Revoke and prevent the issuing of certificates

The problem is the overly long validity of the cert.
Whether it be 3 months (as on Let’s Encrypt) or shorter, it would be more or less acceptable.
But to trust Cloudflare 1 year after moving away… seems very risky.

Agreed. Even getting it down to 1 year has been a struggle. Let’s Encrypt does it right with 90 days.

https://scotthelme.co.uk/why-we-need-to-do-more-to-reduce-certificate-lifetimes/

I’ll keep searching internally for more information about revoking the Universal SSL certificates, but in case it matters, I’ve never heard of anyone within Cloudflare that has access to the Universal SSL Private keys, I’ve never seen us provide these keys to customers, and neither have I seen any discussion of revocation keys for Universal SSL.

While it doesn’t solve the certificate already provisioned, in the future during the setup process, prior to changing the nameservers at the Registrar, you can already go to SSL > Edge Certificates and disable Universal SSL. So this is an option, if you don’t want them to ever be provisioned.

A big part of this thread seems to be about trust, and that’s right, Cloudflare goes the extra mile to ensure that both our partner Certificate Authorities and our customers trust us. If we lose that trust, we can’t create certificates, and that’s a big problem.

I’ll follow up here if I learn anything new.

3 Likes

The thing with Cloudflare is there is no way to revoke SSL once you leave.

This is an active cert for a domain that has not used Cloudflare since August: https://crt.sh/?id=3013493905&opt=ocsp

It is not acceptable for Cloudflare to have a valid cert to a website with no way of getting it revoked. As Cloudflare is getting themselves set as the default DOH provider, they have the power to redirect my site’s traffic which has not used the service in months and have a valid cert for it.

My new L7 filtered set-up with path.net (via a reseller) uses Let’s Encrypt, which I have full power to revoke at any time by just presenting the publicly available PEM and completing the HTTP verification.

Not giving website owners revoking ability and just claiming that it will be pulled from the edge nodes is not acceptable and should bring into question whether browsers and operating systems should even trust Cloudflare certs.

1 Like
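
Added example, not part of any post in this thread: a small audit that takes Certificate Transparency records in the JSON shape crt.sh returns and lists the certificates for a domain that are still inside their validity window, optionally limited to one issuer such as a former provider's CA. The sample records, domain and issuer names are constructed, and reading the timestamps as UTC is an assumption.

```python
from datetime import datetime, timezone

# Constructed records in the shape of crt.sh JSON output (?q=<domain>&output=json).
# Domain, issuer names, ids and serials are invented for illustration.
_EDGE = "C=US, O=Example Edge Inc, CN=Example Edge ECC CA-1"
SAMPLE = [
    {"id": 1001, "issuer_name": _EDGE, "serial_number": "0a01",
     "name_value": "example.test\n*.example.test",
     "not_before": "2020-06-10T00:00:00", "not_after": "2021-06-10T12:00:00"},
    # Same serial again: CT logs hold both the precertificate and the leaf.
    {"id": 1002, "issuer_name": _EDGE, "serial_number": "0a01",
     "name_value": "example.test\n*.example.test",
     "not_before": "2020-06-10T00:00:00", "not_after": "2021-06-10T12:00:00"},
    {"id": 1003, "issuer_name": _EDGE, "serial_number": "0a02",
     "name_value": "example.test",
     "not_before": "2019-05-01T00:00:00", "not_after": "2020-05-01T12:00:00"},
    {"id": 1004, "issuer_name": "C=US, O=Example ACME CA, CN=E1",
     "serial_number": "0b01", "name_value": "example.test",
     "not_before": "2020-10-17T00:00:00", "not_after": "2021-01-15T00:00:00"},
]

def _utc(ts):
    # Assumption: the timestamps carry no zone suffix and are read as UTC.
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)

def still_valid(entries, now, issuer_substring=None):
    """Return unexpired certificates, one row per (issuer, serial)."""
    seen, rows = set(), []
    for e in entries:
        key = (e["issuer_name"], e["serial_number"])
        if key in seen:          # precertificate/leaf duplicate
            continue
        seen.add(key)
        not_after = _utc(e["not_after"])
        if not (_utc(e["not_before"]) <= now < not_after):
            continue
        if issuer_substring and issuer_substring.lower() not in e["issuer_name"].lower():
            continue
        rows.append({"serial": e["serial_number"], "issuer": e["issuer_name"],
                     "names": e["name_value"].split("\n"),
                     "days_left": (not_after - now).days})
    # Longest remaining exposure first. CT data says nothing about revocation:
    # a row here means "not expired", so check OCSP/CRL status separately.
    return sorted(rows, key=lambda r: r["days_left"], reverse=True)

if __name__ == "__main__":
    for row in still_valid(SAMPLE, datetime.now(timezone.utc)):
        print(row)
```
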

So, the summary is: unlike all the other SSL certificates, those issued by Cloudflare during the onboarding process are not revocable because there is a Catch-22: DigiCert requires a private key to do the revocation (assuming the domain owner has it), which Cloudflare prefers to “keep safe” from its users.

When Cloudflare kicks a website (what will be next after DailyStormer? Likely Gab) it is able to do man-in-the-middle on SSL traffic for many months after the divorce.

Okay so after discussing this with the SSL team, the team is aware that customers want this feature, and there are discussions about this topic, and at this time their position is that we do not revoke certificates unless our team has determined the private key was compromised.

Regarding the certificate duration, we recently released the Advanced Certificate Manager, which has the ability to customize the duration:

Advanced Certificate Manager · Cloudflare SSL docs

1 Like