The CloudFlare Origin SSL Certificate Authority expired today (14/11/19). I can see looking on the help/support pages there is a newer Origin CA that expires on 16/08/2029, but whenever I create an origin web server cert it is being signed by the expired CA.
Does anyone know if a) it’s something I’m doing wrong, or b) there is a way to get the origin web server cert to be issued by the valid CA?
Just getting the same thing. Azure considers the certificate expired on the Application Gateways because of the CA expiration; however, if you take the AG out of the picture, Cloudflare will accept it at the origin.
How are you identifying that new OriginCA leaf certificates are being issued against the expired CA? We’ve renewed both CAs (RSA and ECDSA) with the same keys respectively so the Authority Key Identifier (AKI) on newly issued leaf certificates and the Subject Key Identifiers (SKI) on the roots remain the same while the Not Before and Not After dates have changed (both roots now expire on 2029-08-15T17:00:00Z). Renewing the CAs in this way allows leaf certificates issued before the renewal to remain valid.
If you haven’t installed the new roots on any clients, these are available in the article below.
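As an added example (not code from the thread or from Cloudflare), the following shell script builds a constructed root CA and leaf with openssl, re-signs the root with the same key, and checks the property described above: the Subject/Authority Key Identifiers still line up and the leaf verifies against the renewed root even at a time when the original root has expired. The CA name, hostname and file names are all constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed CA "Example Origin CA" and
# leaf "origin.example.test" show that re-signing a root with the SAME key keeps
# SKI/AKI aligned, so a leaf issued under the old root verifies against the new one.
set -e
WORK="$(mktemp -d)"
cat > "$WORK/ext.cnf" <<'EOF'
[ca_ext]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
[leaf_ext]
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
subjectAltName=DNS:origin.example.test
EOF
# One root key and CSR; the CSR is self-signed twice with different lifetimes.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -subj "/CN=Example Origin CA" -out "$WORK/ca.csr" 2>/dev/null
self_sign() {  # $1 = validity in days, $2 = output file
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days "$1" \
    -extfile "$WORK/ext.cnf" -extensions ca_ext -out "$2" 2>/dev/null
}
self_sign 1 "$WORK/ca_old.pem"     # original root, expires tomorrow
self_sign 3650 "$WORK/ca_new.pem"  # renewed root: same key, new Not Before/After
# Leaf issued under the OLD root only.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
  -subj "/CN=origin.example.test" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca_old.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/ext.cnf" -extensions leaf_ext \
  -out "$WORK/leaf.pem" 2>/dev/null
# Extract SKI / AKI (hex) from the text dump; handles OpenSSL 1.1.1 and 3.x output.
ski_of() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key Identifier' | tail -n1 | tr -d ' '; }
aki_of() { openssl x509 -in "$1" -noout -text | grep -A1 'Authority Key Identifier' | tail -n1 | sed 's/.*keyid://' | tr -d ' '; }
# Verify the leaf against a root; $2 (optional) = epoch seconds to evaluate validity at.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -attime "$2" -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
  fi
}
TWO_DAYS_ON=$(( $(date +%s) + 2 * 86400 ))
echo "old root SKI: $(ski_of "$WORK/ca_old.pem")"
echo "new root SKI: $(ski_of "$WORK/ca_new.pem")"
echo "leaf AKI:     $(aki_of "$WORK/leaf.pem")"
verify_leaf "$WORK/ca_old.pem" "$TWO_DAYS_ON" || echo "old root: leaf fails once the CA has expired"
verify_leaf "$WORK/ca_new.pem" "$TWO_DAYS_ON" && echo "new root: leaf still verifies"
```

The same `ski_of`/`aki_of` comparison can be pointed at a downloaded root and an issued origin certificate to confirm which CA a chain actually resolves to before blaming caching.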
I was opening the origin server certs on Windows and OSX and looking at the chain. I had installed the new Origin CA, but perhaps there was a caching issue.
I’ve now removed the old Origin CA from everywhere and installed the new one and things appear to be working again.