How to identify which SSL certificate is being used on a site

I have SSLs for a single site on GoDaddy and Cloudflare. How can I tell which is really being used?

These tools:

https://www.digicert.com/help/
https://www.sslshopper.com/ssl-checker.html

show SSL details but not the platform where it was issued or its expiration date.

Thanks,
Chris

Can you explain? I don’t understand the post too well.
What’s your domain name so I can look at the issue in your Certificate(s)?

The domains in question are:

promundoglobal.org
promundo.org.br
men-care.org


which all have SSL certificates set up from both GoDaddy and Cloudflare. GoDaddy is requesting we renew the certificates we have issued through them. But since we already have certificates with Cloudflare, I’d like to know what certificates are actually being used on each site, GoDaddy’s or Cloudflare’s. If Cloudflare certificates are the ones being used, I should be okay to not renew GoDaddy’s certificates, right? And to confirm that Cloudflare certificates are the ones being used, I’d like to know when those Cloudflare certificates expire. I can see using the tools I posted above that the SSL certificates being used expire on 9/10/2019, but I have no way of knowing if those are in fact the Cloudflare certificates.

@chris8, I too face an ending Certificate Cycle soon. Right now all your Certificates are issued under the GoDaddy’s Let’s Encrypt Certificate for promundoglobal.org. You can disable the Certificates on your GoDaddy if you wish, or you could use it as a fallback in case anything happens to Cloudflare’s Certificates or Cloudflare altogether. However, I’m not sure if GoDaddy will automatically renew your Certificates upon the Cycle End Date like Cloudflare should.

If you’re not aware, you can click on the “lock icon” in the URL bar and click “Certificate”. This little pop-up offers an insight into your issued Certificate, its fingerprints, algorithms, etc.

Thanks for the reply. How can you tell from clicking on the lock icon that the GoDaddy SSL certificates are being used? If it’s just the fact that the certs are Let’s Encrypt, doesn’t Cloudflare use Let’s Encrypt certs as well?

Since GoDaddy SSL certs cost $200/year, I don’t think we can afford them just as a fallback, so I want to make sure I can verify they’re not currently being used, and if they are being used, I want to be sure canceling them would just allow Cloudflare SSLs to take over without interruption.

/Chris

Because Cloudflare Certificates are issued by COMODO ECC Domain and issued to Cloudflare’s SSL Domain. Let’s Encrypt Domains are issued by Let’s Encrypt Authority X3 and issued to your domain.

Cloudflare: [screenshot of certificate details]

Your Domain: [screenshot of certificate details]

Yeah, I wouldn’t pay for them either because if I did it’d better have my Company name “[Company, Inc.]” in the SSL Bar.

The solution here is pretty easy.

So, if the domain is active on Cloudflare and has its DNS record set to orange cloud, it will use Cloudflare’s (and should ideally use the GoDaddy one, but any other cert will work fine, read until the end, from the edge to your site to be sure that the whole connection is encrypted). If the record is set to grey cloud, then it will use your origin’s because Cloudflare is not involved anywhere.

Cloudflare’s certificates will auto-renew. I would also suggest to not pay for any certificate, be it EV or not as there are no differences and the only visual cues are all going away (if not already). You can either use Let’s Encrypt (automatically renewed ideally) or one of Cloudflare’s Origin Certificates that you can create yourself in the SSL/TLS app of the CF Dashboard.

Just to answer my own question: on GoDaddy, you can go to SSL Certificates > [domain] > History to view the current serial number of that certificate. Then, you can check that against the serial number listed in any SSL checker tool I listed at the top (or the lock icon in your browser’s search bar). The IP address and server type listed will also tell you where the SSL is coming from. In my case, the SSL certificates (issued by Let’s Encrypt Authority X3) being used are coming from Pagely, the host server, not GoDaddy or Cloudflare. (Which makes sense since our Cloudflare records all have a grey cloud proxy status).

So since my domains are using Pagely’s SSL certificates, there is in fact no reason to keep GoDaddy’s and we should experience no interruption or issue if we cancel GoDaddy’s. So we are canceling GoDaddy’s and requesting a refund which GoDaddy says we can do since they just recently renewed.
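The serial-number comparison described in the post above can be scripted; this is an added example, not part of the original thread. It reads the certificate a server actually presents and checks its serial against one copied from a provider's dashboard. The `SAMPLE` certificate, its serial and `example.org` are constructed values, and `fetch_cert` needs network access.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate the server presents for `host`."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # sends SNI
            return tls.getpeercert()


def rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested tuples."""
    return next((v for rdn in name for k, v in rdn if k == key), None)


def normalize_serial(serial):
    """Dashboards print serials with colons, spaces, 0x or lower case; compare bare hex."""
    s = serial.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    return s.replace(":", "").replace(" ", "").lstrip("0").upper()


def summarize(cert, dashboard_serial=None, now=None):
    """Report issuer, expiry and whether the serial matches a dashboard value."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    match = None  # stays None when no dashboard serial was supplied
    if dashboard_serial is not None:
        match = normalize_serial(cert["serialNumber"]) == normalize_serial(dashboard_serial)
    return {
        "issuer_cn": rdn_value(cert["issuer"], "commonName"),
        "subject_cn": rdn_value(cert["subject"], "commonName"),
        "expires": expires,
        "days_left": (expires - now).days,
        "serial_matches_dashboard": match,
    }


# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": ((("countryName", "US"),), (("commonName", "Let's Encrypt Authority X3"),)),
    "serialNumber": "03A1B2C3D4E5F60718293A4B5C6D7E8F9012",
    "notAfter": "Sep 10 12:00:00 2019 GMT",
}
```

For a live check, pass `fetch_cert("your-domain")` to `summarize` together with the serial shown in the provider's dashboard; a mismatch means the served certificate was issued elsewhere.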

Hi @chris8,

As @matteo said, you do need a certificate on your server for it to keep functioning as it does currently. You can generate a free Cloudflare Origin Certificate if your host will let you install it, rather than a GoDaddy one.

The Cloudflare certificate only works between the visitor and Cloudflare; you still need the cert on the server to secure the connection between Cloudflare and the origin.

If the host is not GoDaddy then no, there is no reason to have a cert there as well.

Yep, GoDaddy is just our DNS provider with nameservers pointing to Cloudflare so GoDaddy is not the host and we’re dropping their certs.

And for other domains, we do have SSL certificates set up on Cloudflare which also have SSL certificates on the server. But in this case, there’s no need to generate a Cloudflare Origin Certificate and install it on the host since they supply their own.

Thanks for all the input everyone.

Yes, if GoDaddy isn’t the host there is no need for certs, that’s for sure.
