Google backup certificate needs to be revoked

Similar to this post:
"Certificate being issued by GoogleTrustServicesLLC " from last year.

There was an explanation, but no solution.

I had a certificate issued by Cloudflare some time ago and revoked it a few months ago.

But now, how do I revoke the backup security certificate? Why wasn’t the backup also revoked?

The Cloudflare certificate transparency notification is great in informing me every few weeks that Google “Trust” is issuing a new certificate for my domain dot com and *.domain dot com. But this is for an unwanted certificate that I definitely neither need or want.

Am I stuck with “big advertising” having its paws on my domain forever more? Is there no way out?

That backup should be revoked when a customer revokes the main certificate!

Thanks.

Why. They serve two separate certificates and the backup is only used if Cloudflare believes there is a need to switch.

They don’t have any control over your domain. It is just an SSL certificate, no idea goes through google.

1 Like

With Advanced Certificates you can:

  • Choose the certificate authority (CA) to issue the certificate.

This is no answer, just user excuses. The company, Cloudflare, apparently set up a backup certificate plan. While the main certificate can be revoked, there is apparently no ability to revoke a backup cert. So each month, I keep getting emails:

Cloudflare has observed issuance of the following certificate for [domain-name].com or one of its subdomains:

Log date: 2023-09-08 23:01:33 UTC
Issuer: CN=GTS CA 2A1,O=Google Trust Services LLC,C=US
Validity: 2023-09-08 22:01:32 UTC - 2023-10-23 22:01:31 UTC
DNS Names:

Cloudflare’s own cool tool exposes an unwanted, never requested issuance of a certificate that apparently will never expire.

Where is the solution?

You could turn off the certificate issuance notification emails. They aren’t particularly useful.

I’m not sure what you mean by

and

You can clearly see the expiration:

All certificates issued by public certificate authorities are published in transparency logs. If that is what you are considering exposed, the only way to stop that is to stop using publicly trusted certificates.

It’s not entirely clear what you perceive to be troublesome here or why you feel that way.

By never expire, I mean that this continually renews over and over. There is no mechanism to stop renewals from happening in perpetuity.

Have you disabled Cloudflare’s Universal SSL?

2 Likes

I have the same problem on a few of my domains. I previously just presumed it was the backup certificate until I had a few phishing and identity theft issues. On closer inspection, the backup certificate from Cloudflare is valid for a rolling 3mth period. However the certificates I’m being alerted on are a rolling 1mth period.

How can I get this checked out?

Daniel

Same question here. What is the exact reason for you Cloudflare to issue a 45-day certificate backup instead of the regular 90-day? Even worse, the certificate renewal happens when your servers detect that the certificate is going to expire in 30 days - which means, I receive an email every 15 days. Why this design?

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.