How to cancel the ssl universal certificate?

#1

How to cancel the ssl universal certificate? I saw cloudflare issued a certificate for me in the google transparency report, I am worried that if the universal certificate (including multiple domain names) private key leaked out, someone can conduct a man-in-the-middle attack. So I want to know how to cancel the universal certificate.

0 Likes

Why cloudflare issued the added domain in default when I added the domain each times? Is there no way to revoke the previous universal certificates?
Why the universal certificate "dns name" only include my domain without other people's domains?
#3

But that’s just that I disabled it and the certificate has not been revoked, which lasts for 1 year.

0 Likes

#4

No worries. This is an SNI certificate and no website owner has access to the private keys.
This certificate are valid only for a few months.

You can buy a dedicated certificate from Cloudflare.

1 Like

#5

Why cloudflare issue universal certificate in default? Does it issue my domain when I add domain every times?

0 Likes

#6

Why cloudflare issued the added domain in default when I added the domain each times? Is there no way to revoke the previous universal certificates?
I see the Google transparency report that cloudflare issued my domain many certificates.

0 Likes

#7

Why the universal certificate “dns name” only include my domain without other people’s domains? Before this, I used the universal certificates whose “dns name” included other people’s domain name.

0 Likes

#8

I believe it is because previously Cloudflare used other CA providers to generate the certs and perhaps it was easier for them to “add to an existing cert”, whereas now they’re a CA on their own, so they can locally generate certificates internally, and there’s really no reason your cert will include other names and pollute the transparency logs :slight_smile:

0 Likes

#9

By the way, why cloudflare issued cerificate each times when I add domain to cloudflare? I have my own certificates and I don’t want to use the cloudflare’s certificate. I know this from Google Transparency Report. It showed that Cloudflare Inc. ECC CA 2 issued my domain. Is there any way to refuse Cloudflare will issue my domains when I add domains to cloudflare?

0 Likes

#10

You don’t have to go to Google’s Transparency Report - it’s right there in the Crypto tab that Cloudflare tells you that they’re doing it.

I’m un-aware of a way to add a domain without it automatically producing certificates… you can later DISABLE the “Universal SSL” at the bottom of the Crypto page, to avoid those certs from being renewed in the future.

I find it annoying as well that this is enabled by default for sites that I would want to issue other certs (either by Cloudflare or Bring Your Own) due to the spam of the CT logs, but this is probably the only reason.

If you’re concerned about security, then this is kind of silly IMHO, and I’ll explain why.

Scenario I: Say you don’t want SSL at all, so that means you don’t care about security at all; you probably shouldn’t care that someone can have certs with your site’s listed on them to MITM attack you, as it is possible anyway because you’re running plaintext.

Scenario II: You care about security, and you’re even bringing your own certs, which are somehow “better” than CF’s (OK maybe if you have OV or EV certs?) - and you don’t want CFs inferior certs to be leaked by CF and used by others - you don’t trust CF to hold the private keys for those certs. Instead, you give them the private keys of your other certs, which presumably be guarded “better”, even though it’s the same infrastructure and the same servers holding your key (the ones terminating your TLS connections)

Scenario III: You’re using Cloudflare without really using Cloudflare - i.e. your purpose is to get a Route-53-like service, but for free, maybe even utilizing DNSSEC. This is obviously not the idea behind the service - which is mostly to stop attacks on layer 7 of the HTTP protocol (“DNS” is just one dashboard tab out of many) - and is probably the only case where there is a “redundant” cert flying around, that if compromised can have your site served elsewhere (if someone can crack Cloudflare’s infrastructure, again the same one you trust to run the most sensitive part of your business - the DNS - and the one that if cracked into can easily create a DV cert on any CA even if you have CAA; You’ll obviously KNOW about it [because you follow CT logs] - but you won’t be able to do much about it because your whole domain was hijacked anyway…)

Did I miss any possible scenario?

0 Likes

#11

Yes as long as Universal SSL is activated.

Buy dedicated certificatess If you’re concerned about… what ever. It doesn’t affect the security of your sites nor does Google care about SNI when it comes to page rankings. This is Just cosmetic. I for myself don’t care but I would if I would run pages for kids for example. Then I’d buy dedicated certificates, before they spot porn sites or other adult or questionable content. Though it’s unlikely because the nornal user doesn’t care about the certificate details. There’s a padlock, it’s green, it’s secured.

Why? To make SSL easy to use for everyone. There are a lot of people with less experience than you and me. They may care, but certificates are usually expensive and almost no one with a private project would effort 100 bugs a year. Or can’t…

It doesn’t. Google changed the way how they display the certificate details with one of the latest updates and use Windows stuff to show them. They had their own certificate view a few versions ago but Chrome mobile will show all the domains.

0 Likes

#12

I noticed this a while back on my domains. It depends when they were added to cloudflare. Older ones have Universal (Shared) certificates issued to sniXXXXXX.cloudflaressl.com with many domains on. Newer ones have Universal ones that are just issued to sni.cloudflaressl.com with only your domain on them.

It is just a slight change in the way the certs are issued since Cloudflare now is a Trusted CA.

I saw other posts. The universal certificate only has one domain, not include other domains now.

1 Like

#13

Yes @junrongit, that is my post you quoted from.

The new certs do only contain their domain. Such as the difference between the certs on domjh.com and planetweb.uk, the old certs (domjh.com), the multi domain ones, show all the other domains in Chrome mobile and show them all under subject alternative name in chrome desktop. The new ones (planetweb.uk) are issued by CF and only contain yourdomain.com and *.yourdomain.com

I will do a wiki post on this soon.

1 Like

#14

I don’t know your meaning. I opened “domjh.com” both in Chrome Deskop and Mobile, the Chrome Deskop “DNS NAME” showed other domains, the Chrome Mobile SAN also showed other domains.

0 Likes

#15

The two domains I posted were just examples to show the two types of universal certificates that have been issued by Cloudflare.

Just to illustrate what I meant in the above post, yes, the certificates used to all be (universal (shared)) like the one on domjh.com, with multiple domains on them. These show in chrome.

The new certificates (universal) look like the one on planetweb.uk, they only show sni.cloudflaressl.com and your domain.

0 Likes

#16

For reference, I have created the wiki post:

0 Likes

closed #17

This topic was automatically closed after 30 days. New replies are no longer allowed.

0 Likes