Revoke and prevent the issuing of certificates

Does it revoke the certificate immediately?
Or will it be valid many months more?

I am using Cloudflare DNS but not CDN, and spotting a cert issued by Cloudflare was very alarming.
How can I be sure it was not presented to my visitors?
I want to revoke the universal certificate immediately.
My domain is btdig.com

As the domain owner I request to revoke the certificate https://crt.sh/?id=3219262129 immediately.

  • I have not authorized issuance of this certificate
  • I do not control its private key
  • this cert cannot authenticate a secure connection to my website, only to a forged one

Hi @btdig,

This community cannot help you with this request. The certificate will only have been issued if you chose to use Cloudflare and verified ownership of the domain by changing the nameservers. We do not have any access to your account and cannot assist you.

To contact Cloudflare Customer Support, login & go to https://dash.cloudflare.com/?account=support and select get more help. If you receive an automatic response that does not help you, please reply and indicate you need more help.

Their ticket system is disabled with "We’re currently experiencing extremely high demand for Free support."

Meanwhile they issued one more certificate https://crt.sh/?id=3907810974 without my consent.
I request to revoke it as well.
It seems like a major security breach.

The ticket system is not disabled, it may just take longer to receive a response. As I said, we can’t help with this here.

Have you got Universal SSL disabled? That should stop the issuing of any further certificates and would have prevented them issuing originally.

It definitely is.

Submitting a support ticket on a free account is not possible.

The most relevant link on https://dash.cloudflare.com/?account=support is "Please visit the Cloudflare Help Center", which does have a “submit the ticket” button, which redirects back to the first page.

Yes, I have got Universal SSL disabled.
Even if it would stop issuing further certificates, the already issued ones are valid till 2022.
And I see this as a security issue.

Have you tried the ‘Get more help’ button? That definitely lets you open a ticket, I just checked on a free account.


And if that doesn’t work, email: support AT cloudflare DOT com and you should get a response with a ticket number that you can post here to get more eyes on the case.


That sounds like you were able to open a ticket. After you purge cache, are you still encountering an issue?


Yes, but it looks like the support engineer never heard about certificate revocation.
You can read the conversation at https://archive.md/WAYuc

Hi there,

Sorry for the inconvenience here, currently we do not have the ability to revoke the free Universal SSL certificates, however, after disabling Universal SSL, the certificates are removed from our edge. If you enable it again, new certificates are issued, since we do not have those old certificates anymore.

However, depending on the issuer you may be able to request their revocation directly with the CA:


DigiCert was indeed the first point I contacted.
They directed me to Cloudflare.

Should I end up writing an article for Hacker News to make people aware about the security problem they might hit just after using a domain on Cloudflare?

Also DigiCert has an automated form at https://problemreport.digicert.com/key-compromise/report
It requires the private key.
But I do not have the private key, only Cloudflare has it.

That makes the whole trust system close to ridiculous.
A lot of actors (Cloudflare, Amazon, …) are able to issue certificates for any domain without the consent of the domain owner, who cannot even revoke them.

How can such actors issue a cert if they can’t demonstrate control over the domain?


I assume that big actors like Cloudflare and Amazon do not have to demonstrate to someone control over the domains to issue certificates.
They have kind of “god mode”: the CA keys on their premises or something like that.

Cloudflare managed to issue https://crt.sh/?id=3219262129 and https://crt.sh/?id=3907810974 for a domain which was not hosted on Cloudflare, and also for the domain which moved away from Cloudflare mentioned in “Is there no way to revoke SSL certs after moving a website away from Cloudflare?”

But this is conspiracy and off-topic; we could go too far from the issue of how a domain owner could revoke such certificates.

I don’t think it’s off topic. Certificate issuance and revocation is done by CAs using CA/Browser Forum’s guidelines.

Cloudflare is not a CA in these cases. btdig is using Cloudflare DNS, so Cloudflare has control over the domain (DNS).

The CA/B Baseline Requirements apply to everybody. Cloudflare demonstrates control by creating a TXT DNS record. The issuance of certificates (even for test purposes, internal use, etc.) by any CA is taken seriously.
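Since any CA that can validate a DNS record may issue for a domain, the practical defence for a domain owner is to watch Certificate Transparency for issuance by CAs they do not use, which is how the certificates in this thread were spotted on crt.sh in the first place. The script below is an added example, not code from this thread or from Cloudflare: it takes records in the JSON shape that crt.sh returns for `https://crt.sh/?q=<domain>&output=json`, collapses the precertificate/certificate pairs crt.sh logs for one issuance, and lists certificates from issuers outside an allowlist, putting the ones still inside their validity window first. The sample records, CA names, serials and CT ids are constructed placeholders, and the allowlist of issuer organisations is an assumption the owner would fill in for their own domain. Note that a CT record proves issuance, not that the certificate was ever served to visitors, and it says nothing about revocation status; checking that requires an OCSP or CRL lookup against the issuing CA, which this example does not do.

```python
"""Triage crt.sh-style Certificate Transparency records for a domain.

Added example (not from the thread): flag certificates issued by CAs the owner
does not use, and show which of those are still valid, so the owner knows
which ones to chase for revocation. Uses only the standard library.
"""
import json
from datetime import datetime

# Constructed sample in the JSON shape crt.sh returns (output=json).
# Issuer names, serials and ids are placeholders, not real log entries.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.test", "name_value": "example.test\nwww.example.test",
     "not_before": "2021-01-10T00:00:00", "not_after": "2021-04-10T00:00:00",
     "serial_number": "0a01"},
    # ids 2 and 3: precertificate and final certificate of one issuance by a
    # CDN-style CA the owner never chose; same issuer and serial, two log entries
    {"id": 2, "issuer_name": "C=US, O=Placeholder CDN CA, CN=Placeholder CA 1",
     "common_name": "shared-sni.example-cdn.test",
     "name_value": "shared-sni.example-cdn.test\n*.example.test\nexample.test",
     "not_before": "2021-02-01T00:00:00", "not_after": "2022-02-01T00:00:00",
     "serial_number": "0b02"},
    {"id": 3, "issuer_name": "C=US, O=Placeholder CDN CA, CN=Placeholder CA 1",
     "common_name": "shared-sni.example-cdn.test",
     "name_value": "shared-sni.example-cdn.test\n*.example.test\nexample.test",
     "not_before": "2021-02-01T00:00:00", "not_after": "2022-02-01T00:00:00",
     "serial_number": "0b02"},
    # id 4: unexpected issuer, but the certificate has already expired
    {"id": 4, "issuer_name": "C=US, O=Placeholder CDN CA, CN=Placeholder CA 1",
     "common_name": "example.test", "name_value": "example.test",
     "not_before": "2019-03-01T00:00:00", "not_after": "2020-03-01T00:00:00",
     "serial_number": "0c03"},
])


def issuer_org(issuer_name):
    """Return the O= attribute of a crt.sh issuer DN string (or the whole DN)."""
    for part in issuer_name.split(","):
        part = part.strip()
        if part.startswith("O="):
            return part[2:]
    return issuer_name


def parse_ct_records(raw_json):
    """Parse crt.sh JSON into records with datetime bounds and a SAN list.

    crt.sh logs a precertificate and the final certificate as separate entries
    that share issuer and serial, so those are collapsed into one record.
    """
    seen = {}
    for entry in json.loads(raw_json):
        key = (entry["issuer_name"], entry["serial_number"])
        if key in seen:
            seen[key]["ct_ids"].append(entry["id"])
            continue
        seen[key] = {
            "ct_ids": [entry["id"]],
            "issuer_org": issuer_org(entry["issuer_name"]),
            "names": entry["name_value"].split("\n"),
            "not_before": datetime.fromisoformat(entry["not_before"]),
            "not_after": datetime.fromisoformat(entry["not_after"]),
        }
    return list(seen.values())


def triage(records, allowed_issuer_orgs, now):
    """Split records by issuer allowlist; unexpected ones by validity at `now`."""
    result = {"expected": [], "unexpected_active": [], "unexpected_expired": []}
    for rec in records:
        if rec["issuer_org"] in allowed_issuer_orgs:
            result["expected"].append(rec)
        elif rec["not_before"] <= now <= rec["not_after"]:
            result["unexpected_active"].append(rec)
        else:
            result["unexpected_expired"].append(rec)
    return result


def triage_json(raw_json, allowed_issuer_orgs, now_iso):
    """Convenience wrapper: crt.sh JSON in, CT id lists per category out."""
    now = datetime.fromisoformat(now_iso)
    t = triage(parse_ct_records(raw_json), allowed_issuer_orgs, now)
    return {cat: [rec["ct_ids"] for rec in recs] for cat, recs in t.items()}


if __name__ == "__main__":
    # Assumed allowlist: the owner only ever requested certificates from Let's Encrypt.
    now = datetime(2021, 6, 1)
    for rec in triage(parse_ct_records(SAMPLE_CT_JSON), {"Let's Encrypt"}, now)["unexpected_active"]:
        print("ACTIVE unexpected cert from %s, valid until %s, CT ids %s, names %s"
              % (rec["issuer_org"], rec["not_after"].date(), rec["ct_ids"], rec["names"]))
```

Run against a live crt.sh query by replacing `SAMPLE_CT_JSON` with the fetched response body; the "unexpected_active" list is the set to raise with the issuing CA (a CA's problem-report channel is for the CA named in the record, which is why the thread's DigiCert form, not Cloudflare, is the right destination for those records).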

Can I download the private keys for the certificates issued for my domain to try the automated revocation tool at https://problemreport.digicert.com/key-compromise/report?

Sad to say…no. I get how irritating this is. You could try to ask Support for them, as I bet it does exist somewhere. But given how Cloudflare only shows you an Origin Cert’s private key, then never again, I bet they’re locked up tight.

This is definitely worth making a Product Request about.

I don’t know about ridiculous. I think of it more like impenetrable. Unlike telling a “trusted” friend a secret, Cloudflare works extremely hard to keep that secret. Breaking trust and/or disclosing secrets is bad for business. Very bad.