Who is my issuer for my custom certificate?

I’m managing an installation left insufficiently documented by the previous administrator. I see under Edge Certificates we have a custom cert set to legacy. I presume this was set up to accommodate clients with ancient browsers not supporting SNI. I see this custom cert was issued by Sectigo. I have no record of an account of ours with Sectigo.

I see from this page that Cloudflare issues certs from Sectigo, so I’m trying to determine whether it’s possible that this cert was actually issued from Cloudflare rather than Sectigo directly?

Basically, I’m trying to determine who I need to contact when it’s time to renew, and I want to make sure it’s not Cloudflare before I go through the trouble of trying to recover the (apparently) lost account with Sectigo.

[UPDATE] Please refer to the next post by Michael.

That is not the case. I have to set the legacy bundle method when uploading my custom certificates.

It might be through one of a large number of resellers. I get my Sectigo certs from ssls.com, who are 90% cheaper than Sectigo direct.

There are a few things to consider here before you do anything. The main one is why a Custom cert was used in the first place. It might have been to enable cert pinning somewhere, to support multi-level hostnames not covered by the Universal cert, for the SNI-less capability, or just for vanity!

If it is pinning, then you need to investigate that more before touching the cert in CF, as you can do some real damage if you don’t plan correctly. If it is multi-level hostnames, probably easiest to switch to Cloudflare ACM. If it was for SNI free clients, probably best to send them a fax telling them to upgrade to something less than 10 years old, and vanity is irrelevant.

Pinning is the worst case scenario, and you would need to have the original key to be sure that can be maintained. I don’t know if CF can even extract the keys to give you. I would not be surprised if they couldn’t extract them.
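The pinning concern raised in the reply above, as an added example that is not part of the original thread: it assumes clients pin the SHA-256 of the certificate's public key (SPKI), one common form of pinning, and shows that a renewal only keeps that pin if it reuses the original key. The file names, the hostname `www.example.test` and the sample certificates are constructed for the demo.

```sh
#!/bin/sh
# Added example: compare SPKI pins across a certificate renewal.
# All file names and the hostname below are constructed for the demo.

# SPKI pin = base64(SHA-256(DER-encoded public key)) of a PEM certificate.
spki_pin() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -binary |
        openssl base64
}

# Succeeds only if both certificates carry the same public key.
pin_survives() {
    [ "$(spki_pin "$1")" = "$(spki_pin "$2")" ]
}

# Build constructed sample certs in directory $1: the "current" cert, a
# renewal that reuses its key, and a renewal issued for a fresh key.
make_samples() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/old.key" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/new.key" 2>/dev/null
    for spec in current:old:30 renewed_same_key:old:365 renewed_new_key:new:365; do
        name=${spec%%:*}; rest=${spec#*:}
        openssl req -x509 -new -key "$1/${rest%%:*}.key" -days "${rest#*:}" \
            -subj "/CN=www.example.test" -out "$1/$name.pem" 2>/dev/null
    done
}

demo() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    echo "current pin: $(spki_pin "$dir/current.pem")"
    for candidate in renewed_same_key renewed_new_key; do
        if pin_survives "$dir/current.pem" "$dir/$candidate.pem"; then
            echo "$candidate: pin unchanged, pinned clients keep working"
        else
            echo "$candidate: pin CHANGED, pinned clients would reject it"
        fi
    done
    rm -rf "$dir"
}

demo
```

`spki_pin` needs only the public certificate, so the pin of the certificate currently being served can be recorded and compared against a replacement even when the private key is not at hand.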
