Universal SSL

Last week, our Universal Certificate was deleted - more specifically “zone_set_universal_ssl_certificate_authority”. This was attributed to the “user” actor, however, the metadata state was blank “{}”. The next series of log entries indicate that another certificate was created, ordered, then deployed. Unfortunately, this adversely impacted our app, as it uses certificate pinning and pulls data from the domain. Regardless, I have a few questions:

Is this the method that Cloudflare uses to renew their Universal Certificates?
Does anyone know if Cloudflare keeps records of the CSRs & Keys and if so, how would one go about obtaining these?

Many thanks for any input.
Dave

As I look through my audit log, I see an Order, then five seconds later a Delete and then an immediate Deployed. And that’s it. No other related audit log entries for that zone. I don’t see zone_set_universal_ssl_certificate_authority anywhere.

I doubt they’ll give you a CSR or private key. I can only suggest that if it’s a critical failure point, then it would be worth the $5 per month to get a Dedicated SSL certificate. I’d expect those to be more predictable, though it’s been a while since I’ve used one.

You’re welcome to ask Support and get a more official answer:
Log in to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button.

Cloudflare doesn’t provide either for certificates it manages. If you want control/predictability you should upload your own certificate. Cloudflare could upgrade/renew a cert it manages at any point.

Thanks for the feedback. We will purchase our own dedicated SSL and manage the CSR & Keys moving forward.

Dave
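
The effect discussed in this thread, as an added example that is not from any of the posters or from Cloudflare: a pin on the whole certificate breaks on every reissue, while a pin on the public key (SPKI) survives a renewal only when the same key is reused, which requires holding the key yourself. Assumptions: the thread does not say which pin type the app uses, `example.test` is a placeholder name, and throwaway self-signed certificates stand in for CA-issued ones.

```bash
#!/usr/bin/env bash
# Added example: all keys and certificates below are constructed throwaway material.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Pin over the whole DER certificate: changes on every reissue.
cert_pin() {
  openssl x509 -in "$1" -outform der | openssl dgst -sha256 -binary | openssl enc -base64
}

# Pin over the SubjectPublicKeyInfo: changes only when the key pair changes.
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary | openssl enc -base64
}

# new_key KEYFILE: generate a P-256 private key.
new_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }

# issue KEYFILE CERTFILE: self-signed stand-in for a CA-issued certificate.
issue() {
  openssl req -x509 -new -key "$1" -out "$2" -subj "/CN=example.test" -days 30 2>/dev/null
}

# verdict PINNED_CERT SERVED_CERT: report which pin types still match.
verdict() {
  c="broken"; s="broken"
  if [ "$(cert_pin "$1")" = "$(cert_pin "$2")" ]; then c="ok"; fi
  if [ "$(spki_pin "$1")" = "$(spki_pin "$2")" ]; then s="ok"; fi
  echo "cert-pin=$c spki-pin=$s"
}

new_key "$WORK/own.key"
issue "$WORK/own.key" "$WORK/cert1.pem"       # certificate the app was pinned to
issue "$WORK/own.key" "$WORK/cert2.pem"       # renewal from the same key (you hold it)
new_key "$WORK/rotated.key"
issue "$WORK/rotated.key" "$WORK/cert3.pem"   # reissue with a key you do not control

echo "renewal, same key: $(verdict "$WORK/cert1.pem" "$WORK/cert2.pem")"
echo "reissue, new key:  $(verdict "$WORK/cert1.pem" "$WORK/cert3.pem")"
```
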