
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Wed, 08 Apr 2026 09:14:41 GMT</lastBuildDate>
        <item>
            <title><![CDATA[How Cloudflare is helping domain owners with the upcoming Entrust CA distrust by Chrome and Mozilla]]></title>
            <link>https://blog.cloudflare.com/how-cloudflare-is-helping-domain-owners-with-the-upcoming-entrust-ca/</link>
            <pubDate>Thu, 19 Sep 2024 14:00:00 GMT</pubDate>
            <description><![CDATA[ Chrome and Mozilla will stop trusting Entrust’s public TLS certificates issued after November 2024 due to concerns about Entrust’s compliance with security standards. In response, Entrust is partnering with SSL.com to continue providing trusted certificates. Cloudflare will support SSL.com as a CA, simplifying certificate management for customers using Entrust by automating issuance and renewals. ]]></description>
            <content:encoded><![CDATA[ <p><a href="https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html"><u>Chrome</u></a> and <a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/jCvkhBjg9Yw?pli=1"><u>Mozilla</u></a> announced that they will stop trusting Entrust’s public TLS certificates issued after November 12, 2024 and December 1, 2024, respectively. This decision stems from <a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/LhTIUMFGHNw/m/uKzergzqAAAJ"><u>concerns</u></a> related to Entrust’s ability to meet the CA/Browser Forum’s requirements for a publicly trusted certificate authority (CA). To prevent Entrust customers from being impacted by this change, Entrust has announced that they are partnering with <a href="http://ssl.com"><u>SSL.com</u></a>, a publicly trusted CA, and will be issuing certs from SSL.com’s roots to ensure that they can continue to provide their customers with certificates that are trusted by Chrome and Mozilla. </p><p>We’re excited to announce that we’re going to be adding SSL.com as a certificate authority that Cloudflare customers can use. This means that Cloudflare customers that are currently relying on Entrust as a CA and uploading their certificate manually to Cloudflare will now be able to rely on Cloudflare’s certificate management pipeline for automatic issuance and renewal of SSL.com certificates. </p>
    <div>
      <h2>CA distrust: responsibilities, repercussions, and responses</h2>
    </div>
    <p><b>With great power comes great responsibility
</b>Every publicly trusted certificate authority (CA) is responsible for maintaining a high standard of security and compliance to ensure that the certificates they issue are trustworthy. The security of millions of websites and applications relies on a CA’s commitment to these standards, which are set by the <a href="https://cabforum.org/"><u>CA/Browser Forum</u></a>, the governing body that defines the baseline requirements for certificate authorities. <a href="https://cabforum.org/working-groups/server/baseline-requirements/documents/CA-Browser-Forum-TLS-BR-2.0.6.pdf"><u>These standards</u></a> include rules regarding certificate issuance, validation, and revocation, all designed to secure the data transferred over the Internet. </p><p>However, as with all complex software systems, it’s inevitable that bugs or issues may arise, leading to the mis-issuance of certificates. Improperly issued certificates pose a significant risk to Internet security, as they can be exploited by malicious actors to impersonate legitimate websites and intercept sensitive data. </p><p>To mitigate such risk, publicly trusted CAs are required to communicate issues as soon as they are discovered, so that domain owners can replace the compromised certificates immediately. Once the issue is communicated, CAs must revoke the mis-issued certificates within 5 days to signal to browsers and clients that the compromised certificate should no longer be trusted. This level of transparency and urgency around the revocation process is essential for minimizing the risk posed by compromised certificates. </p><p><b>Why Chrome and Mozilla are distrusting Entrust
</b>The decision made by Chrome and Mozilla to distrust Entrust’s public TLS certificates stems from concerns regarding Entrust’s incident response and remediation process. In <a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/LhTIUMFGHNw/m/uKzergzqAAAJ"><u>several instances</u></a>, Entrust failed to report critical issues and did not revoke certificates in a timely manner. The pattern of delayed action has eroded the browsers’ confidence in Entrust’s ability to act quickly and transparently, which is crucial for maintaining trust as a CA. </p><p>Google and Mozilla cited the ongoing lack of transparency and urgency in addressing mis-issuances as the primary reason for their distrust decision. Google specifically <a href="https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html"><u>pointed out</u></a> that over the past 6 years, Entrust has shown a "pattern of compliance failures" and failed to make the "tangible, measurable progress" necessary to restore trust. Mozilla <a href="https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/jCvkhBjg9Yw?pli=1"><u>echoed</u></a> these concerns, emphasizing the importance of holding Entrust accountable to ensure the integrity and security of the public Internet. </p><p><b>Entrust’s response to the distrust announcement 
</b>In response to the distrust announcement from Chrome and Mozilla, Entrust has taken proactive steps to ensure continuity for their customers. To prevent service disruption, Entrust has <a href="https://www.entrust.com/blog/2024/07/announcing-our-new-tls-solution-offering/"><u>announced</u></a> that they are partnering with SSL.com, a CA that’s trusted by all major browsers, including Chrome and Mozilla, to issue certificates for their customers. By issuing certificates from SSL.com’s roots, Entrust aims to provide a seamless transition for their customers, ensuring that they can continue to obtain certificates that are recognized and trusted by the browsers their users rely on. </p><p>In addition to their partnership with SSL.com, Entrust <a href="https://www.entrust.com/blog/2024/07/thoughts-on-the-google-chrome-announcement-and-our-commitment-to-the-public-tls-certificate-business/"><u>stated</u></a> that they are working on a number of <a href="https://www.entrust.com/blog/2024/07/restoring-trust-an-update-on-our-progress/"><u>improvements</u></a>, including changes to their organizational structure, revisions to their incident response process and policies, and a push towards automation to ensure compliant certificate issuances. </p>
    <div>
      <h2>How Cloudflare can help Entrust customers </h2>
    </div>
    <p><b>Now available: SSL.com as a certificate authority for Advanced Certificate Manager and SSL for SaaS certificates
</b>We’re excited to announce that customers using <a href="https://www.cloudflare.com/application-services/products/advanced-certificate-manager/"><u>Advanced Certificate Manager</u></a> will now be able to select SSL.com as a certificate authority for Advanced certificates and Total TLS certificates. Once the certificate is issued, Cloudflare will handle all future renewals on your behalf. </p><p>By default, Cloudflare will issue SSL.com certificates with a 90-day validity period. However, customers using Advanced Certificate Manager will have the option to set a custom validity period (14, 30, or 90 days) for their SSL.com certificates. In addition, Enterprise customers will have the option to obtain 1-year SSL.com certificates. Every SSL.com certificate order will include 1 RSA and 1 ECDSA certificate.</p><p>Note: We are gradually rolling this out and customers should see the CA become available to them through the end of September and into October. </p><p>If you’re using Cloudflare as your DNS provider, there are no additional steps for you to take to get the certificate issued. Cloudflare will validate the ownership of the domain on your behalf to get your SSL.com certificate issued and renewed. </p><p>If you’re using an external DNS provider and have wildcard hostnames on your certificates, DNS-based validation will need to be used, which means that you’ll need to add TXT DCV tokens at your DNS provider in order to get the certificate issued. With SSL.com, two tokens are returned for every hostname on the certificate, because SSL.com uses different tokens for the RSA and ECDSA certificates. To reduce the overhead around certificate management, we recommend setting up <a href="https://blog.cloudflare.com/introducing-dcv-delegation/"><u>DCV Delegation</u></a> to allow Cloudflare to place domain control validation (DCV) tokens on your behalf. 
Once <a href="https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/?cf_history_state=%7B%22guid%22%3A%22C255D9FF78CD46CDA4F76812EA68C350%22%2C%22historyId%22%3A9%2C%22targetId%22%3A%222D50381DD1755E1B208472DB3EBA7428%22%7D#setup"><u>DCV Delegation is set up</u></a>, Cloudflare will automatically issue, renew, and deploy all future certificates for you. </p><p><b>Advanced Certificates: selecting SSL.com as a CA through the UI or API
</b>Customers can select SSL.com as a CA through the UI or through the <a href="https://developers.cloudflare.com/api/operations/certificate-packs-order-advanced-certificate-manager-certificate-pack"><u>Advanced Certificate API endpoint</u></a> by specifying “ssl_com” in the certificate_authority parameter. </p><p>If you’d like to use SSL.com as a CA for an advanced certificate, you can select “SSL.com” as your CA when creating a new Advanced certificate order. </p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4StVxaTcon8sLoCSGcskcq/df72f56d61f818d01ccc21cb71a98925/BLOG-2559_2.png" />
          </figure><p>If you’d like to use SSL.com as a CA for all of your certificates, we recommend setting your <a href="https://developers.cloudflare.com/ssl/edge-certificates/additional-options/total-tls/"><u>Total TLS</u></a> CA to SSL.com. This will issue an individual certificate from the CA for each of your proxied hostnames. </p><p>Note: Total TLS is a feature that’s only available to customers that are using Cloudflare as their DNS provider. </p>
          <figure>
          <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6SGVKQZZ1cs1T9r8gynImE/44b4a90416431ab3abfaba51a3ac15a9/BLOG-2559_3.png" />
          </figure><p><b>SSL for SaaS: selecting SSL.com as a CA through the UI or API
</b>Enterprise customers can select SSL.com as a CA through the custom hostname creation UI or through the <a href="https://developers.cloudflare.com/api/operations/custom-hostname-for-a-zone-create-custom-hostname"><u>Custom Hostnames API endpoint</u></a> by specifying “ssl_com” in the certificate_authority parameter. </p><p>All custom hostname certificates issued from SSL.com will have a 90-day validity period. If you have wildcard support enabled for custom hostnames, we recommend using <a href="https://blog.cloudflare.com/introducing-dcv-delegation/"><u>DCV Delegation</u></a> to ensure that all certificate issuances and renewals are automatic. </p>
    <div>
      <h3>Our recommendation if you’re using Entrust as a certificate authority </h3>
    </div>
    <p>Cloudflare customers that use Entrust as their CA are required to manually handle all certificate issuances and renewals. Since Cloudflare does not directly integrate with Entrust, customers have to get their certificates issued directly from the CA and upload them to Cloudflare as <a href="https://developers.cloudflare.com/ssl/edge-certificates/custom-certificates/uploading/"><u>custom certificates</u></a>. Once these certificates come up for renewal, customers have to repeat this manual process and upload the renewed certificates to Cloudflare before the expiration date. </p><p>Manually managing your certificate’s lifecycle is a time-consuming and error-prone process. With certificate lifetimes decreasing from 1 year to 90 days, this cycle needs to be repeated more frequently by the domain owner. </p><p>As Entrust transitions to issuing certificates from SSL.com roots, this manual management process will remain unless customers switch to Cloudflare’s managed certificate pipeline. By making this switch, you can continue to receive SSL.com certificates <a href="https://www.cloudflare.com/application-services/solutions/certificate-lifecycle-management/">without the hassle of manual management</a> — Cloudflare will handle all issuances and renewals for you!</p><p>In early October, we will be reaching out to customers who have uploaded Entrust certificates to Cloudflare to recommend migrating to our managed pipeline for SSL.com certificate issuances, simplifying your certificate management process. </p><p>If you’re ready to make the transition today, simply go to the SSL/TLS tab in your Cloudflare dashboard, click “Order Advanced Certificate”, and select “SSL.com” as your certificate authority. Once your new SSL.com certificate is issued, you can either remove your Entrust certificate or simply let it expire. 
Cloudflare will seamlessly transition to serving the managed SSL.com certificate before the Entrust certificate expires, ensuring zero downtime during the switch. </p> ]]></content:encoded>
            <category><![CDATA[SSL]]></category>
            <category><![CDATA[SaaS]]></category>
            <category><![CDATA[Certificate Authority]]></category>
            <category><![CDATA[Advanced Certificate Manager]]></category>
            <category><![CDATA[Application Services]]></category>
            <category><![CDATA[Application Security]]></category>
            <guid isPermaLink="false">6JSSnYVglQtKPqyymp5Tst</guid>
            <dc:creator>Dina Kozlov</dc:creator>
        </item>
        <item>
            <title><![CDATA[Total TLS: one-click TLS for every hostname you have]]></title>
            <link>https://blog.cloudflare.com/total-tls-one-click-tls-for-every-hostname/</link>
            <pubDate>Thu, 06 Oct 2022 18:00:00 GMT</pubDate>
            <description><![CDATA[ Today, we’re excited to announce Total TLS — a one-click feature that will issue individual TLS certificates for every subdomain in our customer’s domains ]]></description>
            <content:encoded><![CDATA[ <p>Today, we’re excited to announce Total TLS — a one-click feature that will issue individual TLS certificates for every subdomain in our customer’s domains.</p><p>By default, all Cloudflare customers get a free TLS certificate that covers the apex and wildcard (example.com, *.example.com) of their domain. Now, with Total TLS, customers can get additional coverage for all of their subdomains with just one click! Once enabled, customers will no longer have to worry about insecure connection errors to subdomains not covered by their default TLS certificate, because Total TLS will keep all the traffic bound to those subdomains encrypted.</p>
    <div>
      <h2>A primer on Cloudflare’s TLS certificate offerings</h2>
    </div>
    
    <div>
      <h3>Universal SSL — the “easy” option</h3>
    </div>
    <p>In 2014, we announced <a href="/introducing-universal-ssl/">Universal SSL</a> — a <a href="https://www.cloudflare.com/application-services/products/ssl/">free TLS certificate</a> for every Cloudflare customer. Universal SSL was built to be a simple “one-size-fits-all” solution. For customers that use Cloudflare as their authoritative DNS provider, this certificate covers the apex and a wildcard e.g. example.com and *.example.com. While a Universal SSL certificate provides sufficient coverage for most, some customers have deeper subdomains like a.b.example.com for which they’d like TLS coverage. For those customers, we built Advanced Certificate Manager — a customizable platform for certificate issuance that allows customers to issue certificates with the hostnames of their choice.</p>
    <div>
      <h3>Advanced certificates — the “customizable” option</h3>
    </div>
    <p>For customers that want flexibility and choice, we built Advanced certificates, which are available as a part of <a href="/advanced-certificate-manager/">Advanced Certificate Manager</a>. With Advanced certificates, customers can specify the exact hostnames that will be included on the certificate.</p><p>That means that if my Universal SSL certificate is insufficient, I can use the Advanced certificates UI or API to request a certificate that covers “a.b.example.com” and “a.b.c.example.com”. Today, we allow customers to place up to 50 hostnames on an Advanced certificate. The only caveat — customers have to tell us which hostnames to protect.</p><p>This may seem trivial, but some of our customers have thousands of subdomains that they want to <a href="https://www.cloudflare.com/application-services/solutions/domain-protection-services/">keep protected</a>. We have customers with subdomains that range from a.b.example.com to a.b.c.d.e.f.example.com, and for those to be covered, customers have to use the Advanced certificates <a href="https://api.cloudflare.com/#certificate-packs-order-advanced-certificate-manager-certificate-pack">API</a> to tell us each hostname that they’d like us to protect. A process like this is error-prone, not easy to scale, and has been rejected as a solution by some of our largest customers.</p><p>Instead, customers want Cloudflare to issue the certificates for them. If Cloudflare is the DNS provider, then Cloudflare should know what subdomains need protection. Ideally, Cloudflare would issue a TLS certificate for every subdomain that’s proxying its traffic through the Cloudflare network… and that’s where Total TLS comes in.</p>
    <div>
      <h2>Enter Total TLS: easy, customizable, and scalable</h2>
    </div>
    <p>Total TLS is a one-click button that signals Cloudflare to automatically issue TLS certificates for every proxied DNS record in your domain. Once enabled, Cloudflare will issue individual certificates for every proxied hostname. This way, you can add as many DNS records and subdomains as you need to, without worrying about whether they’ll be covered by a TLS certificate.</p><p>If you have a DNS record for a.b.example.com, we’ll issue a TLS certificate with the hostname a.b.example.com. If you have a wildcard record for *.a.b.example.com then we’ll issue a TLS certificate for “*.a.b.example.com”. Here’s an example of what this will look like in the Edge Certificates table of the dashboard:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5orvWZD4F1Qu1ekoHIuFch/b67ba45b1efbf4c75e674593ff23b478/image2-6.png" />
            
            </figure>
    <div>
      <h2>Available now</h2>
    </div>
    <p>Total TLS is now available to use as a part of Advanced Certificate Manager for domains that use Cloudflare as an authoritative DNS provider. One of the superpowers of having Cloudflare as your DNS provider is that we’ll always add the proper Domain Control Validation (DCV) records on your behalf to ensure successful certificate issuance and renewal.</p><p>Enabling Total TLS is easy — you can do it through the Cloudflare dashboard or via <a href="https://api.cloudflare.com/#total-tls-enable-or-disable-total-tls">API</a>. In the SSL/TLS tab of the Cloudflare dashboard, navigate to Total TLS. There, choose the issuing CA (Let’s Encrypt, Google Trust Services, or No Preference if you’d like Cloudflare to select the CA on your behalf), then click on the toggle to enable the feature.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4GA2uiIYneXvEc4C09GtGe/e779432573a819444c7493ecad4487cf/image4-1.png" />
            
            </figure>
    <div>
      <h2>But that’s not all…</h2>
    </div>
    <p>One pain point that we wanted to address for all customers was visibility. From looking at support tickets and talking to customers, one of the things that we realized was that customers don’t always know whether their domain is covered by a TLS certificate — a simple oversight that can result in downtime or errors.</p><p>To prevent this from happening, we are now going to warn every customer if we see that the proxied DNS record that they’re creating, viewing, or editing doesn’t have a TLS certificate covering it. This way, our customers can get a TLS certificate issued before the hostname becomes publicly available, preventing visitors from encountering this error:</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/17OAtnH4osT3t91MeJaHUB/bc0dee60dcc9c17a8b1786b5ec6d9671/image3-2.png" />
            
            </figure>
    <div>
      <h2>Join the mission</h2>
    </div>
    <p>At Cloudflare, we love building products that help secure all Internet properties. Interested in achieving this mission with us? <a href="https://www.cloudflare.com/careers/jobs/">Join the team</a>!</p> ]]></content:encoded>
            <category><![CDATA[SSL]]></category>
            <category><![CDATA[TLS]]></category>
            <category><![CDATA[Security]]></category>
            <category><![CDATA[Advanced Certificate Manager]]></category>
            <guid isPermaLink="false">3u0rb4HzoGD9cOz1Kix4f9</guid>
            <dc:creator>Dina Kozlov</dc:creator>
        </item>
        <item>
            <title><![CDATA[Introducing: Advanced Certificate Manager]]></title>
            <link>https://blog.cloudflare.com/advanced-certificate-manager/</link>
            <pubDate>Sat, 27 Mar 2021 13:00:00 GMT</pubDate>
            <description><![CDATA[ Today, we are excited to announce that dedicated certs are getting an upgrade… and a new name… introducing Advanced Certificate Manager! Advanced Certificate Manager is a flexible and customizable way to manage your certificates on Cloudflare.  ]]></description>
            <content:encoded><![CDATA[ <p>In 2016, we launched <a href="/dedicated-ssl-certificates/">Dedicated Certificates</a>. Today, we are excited to announce that dedicated certs are getting an upgrade… and a new name… introducing Advanced Certificate Manager! Advanced Certificate Manager is a flexible and customizable way to manage your certificates on Cloudflare.</p>
    <div>
      <h3>Certificates</h3>
    </div>
    <p><a href="https://www.cloudflare.com/application-services/products/ssl/">TLS certificates</a> are the reason you can safely browse the Internet, securely transfer money online, and keep your passwords private. They do that by encrypting your sensitive messages using public-key cryptography, with the public key bound to the certificate itself. But beyond that, TLS certificates are used to make an assertion about identity — verifying that the server is who it claims to be. Server certificates — used by every website — include the website's name on the certificate and are issued by a third-party certificate authority (CA) who verifies that the certificate's information is correct and accurate.</p><p>Browsers only let you visit a website over TLS after they have successfully validated the certificate presented by the server — much like how security checks your ID to board a plane.</p><p>We are focusing on securing the Internet now more than ever. We want to make it as easy as possible for any customer to be a security-conscious customer. This is why we’re moving towards a certificate management system, so it’s simple to customize your certificates and TLS settings. We are doing this by giving you the right tools to proactively increase the security of your domain.</p><p>Let’s start by talking about modifying your certificate’s validity period, a small change that can make a big difference.</p>
    <div>
      <h3>Decrease Your Certificate’s Validity Period</h3>
    </div>
    <p>The <a href="https://cabforum.org/">Certification Authority Browser Forum</a> — a voluntary group that sets the industry guidelines for certificates — has been shortening the maximum validity period for publicly trusted certificates over the past several years. You used to be able to get a three-year cert, but now you can only get a one-year cert. Why did they do this?</p><p>Rotating a certificate more frequently should — but does not necessarily — mean you're rotating your private key more frequently. Changing secrets more frequently means that if a secret (in this case a private key) is ever compromised, the compromise has a smaller maximum lifespan. This is widely regarded as a better security posture and helps to minimize the risk associated with key compromise.</p><p>It also has the added bonus of <a href="https://letsencrypt.org/2015/11/09/why-90-days.html">encouraging automation</a> — the more frequently you have to do a task, the more likely you'll want to automate it. Automation means you're less likely to let a cert expire in production or give a person access to key material.</p><p>With Advanced Certificate Manager, you can set your certificate validity period to be as short as 14 days. By shortening the <a href="https://www.cloudflare.com/application-services/solutions/certificate-lifecycle-management/">lifecycle of your certificate</a>, you are proactively improving your security posture. As you keep rotating your certificate and private keys upon renewals, you reduce the risk of exposure.</p><p>For some, setting a short validity period can increase the risk of downtime. This is because short validity periods require frequent certificate issuance and can overload servers.</p><p>At Cloudflare, it’s not a problem. Shorter validity periods encouraged us to keep improving our certificate issuance and renewal pipeline. 
With ~4.5 million certificates issued a day, we can confidently say that every customer can set a 14-day validity period, and we’ll take care of it.</p><p>Overall, the <a href="https://www.websecurity.digicert.com/blog/cabforum-votes-shorten-certificate-lifetime-validity-periods-impacts#:~:text=This%20topic%20led%20to%20a,also%20had%20an%20unintended%20consequence.&amp;text=However%2C%20effective%20April%2022%2C%202017,unless%20a%20corrective%20ballot%20passes.">industry is moving towards shortening</a> certificate cycles, so we are very excited to make this an easy option for our customers.</p><p>Some customers want to go a step further and control the cipher suites used for TLS. Now, with ACM, you can do just that!</p>
    <div>
      <h3>Setting Cipher Suites</h3>
    </div>
    <p>A cipher suite is a set of algorithms that help secure a network connection that uses TLS. The algorithms that a cipher suite contains are:</p><ul><li><p>Key Exchange Algorithm</p></li><li><p>Authentication Algorithm</p></li><li><p>Bulk Encryption Algorithm</p></li><li><p>Message Authentication Code (MAC) Algorithm</p></li></ul>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3gqYUWUnmEsDfvxp1kmeZF/e8e32afa1b0028e66bec624fd06ce3d0/image2-46.png" />
            
            </figure><p>When a client and a server want to communicate with one another securely over TLS, they start off by initiating a TLS handshake. During the TLS handshake, the client and the server establish which encryption algorithms they will be using. The client initiates this handshake with the Client Hello message, which indicates the cipher suites — or encryption algorithms — it supports. The server then responds with the Server Hello message, which contains its choice of cipher suite based on the list of supported cipher suites that the client sent.</p><p>When a user connects to a website on Cloudflare’s network, Cloudflare is responsible for choosing a cipher suite. In the past, we’ve <a href="/staying-on-top-of-tls-attacks/">talked about</a> how Cloudflare’s servers prefer certain ciphers. For example, we prioritize ciphers that use ECDHE over those that start with RSA. As discussed in our previous blog post, RSA is more susceptible to security vulnerabilities, especially if an SSL server’s private key were to leak.</p><p>While prioritizing certain ciphers over others offers a higher level of security, we are going a step further and giving our customers the ability to choose which cipher suites from Cloudflare’s <a href="https://support.cloudflare.com/hc/en-us/articles/203041594-Cloudflare-SSL-cipher-browser-and-protocol-support">list of approved ciphers</a> they want their website to support. Those that want to remove weak ciphers and only allow the strongest ciphers available can now do so through one API call. 
To do this, they would use the <a href="https://api.cloudflare.com/#zone-settings-change-ciphers-setting">Cipher Suite Settings endpoint</a> and indicate their allowlist of ciphers for TLS termination.</p><p>Customers like <a href="https://onetrust.com/">OneTrust</a> and <a href="https://report-uri.com/">Report URI</a> use this functionality to improve their security posture:</p><blockquote><p>Advanced Certificate Manager has simplified the way we manage certificates across our many domains, while still allowing us to meet our strict security requirements. The ability to manage cipher suites, as well as auto-renewal within our parameters, creates for an available and secure environment. - <b>Colin Henderson, Head of Information Security, OneTrust</b></p></blockquote><blockquote><p>We've been using Advanced Certificate Manager for fine-grained control over the cipher suites used in our TLS connections and to reduce the lifetime of certificates issued for our domain. With stronger cipher suites and shorter certificates we're better able to protect connections made to our site and the data within them. - <b>Scott Helme, Founder, Report URI</b></p></blockquote>
    <div>
      <h3>Custom Signing Requests</h3>
    </div>
    <p>Some customers want to acquire their own SSL certificate from a certificate authority (CA), but want Cloudflare to generate and store the associated private key. These customers can now use Advanced Certificate Manager to generate a Certificate Signing Request (CSR) with their organization name, location, etc. Then, they would take it to their preferred CA, obtain a certificate, and upload it to Cloudflare. Cloudflare takes key management seriously, with both highly secure key management software and <a href="/introducing-cloudflare-geo-key-manager/">hardware controls</a>. With CSR support, customers can get a certificate from the CA of their choice, all without the private key leaving our network, so that they do not have to worry about any unsafe handling.</p>
    <div>
      <h3>Additional Features</h3>
    </div>
<p>Apart from the security features that ACM has to offer, we are excited to give our customers an easy-to-use and configurable certificate management solution. With ACM, customers will now be able to issue up to 100 edge certificates per zone, which includes the zone apex and up to 50 hostnames. This means your certificate now has multi-level support, so you can create certificates for second and third-level hostnames. In addition, customers will be able to choose their preferred validation method (HTTP, TXT, or Email) and their certificate authority (Let’s Encrypt or Digicert).</p><blockquote><p>Compared to our previous CDN, using Cloudflare gives us the lifetime advantage of creating and maintaining wildcard certificates. With just a few lines of Terraform code, Cloudflare does all the work for you. - <b>Nikita Ponomarev, DevOps Engineer at Spark Networks</b></p></blockquote><p>To learn how to configure ACM settings, check our <a href="https://developers.cloudflare.com/ssl/advanced-certificate-manager">developer docs</a>.</p>
    <div>
      <h3>Upgrading from Dedicated Certificates</h3>
    </div>
<p>For our customers who have been using dedicated certificates, we are excited to announce that we will be upgrading them to Advanced Certificate Manager in the next month.</p><p>This will be a zero-downtime migration, and you should expect to see your Certificate Type change in the dashboard from <b>Dedicated</b> to <b>Advanced</b>.</p><p>In addition to that, if you have been using our API to issue dedicated certificates, you will need to switch to the new ACM certificate issuance <a href="https://api.cloudflare.com/#certificate-packs-order-advanced-certificate-manager-certificate-pack">API endpoint</a>. One change to note is that in the API response, the “type” field will change from “Dedicated” to “Advanced”.</p>
            <pre><code>{
  "success": true,
  "errors": [],
  "messages": [],
  "result": {
    "id": "3822ff90-ea29-44df-9e55-21300bb9419b",
    "type": "advanced",
    "hosts": [
      "example.com",
      "*.example.com",
      "www.example.com"
    ],
    "status": "initializing",
    "validation_method": "txt",
    "validity_days": 365,
    "certificate_authority": "digicert",
    "cloudflare_branding": false
  }
}</code></pre>
            <p>Customers who have already purchased Dedicated Certificates will be grandfathered into their current pricing. For all other Free, Pro, and Business customers, Advanced Certificate Manager will be $10/month per zone. This means customers will get all the benefits of Dedicated Certificates, with the features that ACM offers at no additional cost.</p><p>If you are an Enterprise customer interested in Advanced Certificate Manager, talk to your account team.</p> ]]></content:encoded>
            <category><![CDATA[Security Week]]></category>
            <category><![CDATA[Advanced Certificate Manager]]></category>
            <category><![CDATA[Product News]]></category>
            <category><![CDATA[Security]]></category>
            <guid isPermaLink="false">7rcAgkE0EhkjszK0QkRTxM</guid>
            <dc:creator>Dina Kozlov</dc:creator>
        </item>
    </channel>
</rss>