In 2016, we launched Dedicated Certificates. Today, we are excited to announce that dedicated certs are getting an upgrade… and a new name… introducing Advanced Certificate Manager! Advanced Certificate Manager is a flexible and customizable way to manage your certificates on Cloudflare.
Certificates
TLS Certificates are the reason you can safely browse the Internet, securely transfer money online, and keep your passwords private. They do that by encrypting your sensitive messages using public-key cryptography that is cryptographically linked to the certificate itself. But beyond that, TLS certificates are used to make an assertion about identity — verifying that the server is who they claim to be. Server Certificates — used by every website — include the website's name on the certificate and is issued by a third-party certificate authority (CA) who verifies that the certificate's information is correct and accurate.
Browsers only let you visit a website when it's encrypted using TLS after it has successfully validated the certificate presented by the server — much like how security checks your ID to board a plane.
We are focusing on securing the Internet now more than ever. We want to make it as easy as possible for any customer to be a security-conscious customer. This is why we’re moving towards a certificate management system, so it’s simple to customize your certificates and TLS settings. We are doing this by giving you the right tools to proactively increase the security of your domain.
Let’s start by talking about modifying your certificate’s validity period, a small change that can make a big difference.
Decrease Your Certificate’s Validity Period
The Certification Authority Browser Forum — a voluntary group that sets the industry guidelines for certificates — has been shortening the maximum validity period for publicly trusted certificates over the past several years. You used to be able to get a three-year cert, but now you can only get a one-year cert. Why did they do this?
Rotating a certificate more frequently should — but does not necessarily — mean you're rotating your private key more frequently. Changing secrets more frequently means that if a secret (in this case a private key) is ever compromised, the compromise has a smaller maximum lifespan. This is widely regarded as a better security posture and helps to minimize the risk associated with key compromise.
It also has the added bonus of encouraging automation — the more frequently you have to do a task, the more likely you'll want to automate it. Automation means you're less likely to let a cert expire in production or give a person access to key material.
With Advanced Certificate Manager, you can set your certificate validity period to be as short as 14 days. By shortening the lifecycle of your certificate, you are proactively improving your security posture. As you keep rotating your certificate and private keys upon renewals, you reduce the risk of exposure.
For some, setting a short validity period can increase the risk of downtime. This is because short validity periods require frequent certificate issuance and can overload servers.
At Cloudflare, it’s not a problem. Shorter validity periods encouraged us to keep improving our certificate issuance and renewal pipeline. With ~4.5 million certificates issued a day, we can confidently say that every customer can set a 14-day validity period, and we’ll take care of it.
Overall, the industry is moving towards shortening certificate cycles, so we are very excited to make this an easy option for our customers.
Some customers want to go a step further and control the cipher suites used for TLS. Now, with ACM, you can do just that!
Setting Cipher Suites
A cipher suite is a set of algorithms that help secure a network connection that uses TLS. The set of algorithms that cipher suites contain are :
Key Exchange Algorithm
Authentication Algorithm
Bulk encryption Algorithm
Message Authentication Code (MAC) Algorithm
When two servers want to communicate with one another securely over TLS, they start off by initiating a TLS handshake. During the TLS handshake, the client and the server establish which encryption algorithms they will be using. The client initiates this handshake with the Client Hello message that indicates the cipher suites — or encryption algorithms — it supports. The server then responds with the Server Hello message which contains its choice of cipher based on the list of supported ciphers that the client sent.
When a user connects to a website on Cloudflare’s network, Cloudflare is responsible for choosing a cipher. In the past, we’ve talked about how Cloudflare’s servers prefer certain ciphers. For example, we prioritize ciphers that use ECDHE over those that start with RSA. As discussed in our previous blog post, RSA is more susceptible to security vulnerabilities, especially if an SSL server’s private key were to leak.
While prioritizing certain ciphers over others offers a higher level of security, we are going a step further and giving our customers the ability to choose which cipher suites from Cloudflare’s list of approved ciphers they want their website to support. For those that want to remove weak ciphers and only allow the strongest ciphers available, they can now do so through one API call. To do this, they would use the Cipher Suite Settings endpoint and indicate their allowlist of ciphers for TLS termination.
Customers like OneTrust and Report URI use this functionality to improve their security posture:
Advanced Certificate Manager has simplified the way we manage certificates across our many domains, while still allowing us to meet our strict security requirements. The ability to manage cipher suites, as well as auto-renewal within our parameters, creates for an available and secure environment.- Colin Henderson, Head of Information Security, OneTrust
We've been using Advanced Certificate Manager for fine-grained control over the cipher suites used in our TLS connections and to reduce the lifetime of certificates issued for our domain. With stronger cipher suites and shorter certificates we're better able to protect connections made to our site and the data within them.- Scott Helme, Founder, Report URI
Custom Signing Requests
Some customers want to acquire their own SSL certificate from a certificate authority (CA), but want Cloudflare to generate and store the associated private key. These customers can now use Advanced Certificate Manager to generate a Certificate Signing Request (CSR) with their organization name, location, etc. Then, they would take it to their preferred CA, obtain a certificate, and upload it to Cloudflare. Cloudflare takes key management seriously, with both highly secure key management software and hardware controls. With CSR support, customers can get a certificate from the CA of their choice, all without the private key leaving our network, so that they do not have to worry about any unsafe handling.
Additional Features
Apart from the security features that ACM has to offer, we are excited to give our customers an easy-to-use and configurable certificate management solution. With ACM, customers will now be able to issue up to 100 edge certificates per zone, which includes the zone apex and up to 50 hostnames. This means your certificate now has multi-level support, so you can create certificates for second and third-level hostnames. In addition, customers will be able to choose their preferred validation method (HTTP, TXT, or Email) and their certificate authority (Let’s Encrypt or Digicert).
Compared to our previous CDN, using Cloudflare gives us the lifetime advantage of creating and maintaining wildcard certificates. With just a few lines of Terraform code, Cloudflare does all the work for you.- Nikita Ponomarev, DevOps Engineer at Spark Networks
To learn how to configure ACM settings, check our developer docs.
Upgrading from Dedicated Certificates
For our customers who have been using dedicated certificates, we are excited to announce that we will be upgrading them to Advanced Certificate Manager in the next month.
This will be a zero-downtime migration, and you should expect to see your Certificate Type change in the dashboard from Dedicated to Advanced.
In addition to that, if you have been using our API to issue dedicated certificates, you will need to switch to the new ACM certificate issuance API endpoint. One change to note is that in the API response field, the “type” will change from “Dedicated” to “Advanced”.
{
"success": true,
"errors": [],
"messages": [],
"result": {
"id": "3822ff90-ea29-44df-9e55-21300bb9419b",
"type": "advanced",
"hosts": [
"example.com",
"*.example.com",
"www.example.com"
],
"status": "initializing",
"validation_method": "txt",
"validity_days": 365,
"certificate_authority": "digicert",
"cloudflare_branding": false
}
}
Customers who have already purchased Dedicated Certificates will be grandfathered into their current pricing. For all other Free, Pro, and Business customers, Advanced Certificate Manager will be $10/month per zone. This means customers will get all the benefits of Dedicated Certificates, with the features that ACM offers at no additional cost.
If you are an Enterprise customer interested in Advanced Certificate Manager, talk to your account team.