Do Cloudflare certificates work in older smart TVs?

Given that even the BBC had issues with certificates and old smart TVs (like 2010+), can we trust that Cloudflare certificates will be trusted by old TVs? Like TVs from 2009+?

Also, is there a way to make Cloudflare allow more ciphers?

You can only do that with Advanced Certificate Manager (ACM)

https://developers.cloudflare.com/ssl/ssl-tls/cipher-suites#restricting-at-edge

I ordered an advanced certificate, disabled Universal SSL, waited a lot, and it still seems to be using Cloudflare Universal certs :frowning:

Can you tell me when the root certificate from DigiCert was issued? I need it to be at least 2009 or older.

In my case, the root cert was issued in 2000

(Yes, I am using ACM)

What’s your website?

1 Like

I prefer not to reveal my website…

https://scotthelme.co.uk/impending-doom-root-ca-expiring-legacy-clients/

Do you think this Baltimore CA is trusted enough to be sure it will be in the root store of TVs? I tried to enable HTTPS on all my traffic and failed to support older TV models no matter what… then I discovered that most old smart TVs won’t recognize Let’s Encrypt and many other CAs…

This is generally not needed for Smart TVs. They actually have relatively good cipher support. I’m in the process of using ACM to remove most of the default Cloudflare ciphers, and smart TVs don’t have an issue. This is especially true if you use both RSA and ECDSA certificates. (Edit: I’ll need to check how far back we go in smart TV support. Due to other requirements, like DRM, some very old TVs have fallen off our support matrix.)

The main issue with older smart TVs is their trusted certificate store. Finding a match is tricky. It is not helped by the fact that most ‘smart’ TVs ship with a version of the Mozilla trust store that is very old at the time they are shipped, the TV manufacturers do not generally update the certificate store in firmware updates, and even if they did, most people do not regularly update the firmware on their TVs.

I use a GlobalSign certificate on my Cloudflare property just for this use case, with a relatively specific certificate chain, like those shown below. Your mileage may vary depending on the brand and age of the TV you are trying to support.

**2** GlobalSign RSA OV SSL CA 2018
Fingerprint SHA256: b676ffa3179e8812093a1b5eafee876ae7a6aaf231078dad1bfb21cd2893764a
Pin SHA256: hETpgVvaLC0bvcGG3t0cuqiHvr4XyP2MTwCiqhgRWwU=
RSA 2048 bits (e 65537) / SHA256withRSA
**3** GlobalSign
Fingerprint SHA256: 445eec78bc61215044a0379656aa2d5db5e42f76cb70b8d14c2077aa943d4ebb
Pin SHA256: cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A=
RSA 2048 bits (e 65537) / SHA256withRSA
**4** GlobalSign Root CA Self-signed
Fingerprint SHA256: ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99
Pin SHA256: K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=
RSA 2048 bits (e 65537) / SHA1withRSA


**2** GlobalSign ECC OV SSL CA 2018
Fingerprint SHA256: 87c71553445eb3c33c3e0710711b99e9c7773f04d91ac38a9f4c082ee24101ea
Pin SHA256: KJpedoXG+Rd6IJnYeOJjxUjlaDEDI8K1vCBBgzeJkC4=
EC 384 bits / SHA384withECDSA
**3** GlobalSign
Fingerprint SHA256: 3f319b2afed4a0f75127be59925550d0428e68763a09e273eb6a9ff8d18dbb5b
Pin SHA256: fg6tdrtoGdwvVFEahDVPboswe53YIFjqbABPAdndpd8=
EC 384 bits / SHA384withRSA
**4** GlobalSign
Fingerprint SHA256: 445eec78bc61215044a0379656aa2d5db5e42f76cb70b8d14c2077aa943d4ebb
Pin SHA256: cGuxAXyFXFkWm61cF4HPWX8S0srS9j0aSqN0k4AP+4A=
RSA 2048 bits (e 65537) / SHA256withRSA
**5** GlobalSign Root CA Self-signed
Fingerprint SHA256: ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99
Pin SHA256: K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q=
RSA 2048 bits (e 65537) / SHA1withRSA

1 Like

I’d have to pay for the $200 plan to upload my own certificate, right? :confused:

Yes. Custom Certificates are limited to Business or Enterprise plans.

You should get a copy of the root certificate store for the TV models you are interested in, and compare to the root certificates used by Cloudflare on the available ACM certificate types. If there is no match, you have no other choice really if you need to support really old devices.
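The comparison suggested in the two replies above (match the root a chain terminates in against the roots a TV actually ships with, and look at how old that root is) can be scripted. The following is an added example, not code from Cloudflare, GlobalSign or anyone in this thread. It builds its own throwaway CA hierarchy with the Go standard library (all names, dates and keys are constructed for the demonstration, not real CA data), reproduces the SSL Labs "Fingerprint SHA256" and "Pin SHA256" values for any certificate, and then checks two chains against a simulated 2009-era device whose store holds only a root issued in 2000. The `firmwareDate` cut-off is the original poster's "2009 or older" rule of thumb and is an assumption, not a validation rule any client applies; what actually decides trust is whether the root is in the store, which is what the `Verifies` field reports.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint reproduces the SSL Labs "Fingerprint SHA256": hex SHA-256 over the whole DER certificate.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// SPKIPin reproduces the SSL Labs "Pin SHA256": base64 SHA-256 over the DER SubjectPublicKeyInfo.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Compat records why a device with a known root store would or would not trust a chain.
type Compat struct {
	RootIssued time.Time // NotBefore of the root the chain terminates in
	InStore    bool      // that root's fingerprint is present in the device's store
	OldEnough  bool      // root issued no later than the firmware date (the thread's rule of thumb)
	Verifies   bool      // full path validation against the device's store succeeds
}

// CheckChainCompat compares the chain's root against the device's roots (by fingerprint and by
// actual path validation) and applies the firmware-date heuristic from the thread.
func CheckChainCompat(host string, leaf *x509.Certificate, intermediates []*x509.Certificate,
	root *x509.Certificate, deviceRoots []*x509.Certificate, firmwareDate time.Time) Compat {
	store := x509.NewCertPool()
	known := map[string]bool{}
	for _, r := range deviceRoots {
		store.AddCert(r)
		known[Fingerprint(r)] = true
	}
	inter := x509.NewCertPool()
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: store, Intermediates: inter})
	return Compat{
		RootIssued: root.NotBefore,
		InStore:    known[Fingerprint(root)],
		OldEnough:  !root.NotBefore.After(firmwareDate),
		Verifies:   err == nil,
	}
}

// caTemplate builds a CA certificate template (constructed test data, not a real CA).
func caTemplate(cn string, notBefore time.Time, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(40, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate builds a server certificate template valid around "now".
func leafTemplate(host string, serial int64) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 3, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue signs tmpl with parentKey; with a nil parent it produces a self-signed root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Scenario simulates a TV built in 2009 whose store holds only a root issued in 2000, and checks
// one chain under that root and one under a root issued in 2020 (the "new CA, old device" failure).
func Scenario() (underOldRoot, underNewRoot Compat) {
	oldDate := time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
	newDate := time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
	firmware := time.Date(2009, 6, 1, 0, 0, 0, 0, time.UTC)
	host := "www.example.test"

	oldRoot, oldKey := issue(caTemplate("Example Old Root CA", oldDate, 1), nil, nil)
	newRoot, newKey := issue(caTemplate("Example New Root CA", newDate, 2), nil, nil)
	oldInter, oldInterKey := issue(caTemplate("Example OV CA 2018", oldDate.AddDate(18, 0, 0), 3), oldRoot, oldKey)
	newInter, newInterKey := issue(caTemplate("Example OV CA 2020", newDate, 4), newRoot, newKey)
	leafA, _ := issue(leafTemplate(host, 5), oldInter, oldInterKey)
	leafB, _ := issue(leafTemplate(host, 6), newInter, newInterKey)

	tvStore := []*x509.Certificate{oldRoot} // the only root the simulated TV ships with
	underOldRoot = CheckChainCompat(host, leafA, []*x509.Certificate{oldInter}, oldRoot, tvStore, firmware)
	underNewRoot = CheckChainCompat(host, leafB, []*x509.Certificate{newInter}, newRoot, tvStore, firmware)
	return
}

func main() {
	a, b := Scenario()
	fmt.Printf("root issued %s: in store=%v old enough=%v verifies=%v\n", a.RootIssued.Format("2006"), a.InStore, a.OldEnough, a.Verifies)
	fmt.Printf("root issued %s: in store=%v old enough=%v verifies=%v\n", b.RootIssued.Format("2006"), b.InStore, b.OldEnough, b.Verifies)
}
```

To use this against a real device, replace `tvStore` with certificates exported from the TV's root store and the constructed chains with the chain your edge actually serves (the `Fingerprint` values are directly comparable with the SSL Labs listing posted earlier in this thread). Two points worth keeping in mind when reading the results: the self-signed root's own signature algorithm (the `SHA1withRSA` on the GlobalSign Root CA above) does not matter, because clients never verify a trust anchor's signature, only the signatures below it; and a root being old enough is necessary but not sufficient, since manufacturers ship a subset of the Mozilla store, so only `InStore`/`Verifies` answers the question.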

Do you know if old smart TVs support wildcard certs too?

Personal experience is that there is no issue with wildcard certs. I have used them for over a decade with TVs, games consoles and other miscellaneous junk. Just FYI, the BBC BiDi CDN uses the same GlobalSign ECC chain I posted above.

https://www.ssllabs.com/ssltest/analyze.html?d=b1rbsov.bidi.live.bbc.co.uk

1 Like

I have confirmed that Cloudflare is not using the cert from DigiCert which I ordered… I waited >6 hours, and when I open any of my domains I only see Common Name (CN) sni.cloudflaressl.com :confused: