAs that you think Cloudflare uses; they will take care of those themselves. But add CAA headers for all of the certificates that you issue, even if they overlap with Cloudflare’s.

The logic is that Cloudflare might add (as with Google) or even remove CAs. If you are depending on an automatically added CAA it might stop being automatically added.

2 Likes
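As an added example (not code from anyone in this thread, and not Cloudflare’s own tooling), the following script implements the CAA evaluation a CA performs under RFC 8659, so you can check offline whether a given issuer would be permitted for a name under the records you publish: it walks from the name toward the root to find the first CAA record set, applies `issuewild` only to wildcard names (falling back to `issue` when no `issuewild` exists), refuses on an unknown critical property, and treats a missing record set as "any CA may issue". `pki.goog` is the CAA identifier Google Trust Services publishes; the zone data, the other issuer identifiers and the `format_zone_lines` helper are constructed for this example.

```python
"""Offline CAA policy check following the RFC 8659 lookup and matching rules.

Zone data below is constructed sample data (an assumption for this example);
nothing here talks to live DNS.
"""
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # flags bit 7 in a CAA record


@dataclass(frozen=True)
class CAARecord:
    flags: int   # 0, or ISSUER_CRITICAL
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # "pki.goog", "ca.example; validationmethods=dns-01", or ";"


# Constructed zone: CAA record sets keyed by owner name.
# "pki.goog" is the real identifier used by Google Trust Services;
# "your-ca.example" and "corp-ca.example" are placeholders.
SAMPLE_ZONE = {
    "example.com": [
        CAARecord(0, "issue", "pki.goog"),
        CAARecord(0, "issue", "your-ca.example"),
        CAARecord(0, "issuewild", ";"),  # ";" = nobody may issue wildcards
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
    "internal.example.com": [
        CAARecord(0, "issue", "corp-ca.example"),
    ],
}


def find_caa_rrset(name, zone):
    """RFC 8659 s3: climb from name to the root, use the first non-empty CAA set."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zone.get(owner)
        if rrset:
            return owner, rrset
    return None, []


def issuer_domain(value):
    """Drop '; key=val' parameters and normalise case of an issue/issuewild value."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name, ca_identifier, zone):
    """Return (permitted, reason) for ca_identifier issuing a cert for name."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name  # *.X is evaluated on X
    owner, rrset = find_caa_rrset(lookup, zone)
    if not rrset:
        return True, "no CAA records in the tree: any CA may issue"
    for r in rrset:  # a critical property the CA does not understand blocks issuance
        if r.flags & ISSUER_CRITICAL and r.tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"unknown critical property {r.tag!r} at {owner}"
    if wildcard:
        relevant = [r for r in rrset if r.tag.lower() == "issuewild"]
        if not relevant:
            relevant = [r for r in rrset if r.tag.lower() == "issue"]
    else:
        relevant = [r for r in rrset if r.tag.lower() == "issue"]
    if not relevant:
        return True, f"CAA set at {owner} has no relevant property: any CA may issue"
    allowed = {issuer_domain(r.value) for r in relevant}
    if ca_identifier.lower() in allowed:
        return True, f"{ca_identifier} is authorised by the CAA set at {owner}"
    return False, f"{ca_identifier} not in {sorted(allowed - {''})} at {owner}"


def format_zone_lines(owner, rrset):
    """Render a record set in zone-file presentation format, e.g. for pasting into a DNS console."""
    return [f'{owner}. IN CAA {r.flags} {r.tag} "{r.value}"' for r in rrset]


if __name__ == "__main__":
    for line in format_zone_lines("example.com", SAMPLE_ZONE["example.com"]):
        print(line)
    for name, ca in [("www.example.com", "pki.goog"),
                     ("www.example.com", "letsencrypt.org"),
                     ("*.example.com", "pki.goog"),
                     ("internal.example.com", "pki.goog")]:
        ok, why = caa_permits(name, ca, SAMPLE_ZONE)
        print(f"{name:24} {ca:18} {'ALLOW' if ok else 'DENY ':5} {why}")
```

This makes the thread's advice concrete: once you publish `issue` records for the CAs you use yourself, a CT notification from any issuer whose identifier is not in the set is evidence that either your records or the issuing CA's CAA check is wrong, and a check like the one above tells you which result you should have expected.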

I guess from my point of view it was very unexpected to see; I’m sure others will see the same certificate transparency notification and be taken by surprise. I did a search myself prior to opening this thread and found https://developers.cloudflare.com/ssl/ssl-tls/certificate-authorities/, but it does not list Google, and the blog you listed didn’t either, so just from a standpoint of security and trust, with no notification, it was a bit scary to see.

I received emails on all my accounts notifying that backup certs were to be issued.

Whether Cloudflare should notify every user of every CA that is, is not, might, might not, should or should not be used is debatable. It’s a managed product, so the details might change as the manager sees fit. (The manager being Cloudflare). I’d like to see a list of the certificate fingerprints on the Dashboard so that I can verify that a cert I see in CT logs is a managed cert. That actually might be available via the API, I haven’t looked.

1 Like

I also didn’t receive any notification email about backup certs, so I’m glad I found this community post.

I totally agree that all managed certificates must be listed in the dashboard. Showing some certs but not all is misleading at best, so hopefully Cloudflare will address this.
