TL;DR – Cloudflare Inc ECC CA-X & Cloudflare Inc RSA CA-X: so long, and thanks for all the fish!
1. What does that mean?
A few weeks ago, Cloudflare silently announced that they will start deprecating their DigiCert certification authority starting on September 12, 2022. This will affect the following intermediate certificates:
- Cloudflare Inc ECC CA-3 (free and paid users)
- Cloudflare Inc RSA CA-2 (paid only)
The changes will start applying for Enterprise customers on the date mentioned above, but will arrive weeks later for regular users. There are some things you need to know about this:
- Existing certificates won’t be revoked/deleted.
- Starting on a specific date, you won’t be able to issue new DigiCert certificates for your account. This includes universal/custom hostname SSL certificates.
- Starting at a later date this year, you won’t be able to renew your existing DigiCert certificates.
- ACM DigiCert CA deprecation will happen in February 2023.
Currently, there is little public information about this deprecation. I will update this post when I receive news about this. Meanwhile, check this developer page.
2. What can I do now to minimize the impact of this change?
You’ll mainly need to use the API to perform the following changes.
First of all:
- If you are an Enterprise customer using Custom Hostnames, contact your account manager for more information.
- If you are not an Enterprise customer, but you are using Custom Hostnames (like me, they’re great), you were probably not obtaining DigiCert certificates from there (only Let’s Encrypt or Google Trust Services).
- If you’re using Universal SSL or Advanced Certificate Manager (ACM), continue reading below:
If you are using Universal SSL, you should change your Universal SSL CA from DigiCert to Let’s Encrypt or Google Trust Services. The following instructions assume that you are using bash and you have cURL installed:
Execute:
export cfzoneid='your_domain_zone_id'
export cfemail='your_cloudflare_account_email'
export cfglobalkey='your_cloudflare_account_global_api_key'
to set up the necessary environment variables.
Then run the following command to make the switch (remember to change PREFERRED_CA to lets_encrypt or google):
curl -sX PATCH "https://api.cloudflare.com/client/v4/zones/$cfzoneid/ssl/universal/settings" \
-H "X-Auth-Email: $cfemail" \
-H "X-Auth-Key: $cfglobalkey" \
-H "Content-Type: application/json" \
--data '{"certificate_authority":"PREFERRED_CA"}'
If everything went right, you should see that your Universal SSL certificate is now issued by either Let’s Encrypt (LE) or Google Trust Services (GTS).
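The switch above, as an added shell script that is not part of the original post or of Cloudflare’s own tooling: it reads the current Universal SSL CA, refuses any value other than lets_encrypt or google so a typo cannot leave the zone pointed at a CA that will stop issuing, sends the PATCH, and then reads the setting back to confirm the API really reports the requested CA. It assumes curl and sed are installed and reuses the cfzoneid, cfemail and cfglobalkey variables from the post; the optional CF_API_TOKEN path (a zone-scoped token sent as a Bearer header instead of the global key) is my own least-privilege assumption, not something the post requires.

```shell
#!/bin/sh
# Added example (not from the original post or from Cloudflare): switch a zone's
# Universal SSL certificate authority away from DigiCert and verify the result.
# Assumes curl and sed are installed and that the post's environment variables
# are set: cfzoneid, cfemail, cfglobalkey. CF_API_TOKEN is an optional,
# assumed alternative to the global key (a zone-scoped API token).
set -eu

CF_API="https://api.cloudflare.com/client/v4"

# Universal SSL accepts the two replacement CAs the post names.
validate_ca() {
  case "$1" in
    lets_encrypt|google) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the JSON body for the PATCH request; anything else is rejected.
build_payload() {
  if ! validate_ca "$1"; then
    echo "unsupported CA '$1' (use lets_encrypt or google)" >&2
    return 1
  fi
  printf '{"certificate_authority":"%s"}' "$1"
}

# Pull certificate_authority out of a Cloudflare API response body read on stdin.
extract_ca() {
  sed -n 's/.*"certificate_authority":"\([a-z_]*\)".*/\1/p'
}

# True when the response body on stdin reports "success":true.
api_ok() {
  grep -q '"success":true'
}

# Run curl with either the global-key headers from the post or an API token.
cf_curl() {
  if [ -n "${CF_API_TOKEN:-}" ]; then
    curl -s -H "Authorization: Bearer $CF_API_TOKEN" \
         -H "Content-Type: application/json" "$@"
  else
    curl -s -H "X-Auth-Email: $cfemail" -H "X-Auth-Key: $cfglobalkey" \
         -H "Content-Type: application/json" "$@"
  fi
}

# Read the CA the zone's Universal SSL setting currently points at.
current_ca() {
  cf_curl "$CF_API/zones/$cfzoneid/ssl/universal/settings" | extract_ca
}

# Switch the CA and confirm the API now reports the requested one.
switch_and_verify() {
  target="$1"
  payload="$(build_payload "$target")"
  echo "current Universal SSL CA: $(current_ca)"
  body="$(cf_curl -X PATCH "$CF_API/zones/$cfzoneid/ssl/universal/settings" \
                  --data "$payload")"
  if ! printf '%s' "$body" | api_ok; then
    echo "PATCH failed: $body" >&2
    return 1
  fi
  after="$(current_ca)"
  if [ "$after" != "$target" ]; then
    echo "expected $target but the API reports '$after'" >&2
    return 1
  fi
  echo "Universal SSL CA is now $after"
}

# Usage: sh switch-universal-ca.sh switch lets_encrypt
case "${1:-}" in
  switch) switch_and_verify "${2:-}" ;;
esac
```

The read-back step matters more than it looks: the PATCH can return success while a cached or mistyped zone ID leaves the setting untouched, so comparing the value the API reports afterwards with the value you asked for is the only real confirmation.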
If you are instead using Advanced Certificate Manager (ACM), you can change your CA to Let’s Encrypt or Google Trust Services within the UI. You can also get one from Sectigo if you use the API and select "sectigo" as the value for the certificate_authority parameter. Hope that it gets added to the UI!
To sum up, I know many of you will miss the DigiCert certificate functionality in Cloudflare, but there are other great options available there, like Let’s Encrypt, Google Trust Services and even Sectigo (for ACM users). However, to keep a historical record of the greatness of Cloudflare Inc ECC CA-3 and Cloudflare Inc RSA CA-2, I’ve issued an SSL certificate from each of those CAs for lumito.net. You can find them at the following links: ECC, RSA.
Thanks a lot for taking the time to read my website!
A huge thanks to eva2000 for the following post: https://community.letsencrypt.org/t/cloudflare-universal-ssl-switch-letsencrypt-to-digicert-ca/162358