Misleading Transparency Monitoring Alerts due to Backup cert. service

As some others, I received an alert from the cert. transparency monitoring service for my domain:

Cloudflare has observed issuance of the following certificate for xxx.com or one of its subdomains:
Log date: 2022-05-31 12:24:47 UTC
Issuer: CN=GTS CA 1P5,O=Google Trust Services LLC,C=US
Validity: 2022-05-31 11:24:47 UTC - 2022-08-29 11:24:46 UTC
DNS Names: *.xxx.com, xxx.com

I was concerned that someone managed to create a cert for my domain for malicious reasons. I contacted Google Trust Services (GTS) Support as I was not aware that I had ever used GTS for my certs.

They investigated and found out that this is caused by Cloudflare’s backup cert. service:

Cloudflare recently announced a new feature called Backup Certificates. This feature maintains a backup certificate in case one of their customers’ certificates has to be revoked, so they can mitigate the impact immediately and avoid outages. They describe our involvement here.

I really appreciate the Cloudflare services around CT monitoring and the backup cert. service! I even think Cloudflare is doing a great job of making the internet/websites more secure in general by providing their free services!

However, it would be really great to exclude from notifications/alarms the cases where Cloudflare itself issued a new cert. due to the cert backup service.

Similar issues have been reported here (Post IDs; cannot add more links :frowning: )
113008
384523

The service alerts on every certificate issued. Just because you, the rogue DNS admin at %company%, have configured a DNS record to use a Cloudflare service doesn’t mean your organization will be unable to track your nefarious actions.


As it currently stands, it is very difficult to tell if a particular cert was actually a properly issued Cloudflare managed cert. Right now you have to manually check the public facing cert fingerprint against the CT logs. And you cannot do that with the backup certs.

It would be useful if there was a list of the currently valid CF managed certs in one place on the Dashboard/API, with some data to indicate their purpose. (Pages, ACM, Universal, Backup etc.)

Right now, if a rogue admin was able to access one of the well known email addresses, well known directories on a domain etc. they can issue a cert for a domain from GTS and I don’t have enough data to say that the cert visible in the CT log is a CF Backup cert or a rogue employee.

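Not part of the thread: an added Python example of the triage a domain owner can do with one of these alerts. It parses the alert fields quoted at the top of the thread, compares them against allowlists of the issuers and names the owner expects (the allowlists are assumptions for the example), and hashes the leaf certificate a host actually serves so it can be matched against a CT entry; as the post above notes, a backup certificate is never served, so a miss on that last check is inconclusive.

```python
import hashlib
import re
import ssl
from datetime import datetime

# Constructed sample: the alert text quoted in the thread (placeholder domain kept).
SAMPLE_ALERT = """Log date: 2022-05-31 12:24:47 UTC
Issuer: CN=GTS CA 1P5,O=Google Trust Services LLC,C=US
Validity: 2022-05-31 11:24:47 UTC - 2022-08-29 11:24:46 UTC
DNS Names: *.xxx.com, xxx.com"""

TS = "%Y-%m-%d %H:%M:%S UTC"


def parse_alert(text):
    """Pull the 'Key: value' fields of a CT alert into a dict with parsed dates."""
    fields = dict(re.findall(r"^([\w ]+): (.+)$", text, re.M))
    start, end = fields["Validity"].split(" - ")
    return {
        "logged": datetime.strptime(fields["Log date"], TS),
        "issuer": fields["Issuer"],
        "not_before": datetime.strptime(start, TS),
        "not_after": datetime.strptime(end, TS),
        "names": [n.strip() for n in fields["DNS Names"].split(",")],
    }


def triage(alert, expected_issuers, expected_names):
    """Compare the alert with what the owner expects (allowlists are assumed inputs)."""
    lifetime = alert["not_after"] - alert["not_before"]
    return {
        "issuer_expected": alert["issuer"] in expected_issuers,
        "names_expected": set(alert["names"]) <= set(expected_names),
        "lifetime_days": round(lifetime.total_seconds() / 86400),
        "log_lag_s": (alert["logged"] - alert["not_before"]).total_seconds(),
    }


def served_fingerprint(host, port=443):
    """SHA-256 of the leaf certificate a host really serves (network call, not run here)."""
    pem = ssl.get_server_certificate((host, port))
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def is_known_served_cert(fingerprint, known_fingerprints):
    """True when a CT-logged cert's fingerprint matches one observed on the wire.
    A backup cert is never served, so False here does not by itself mean 'rogue'."""
    norm = lambda f: f.lower().replace(":", "")
    return norm(fingerprint) in {norm(f) for f in known_fingerprints}
```

Run `triage(parse_alert(SAMPLE_ALERT), {...}, [...])` with your own allowlists; an unexpected issuer or a name outside your expected set is the case worth escalating, while a known issuer and names alone do not distinguish a backup cert from a misissued one.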