Cloudflare CA deprecated?

We've got multiple domains under different plans (one partial enterprise, most business, the rest free) that are proxied. Many/most of our domains were looking like CN=sni.cloudflaressl.com, CA=Cloudflare Inc - but nowadays we're getting a lot of Google and Let's Encrypt issuances with hostnames as CN. Are the:
Issuer: CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
Issuer: CN=Cloudflare Inc RSA CA-2,O=Cloudflare\, Inc.,C=US
Issuer: CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US
Issuer: CN=Cloudflare Inc RSA CA-2,O=Cloudflare\, Inc.,C=US
CAs being deprecated? If they're sticking around, we're missing an injected CAA record for it, should we have something?
15 Replies
Hello, I’m Allie!
Yeah, they are slowly removing them. Those certs were signed by DigiCert, and afaik Cloudflare is slowly moving toward Google and LE only
lee
leeOP11mo ago
(with Comodo as backup) thanks, got it! Should we continue to expect future issuances from that CA or once all our domains have transitioned it's safe to modify our monitoring to test against CN=domain?
Hello, I’m Allie!
Ther may still be some products issuing certs from DigiCert, I’m not sure
Erisa
Erisa11mo ago
DigiCert update · Cloudflare SSL/TLS docs
In the latter half of 2023, Cloudflare will begin deprecating DigiCert as a Certificate Authority available for a variety of certificates:
lee
leeOP11mo ago
I'm a bit confused, is the CN=Cloudflare issuer part of the DigiCert depreication as well?
Chaika
Chaika11mo ago
Digicert was the root of those certs it was just Cloudflare's intermediary
Chaika
Chaika11mo ago
No description
Chaika
Chaika11mo ago
anywhere you see Digicert mentioned in CF it's that
Chaika
Chaika11mo ago
Certificate authorities · Cloudflare SSL/TLS docs
For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for …
lee
leeOP11mo ago
Thanks, yeah I guess to clarify my question: Will Cloudflare continue to maintain their own intermediary (getting signed by someone else or becoming their own root and going through the process of becoming part of the root store for various OSes and browsers)? Or Cloudflare will no longer do any certificate authority management in house (other than Origin CA) and instead 100% rely on other CAs for issuances?
Chaika
Chaika11mo ago
Will Cloudflare continue to maintain their own intermediary (getting signed by someone else or becoming their own root and going through the process of becoming part of the root store for various OSes and browsers)?
At the moment at least it seems not. I kinda doubt they would try their own root, Let's Encrypt and GTS both are cross-signed to provide support for older android phones, would take a while to be trusted by most devices. Green names/champs aren't CF Employees though, so of course we don't know for sure, but none of the current ones are like that and they've opted to not renew the digicert one
lee
leeOP10mo ago
Thanks! Yeah I’m hoping to get some clarity here, because “we are deprecating DigiCert” doesn’t also necessarily mean “we are deprecating our Cloudflare intermediaries which are signed by DigiCert”
Erisa
Erisa10mo ago
That is what it means though
lee
leeOP10mo ago
Thank you! Appreciate the double check as the language wasn't clear 🙂
Erisa
Erisa10mo ago
No worries
Want results from more Discord servers?
Add your server