Checking for newer or revocation of Authenticated Origin Pull CA cert?

I’m looking to add additional monitoring for the Origin Pull CA cert beyond expiration.

Eg, if Cloudflare intends to revoke/expire, or has published a new one.

I didn’t see a CRL or OCSP on the CA cert, but I think that would only help with revocations rather than a new one being published or intending to revoke soon.

Of course one method could be downloading the CA cert periodically and checking the hash or so. The URL for the CA cert doesn’t seem that static though, unlike the IP ranges URL.

Besides keeping an eye out for any email notifications, and only the cert expiration, is there any other more-automated methods I could use?


There are 3 methods outlined for Origin Authenticated Pull

  1. The default method, which can be worked around/is flawed, as all CF sites use the same CF root cert, so protection is bypassed for any other CF site pointing to your real server IP - Zone-Level Authenticated Origin Pull using Cloudflare certificates
  2. Using a custom CA Root/client TLS at the apex domain top level, i.e. - Zone-Level Authenticated Origin Pull using customer certificates
  3. Using a custom CA Root/client TLS at a custom subdomain level, i.e. - Per-Hostname Authenticated Origin Pull using customer certificates

So technically, you can script your own custom CA root/CA Intermediate and use it to sign your own client TLS certs for Cloudflare Authenticated Origin Pull configurations and upload them via CF API. So you can automate revocation/renewal.

Note: one important thing is to remember to record the id of your custom client TLS uploaded certificate from the CF API upload command’s output. The reason is that CF does not have an API endpoint to list custom client TLS uploaded certificates. So you won’t be able to update or remove the custom uploaded client TLS certificate without that id.

I create my own custom CA Root certificate/signed client TLS certs for custom hostnames via my own custom scripted process at (gen-client mode) using Cloudflare’s own cfssl as the underlying tool. The script is also used for my own Centmin Mod Nginx client TLS authentication processes outside of Cloudflare proxied configurations :smiley:

For the default CF Authenticated Origin Pull CA cert, I wrote a script to check for cert expiry but, as you said, this relies on the new cert URL being the same/static. @cs-cf it would be nice if the CA cert had a static URL. Right now it’s something like maybe something like would be better?
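An added example (not code from the thread or from Cloudflare) of the kind of check both posts describe: it fingerprints the downloaded CA cert, compares it with the fingerprint saved by the previous run so a newly published cert is flagged, and reports days to expiry. It assumes the caller has already fetched the PEM from whatever URL Cloudflare currently publishes; `GenTestCA` only produces a constructed self-signed stand-in so the check can run offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// Report is what one monitoring run records about the Origin Pull CA cert.
type Report struct {
	Fingerprint  string // SHA-256 over the DER bytes, lower-case hex
	Changed      bool   // differs from the fingerprint saved by the previous run
	DaysLeft     int    // whole days until NotAfter (negative once expired)
	ExpiringSoon bool   // DaysLeft is below the warning threshold
}
// CheckCACert fingerprints the first PEM cert in pemData, compares it with the saved baseline ("" on first run) and checks expiry.
func CheckCACert(pemData []byte, baseline string, warnDays int, now time.Time) (Report, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return Report{}, errors.New("input is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return Report{}, err
	}
	sum := sha256.Sum256(block.Bytes) // same digest `openssl x509 -fingerprint -sha256` prints
	r := Report{Fingerprint: hex.EncodeToString(sum[:])}
	r.Changed = baseline != "" && baseline != r.Fingerprint // a new CA cert was published
	r.DaysLeft = int(cert.NotAfter.Sub(now).Hours() / 24)
	r.ExpiringSoon = r.DaysLeft < warnDays
	return r, nil
}
// GenTestCA builds a constructed self-signed CA cert standing in for the real downloaded one, so the check runs offline.
func GenTestCA(notAfter time.Time) ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored: rand.Reader is not expected to fail
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Origin Pull CA"},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}
```

A cron job would persist `Fingerprint` after each run and alert when `Changed` or `ExpiringSoon` is set; if the download contains a chain, only the first certificate block is checked.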

