Does it revoke the certificate immediately?
Or will it be valid many months more?
I am using Cloudflare DNS but not the CDN, and spotting a cert issued by Cloudflare was very alarming.
How can I be sure it was not presented to my visitors?
I want to revoke the universal certificate immediately.
My domain is btdig.com
==== answer to “solved” section below ====
If after the divorce Cloudflare still has private keys, that means that the keys are compromised: Cloudflare becomes an unauthorized (and likely malignant, in case of forceful divorce) party which has the private keys. It is not a feature request, it is a serious security issue.
This community cannot help you with this request. The certificate will only have been issued if you chose to use Cloudflare and verified ownership of the domain by changing the nameservers. We do not have any access to your account and cannot assist you.
To contact Cloudflare Customer Support, login & go to https://dash.cloudflare.com/?account=support and select get more help. If you receive an automatic response that does not help you, please reply and indicate you need more help.
Sorry for the inconvenience here. Currently we do not have the ability to revoke the free Universal SSL certificates; however, after disabling Universal SSL, the certificates are removed from our edge. If you enable it again, new certificates are issued, since we do not have those old certificates anymore.
However, depending on the issuer you may be able to request their revocation directly with the CA:
That makes the whole trust system close to ridiculous.
A lot of actors (Cloudflare, Amazon, …) are able to issue certificates for any domain without the consent of the domain owner, who cannot even revoke them.
I assume that big actors like Cloudflare and Amazon do not have to demonstrate to someone control over the domains to issue certificates.
They have kind of “god mode”: the CA keys on their premises or something like that.
The CA/B Baseline Requirements apply to everybody. Cloudflare demonstrates control by creating a TXT DNS record. The issuance of certificates (even for test purposes, internal use, etc.) by any CA is taken seriously.
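The TXT-record validation mentioned in the reply above, as an added example that is not part of this thread and not Cloudflare's or any CA's code. It assumes the ACME dns-01 challenge (RFC 8555 section 8.4), in which the CA expects `_acme-challenge.<domain>` to hold base64url(SHA-256(token "." account-key-thumbprint)); whoever is authoritative for the zone (for a domain on Cloudflare DNS, that is Cloudflare) can write that record and pass the check. The account key, token and in-memory zone are constructed values, and the DNS lookup is modelled by a dict rather than a real resolver.

```python
import base64
import hashlib
import json

# Constructed ACME account key (public JWK) and challenge token: example values
# only, not a real account or a real challenge.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required public
    members only (sorted keys, no whitespace). Optional members such as "kid" or
    "use" must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """What the CA looks for in the TXT record: base64url(SHA-256(key authorization)),
    where the key authorization is token "." thumbprint."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(domain: str) -> str:
    """Fully qualified owner name of the challenge record."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def publish_challenge(zone: dict, domain: str, token: str, jwk: dict) -> str:
    """DNS-provider side: write the TXT record into the zone it is authoritative for.
    Returns the published value so the caller can see what the CA will compare against."""
    value = dns01_txt_value(token, jwk_thumbprint(jwk))
    zone.setdefault(challenge_name(domain), []).append(value)
    return value


def validate_dns01(zone: dict, domain: str, token: str, jwk: dict) -> bool:
    """CA side: fetch the TXT RRset for the challenge name and accept only if one
    record matches the expected value exactly (RRsets may contain unrelated records)."""
    expected = dns01_txt_value(token, jwk_thumbprint(jwk))
    return expected in zone.get(challenge_name(domain), [])


if __name__ == "__main__":
    zone = {}  # constructed in-memory stand-in for the authoritative zone
    print("before publish:", validate_dns01(zone, "example.com", TOKEN, ACCOUNT_JWK))
    print("TXT value:     ", publish_challenge(zone, "example.com", TOKEN, ACCOUNT_JWK))
    print("after publish: ", validate_dns01(zone, "example.com", TOKEN, ACCOUNT_JWK))
```

The record is bound to one account key and one token, so a stale or copied record satisfies nothing, and it only has to exist during the validation window; looking for `_acme-challenge` TXT records after the fact therefore proves nothing about what was issued. The durable record of issuance is the certificate itself (for example in Certificate Transparency logs), which is also why a "was it ever presented to my visitors" question cannot be answered from DNS alone.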
Sad to say…no. I get how irritating this is. You could try to ask Support for them, as I bet it does exist somewhere. But given how Cloudflare only shows you an Origin Cert’s private key, then never again, I bet they’re locked up tight.
This is definitely worth making a Product Request about
I don’t know about ridiculous. I think of it more like impenetrable. Unlike telling a “trusted” friend a secret, Cloudflare works extremely hard to keep that secret. Breaking trust and/or disclosing secrets is bad for business. Very bad.