Tracking Universal SSL issuance

What is the name of the domain?

example.com

What is the issue you’re encountering?

Is there a reliable way to determine whether the certificates being issued in the Certificate Transparency Notifications are because of Cloudflare making Universal SSL certificates/backups versus malicious actors?

What steps have you taken to resolve the issue?

I can compare the validity period in the notice to those in the Dashboard under Domain > SSL/TLS > Edge Certificates for a guess, but there doesn’t appear to be a way to definitively say “yes, this one was just Cloudflare, so don’t worry about it.”

What is the current SSL/TLS setting?

Full

Most certificate alerts are routine. Cloudflare sends alerts whenever a certificate for your domain appears in a log. Certificates expire (and must be reissued), so it is completely normal to receive issuance emails. If your domain is listed in the email, along with reasonable ownership and certificate information, then no action is required.

This means you get these notifications, even if you are not directly affected or if there is no security risk at all. We do not manage Certificate Transparency, but instead, we just send out the emails.

You can find some more details about Certificate Transparency here: Certificate Transparency Monitoring · Cloudflare SSL/TLS docs

You should take action when something is clearly wrong, such as if you:

  • Do not recognize the certificate issuer.
  • Have recently noticed problems with your website.

Put another way, if I get an issuance notice from Google Trust Services (an issuer Cloudflare uses) but the expiration dates don’t match those under Edge Certificates, then I shouldn’t worry about anything breaking if I report them to Google? If we didn’t request them, and neither did you, then they are presumably malicious because somebody is planning to use them for something. Waiting until there are reports of problems runs counter to utilizing proactive monitoring.
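
The comparison discussed in this thread (issuer and validity period in the notice against what is listed under Edge Certificates) can be scripted. The following is an added example, not part of the original posts and not Cloudflare code; the record layout, field names and all sample values are constructed assumptions, and a match is still the same heuristic the thread describes, not proof of who requested the certificate.

```python
from datetime import datetime, timezone

def ts(text):
    """Parse a 'YYYY-MM-DD HH:MM:SS' UTC timestamp into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

# Constructed inventory, copied by hand from the Edge Certificates list
# (hypothetical layout: one dict per active or backup certificate).
EDGE_CERTS = [
    {"issuer": "Google Trust Services", "hosts": {"example.com", "*.example.com"},
     "not_before": ts("2024-05-01 10:00:00"), "not_after": ts("2024-07-30 09:59:59")},
    {"issuer": "Google Trust Services", "hosts": {"example.com", "*.example.com"},
     "not_before": ts("2024-05-01 10:05:00"), "not_after": ts("2024-07-30 10:04:59")},
]

# Constructed notices, as transcribed from Certificate Transparency alert emails.
NOTICES = [
    {"id": "n1", "issuer": "Google Trust Services", "hosts": {"example.com", "*.example.com"},
     "not_before": ts("2024-05-01 10:00:00"), "not_after": ts("2024-07-30 09:59:59")},
    {"id": "n2", "issuer": "Google Trust Services", "hosts": {"example.com"},
     "not_before": ts("2024-05-09 03:12:00"), "not_after": ts("2024-08-07 03:11:59")},
    {"id": "n3", "issuer": "Unrecognized Example CA", "hosts": {"example.com"},
     "not_before": ts("2024-05-10 00:00:00"), "not_after": ts("2025-05-10 00:00:00")},
]

def classify(notice, inventory):
    """Return one of three triage labels for a single notice."""
    if notice["issuer"] not in {c["issuer"] for c in inventory}:
        return "unknown-issuer"            # the "do not recognize the issuer" case
    for cert in inventory:
        if (cert["issuer"] == notice["issuer"]
                and cert["not_before"] == notice["not_before"]
                and cert["not_after"] == notice["not_after"]
                and notice["hosts"] <= cert["hosts"]):
            return "matches-edge-certificate"
    # Known issuer, but no listed certificate has this validity window:
    # the situation raised in the follow-up post above.
    return "known-issuer-no-match"

def triage(notices, inventory):
    """Classify every notice and return (id, label) pairs in input order."""
    return [(n["id"], classify(n, inventory)) for n in notices]

if __name__ == "__main__":
    for notice_id, label in triage(NOTICES, EDGE_CERTS):
        print(notice_id, label)
```
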
