9

CloudFlare provides a reverse proxy, and it offers SSL support ("flexible", "full", "strict full", and "keyless").

How does CloudFlare manage to get a valid certificate for domains it does not own? Don't the certificate authorities normally require proof that you own the domain, at the very least sending a verification email to an email address of that domain? How does CloudFlare skip this step?

Anders
Flimm

3 Answers

15

Simply put, the webmaster of the site uploads the certificate to CloudFlare.

See this article for details.

The Keyless mode doesn't have this requirement. It uses an on-premises key server instead to provide the private key of the server. See the diagram here for details on how this works.

For free accounts

Cloudflare state in their blog:

For all customers, we will now automatically provision a SSL certificate on CloudFlare's network that will accept HTTPS connections for a customer's domain and subdomains. Those certificates include an entry for the root domain (e.g., example.com) as well as a wildcard entry for all first-level subdomains (e.g., www.example.com, blog.example.com, etc.).

Cloudflare do control the domain, because the customer has pointed their DNS records to it; this means that they can gain a Domain Validated certificate. Domain validation procedures do not have to involve sending an email to the domain, which wouldn't be possible for Cloudflare to intercept because the MX record is not repointed. They can instead prove that they own the domain by putting up a randomly named text file containing a random key for the CA to query in order to prove control of the domain. The CA will specify the name and contents of this file, which they will then be able to check. Cloudflare could then intercept requests for the URL and display the necessary validation code.

SilverlightFox
  • What if you don't want to use CloudFlare's network anymore? Won't that leave them with a valid certificate for your website, at least for a period of time, before you can point the DNS to a domain you control, then contact a CA or something? And about websites that deal with sensitive data (like credit cards, medical information): does this impact compliance? It must be noted that while the SSL certificate from CloudFlare can protect your customers, they can also read all the traffic, which sometimes **is** a problem, and sometimes not... but still worth noting. – Freedo Oct 01 '15 at 05:08
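The file-based domain validation that the first answer describes, as an added example in Go (not code from the answer, from CloudFlare, or from any CA): the CA picks a random file name and a random key, the edge reverse proxy answers that one path itself for the domain whose DNS points at it and forwards every other request to the customer's origin, and the CA then fetches the file and compares it with the key it issued. The challenge path layout, the domain names `example.com` and `other.example`, and the in-process `httptest` servers standing in for DNS and the public internet are all assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// ChallengeStore maps host+path to the key the CA expects to find there. Keying
// by host matters: one edge fronts many customer domains and must only answer
// a challenge for a domain whose DNS actually points at it.
type ChallengeStore map[string]string

// NewEdge builds the reverse-proxy handler: a known challenge path is answered
// at the edge, every other request is forwarded to the customer's origin.
func NewEdge(origin *url.URL, store ChallengeStore) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(origin)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if key, ok := store[r.Host+r.URL.Path]; ok {
			io.WriteString(w, key)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

// NewChallenge is the CA side: a random file name and a random key, since the
// answer above says the CA specifies both. The layout is this example's own.
func NewChallenge() (path, key string, err error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", "", err
	}
	return "/" + hex.EncodeToString(b[:16]) + ".txt", hex.EncodeToString(b[16:]), nil
}

// CAValidate fetches the challenge file over plain HTTP, as a DV CA would, and
// compares the body with the key it issued. Setting req.Host stands in for the
// DNS lookup that leads a real CA to the edge's address.
func CAValidate(c *http.Client, base, host, path, key string) (bool, error) {
	req, err := http.NewRequest(http.MethodGet, base+path, nil)
	if err != nil {
		return false, err
	}
	req.Host = host
	resp, err := c.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return false, err
	}
	return resp.StatusCode == http.StatusOK && string(body) == key, nil
}

// Demo wires origin, edge and CA together in-process and reports: did
// example.com validate, was the same challenge refused for a domain the edge
// does not host (it falls through to the origin), and is normal traffic proxied.
func Demo() (validated, foreignRefused bool, proxied string, err error) {
	origin := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "hello from origin") // constructed origin response
	}))
	defer origin.Close()
	originURL, _ := url.Parse(origin.URL)
	path, key, err := NewChallenge()
	if err != nil {
		return
	}
	edge := httptest.NewServer(NewEdge(originURL, ChallengeStore{"example.com" + path: key}))
	defer edge.Close()
	c := edge.Client()
	if validated, err = CAValidate(c, edge.URL, "example.com", path, key); err != nil {
		return
	}
	ok, err := CAValidate(c, edge.URL, "other.example", path, key)
	if err != nil {
		return
	}
	foreignRefused = !ok
	resp, err := c.Get(edge.URL + "/index.html")
	if err != nil {
		return
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return validated, foreignRefused, string(b), err
}

func main() {
	fmt.Println(Demo())
}
```

The `other.example` case is the defender's check in this design: a challenge for a host that is not configured at the edge is not answered from the store but forwarded to whatever origin is configured, so the CA sees the wrong body and validation fails. The mirror image is the point Freedo's comment raises: as long as a domain's DNS still points at the edge, the edge can pass such a challenge for it.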
1

Exactly! You point your DNS to CloudFlare. But it doesn't let you use your own SSL certificate if you don't have the Business ($200/month) or Enterprise ($5000/month) plan. You can use a flexible SSL certificate that they provide. So if you want to use your own EV SSL certificate, you need those plans. I do recommend using Incapsula Enterprise instead. Much better Web Application Firewall with DDoS protection!

  • I understand that you can't use your own certificate with the free plan. My question is why does the free plan even work: why do certificate authorities validate CloudFlare free certificates? I can't upvote your answer for this reason but thanks for participating :) – Flimm Oct 01 '15 at 11:14
1

CloudFlare nowadays has its own CA so they can fabricate any certificate they want. Their policy is to create certificates only for domains that are hosted on their DNS server, but there are no, and cannot be, such technical limitations.

Correction: CloudFlare is running Origin CA but they are not a public CA. The "Origin CA" allows CloudFlare to sign and revoke certificates for the connection between CloudFlare and the real origin host (usually not publicly known). These certificates do not have a trust chain to commonly used user agents' trust stores. That means that certificates signed by "Origin CA" are not trusted by e.g. Firefox, Chrome or Safari. That's okay because the use case for these certificates is to secure the connection between the CloudFlare front-end server (technically an HTTP reverse proxy with TLS support) and the real backend host server.

For all sites served through CloudFlare, they support Universal SSL, which seems to be currently backed by the public COMODO CA. Inspecting the certificates of a couple of sites running via CloudFlare suggests that they are getting "Domain Control Validated" certificates from COMODO where the CN record points to an actual CloudFlare-controlled reverse proxy (e.g. sni9922.cloudflaressl.com) and the Subject Alternative Names list the actual domains that are served via CloudFlare. Each certificate is used for a handful of domains.

I'm not sure why they have such an arrangement. They obviously need SNI to figure out which certificate to give to any new connection, but they should be able to acquire a real certificate for any domain they control (that is, every certificate could have a CN record pointing directly to the actually hosted domain instead of something that looks like sni9922.cloudflaressl.com).

They are obviously able to get "Domain Control Validated" certificates for any host running via them because they control the DNS records (your DNS records must point to CloudFlare to use CloudFlare for your host) and any new HTTP (or HTTPS) connections go to their front end servers.

TL;DR: CloudFlare cannot provide a valid SSL/TLS certificate for domains not under its control. However, all clients of CloudFlare have to host their DNS records on CloudFlare and as a result, CloudFlare has domain control for all its clients.

  • That link does not say that CloudFlare is its own CA. – Flimm Feb 17 '17 at 14:09
  • After looking around for more information, I believe you're right. CloudFlare only has "origin CA", which does not have a trust chain to commonly used browser CA stores. The "origin CA" is used only for securing the connection from CloudFlare to the backend "origin" host: https://blog.cloudflare.com/cloudflare-ca-encryption-origin/ -- I'll fix the answer. – Mikko Rantalainen Feb 21 '17 at 06:24