TL;DR – Cloudflare Inc ECC CA-X & Cloudflare Inc RSA CA-X: so long, and thanks for all the fish!


1. What does that mean?

A few weeks ago, Cloudflare quietly announced that they will start deprecating their DigiCert-backed certificate authority on September 12, 2022. This affects the following intermediate certificates:

  • Cloudflare Inc ECC CA-3 (free and paid users)
  • Cloudflare Inc RSA CA-2 (paid only)

The changes will start applying to Enterprise customers on the date mentioned above, but will reach regular users weeks later. There are some things you need to know about this:

  1. Existing certificates won’t be revoked/deleted.
  2. Starting at a specific date, you’ll not be able to issue new DigiCert certificates for your account. This includes universal/custom hostname SSL certificates.
  3. Starting at a later date this year, you won’t be able to renew your existing DigiCert certificates.
  4. ACM DigiCert CA deprecation will happen in February 2023.

Currently, there is little public information about this deprecation. I will update this post when I receive news about this. Meanwhile, check this developer page.

2. What can I do now to minimize the impact of this change?

You’ll mainly need to use the API to perform the following changes.

First of all:

  1. If you are an Enterprise customer using Custom Hostnames, contact your account manager for more information.
  2. If you are not an Enterprise customer, but you are using Custom Hostnames (like me, they’re great), you were probably not obtaining DigiCert certificates from there (only Let’s Encrypt or Google Trust Services).
  3. If you’re using Universal SSL or Advanced Certificate Manager (ACM), continue reading below:

If you are using Universal SSL, you should change your Universal SSL CA from DigiCert to Let’s Encrypt or Google Trust Services. The following instructions assume that you are using bash and you have cURL installed:

Execute:

export cfzoneid='your_domain_zone_id'
export cfemail='your_cloudflare_account_email'
export cfglobalkey='your_cloudflare_account_global_api_key'

to set up the necessary environment variables.

Then run the following command to make the switch (remember to change PREFERRED_CA to lets_encrypt or google):

curl -sX PATCH "https://api.cloudflare.com/client/v4/zones/$cfzoneid/ssl/universal/settings" \
  -H "X-Auth-Email: $cfemail" \
  -H "X-Auth-Key: $cfglobalkey" \
  -H "Content-Type: application/json" \
  --data '{"certificate_authority":"PREFERRED_CA"}'

If everything went right, you should see that your universal SSL will be issued by either LE or GTS.

If you are instead using Advanced Certificate Manager (ACM), you can change your CA to Let’s Encrypt or Google Trust Services within the UI. You can also get one from Sectigo if you use the API and you select "sectigo" as the value for the certificate_authority parameter. Hope that it gets added to the UI!

To sum up, I know many of you will miss the DigiCert certificate functionality in Cloudflare, but there are other great options available there, like Let’s Encrypt, Google Trust Services and even Sectigo (for ACM users). However, to keep a historical record of the greatness of Cloudflare Inc ECC CA-3 and Cloudflare Inc RSA CA-2, I’ve issued an SSL certificate from each of those CAs for lumito.net. You can find them in the following links: ECC, RSA.

Timeline:

September:

  • Sep. 12, 2022 – Cloudflare will stop using the DigiCert CA for universal SSL (starting on enterprise zones). However, as of Sep 26 2022, I’ve been able to obtain Universal SSL certificates from DigiCert.
  • Sep. 26, 2022 – Cloudflare will stop issuing new DigiCert certificates for Custom Hostnames. Renewals are not affected (yet). API users should start changing their CA to either Google Trust Services "google" or Let’s Encrypt "lets_encrypt", and the certificate validity days to 90 (if using Let’s Encrypt) or 14, 30 or 90 (if using Google Trust Services).

October:

  • Oct. 31, 2022 – Cloudflare will stop issuing DigiCert certificates for Custom Hostnames renewals.

February:

  • Feb. 6, 2023 – Cloudflare will stop issuing new DigiCert certificates for Advanced Certificates (ACM). Renewals are not affected (yet). API users should start changing their CA to either Google Trust Services "google", Let’s Encrypt "lets_encrypt" or Sectigo "sectigo", and the certificate validity days to 90 (if using Let’s Encrypt) or 14, 30 or 90 (if using Google Trust Services), or keep it as-is if you start using Sectigo.
  • Feb. 13, 2023 – Cloudflare will stop issuing DigiCert certificates for Advanced Certificates (ACM) renewals. RIP Cloudflare’s DigiCert CA.
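The Universal SSL switch from section 2 and the CA/validity-day rules from the timeline, wrapped in a script that validates the inputs, checks the API's success flag and reads the setting back to confirm the change. This is an added example, not code from the post or from Cloudflare; it assumes the same cfzoneid/cfemail/cfglobalkey variables the post exports, and that a GET on the same universal settings endpoint returns the stored certificate_authority value.

```bash
#!/usr/bin/env bash
# Added example (not from the post): switch a zone's Universal SSL CA via the
# Cloudflare API, validate the inputs, and confirm the change by reading it back.
set -eu

# CA values accepted by each product, per the post's timeline.
cf_ca_allowed() {  # $1 = universal|acm, $2 = CA name
  case "$1:$2" in
    universal:lets_encrypt|universal:google) return 0 ;;
    acm:lets_encrypt|acm:google|acm:sectigo) return 0 ;;
    *) return 1 ;;
  esac
}

# Validity days allowed per CA for Custom Hostname / ACM orders (from the timeline).
cf_validity_ok() {  # $1 = CA name, $2 = validity days
  case "$1:$2" in
    lets_encrypt:90) return 0 ;;
    google:14|google:30|google:90) return 0 ;;
    sectigo:*) return 0 ;;   # Sectigo: keep the existing value as-is
    *) return 1 ;;
  esac
}

# Minimal JSON helpers (no jq dependency): success flag and current CA value.
cf_success() { grep -q '"success"[[:space:]]*:[[:space:]]*true'; }
cf_extract_ca() {
  sed -n 's/.*"certificate_authority"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

cf_switch_universal_ca() {  # $1 = lets_encrypt|google
  : "${cfzoneid:?}" "${cfemail:?}" "${cfglobalkey:?}"   # same variables the post exports
  cf_ca_allowed universal "$1" || { echo "unsupported Universal SSL CA: $1" >&2; return 2; }
  local base="https://api.cloudflare.com/client/v4/zones/$cfzoneid/ssl/universal/settings"
  local resp now
  resp=$(curl -sS -X PATCH "$base" -H "X-Auth-Email: $cfemail" -H "X-Auth-Key: $cfglobalkey" \
         -H "Content-Type: application/json" --data "{\"certificate_authority\":\"$1\"}")
  printf '%s' "$resp" | cf_success || { echo "PATCH failed: $resp" >&2; return 1; }
  # Assumption: a GET on the same endpoint returns the stored certificate_authority.
  now=$(curl -sS "$base" -H "X-Auth-Email: $cfemail" -H "X-Auth-Key: $cfglobalkey" | cf_extract_ca)
  [ "$now" = "$1" ] || { echo "expected $1, API reports '$now'" >&2; return 1; }
  echo "Universal SSL CA for zone $cfzoneid is now $now"
}

# Usage: bash switch-ca.sh lets_encrypt   (or google)
if [ "${1:-}" = lets_encrypt ] || [ "${1:-}" = google ]; then
  cf_switch_universal_ca "$1"
fi
```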

Thanks a lot for taking your time on my website!

Categories: News

Lumito

A junior open-source developer on GitHub (github.com/LumitoLuma) and owner of this website (www.lumito.net). His favorite programming language is C++, followed by C, C# and Java.

1 Comment

Lumito · August 6, 2022 at 12:11 AM

A huge thanks to eva2000 for the following post: https://community.letsencrypt.org/t/cloudflare-universal-ssl-switch-letsencrypt-to-digicert-ca/162358
