Revoke and prevent the issuing of certificates

And if that doesn’t work, email: support AT cloudflare DOT com and you should get a response with a ticket number that you can post here to get more eyes on the case.

1 Like

That sounds like you were able to open a ticket. After you purge cache, are you still encountering an issue?

1 Like

yes, but it looks like the support engineer never heard about certificate revocation
you can read the conversation at https://archive.md/WAYuc

Hi there,

Sorry for the inconvenience here. Currently we do not have the ability to revoke the free Universal SSL certificates; however, after disabling Universal SSL, the certificates are removed from our edge. If you enable it again, new certificates are issued, since we do not have those old certificates anymore.

However, depending on the issuer you may be able to request their revocation directly with the CA:

3 Likes

DigiCert was indeed the first point I contacted.
They directed me to Cloudflare.

Should I end up writing an article for Hacker News to make people aware about the security problem they might hit just after using a domain on Cloudflare?

Also DigiCert has an automated form at https://problemreport.digicert.com/key-compromise/report
It requires the private key.
But I do not have the private key, only Cloudflare has it.

That makes the whole trust system close to ridiculous.
A lot of actors (Cloudflare, Amazon, …) are able to issue certificates for any domain without the consent of the domain owner, who cannot even revoke them.

How can such actors issue a cert if they can’t demonstrate control over the domain?

2 Likes

I assume that big actors like Cloudflare and Amazon do not have to demonstrate control over the domains to someone in order to issue certificates.
They have a kind of “god mode”: the CA keys on their premises or something like that.

Cloudflare managed to issue https://crt.sh/?id=3219262129 and https://crt.sh/?id=3907810974 for a domain which was not hosted on Cloudflare, and also for the domain which moved away from Cloudflare mentioned in “Is there no way to revoke SSL certs after moving a website away from Cloudflare?”

But this is conspiracy talk and off-topic; we could stray too far from the issue of how a domain owner could revoke such certificates.

I don’t think it’s off topic. Certificate issuance and revocation is done by CAs using CA/Browser Forum’s guidelines.

Cloudflare is not a CA in these cases. btdig is using Cloudflare DNS, so Cloudflare has control over the domain (DNS).

The CA/B Baseline Requirements apply to everybody. Cloudflare demonstrates control by creating a TXT DNS record. The issuance of certificates (even for test purposes, internal use, etc.) by any CA is taken seriously.

Can I download the private keys for the certificates issued for my domain to try the automated revocation tool at https://problemreport.digicert.com/key-compromise/report?

Sad to say…no. I get how irritating this is. You could try to ask Support for them, as I bet it does exist somewhere. But given how Cloudflare only shows you an Origin Cert’s private key, then never again, I bet they’re locked up tight.

This is definitely worth making a Product Request about.

I don’t know about ridiculous. I think of it more like impenetrable. Unlike telling a “trusted” friend a secret, Cloudflare works extremely hard to keep that secret. Breaking trust and/or disclosing secrets is bad for business. Very bad.

The problem is the too-long validity of the cert.
If it were 3 months (as on Let’s Encrypt) or shorter, it would be more or less acceptable.
But to trust Cloudflare 1 year after moving away… seems very risky.

Agreed. Even getting it down to 1 year has been a struggle. Let’s Encrypt does it right with 90 days.

https://scotthelme.co.uk/why-we-need-to-do-more-to-reduce-certificate-lifetimes/

I’ll keep searching internally for more information about revoking the Universal SSL certificates, but in case it matters, I’ve never heard of anyone within Cloudflare that has access to the Universal SSL Private keys, I’ve never seen us provide these keys to customers, and neither have I seen any discussion of revocation keys for Universal SSL.

While it doesn’t help with the certificate already provisioned, in the future during the setup process, prior to changing the nameservers at the Registrar, you can already go to SSL > Edge Certificates and disable Universal SSL. So this is an option, if you don’t want them to ever be provisioned.

A big part of this thread seems to be about trust, and that’s right: Cloudflare goes the extra mile to ensure that both our partner Certificate Authorities and our customers trust us. If we lose that trust, we can’t create certificates, and that’s a big problem.

I’ll follow up here if I learn anything new.

3 Likes

The thing with Cloudflare is there is no way to revoke SSL once you leave.

This is an active cert for a domain that has not used Cloudflare since August: https://crt.sh/?id=3013493905&opt=ocsp

It is not acceptable for Cloudflare to have a valid cert for a website with no way of getting it revoked. As Cloudflare is getting itself set as the default DoH provider, it has the power to redirect traffic for my site, which has not used the service in months, and it holds a valid cert for it.

My new L7 filtered set-up with path.net (via a reseller) uses Let’s Encrypt, which I have full power to revoke at any time by just presenting the publicly available PEM and completing the HTTP verification.

Not giving website owners the ability to revoke, and just claiming that it will be pulled from the edge nodes, is not acceptable and should bring into question whether browsers and operating systems should even trust Cloudflare certs.

1 Like
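A defender-side check for the situation described in this thread, added here as an example and not code from the thread, from Cloudflare or from crt.sh: after moving a site away from a provider, pull the domain's Certificate Transparency records (crt.sh's JSON output has the field names used below) and flag every unexpired certificate that was issued by a CA the site no longer uses, or whose lifetime exceeds the 90-day policy discussed earlier in the thread. The records, the issuer allow-list, the fixed "now" and the threshold are constructed assumptions so the script runs offline.

```python
"""Post-migration audit of Certificate Transparency records for a domain.

Added example: reads records in the shape of crt.sh's JSON output and flags
unexpired certificates that violate a simple policy. The sample records,
the issuer allow-list and the 90-day threshold are constructed assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime

# Field names follow crt.sh's JSON output (https://crt.sh/?q=%25.example.com&output=json);
# the records themselves are constructed sample data, not real crt.sh entries.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 101, "serial_number": "0a01", "issuer_name": "C=US, O=Sample CDN Partner CA",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2020-08-01T00:00:00", "not_after": "2021-08-01T00:00:00"},
    # crt.sh lists the precertificate and the final certificate as separate rows
    {"id": 102, "serial_number": "0a01", "issuer_name": "C=US, O=Sample CDN Partner CA",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2020-08-01T00:00:00", "not_after": "2021-08-01T00:00:00"},
    {"id": 103, "serial_number": "0b02", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com",
     "not_before": "2020-12-01T00:00:00", "not_after": "2021-03-01T00:00:00"},
    {"id": 104, "serial_number": "0c03", "issuer_name": "C=US, O=Sample CDN Partner CA",
     "name_value": "example.com",
     "not_before": "2019-08-01T00:00:00", "not_after": "2020-08-01T00:00:00"},
    {"id": 105, "serial_number": "0d04", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com",
     "not_before": "2020-07-01T00:00:00", "not_after": "2021-07-01T00:00:00"},
])

# Assumed policy: the CA(s) the site now uses itself, and the longest acceptable lifetime.
ALLOWED_ISSUERS = ("Let's Encrypt",)
MAX_LIFETIME_DAYS = 90
# Fixed reference time so the audit is reproducible; a real run would use the current UTC time.
NOW = datetime(2021, 1, 15)


@dataclass
class Finding:
    crtsh_id: int
    issuer: str
    names: list[str]
    days_remaining: int
    lifetime_days: int
    reasons: list[str]


def audit_ct_records(json_text: str, now: datetime,
                     allowed_issuers=ALLOWED_ISSUERS,
                     max_lifetime_days: int = MAX_LIFETIME_DAYS) -> list[Finding]:
    """Return one Finding per unexpired certificate that breaks the policy.

    Expired certificates are skipped: they can no longer be used to impersonate
    the site. Unexpired ones are reported when the issuer is not on the allow-list
    (a provider the site has left) or the lifetime is longer than the policy allows.
    """
    findings: list[Finding] = []
    seen: set[tuple[str, str]] = set()
    for rec in json.loads(json_text):
        # Precert and leaf rows share issuer and serial; report each certificate once.
        key = (rec["issuer_name"], rec["serial_number"])
        if key in seen:
            continue
        seen.add(key)
        # crt.sh timestamps are ISO 8601 without a zone designator (UTC in practice).
        not_before = datetime.fromisoformat(rec["not_before"])
        not_after = datetime.fromisoformat(rec["not_after"])
        if not_after <= now:
            continue
        lifetime = (not_after - not_before).days
        reasons = []
        if not any(allowed in rec["issuer_name"] for allowed in allowed_issuers):
            reasons.append("issuer not in allow-list")
        if lifetime > max_lifetime_days:
            reasons.append(f"lifetime {lifetime}d exceeds {max_lifetime_days}d")
        if reasons:
            findings.append(Finding(rec["id"], rec["issuer_name"],
                                    rec["name_value"].split("\n"),
                                    (not_after - now).days, lifetime, reasons))
    return findings


def run_sample() -> list[Finding]:
    """Audit the constructed sample at the fixed reference time."""
    return audit_ct_records(SAMPLE_CRTSH_JSON, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"crt.sh id {f.crtsh_id}: {', '.join(f.names)} from {f.issuer!r}, "
              f"{f.days_remaining} days left, lifetime {f.lifetime_days}d: {'; '.join(f.reasons)}")
```

On the sample data this reports the partner-CA certificate (id 101, still valid for 198 days with a one-year lifetime) and the long-lived Let's Encrypt certificate (id 105), and stays silent on the 90-day one and on the expired partner-CA certificate. Re-running such an audit periodically after a migration shows exactly which certificates a former provider can still present for the domain, which is the information a revocation request to the CA would need.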

So, the summary is: unlike all other SSL certificates, those issued by Cloudflare during the onboarding process are not revocable because there is a Catch-22: DigiCert requires a private key to do the revocation (assuming the domain owner has it), which Cloudflare prefers to “keep safe” from its users.

When Cloudflare kicks a website (who will be next after DailyStormer? likely Gab), it is able to man-in-the-middle SSL traffic for many months after the divorce.

If after the divorce Cloudflare still has the private keys, that means that the keys are compromised: Cloudflare becomes an unauthorized (and likely malignant, in case of a forceful divorce) party which has the private keys. It is a serious security issue.


Okay, so after discussing this with the SSL team: the team is aware that customers want this feature, and there are discussions about this topic, but at this time their position is that we do not revoke certificates unless our team has determined the private key was compromised.

Regarding the certificate duration, we recently released the Advanced Certificate Manager, which has the ability to customize the duration:

Advanced Certificate Manager · Cloudflare SSL docs

2 Likes