From bab63fab8d283e3920b7d5e75326e1f823326964 Mon Sep 17 00:00:00 2001
From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com>
Date: Thu, 19 Sep 2024 09:55:48 +0100
Subject: [PATCH] [SSL] Update certificate authorities info (#16679)

* Add ssl.com to certificate-authorities reference page
* Update caa-records-added-by-cf partial
* Refer ssl.com in other places where CAs used by CF are listed
* Add help link to ct-monitoring page
* Add ssl.com to custom hostname docs
* More information on availability and timeline
* Add entrust-distrust and re-order items within migration-guides
* Overall review of entrust-distrust and certificate-authorities
* Call out CF certificates as alternative to custom issued by same CAs
* Fix repeated Digicert info in CAA record content table
* Fix SSL.com availability in general CA to cert type table
* Update SSL.com browser compatibility with cross-sign info
* Add SSL.com DCV tokens validity
* Fix issue flagged in Hyperlint check
* Update distrust dates
* Fix date for Mozilla
* Apply suggestions from code review

Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>

* Fix beta capitalization and move content from banner to aside
* Update backup-certificates.mdx
* Fix apostrophe and remove banner

---------

Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
---
 .../reference/token-validity-periods.mdx | 3 +-
 .../issue-and-validate/renew-certificates.mdx | 2 +-
 .../certificate-transparency-monitoring.mdx | 2 +
 .../edge-certificates/backup-certificates.mdx | 2 +-
 .../validation-backoff-schedule.mdx | 7 ++-
 .../custom-certificates/index.mdx | 5 +-
 .../troubleshooting/ca-faq.mdx | 2 +-
 .../ssl/reference/certificate-authorities.mdx | 57 ++++++++++++++-----
 .../reference/migration-guides/dcv-update.mdx | 2 +-
 .../digicert-update/index.mdx | 2 +-
 .../migration-guides/entrust-distrust.mdx | 43 ++++++++++++++
 .../migration-guides/lets-encrypt-chain.mdx | 7 +--
 .../partials/ssl/caa-records-added-by-cf.mdx | 21 ++++---
 .../partials/ssl/universal-ssl-validity.mdx
| 2 +- 14 files changed, 120 insertions(+), 37 deletions(-) create mode 100644 src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/token-validity-periods.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/token-validity-periods.mdx index adc65dd699f349b..f7d0844637236ed 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/token-validity-periods.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/token-validity-periods.mdx @@ -16,7 +16,8 @@ However, these tokens expire after a certain amount of time, depending on your c | --------------------- | -------------- | | Let's Encrypt | 7 days | | Google Trust Services | 14 days | +| SSL.com | 14 days | :::caution - + ::: diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/renew-certificates.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/renew-certificates.mdx index db62e45a346158e..353747947a2d479 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/renew-certificates.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/renew-certificates.mdx 
@@ -13,7 +13,7 @@ import { Render } from "~/components" The exact method for certificate renewal depends on whether that hostname is proxying traffic through Cloudflare and whether it is a wildcard certificate. -Custom hostnames with DigiCert certificates currently have a validity period of one year, though DigiCert is [going to be deprecated](/ssl/reference/migration-guides/digicert-update/) soon as an option. Custom hostnames using Let's Encrypt or Google Trust Services have a 90 day validity period. +Custom hostnames with DigiCert certificates currently have a validity period of one year, though DigiCert is [going to be deprecated](/ssl/reference/migration-guides/digicert-update/) soon as an option. Custom hostnames using Let's Encrypt, Google Trust Services, or SSL.com have a 90-day validity period. Certificates are available for renewal 30 days before their expiration. diff --git a/src/content/docs/ssl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx b/src/content/docs/ssl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx index 7f0c43ed5a5c383..a66574962d27ca7 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx @@ -80,6 +80,8 @@ Only Certificate Authorities can revoke malicious certificates. If you believe a * [Sectigo support](https://sectigo.com/support) +* [SSL.com support](https://www.ssl.com/submit-a-ticket/) + ### Option 2: Contact domain registrars Domain registrars may be able to **suspend** potentially malicious domains. If, for example, you notice that a malicious domain was registered through GoDaddy, contact GoDaddy’s support team to see if they can help you. Do the same for other registrars. 
diff --git a/src/content/docs/ssl/edge-certificates/backup-certificates.mdx b/src/content/docs/ssl/edge-certificates/backup-certificates.mdx index eb7bcd63e933e6e..cac358e781f5ead 100644 --- a/src/content/docs/ssl/edge-certificates/backup-certificates.mdx +++ b/src/content/docs/ssl/edge-certificates/backup-certificates.mdx @@ -10,7 +10,7 @@ import { FeatureTable } from "~/components" If Cloudflare is providing [authoritative DNS](/dns/zone-setups/full-setup/) for your domain, Cloudflare will issue a backup [Universal SSL certificate](/ssl/edge-certificates/universal-ssl/) for every standard Universal certificate issued. -Backup certificates are wrapped with a different private key and issued from a different Certificate Authority — either Google Trust Services, Let's Encrypt, or Sectigo — than your domain's primary Universal SSL certificate. +Backup certificates are wrapped with a different private key and issued from a different Certificate Authority — either Google Trust Services, Let's Encrypt, Sectigo, or SSL.com — than your domain's primary Universal SSL certificate. These backup certificates are not normally deployed, but they will be deployed automatically by Cloudflare in the event of a certificate revocation or key compromise. diff --git a/src/content/docs/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule.mdx b/src/content/docs/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule.mdx index 321c2c4225f993b..ddc331f09831d33 100644 --- a/src/content/docs/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule.mdx +++ b/src/content/docs/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule.mdx 
@@ -17,7 +17,7 @@ If you use [Delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/de :::note -You can also request an immediate recheck by using the [Edit SSL Certificate Pack Validation Method endpoint](/api/operations/ssl-verification-edit-ssl-certificate-pack-validation-method), specifying the same `validation_method` as the [method](/ssl/edge-certificates/changing-dcv-method/methods/) you currently use. +You can also request an immediate recheck by using the [Edit SSL Certificate Pack Validation Method endpoint](/api/operations/ssl-verification-edit-ssl-certificate-pack-validation-method), specifying the same `validation_method` as the [method](/ssl/edge-certificates/changing-dcv-method/methods/) you currently use. ::: *** @@ -26,14 +26,15 @@ You can also request an immediate recheck by using the [Edit SSL Certificate Pac The DCV process relies on tokens that are generated by the issuing certificate authority. These tokens have a validity period defined by each CA: -* DigiCert - 30 days * Google Trust Services - 14 days * Let's Encrypt - 7 days +* SSL.com - 14 days +* DigiCert - 30 days After this period, DCV tokens expire as dictated by the [CA/B Baseline Requirements](https://cabforum.org/baseline-requirements-documents/), and new, valid tokens must be placed. :::caution - + ::: *** diff --git a/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx b/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx index c4828c50ab9f471..fc0ce23e4f245d5 100644 --- a/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx +++ b/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx 
@@ -19,7 +19,10 @@ When you use custom certificates, the following actions should be considered and :::note -If your custom certificate does not cover all of your first-level hostnames, you can enable [Universal SSL certificate](/ssl/edge-certificates/universal-ssl/) to cover them. +If your custom certificate does not cover all of your first-level hostnames, you can enable [Universal SSL certificate](/ssl/edge-certificates/universal-ssl/) to cover them. + +If your custom certificate is from a [certificate authority that Cloudflare partners with](/ssl/reference/certificate-authorities/), consider switching to a Cloudflare-managed certificate to benefit from automatic issuance and renewal. + ::: ## Certificate packs diff --git a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx b/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx index 4abf60934d05828..bad4a2afea90379 100644 --- a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx +++ b/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx @@ -21,7 +21,7 @@ Yes. Cloudflare can issue both RSA and ECDSA certificates. ### Which certificate authorities does Cloudflare use? -Cloudflare uses Let’s Encrypt, Google Trust Services, Sectigo, and DigiCert. You can see a complete list of products and available CAs and algorithms in the [certificate authorities reference page](/ssl/reference/certificate-authorities/). +Cloudflare uses Let's Encrypt, Google Trust Services, SSL.com, Sectigo, and DigiCert. You can see a complete list of products and available CAs and algorithms in the [certificate authorities reference page](/ssl/reference/certificate-authorities/). [DigiCert will soon be removed as a CA from the Cloudflare pipeline](/ssl/reference/migration-guides/digicert-update/) and Sectigo is only used for [backup certificates](/ssl/edge-certificates/backup-certificates/). 
diff --git a/src/content/docs/ssl/reference/certificate-authorities.mdx b/src/content/docs/ssl/reference/certificate-authorities.mdx index 587d59f69860b3b..3703589d2979c1b 100644 --- a/src/content/docs/ssl/reference/certificate-authorities.mdx +++ b/src/content/docs/ssl/reference/certificate-authorities.mdx @@ -15,24 +15,28 @@ import { Render } from "~/components" For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for each Cloudflare offering and for more details about the CAs [features, limitations, and browser compatibility](#features-limitations-and-browser-compatibility). +:::caution[SSL.com availability] +SSL.com is currently in beta for select customers and will be further rolled out starting September 2024. +::: + ## Availability per certificate type and encryption algorithm -| Certificate | Algorithm | [Let's Encrypt](#lets-encrypt) | [Google Trust Services](#google-trust-services) | [Sectigo](#sectigo) | [DigiCert](#digicert-deprecating-soon) | -| ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | ------------------------------ | ----------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------ | -| [Universal](/ssl/edge-certificates/universal-ssl/) | ECDSA


RSA
(Paid plans only) | ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon


Deprecating soon | -| [Advanced](/ssl/edge-certificates/advanced-certificate-manager/) | ECDSA


RSA | ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon


Deprecating soon | -| [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) | ECDSA


RSA | ✅


✅ | ✅


✅ | N/A


N/A | ❌


❌ | -| [SSL for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) | ECDSA


RSA | ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon


Deprecating soon | -| [Backup](/ssl/edge-certificates/backup-certificates/) | ECDSA

RSA | ✅

✅ | ✅

✅ | ✅

✅ | ❌

❌ | +| Certificate | Algorithm | [Let's Encrypt](#lets-encrypt) | [Google Trust Services](#google-trust-services) | [SSL.com](#sslcom) | [Sectigo](#sectigo) | [DigiCert](#digicert-deprecating-soon) | +|---------------------|-------|---------------|-----------------------|-|---------|--------------------------| +| [Universal](/ssl/edge-certificates/universal-ssl/)| ECDSA


RSA
(Paid plans only) | ✅


✅| ✅


✅ | ❌


❌ | N/A


N/A | ✅
Deprecating soon

Deprecating soon | +| [Advanced](/ssl/edge-certificates/advanced-certificate-manager/) | ECDSA


RSA | ✅


✅| ✅


✅ | ✅
Gradual roll-out

Gradual roll-out | N/A


N/A | ✅
Deprecating soon

Deprecating soon | +| [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) | ECDSA


RSA | ✅


✅| ✅


✅ | ✅
Gradual roll-out

Gradual roll-out | N/A


N/A | ❌


❌ | +| [SSL for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) | ECDSA


RSA |✅


✅| ✅


✅ | ✅
Gradual roll-out

Gradual roll-out | N/A


N/A | ✅
Deprecating soon

Deprecating soon | +| [Backup](/ssl/edge-certificates/backup-certificates/) | ECDSA

RSA | ✅

✅| ✅

✅ | ✅

✅ | ✅

✅ | ❌

❌ | ## Features, limitations and browser compatibility :::caution[Universal SSL] - + ::: *** @@ -49,7 +53,7 @@ For publicly trusted certificates, Cloudflare partners with different certificat #### Browser compatibility -:::caution +:::caution[Warning] This section summarizes commonly requested client support information. For the complete and most up-to-date certificate compatibility, refer to [Let's Encrypt documentation](https://letsencrypt.org/docs/certificate-compatibility/). @@ -78,7 +82,7 @@ You can find the full list of supported clients in the [Let's Encrypt documentat #### Browser compatibility (most compatible) -:::caution +:::caution[Warning] This section summarizes commonly requested client support information. For the complete and most up-to-date certificate compatibility, refer to [Google Trust Services documentation](https://pki.goog/faq/). 
@@ -94,6 +98,33 @@ You can use the [root CAs list](https://pki.goog/faq/#faq-27) for checking compa *** +### SSL.com + +* Supports [validity periods](/ssl/reference/certificate-validity-periods/) of 14, 30, and 90 days. Enterprise customers using [advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) can also choose a validity period of one year. +* [DCV tokens](/ssl/edge-certificates/changing-dcv-method/) are valid for 14 days. + +#### Limitations + +SSL.com DCV tokens are specific for RSA certificates and ECDSA certificates. This means that, for cases where you have to [manually perform DCV](/ssl/edge-certificates/changing-dcv-method/#partial-dns-setup---action-sometimes-required), you will have to place two validation tokens per certificate order. To avoid management overhead, consider using a [full setup](/ssl/edge-certificates/changing-dcv-method/#full-dns-setup---no-action-required), or setting up [Delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/). + +#### Browser compatibility + +:::caution[Warning] + +This section summarizes commonly requested client support information. For the complete and most up-to-date certificate compatibility, refer to [SSL.com documentation](https://www.ssl.com/browser_compatibility/). + +::: + +SSL.com is highly compatible, being accepted by over 99.9% of browsers, tablets, and mobile devices. + +SSL.com certificates are [cross-signed with Certum](https://www.ssl.com/repository/) and the [CA that cross-signs intermediates](https://crt.sh/?caid=840) is from 2004. + +#### Other resources + +[Acceptable top level domains (TLDs) and current restrictions](https://www.ssl.com/acceptable-top-level-domains-tlds-for-ssl-certificates/) + +*** + ### Sectigo * Only used for [Backup certificates](/ssl/edge-certificates/backup-certificates/). 
@@ -135,11 +166,11 @@ If you are using Cloudflare as your DNS provider, then the CAA records will be a The following table lists the CAA record content for each CA: - | Certificate authority | CAA record content | -| --------------------- | ---------------------------------------- | +|-----------------------|------------------------------------------| | Let's Encrypt | `letsencrypt.org` | | Google Trust Services | `pki.goog; cansignhttpexchanges=yes` | -| DigiCert | `digicert.com; cansignhttpexchanges=yes` | +| SSL.com | `ssl.com` | | Sectigo | `sectigo.com` | +| DigiCert | `digicert.com; cansignhttpexchanges=yes` | diff --git a/src/content/docs/ssl/reference/migration-guides/dcv-update.mdx b/src/content/docs/ssl/reference/migration-guides/dcv-update.mdx index e084278820f9611..74939d1420bb41b 100644 --- a/src/content/docs/ssl/reference/migration-guides/dcv-update.mdx +++ b/src/content/docs/ssl/reference/migration-guides/dcv-update.mdx @@ -2,7 +2,7 @@ pcx_content_type: reference title: Changes to HTTP DCV sidebar: - order: 3 + order: 4 --- diff --git a/src/content/docs/ssl/reference/migration-guides/digicert-update/index.mdx b/src/content/docs/ssl/reference/migration-guides/digicert-update/index.mdx index b92f6966a4cc69a..dde07851813dca4 100644 --- a/src/content/docs/ssl/reference/migration-guides/digicert-update/index.mdx +++ b/src/content/docs/ssl/reference/migration-guides/digicert-update/index.mdx @@ -2,7 +2,7 @@ pcx_content_type: navigation title: DigiCert update sidebar: - order: 2 + order: 3 --- diff --git a/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx b/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx new file mode 100644 index 000000000000000..84160f659fd43a1 --- /dev/null +++ b/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx 
@@ -0,0 +1,43 @@ +--- +pcx_content_type: reference +title: Entrust distrust by major browsers +sidebar: + order: 1 + label: Entrust distrust +head: [] +description: Chrome and Mozilla have announced they will no longer trust Entrust certificates. Read about this change and how you can use Cloudflare to reduce impact. +--- + +import { Details } from "~/components"; + +Google Chrome and Mozilla have announced they will no longer trust certificates issued from Entrust's root CAs. + +Since Entrust is not within the [certificate authorities](/ssl/reference/certificate-authorities/) used by Cloudflare, this change may only affect customers who upload [custom certificates](/ssl/edge-certificates/custom-certificates/) issued by Entrust. + +## The decision + +New Entrust certificates issued on **November 12, 2024 or after** will not be trusted on Chrome by default. And new Entrust certificates issued on **December 1, 2024 or after** will not be trusted on Mozilla by default. + +Refer to the announcements ([Chrome](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html), [Mozilla](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/jCvkhBjg9Yw?pli=1)) for a full list of roots that will be distrusted. + +## Entrust's response + +To prevent their customers from facing issues, Entrust has partnered with SSL.com, a different certificate authority, trusted by both Chrome and Mozilla. + +This means that Entrust certificates will be issued using SSL.com roots. + +## Cloudflare managed certificates + +Since Cloudflare also [partners with SSL.com](/ssl/reference/certificate-authorities/), you can switch from uploading custom certificates to using Cloudflare's managed certificates. This change brings the following advantages: + +* Use [Advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) to have more control and flexibility while also benefitting from automatic renewals. 
+* Enable [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) to automatically issue certificates for your [proxied hostnames](/dns/manage-dns-records/reference/proxied-dns-records/). +* Use [Delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/) to reduce manual intervention when renewing certificates for [partial (CNAME) setup](/dns/zone-setups/partial-setup/) zones. +* If you are a SaaS provider, extend the benefits of automatic renewals to your customers by specifying SSL.com as the certificate authority when [creating](/api/operations/custom-hostname-for-a-zone-create-custom-hostname) or [editing](/api/operations/custom-hostname-for-a-zone-edit-custom-hostname) your custom hostnames (API only). + +## More resources + +* [Use Cloudflare with SSL.com certificates](/ssl/reference/certificate-authorities/) +* [Google Security Blog](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html) +* [Entrust TLS Certificate Information Center](https://www.entrust.com/tls-certificate-information-center) + diff --git a/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx b/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx index 8e6554f69f63034..9a91dac624d3796 100644 --- a/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx +++ b/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx @@ -2,14 +2,11 @@ pcx_content_type: reference title: Let's Encrypt chain update sidebar: - order: 1 + order: 2 head: [] description: Review notes on the expiration of ISRG Root X1 cross-signed with - DST Root CA X3, and how it may affect Cloudflare customers that use Let’s + DST Root CA X3, and how it may affect Cloudflare customers that use Let's Encrypt. -banner: - content: | - On September 9, 2024, Cloudflare will start rebundling all Let's Encrypt certificates using a new chain. --- import { Details } from "~/components"; 
diff --git a/src/content/partials/ssl/caa-records-added-by-cf.mdx b/src/content/partials/ssl/caa-records-added-by-cf.mdx index d9d9e4a541ebc7e..b20254d7e9810ed 100644 --- a/src/content/partials/ssl/caa-records-added-by-cf.mdx +++ b/src/content/partials/ssl/caa-records-added-by-cf.mdx @@ -14,6 +14,19 @@ If Cloudflare has automatically added CAA records on your behalf, these records ```bash ➜ ~ dig example.com caa +short + +# CAA records added by Google Trust Services +0 issue "pki.goog; cansignhttpexchanges=yes" +0 issuewild "pki.goog; cansignhttpexchanges=yes" + +# CAA records added by Let's Encrypt +0 issue "letsencrypt.org" +0 issuewild "letsencrypt.org" + +# CAA records added by SSL.com +0 issue "ssl.com" +0 issuewild "ssl.com" + # CAA records added by DigiCert 0 issue "digicert.com; cansignhttpexchanges=yes" 0 issuewild "digicert.com; cansignhttpexchanges=yes" @@ -21,12 +34,4 @@ If Cloudflare has automatically added CAA records on your behalf, these records # CAA records added by Sectigo 0 issue "sectigo.com" 0 issuewild "sectigo.com" - -# CAA records added by Let's Encrypt -0 issue "letsencrypt.org" -0 issuewild "letsencrypt.org" - -# CAA records added by Google Trust Services -0 issue "pki.goog; cansignhttpexchanges=yes" -0 issuewild "pki.goog; cansignhttpexchanges=yes" ``` diff --git a/src/content/partials/ssl/universal-ssl-validity.mdx b/src/content/partials/ssl/universal-ssl-validity.mdx index f79ecd35b8164d7..c287fd1bede255a 100644 --- a/src/content/partials/ssl/universal-ssl-validity.mdx +++ b/src/content/partials/ssl/universal-ssl-validity.mdx 
@@ -5,4 +5,4 @@ For Universal certificates, Cloudflare controls the validity periods and certificate autorities (CAs), making sure that renewal always occur. -Universal certificates issued by Let’s Encrypt or Google Trust Services have a 90 day validity period. Cloudflare no longer uses DigiCert for newly issued Universal certificates and, for existing ones, the validity period is being adjusted from one year to 90 days. +Universal certificates issued by Let's Encrypt, Google Trust Services, or SSL.com have a 90-day validity period. Cloudflare no longer uses DigiCert for newly issued Universal certificates and, for existing ones, the validity period is being adjusted from one year to 90 days. \ No newline at end of file
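Review bot: In validation-backoff-schedule.mdx (hunk @@ -26,14 +26,15), the new list item "SSL.com - 14 days" omits the caveat that the SSL.com section of certificate-authorities.mdx adds in this same patch: SSL.com DCV tokens are per key type, so manual DCV needs two tokens per certificate order. This list and the table in token-validity-periods.mdx are where someone placing tokens by hand will look, so link both entries to that limitation. The 14-day value is now written out in three files; moving it into a shared partial, as is already done for the CAA records, would keep the copies from drifting.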
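Review bot: In certificate-authorities.mdx (hunk @@ -15,24 +15,28), the Backup row of the availability table marks SSL.com as ✅ for both ECDSA and RSA with no qualifier, while the Advanced, Total TLS and SSL for SaaS rows say "Gradual roll-out" and the caution above the table says SSL.com is in beta for select customers. Please confirm whether backup issuance is outside the beta and, if it is not, add the same qualifier. The caution's "will be further rolled out starting September 2024" was already the current month when this patch was written (19 Sep 2024) and will go stale quickly; link to a changelog entry or drop the date. The ca-faq.mdx and backup-certificates.mdx hunks also list SSL.com without mentioning the limited availability.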
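Review bot: In the new SSL.com section of certificate-authorities.mdx (hunk @@ -94,6 +98,33), the browser compatibility paragraph is too vague to act on: "the CA that cross-signs intermediates is from 2004" does not name the cross-signing root or say what the year means for a reader checking an older client trust store. Name the root as it appears in the linked crt.sh entry and state the consequence in one sentence. Under Limitations, "DCV tokens are specific for RSA certificates and ECDSA certificates" should say plainly that each key type gets its own token, since the next sentence depends on that. The "over 99.9%" figure should cite its source or defer to the linked SSL.com compatibility page.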
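Review bot: In the new entrust-distrust.mdx, "The decision" section gives cut-off dates only for newly issued certificates and never says whether custom certificates issued before those dates, which customers may already have uploaded, need any action. State that explicitly or point to the part of each announcement that covers it. "Trusted on Mozilla" should name Firefox, since the sentence before it names the Chrome browser rather than Google. In the intro, "may only affect" is ambiguous; "only affects customers who upload custom certificates issued by Entrust" is likely what is meant. The Mozilla announcement URL carries a stray `?pli=1` parameter. The SaaS bullet says to specify SSL.com as the certificate authority "(API only)" but does not show the value to send; add it or link to where it is documented.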
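Review bot: In caa-records-added-by-cf.mdx, the new comment lines in the dig example ("# CAA records added by Google Trust Services", "... by Let's Encrypt", "... by SSL.com") read as if each CA adds the records, while this partial describes records Cloudflare adds on the customer's behalf. Reword all five comments, including the unchanged DigiCert and Sectigo ones, to "for <CA>". The resulting order (Google Trust Services, Let's Encrypt, SSL.com, DigiCert, Sectigo) also differs from the CAA record content table in certificate-authorities.mdx (Let's Encrypt, Google Trust Services, SSL.com, Sectigo, DigiCert); use one order in both places so readers comparing their own zone against the docs are not misled into thinking a record is missing.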
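Review bot: The added sentence in universal-ssl-validity.mdx names SSL.com as an issuer of Universal certificates, but the availability table this patch adds to certificate-authorities.mdx marks SSL.com as ❌ for Universal (ECDSA and RSA) and ✅ only for Backup. Either remove SSL.com from this sentence or qualify it (for example, as applying to backup certificates) so the two pages agree. While the file is open, the unchanged context line still reads "certificate autorities" and "renewal always occur"; correct both, and add the missing newline at end of file.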