Certificate transparency monitoring - is this cloudflare creating the cert?

I enabled “Certificate transparency monitoring” (see https://blog.cloudflare.com/introducing-certificate-transparency-monitoring/) today for all my domains.

A couple hours after the “activation” email, I suddenly get an email for a lot of my zones, notifying me about the issuing of an SSL cert for the domain of my zone.
I however didn’t create any certificates.

Content is:
Cloudflare has observed issuance of the following certificate for mydomain or one of its subdomains:

Log date: 2019-08-13 18:06:16 UTC
Issuer: CN=COMODO ECC Domain Validation Secure Server CA 2,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
Validity: 2019-08-13 00:00:00 UTC - 2020-02-19 23:59:59 UTC
DNS Names: => list of all kinds of domains, among 1 is mine.

I am using Cloudflare shared SSL.

  1. Am I assuming correctly that this was cloudflare creating the SSLs on my behalf for the “shared SSL”?

  2. Would it be possible to filter out (aka not report) the cases where Cloudflare itself creates the ssl cert on my behalf?

It most likely is. Those will pop up frequently for the old style certificates shared across multiple domains. I suggest you don’t filter this out so you can be sure the Comodo cert that was issued is legitimate.

Ok, the question is however: how do I know whether it was Cloudflare creating the certificate vs some malicious third party?

Just from the details in the email it’s impossible to know.

I was going to say to just check the cert on your website, as it should match, but looking at a recent one of mine, it doesn’t match. Not even close. Different dates, different domains in the list (other than mine), and different clousdlfaressl subdomain. @cloonan?

1 Like

Hi @sdayman, I guessing you’ve broken something found a defect that’s showing a false positive, but the idea behind monitoring is to avoid tampering with certs. Either way this is not ideal - neither false positive nor malicious cert are good. Can you let Support know?

1 Like

Done. Ticket # 1734446
The CT notification was for a certificate that expired about two months ago.

1 Like

@sdayman my case is covered in this ticket too or should I open a separate ticket?

You should first verify that the certificate that shows up in your notification is or is not the one currently used for the hostname listed. You didn’t post the hostname, so I can’t take a look.

Yes it’s the one currently used (issued for sni31468.cloudflaressl.com) by cloudflare for my domain.

Ok, then it sounds like you’ve answered your own question.

Yes, 1)

but 2): Would it be possible to filter out (aka not report) the cases where Cloudflare itself creates the ssl cert on my behalf?

Because having to check 100 domains for a certificate change everytime cloudflare does change something is cumbersome and useless, if it’s cloudflare itself doing it.