I’m looking to add additional monitoring for the Origin Pull CA cert beyond expiration.
Eg, if Cloudflare intends to revoke/expire, or has published a new one.
I didn’t see a CRL or OCSP on the CA cert, but I think that would only help with revocations rather than a new one being published or an intention to revoke soon.
Of course one method could be downloading the CA cert periodically and checking the hash or so. The URL for the CA cert doesn’t seem that static though, unlike the IP ranges URL.
Besides keeping an eye out for any email notifications, and only the cert expiration, are there any other more-automated methods I could use?
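One way to do the "download the CA cert periodically and check the hash" idea from the question, written up as an added example (this is not code from the thread or from Cloudflare). It pins the SHA-256 fingerprint of the certificate's DER form rather than a hash of the raw file, so PEM re-wrapping or line-ending changes don't raise false alarms, and it uses `openssl x509 -checkend` to warn ahead of expiry. The `CA_URL` below is the attachment URL quoted later in this thread and is an assumption that may stop working; a `curl -f` failure on that URL is itself worth alerting on. The `make_sample_cert` helper only builds a constructed self-signed cert so the script can be exercised offline; it is not the real Origin Pull CA. Requires bash, openssl and (for the live path) curl.

```shell
#!/usr/bin/env bash
# Added example: pin the Origin Pull CA cert by fingerprint and warn before expiry.
# Not Cloudflare's code. Assumes bash, openssl, curl. CA_URL is an assumption.
set -euo pipefail

CA_URL="https://support.cloudflare.com/hc/en-us/article_attachments/360044928032/origin-pull-ca.pem"

# SHA-256 over the DER encoding, printed as AA:BB:... (stable across PEM rewraps).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# notAfter as printed by openssl, for the report line.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Returns 0 if the cert is still valid DAYS days from now, 1 if it expires before then.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_ca PEM PINNED_FINGERPRINT WARN_DAYS
# Prints OK, CHANGED, EXPIRING or CHANGED+EXPIRING; returns 0 only for OK.
check_ca() {
  local pem="$1" pinned="$2" days="$3" status=""
  local fpr
  fpr=$(cert_fingerprint "$pem")
  if [ "$fpr" != "$pinned" ]; then
    status="CHANGED"            # a new CA cert was published (or the file was tampered with)
  fi
  if ! cert_valid_for_days "$pem" "$days"; then
    status="${status:+$status+}EXPIRING"
  fi
  echo "${status:-OK}"
  [ -z "$status" ]
}

# Human-readable one-liner for cron mail / a ticket.
report_ca() {
  local pem="$1" pinned="$2" days="$3" status
  status=$(check_ca "$pem" "$pinned" "$days" || true)
  printf '%s fingerprint=%s notAfter=%s\n' "$status" "$(cert_fingerprint "$pem")" "$(cert_not_after "$pem")"
}

# Live path (network): fetch the CA, compare against the pin stored in PINFILE.
# First run: cert_fingerprint origin-pull-ca.pem > pinfile, after reviewing the cert by hand.
monitor_live() {
  local pinfile="$1" days="${2:-30}" tmp
  tmp=$(mktemp)
  curl -fsSL -o "$tmp" "$CA_URL"   # -f: a 404 (URL moved) is a non-zero exit, which cron will report
  report_ca "$tmp" "$(cat "$pinfile")" "$days"
  check_ca "$tmp" "$(cat "$pinfile")" "$days" >/dev/null
}

# Constructed sample only: a throwaway self-signed cert so the checks can run offline.
# make_sample_cert OUT.pem DAYS
make_sample_cert() {
  local out="$1" days="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -keyout "${out%.pem}.key" -out "$out" -subj "/CN=constructed sample CA" 2>/dev/null
}
```

Run `monitor_live /etc/origin-pull-ca.pin 30` from cron; when it reports CHANGED, inspect the new cert (`openssl x509 -noout -subject -issuer -dates`) before updating the pin, since a silent swap at that URL is exactly what you want a human to look at.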
So technically, you can script your own custom CA root/CA Intermediate and use it to sign your own client TLS certs for Cloudflare Authenticated Origin Pull configurations and upload them via CF API. So you can automate revocation/renewal.
Note: it is important that you remember to record the id of your custom client TLS uploaded certificate from the CF API upload command’s output. The reason is CF does not have an API endpoint to list custom client TLS uploaded certificates. So you won’t be able to update or remove the custom uploaded client TLS certificate without that id.
I create my own custom CA Root certificate/signed client TLS certs for custom hostnames via my own custom scripted process at https://github.com/centminmod/cfssl-ca-ssl (gen-client mode) using Cloudflare’s own cfssl as the underlying tool. The script is also used for my own Centmin Mod Nginx client TLS authentication processes outside of Cloudflare proxied configurations.
For the default CF Authenticated Origin Pull CA cert, I wrote a script to check for cert expiry, but as you said, this relies on the new cert URL being the same/static. @cs-cf it would be nice if the CA cert had a static URL. Right now it’s something like https://support.cloudflare.com/hc/en-us/article_attachments/360044928032/origin-pull-ca.pem; maybe something like certs.cloudflare.com/origin-pull-ca.pem would be better?
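To make the "script your own CA and upload the client cert via the CF API" approach from the reply above concrete, here is an added example that is not the thread's code and not the cfssl-ca-ssl script; it uses plain openssl in place of cfssl. It builds a private root CA, issues a client cert with only the extensions a TLS client needs (`CA:FALSE`, `digitalSignature`, `clientAuth`), verifies the chain for the `sslclient` purpose, and builds the JSON body for the upload. The upload target is assumed to be the zone-level Authenticated Origin Pulls endpoint `POST /zones/{zone_id}/origin_tls_client_auth` with `certificate` and `private_key` fields; check that against the current Cloudflare API reference before relying on it. `CF_ZONE_ID` and `CF_API_TOKEN` are operator-supplied. The returned `id` is appended to a file, since (as the reply notes) you need it later to update or remove the cert.

```shell
#!/usr/bin/env bash
# Added example: private CA + client cert for Authenticated Origin Pulls, uploaded via curl.
# Not from the thread or centminmod/cfssl-ca-ssl; openssl stands in for cfssl.
# Assumes bash, openssl >= 1.1.1, curl. Endpoint and field names are assumptions to verify.
set -euo pipefail

# make_root_ca DIR : self-signed root with CA extensions set explicitly via an extfile
# (an extfile rather than -addext keeps this portable across openssl 1.1.1 and 3.x).
make_root_ca() {
  local dir="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$dir/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.csr" \
    -subj "/CN=Private Origin Pull CA" 2>/dev/null
  openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
    -extfile "$dir/ca.ext" -out "$dir/ca.pem" 2>/dev/null
}

# make_client_cert DIR NAME [DAYS] : leaf cert usable only as a TLS client.
make_client_cert() {
  local dir="$1" name="$2" days="${3:-365}"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$dir/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "/CN=$name" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -days "$days" -extfile "$dir/$name.ext" -out "$dir/$name.pem" 2>/dev/null
}

# verify_client_cert DIR NAME : chain + purpose check, the same check the origin will do.
verify_client_cert() {
  openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$1/$2.pem" >/dev/null
}

# PEM -> JSON string content. PEM contains no quotes or backslashes, so only newlines need escaping.
json_pem() { awk '{ printf "%s\\n", $0 }' "$1"; }

# upload_payload CERT.pem KEY.pem : request body for the zone-level upload (assumed field names).
upload_payload() {
  printf '{"certificate":"%s","private_key":"%s"}\n' "$(json_pem "$1")" "$(json_pem "$2")"
}

# upload_client_cert CERT.pem KEY.pem IDFILE : network call, not exercised offline.
# Appends the returned certificate id to IDFILE; keep that file, there is no list call per the reply.
upload_client_cert() {
  local pem="$1" key="$2" idfile="$3"
  upload_payload "$pem" "$key" | curl -fsS -X POST \
    "https://api.cloudflare.com/client/v4/zones/${CF_ZONE_ID}/origin_tls_client_auth" \
    -H "Authorization: Bearer ${CF_API_TOKEN}" -H "Content-Type: application/json" \
    --data-binary @- \
  | sed -n 's/.*"result":{"id":"\([^"]*\)".*/\1/p' | tee -a "$idfile"
}

# Typical run (uncomment to use):
# d=./origin-pull-ca; mkdir -p "$d"; make_root_ca "$d"; make_client_cert "$d" origin-client 365
# verify_client_cert "$d" origin-client && upload_client_cert "$d/origin-client.pem" "$d/origin-client.key" "$d/uploaded-ids.txt"
```

The `sed` that pulls `result.id` out of the response is a stopgap; use `jq -r .result.id` where jq is installed. Renewal is then a cron job that re-runs `make_client_cert`, uploads, and swaps the new id into the zone/hostname setting, with the old id on file for removal.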