We have a mobile application that uses SSL/TLS certificate security while communicating with the APIs. The certificate has been stored as a static file inside the mobile application build, and because of this, every time the certificate expires we have to roll out a new application version with an updated certificate file.
Now we have decided to use the public key inside the certificate file for https://ticket-generator.com/. So we wanted to know how the Cloudflare certificate renewal works. Will the public key change on renewing a certificate?
Our website's (ticket-generator.com) SSL/TLS encryption mode is Full.
As far as I’ve observed, public keys will change with each renewal. Universal SSL makes no guarantees to you as to which CA will be used to issue your certificate and that can change at any time, even before the expiry date.
Something like mTLS works better for authenticating clients that talk to your API. https://developers.cloudflare.com/api-shield/security/mtls/
Thanks for the reply.
So Universal SSL makes no guarantee, but what about the dedicated certificate?
Using your own Certificate Signing Request (which is where the public key is pulled from) with Advanced Certificate Manager is only available to Enterprise customers - https://developers.cloudflare.com/ssl/edge-certificates/additional-options/certificate-signing-requests/
There’s Custom Certificates, which is available to Business or Enterprise customers, but that means you’re managing all of your certificates yourself and purely providing them to Cloudflare to serve. https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/
Those are the only two methods for you to get your own CSR, and therefore a ‘static’ public key, into a certificate presented by Cloudflare.
I’d advise going down the route of making sure you have DNSSEC & CAA records, which will help prevent issuance of certificates by anyone but yourself and Cloudflare, as well as seeing if mTLS meets your use case.
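To make the difference between the two pinning strategies concrete (the certificate-file pinning the asker is doing today, versus pinning the public key as discussed above and in the earlier reply about keys changing on renewal), here is an added example that is not part of this thread and not Cloudflare's code. It uses only the openssl CLI, generates three self-signed certificates locally under a made-up hostname (`ticket-generator.example`, a placeholder), and compares their SHA-256 certificate fingerprints with their SPKI pins (SHA-256 over the DER SubjectPublicKeyInfo, the format OkHttp's CertificatePinner and Android's network_security_config use). Certificate v2 is a renewal that reuses the original key (what you get with your own CSR under Advanced Certificate Manager, or a Custom Certificate you issue yourself); v3 is a renewal with a freshly generated key (what Universal SSL may do at any renewal):

```shell
#!/usr/bin/env bash
# Added example (not from the thread): cert-file pinning vs SPKI pinning across
# renewals, demonstrated with locally generated self-signed certificates.
# ticket-generator.example is a placeholder CN, not a real host.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# spki_pin <cert.pem>: base64(SHA-256(DER SubjectPublicKeyInfo)).
# Depends only on the public key, not on serial, dates, issuer or signature.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# cert_fingerprint <cert.pem>: SHA-256 over the whole DER certificate, which is
# effectively what shipping the .pem/.cer file inside the app build pins.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# issue_cert <key.pem> <out.pem>: self-signed leaf for the placeholder host.
# openssl req -x509 picks a fresh random serial each time, as a CA would.
issue_cert() {
    openssl req -x509 -new -key "$1" -out "$2" -days 90 \
      -subj "/CN=ticket-generator.example" 2>/dev/null
}

# run_demo: builds key1 (kept across a renewal) and key2 (regenerated key),
# issues three certificates and exports FP1..FP3 / PIN1..PIN3 for inspection.
run_demo() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$WORK/key1.pem" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$WORK/key2.pem" 2>/dev/null

    issue_cert "$WORK/key1.pem" "$WORK/cert_v1.pem"   # original certificate
    issue_cert "$WORK/key1.pem" "$WORK/cert_v2.pem"   # renewal, same key (own CSR / custom cert)
    issue_cert "$WORK/key2.pem" "$WORK/cert_v3.pem"   # renewal, new key (Universal SSL may do this)

    FP1=$(cert_fingerprint "$WORK/cert_v1.pem")
    FP2=$(cert_fingerprint "$WORK/cert_v2.pem")
    FP3=$(cert_fingerprint "$WORK/cert_v3.pem")
    PIN1=$(spki_pin "$WORK/cert_v1.pem")
    PIN2=$(spki_pin "$WORK/cert_v2.pem")
    PIN3=$(spki_pin "$WORK/cert_v3.pem")

    printf 'cert_v1  fingerprint=%s  spki=%s\n' "$FP1" "$PIN1"
    printf 'cert_v2  fingerprint=%s  spki=%s\n' "$FP2" "$PIN2"
    printf 'cert_v3  fingerprint=%s  spki=%s\n' "$FP3" "$PIN3"

    if [ "$FP1" != "$FP2" ]; then
        echo "cert file pin: breaks on every renewal, even with the same key"
    fi
    if [ "$PIN1" = "$PIN2" ]; then
        echo "SPKI pin: survives a renewal that reuses the key"
    fi
    if [ "$PIN1" != "$PIN3" ]; then
        echo "SPKI pin: breaks when the renewal generates a new key"
    fi
}

run_demo
```

Whatever pin format the app uses, the practical consequence is the same: SPKI pinning only removes the forced app release if the key behind the edge certificate is under your control (your own CSR or a custom certificate); with Universal SSL the key, and therefore the pin, can change at any renewal, so ship at least one backup pin for a key you hold and have a way to rotate pins without a store release.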
OK, thanks a lot @KianNH.
Will try research more about mTLS and other things.