From fb07a9e582ab85d797334343c1b24d8209372959 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 6 Sep 2024 10:45:24 +0100 Subject: [PATCH 01/20] Add ssl.com to certificate-authorities reference page --- .../ssl/reference/certificate-authorities.mdx | 46 +++++++++++++++---- 1 file changed, 36 insertions(+), 10 deletions(-) diff --git a/src/content/docs/ssl/reference/certificate-authorities.mdx b/src/content/docs/ssl/reference/certificate-authorities.mdx index 587d59f69860b3b..b3a36200956a58d 100644 --- a/src/content/docs/ssl/reference/certificate-authorities.mdx +++ b/src/content/docs/ssl/reference/certificate-authorities.mdx @@ -19,20 +19,20 @@ For publicly trusted certificates, Cloudflare partners with different certificat -| Certificate | Algorithm | [Let's Encrypt](#lets-encrypt) | [Google Trust Services](#google-trust-services) | [Sectigo](#sectigo) | [DigiCert](#digicert-deprecating-soon) | -| ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | ------------------------------ | ----------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------ | -| [Universal](/ssl/edge-certificates/universal-ssl/) | ECDSA


RSA
(Paid plans only) | ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon


Deprecating soon | -| [Advanced](/ssl/edge-certificates/advanced-certificate-manager/) | ECDSA


RSA | ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon


Deprecating soon | -| [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) | ECDSA


RSA | ✅


✅ | ✅


✅ | N/A


N/A | ❌


❌ | -| [SSL for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) | ECDSA


RSA | ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon


Deprecating soon | -| [Backup](/ssl/edge-certificates/backup-certificates/) | ECDSA

RSA | ✅

✅ | ✅

✅ | ✅

✅ | ❌

❌ | +| Certificate | Algorithm | [Let's Encrypt](#lets-encrypt) | [Google Trust Services](#google-trust-services) | [SSL.com](#sslcom) | [Sectigo](#sectigo) | [DigiCert](#digicert-deprecating-soon) | +|---------------------|-------|---------------|-----------------------|-|---------|--------------------------| +| [Universal](/ssl/edge-certificates/universal-ssl/)| ECDSA


RSA
(Paid plans only) | ✅


✅| ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon


Deprecating soon | +| [Advanced](/ssl/edge-certificates/advanced-certificate-manager/) | ECDSA


RSA | ✅


✅| ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon


Deprecating soon | +| [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) | ECDSA


RSA | ✅


✅| ✅


✅ | ❌


❌ | N/A


N/A | ❌


❌ | +| [SSL for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) | ECDSA


RSA |✅


✅| ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon


Deprecating soon | +| [Backup](/ssl/edge-certificates/backup-certificates/) | ECDSA

RSA | ✅

✅| ✅

✅ | ✅

✅ | ✅

✅ | ❌

❌ | ## Features, limitations and browser compatibility :::caution[Universal SSL] - + ::: *** @@ -94,6 +94,31 @@ You can use the [root CAs list](https://pki.goog/faq/#faq-27) for checking compa *** +### SSL.com + +* Supports [validity periods](/ssl/reference/certificate-validity-periods/) of 14, 30, and 90 days. Enterprise customers using [advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) can also choose a validity period of one year. + +#### Limitations + +SSL.com DCV tokens are specific for RSA certificates and ECDSA certificates. This means that, for cases where you have to [manually perform DCV](/ssl/edge-certificates/changing-dcv-method/#partial-dns-setup---action-sometimes-required), you will have to place two validation tokens per certificate order. + +To avoid management overhead, consider using a [full setup](/ssl/edge-certificates/changing-dcv-method/#full-dns-setup---no-action-required), or setting up [Delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/). + +#### Browser compatibility + +:::caution + +This section summarizes commonly requested client support information. For the complete and most up-to-date certificate compatibility, refer to [SSL.com documentation](https://www.ssl.com/browser_compatibility/). + +::: + +SSL.com is highly compatible, being accepted by over 99.9% of browsers, tablets, and mobile devices. + +#### Other resources +[Acceptable top level domains (TLDs) and current restrictions](https://www.ssl.com/acceptable-top-level-domains-tlds-for-ssl-certificates/) + +*** + ### Sectigo * Only used for [Backup certificates](/ssl/edge-certificates/backup-certificates/). 
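Review bot: In the new `### SSL.com` section, the sentence "SSL.com is highly compatible, being accepted by over 99.9% of browsers, tablets, and mobile devices." gives a figure with no source beside it. Link the number to the SSL.com page it comes from, or drop it and rely on the compatibility link in the caution block just above. Also, `#### Other resources` is followed directly by the link line, while `#### Limitations` and `#### Browser compatibility` in the same hunk are each followed by a blank line; add the blank line here as well.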
@@ -135,11 +160,12 @@ If you are using Cloudflare as your DNS provider, then the CAA records will be a The following table lists the CAA record content for each CA: - | Certificate authority | CAA record content | -| --------------------- | ---------------------------------------- | +|-----------------------|------------------------------------------| | Let's Encrypt | `letsencrypt.org` | | Google Trust Services | `pki.goog; cansignhttpexchanges=yes` | | DigiCert | `digicert.com; cansignhttpexchanges=yes` | +| SSL.com | `ssl.com` | | Sectigo | `sectigo.com` | +| DigiCert | `digicert.com; cansignhttpexchanges=yes` | From 021e030aa4881378427df915bbf361d9b4906de3 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 6 Sep 2024 11:08:04 +0100 Subject: [PATCH 02/20] Update caa-records-added-by-cf partial --- .../partials/ssl/caa-records-added-by-cf.mdx | 21 ++++++++++++------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/src/content/partials/ssl/caa-records-added-by-cf.mdx b/src/content/partials/ssl/caa-records-added-by-cf.mdx index d9d9e4a541ebc7e..b20254d7e9810ed 100644 --- a/src/content/partials/ssl/caa-records-added-by-cf.mdx +++ b/src/content/partials/ssl/caa-records-added-by-cf.mdx @@ -14,6 +14,19 @@ If Cloudflare has automatically added CAA records on your behalf, these records ```bash ➜ ~ dig example.com caa +short + +# CAA records added by Google Trust Services +0 issue "pki.goog; cansignhttpexchanges=yes" +0 issuewild "pki.goog; cansignhttpexchanges=yes" + +# CAA records added by Let's Encrypt +0 issue "letsencrypt.org" +0 issuewild "letsencrypt.org" + +# CAA records added by SSL.com +0 issue "ssl.com" +0 issuewild "ssl.com" + # CAA records added by DigiCert 0 issue "digicert.com; cansignhttpexchanges=yes" 0 issuewild "digicert.com; cansignhttpexchanges=yes" 
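Review bot: The blocks moved to the top of the `dig` sample put Google Trust Services before Let's Encrypt, and the unchanged lines below keep DigiCert ahead of Sectigo, whereas the CAA record content table in certificate-authorities.mdx (PATCH 01/20) lists Let's Encrypt, Google Trust Services, SSL.com, Sectigo, DigiCert. Use the same order in both places so the sample output can be compared with the table row by row.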
@@ -21,12 +34,4 @@ If Cloudflare has automatically added CAA records on your behalf, these records # CAA records added by Sectigo 0 issue "sectigo.com" 0 issuewild "sectigo.com" - -# CAA records added by Let's Encrypt -0 issue "letsencrypt.org" -0 issuewild "letsencrypt.org" - -# CAA records added by Google Trust Services -0 issue "pki.goog; cansignhttpexchanges=yes" -0 issuewild "pki.goog; cansignhttpexchanges=yes" ``` From b9651f37bc58ddf466754d72c849171bb4b4cfb6 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 6 Sep 2024 11:12:30 +0100 Subject: [PATCH 03/20] Refer ssl.com in other places where CAs used by CF are listed --- .../docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx | 2 +- src/content/partials/ssl/universal-ssl-validity.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx b/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx index 4abf60934d05828..e7275ae1931784c 100644 --- a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx +++ b/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx @@ -21,7 +21,7 @@ Yes. Cloudflare can issue both RSA and ECDSA certificates. ### Which certificate authorities does Cloudflare use? -Cloudflare uses Let’s Encrypt, Google Trust Services, Sectigo, and DigiCert. You can see a complete list of products and available CAs and algorithms in the [certificate authorities reference page](/ssl/reference/certificate-authorities/). +Cloudflare uses Let’s Encrypt, Google Trust Services, SSL.com, Sectigo, and DigiCert. You can see a complete list of products and available CAs and algorithms in the [certificate authorities reference page](/ssl/reference/certificate-authorities/). [DigiCert will soon be removed as a CA from the Cloudflare pipeline](/ssl/reference/migration-guides/digicert-update/) and Sectigo is only used for [backup certificates](/ssl/edge-certificates/backup-certificates/). 
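Review bot: The changed answer line in ca-faq.mdx adds SSL.com to the list without any qualifier, while the unchanged sentence right after it qualifies DigiCert ("will soon be removed") and Sectigo ("only used for backup certificates"). PATCH 06/20 describes SSL.com as "currently in Beta for select customers", so a matching clause belongs here. The line also keeps the curly apostrophe in "Let’s Encrypt", while the universal-ssl-validity.mdx change in this same patch switches to a straight one; pick one form for both files.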
diff --git a/src/content/partials/ssl/universal-ssl-validity.mdx b/src/content/partials/ssl/universal-ssl-validity.mdx index f79ecd35b8164d7..c287fd1bede255a 100644 --- a/src/content/partials/ssl/universal-ssl-validity.mdx +++ b/src/content/partials/ssl/universal-ssl-validity.mdx @@ -5,4 +5,4 @@ For Universal certificates, Cloudflare controls the validity periods and certificate autorities (CAs), making sure that renewal always occur. -Universal certificates issued by Let’s Encrypt or Google Trust Services have a 90 day validity period. Cloudflare no longer uses DigiCert for newly issued Universal certificates and, for existing ones, the validity period is being adjusted from one year to 90 days. +Universal certificates issued by Let's Encrypt, Google Trust Services, or SSL.com have a 90-day validity period. Cloudflare no longer uses DigiCert for newly issued Universal certificates and, for existing ones, the validity period is being adjusted from one year to 90 days. \ No newline at end of file From 0420810b42b6ba65af0789d9fcc774deca0ca60b Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 6 Sep 2024 11:13:03 +0100 Subject: [PATCH 04/20] Add help link to ct-monitoring page --- .../additional-options/certificate-transparency-monitoring.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/content/docs/ssl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx b/src/content/docs/ssl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx index 7f0c43ed5a5c383..a66574962d27ca7 100644 --- a/src/content/docs/ssl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx +++ b/src/content/docs/ssl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx 
@@ -80,6 +80,8 @@ Only Certificate Authorities can revoke malicious certificates. If you believe a * [Sectigo support](https://sectigo.com/support) +* [SSL.com support](https://www.ssl.com/submit-a-ticket/) + ### Option 2: Contact domain registrars Domain registrars may be able to **suspend** potentially malicious domains. If, for example, you notice that a malicious domain was registered through GoDaddy, contact GoDaddy’s support team to see if they can help you. Do the same for other registrars. From 2a570a6d46a192ac6fea0546f2e43f5095a83bc7 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 6 Sep 2024 11:15:50 +0100 Subject: [PATCH 05/20] Add ssl.com to custom hostname docs --- .../issue-and-validate/renew-certificates.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/renew-certificates.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/renew-certificates.mdx index db62e45a346158e..353747947a2d479 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/renew-certificates.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/renew-certificates.mdx 
@@ -13,7 +13,7 @@ import { Render } from "~/components" The exact method for certificate renewal depends on whether that hostname is proxying traffic through Cloudflare and whether it is a wildcard certificate. -Custom hostnames with DigiCert certificates currently have a validity period of one year, though DigiCert is [going to be deprecated](/ssl/reference/migration-guides/digicert-update/) soon as an option. Custom hostnames using Let's Encrypt or Google Trust Services have a 90 day validity period. +Custom hostnames with DigiCert certificates currently have a validity period of one year, though DigiCert is [going to be deprecated](/ssl/reference/migration-guides/digicert-update/) soon as an option. Custom hostnames using Let's Encrypt, Google Trust Services, or SSL.com have a 90-day validity period. Certificates are available for renewal 30 days before their expiration. From 2a623edb3666da102e569280d7a4238b51199cb6 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Fri, 6 Sep 2024 12:17:17 +0100 Subject: [PATCH 06/20] More information on availability and timeline --- .../docs/ssl/reference/certificate-authorities.mdx | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/src/content/docs/ssl/reference/certificate-authorities.mdx b/src/content/docs/ssl/reference/certificate-authorities.mdx index b3a36200956a58d..d096b16d6daee50 100644 --- a/src/content/docs/ssl/reference/certificate-authorities.mdx +++ b/src/content/docs/ssl/reference/certificate-authorities.mdx @@ -8,7 +8,9 @@ description: For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for each Cloudflare offering and for more details about the CAs features, limitations, and browser compatibility. - +banner: + content: | + SSL.com is currently in Beta for select customers and will be further rolled out starting September 2024. --- import { Render } from "~/components" 
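Review bot: The banner `content` added to the front matter hard-codes "starting September 2024", which will read as stale once the roll-out has moved on. Either drop the date (for example "and is being rolled out gradually") or plan the banner's removal in a follow-up. The table hunk that follows in this patch marks only the Total TLS row as "Gradual roll-out", so the banner wording and the table should be checked against each other before merging.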
@@ -21,10 +23,10 @@ For publicly trusted certificates, Cloudflare partners with different certificat | Certificate | Algorithm | [Let's Encrypt](#lets-encrypt) | [Google Trust Services](#google-trust-services) | [SSL.com](#sslcom) | [Sectigo](#sectigo) | [DigiCert](#digicert-deprecating-soon) | |---------------------|-------|---------------|-----------------------|-|---------|--------------------------| -| [Universal](/ssl/edge-certificates/universal-ssl/)| ECDSA


RSA
(Paid plans only) | ✅


✅| ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon


Deprecating soon | -| [Advanced](/ssl/edge-certificates/advanced-certificate-manager/) | ECDSA


RSA | ✅


✅| ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon


Deprecating soon | -| [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) | ECDSA


RSA | ✅


✅| ✅


✅ | ❌


❌ | N/A


N/A | ❌


❌ | -| [SSL for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) | ECDSA


RSA |✅


✅| ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon


Deprecating soon | +| [Universal](/ssl/edge-certificates/universal-ssl/)| ECDSA


RSA
(Paid plans only) | ✅


✅| ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon

Deprecating soon | +| [Advanced](/ssl/edge-certificates/advanced-certificate-manager/) | ECDSA


RSA | ✅


✅| ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon

Deprecating soon | +| [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) | ECDSA


RSA | ✅


✅| ✅


✅ | ✅
Gradual roll-out

Gradual roll-out | N/A


N/A | ❌


❌ | +| [SSL for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) | ECDSA


RSA |✅


✅| ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon

Deprecating soon | | [Backup](/ssl/edge-certificates/backup-certificates/) | ECDSA

RSA | ✅

✅| ✅

✅ | ✅

✅ | ✅

✅ | ❌

❌ | From 26a83539d11fe98bc32aa653af7c4128ab6343ef Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Mon, 9 Sep 2024 18:48:17 +0100 Subject: [PATCH 07/20] Add entrust-distrust and re-order items within migration-guides --- .../reference/migration-guides/dcv-update.mdx | 2 +- .../digicert-update/index.mdx | 2 +- .../migration-guides/entrust-distrust.mdx | 43 +++++++++++++++++++ .../migration-guides/lets-encrypt-chain.mdx | 2 +- 4 files changed, 46 insertions(+), 3 deletions(-) create mode 100644 src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx diff --git a/src/content/docs/ssl/reference/migration-guides/dcv-update.mdx b/src/content/docs/ssl/reference/migration-guides/dcv-update.mdx index e084278820f9611..74939d1420bb41b 100644 --- a/src/content/docs/ssl/reference/migration-guides/dcv-update.mdx +++ b/src/content/docs/ssl/reference/migration-guides/dcv-update.mdx @@ -2,7 +2,7 @@ pcx_content_type: reference title: Changes to HTTP DCV sidebar: - order: 3 + order: 4 --- diff --git a/src/content/docs/ssl/reference/migration-guides/digicert-update/index.mdx b/src/content/docs/ssl/reference/migration-guides/digicert-update/index.mdx index b92f6966a4cc69a..dde07851813dca4 100644 --- a/src/content/docs/ssl/reference/migration-guides/digicert-update/index.mdx +++ b/src/content/docs/ssl/reference/migration-guides/digicert-update/index.mdx @@ -2,7 +2,7 @@ pcx_content_type: navigation title: DigiCert update sidebar: - order: 2 + order: 3 --- diff --git a/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx b/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx new file mode 100644 index 000000000000000..2c4018bd5ea2b1f --- /dev/null +++ b/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx 
@@ -0,0 +1,43 @@ +--- +pcx_content_type: reference +title: Entrust distrust by popular browsers +sidebar: + order: 1 + label: Entrust distrust +head: [] +description: Chrome and Mozilla have announced they will no longer trust Entrust certificates. Read about this change and how you can use Cloudflare to reduce impact. +--- + +import { Details } from "~/components"; + +Google Chrome and Mozilla have announced they will no longer trust certificates issued from Entrust's root CAs. + +Since Entrust is not within the [certificate authorities](/ssl/reference/certificate-authorities/) used by Cloudflare, this change may only affect customers who upload [custom certificates](/ssl/edge-certificates/custom-certificates/) issued by Entrust. + +## The decision + +New Entrust certificates issued on **November 1, 2024 or after** will not be trusted on Chrome by default. And new Entrust certificates issued or on **December 1, 2024 or after** will not be trusted on Mozilla by default. + +Refer to the announcements ([Chrome](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html), [Mozilla](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/jCvkhBjg9Yw?pli=1)) for a full list of roots that will be distrusted. + +## Entrust response + +To prevent their customers from facing issues, Entrust has partnered with SSL.com, a different certificate authority, trusted by both Chrome and Mozilla. + +This means that Entrust certificates will be issued using SSL.com roots. + +## Cloudflare managed certificates + +Since Cloudflare also [partners with SSL.com](/ssl/reference/certificate-authorities/), switching from uploading custom certificates by Entrust to using Cloudflare's managed certificates brings several advantages: + + +* Use [Advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) to have more control and flexibility while also benefitting from automatic renewals. 
+* Enable [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) to automatically issue certificates for your [proxied hostnames](/dns/manage-dns-records/reference/proxied-dns-records/). +* Use [Delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/) to reduce manual intervention when renewing certificates for [partial (CNAME) setup](/dns/zone-setups/partial-setup/) zones. +* If you are a SaaS provider, extend the benefits of automatic renewals to your customers by specifying SSL.com as the certificate authority when [creating](/api/operations/custom-hostname-for-a-zone-create-custom-hostname) or [editing](/api/operations/custom-hostname-for-a-zone-edit-custom-hostname) your custom hostnames (API only). + +## More resources + +* [Google Security Blog](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html) +* [Entrust TLS Certificate Information Center](https://www.entrust.com/tls-certificate-information-center) + diff --git a/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx b/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx index 8e6554f69f63034..62fb113f0cef180 100644 --- a/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx +++ b/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx @@ -2,7 +2,7 @@ pcx_content_type: reference title: Let's Encrypt chain update sidebar: - order: 1 + order: 2 head: [] description: Review notes on the expiration of ISRG Root X1 cross-signed with DST Root CA X3, and how it may affect Cloudflare customers that use Let’s From 1df0cf842c480c010774189410676fe49578c9f5 Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro Date: Tue, 10 Sep 2024 08:41:56 +0100 Subject: [PATCH 08/20] Overall review of entrust-distrust and certificate-authorities --- .../docs/ssl/reference/certificate-authorities.mdx | 6 +++--- .../ssl/reference/migration-guides/entrust-distrust.mdx | 8 ++++---- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/content/docs/ssl/reference/certificate-authorities.mdx b/src/content/docs/ssl/reference/certificate-authorities.mdx index d096b16d6daee50..eaf4a6cb2216add 100644 --- a/src/content/docs/ssl/reference/certificate-authorities.mdx +++ b/src/content/docs/ssl/reference/certificate-authorities.mdx @@ -51,7 +51,7 @@ For publicly trusted certificates, Cloudflare partners with different certificat #### Browser compatibility -:::caution +:::caution[Warning] This section summarizes commonly requested client support information. For the complete and most up-to-date certificate compatibility, refer to [Let's Encrypt documentation](https://letsencrypt.org/docs/certificate-compatibility/). @@ -80,7 +80,7 @@ You can find the full list of supported clients in the [Let's Encrypt documentat #### Browser compatibility (most compatible) -:::caution +:::caution[Warning] This section summarizes commonly requested client support information. For the complete and most up-to-date certificate compatibility, refer to [Google Trust Services documentation](https://pki.goog/faq/). @@ -108,7 +108,7 @@ To avoid management overhead, consider using a [full setup](/ssl/edge-certificat #### Browser compatibility -:::caution +:::caution[Warning] This section summarizes commonly requested client support information. For the complete and most up-to-date certificate compatibility, refer to [SSL.com documentation](https://www.ssl.com/browser_compatibility/). diff --git a/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx b/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx index 2c4018bd5ea2b1f..4fe1e6801c5bbd5 100644 
--- a/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx +++ b/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx @@ -1,6 +1,6 @@ --- pcx_content_type: reference -title: Entrust distrust by popular browsers +title: Entrust distrust by major browsers sidebar: order: 1 label: Entrust distrust @@ -20,7 +20,7 @@ New Entrust certificates issued on **November 1, 2024 or after** will not be tru Refer to the announcements ([Chrome](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html), [Mozilla](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/jCvkhBjg9Yw?pli=1)) for a full list of roots that will be distrusted. -## Entrust response +## Entrust's response To prevent their customers from facing issues, Entrust has partnered with SSL.com, a different certificate authority, trusted by both Chrome and Mozilla. @@ -28,8 +28,7 @@ This means that Entrust certificates will be issued using SSL.com roots. ## Cloudflare managed certificates -Since Cloudflare also [partners with SSL.com](/ssl/reference/certificate-authorities/), switching from uploading custom certificates by Entrust to using Cloudflare's managed certificates brings several advantages: - +Since Cloudflare also [partners with SSL.com](/ssl/reference/certificate-authorities/), you can switch from uploading custom certificates to using Cloudflare's managed certificates. This change brings the following advantages: * Use [Advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) to have more control and flexibility while also benefitting from automatic renewals. * Enable [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) to automatically issue certificates for your [proxied hostnames](/dns/manage-dns-records/reference/proxied-dns-records/). 
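Review bot: The rewritten lead-in in the "Cloudflare managed certificates" section ends with "This change brings the following advantages:", but the bullets under it are instructions ("Use [Advanced certificates]...", "Enable [Total TLS]..."), not advantages. Reword the lead-in to introduce actions, or rephrase each bullet as the benefit it delivers, so the sentence and the list agree.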
@@ -38,6 +37,7 @@ Since Cloudflare also [partners with SSL.com](/ssl/reference/certificate-authori ## More resources +* [Use Cloudflare with SSL.com certificates](/ssl/reference/certificate-authorities/) * [Google Security Blog](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html) * [Entrust TLS Certificate Information Center](https://www.entrust.com/tls-certificate-information-center) From 54cebbc8428f42752b84549dbbbf8d0e10db75fc Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 10 Sep 2024 08:51:48 +0100 Subject: [PATCH 09/20] Call out CF certificates as alternative to custom issued by same CAs --- .../docs/ssl/edge-certificates/custom-certificates/index.mdx | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx b/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx index c4828c50ab9f471..02ffd0ce20f7837 100644 --- a/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx +++ b/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx @@ -19,7 +19,10 @@ When you use custom certificates, the following actions should be considered and :::note -If your custom certificate does not cover all of your first-level hostnames, you can enable [Universal SSL certificate](/ssl/edge-certificates/universal-ssl/) to cover them. +If your custom certificate does not cover all of your first-level hostnames, you can enable [Universal SSL certificate](/ssl/edge-certificates/universal-ssl/) to cover them. + +If your custom ceritificate is from a [certificate authority that Cloudflare partners with](/ssl/reference/certificate-authorities/), consider switching to a Cloudflare-managed certificate to benefit from automatic issuance and renewal. + ::: ## Certificate packs From 6cd1849772bbcb1a6382da2478f39eacff10b2e8 Mon Sep 17 00:00:00 2001 
From: Rebecca Tamachiro Date: Tue, 10 Sep 2024 15:19:22 +0100 Subject: [PATCH 10/20] Fix repeated Digicert info in CAA record content table --- src/content/docs/ssl/reference/certificate-authorities.mdx | 1 - 1 file changed, 1 deletion(-) diff --git a/src/content/docs/ssl/reference/certificate-authorities.mdx b/src/content/docs/ssl/reference/certificate-authorities.mdx index eaf4a6cb2216add..57d66a023d4357d 100644 --- a/src/content/docs/ssl/reference/certificate-authorities.mdx +++ b/src/content/docs/ssl/reference/certificate-authorities.mdx @@ -166,7 +166,6 @@ The following table lists the CAA record content for each CA: |-----------------------|------------------------------------------| | Let's Encrypt | `letsencrypt.org` | | Google Trust Services | `pki.goog; cansignhttpexchanges=yes` | -| DigiCert | `digicert.com; cansignhttpexchanges=yes` | | SSL.com | `ssl.com` | | Sectigo | `sectigo.com` | | DigiCert | `digicert.com; cansignhttpexchanges=yes` | From fc3928798ebe13e24e9aed507b89259d19596771 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 10 Sep 2024 15:23:55 +0100 Subject: [PATCH 11/20] Fix SSL.com availability in general CA to cert type table --- src/content/docs/ssl/reference/certificate-authorities.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/ssl/reference/certificate-authorities.mdx b/src/content/docs/ssl/reference/certificate-authorities.mdx index 57d66a023d4357d..1614c4601db581f 100644 --- a/src/content/docs/ssl/reference/certificate-authorities.mdx +++ b/src/content/docs/ssl/reference/certificate-authorities.mdx 
@@ -23,10 +23,10 @@ For publicly trusted certificates, Cloudflare partners with different certificat | Certificate | Algorithm | [Let's Encrypt](#lets-encrypt) | [Google Trust Services](#google-trust-services) | [SSL.com](#sslcom) | [Sectigo](#sectigo) | [DigiCert](#digicert-deprecating-soon) | |---------------------|-------|---------------|-----------------------|-|---------|--------------------------| -| [Universal](/ssl/edge-certificates/universal-ssl/)| ECDSA


RSA
(Paid plans only) | ✅


✅| ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon

Deprecating soon | -| [Advanced](/ssl/edge-certificates/advanced-certificate-manager/) | ECDSA


RSA | ✅


✅| ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon

Deprecating soon | +| [Universal](/ssl/edge-certificates/universal-ssl/)| ECDSA


RSA
(Paid plans only) | ✅


✅| ✅


✅ | ❌


❌ | N/A


N/A | ✅
Deprecating soon

Deprecating soon | +| [Advanced](/ssl/edge-certificates/advanced-certificate-manager/) | ECDSA


RSA | ✅


✅| ✅


✅ | ✅
Gradual roll-out

Gradual roll-out | N/A


N/A | ✅
Deprecating soon

Deprecating soon | | [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) | ECDSA


RSA | ✅


✅| ✅


✅ | ✅
Gradual roll-out

Gradual roll-out | N/A


N/A | ❌


❌ | -| [SSL for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) | ECDSA


RSA |✅


✅| ✅


✅ | ✅


✅ | N/A


N/A | ✅
Deprecating soon

Deprecating soon | +| [SSL for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) | ECDSA


RSA |✅


✅| ✅


✅ | ✅
Gradual roll-out

Gradual roll-out | N/A


N/A | ✅
Deprecating soon

Deprecating soon | | [Backup](/ssl/edge-certificates/backup-certificates/) | ECDSA

RSA | ✅

✅| ✅

✅ | ✅

✅ | ✅

✅ | ❌

❌ | From 9b92100967a7e36387029714cb48b073e850f78b Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 10 Sep 2024 15:37:55 +0100 Subject: [PATCH 12/20] Update SSL.com browser compatibility with cross-sign info --- src/content/docs/ssl/reference/certificate-authorities.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/content/docs/ssl/reference/certificate-authorities.mdx b/src/content/docs/ssl/reference/certificate-authorities.mdx index 1614c4601db581f..6c18545454ead95 100644 --- a/src/content/docs/ssl/reference/certificate-authorities.mdx +++ b/src/content/docs/ssl/reference/certificate-authorities.mdx @@ -102,9 +102,7 @@ You can use the [root CAs list](https://pki.goog/faq/#faq-27) for checking compa #### Limitations -SSL.com DCV tokens are specific for RSA certificates and ECDSA certificates. This means that, for cases where you have to [manually perform DCV](/ssl/edge-certificates/changing-dcv-method/#partial-dns-setup---action-sometimes-required), you will have to place two validation tokens per certificate order. - -To avoid management overhead, consider using a [full setup](/ssl/edge-certificates/changing-dcv-method/#full-dns-setup---no-action-required), or setting up [Delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/). +SSL.com DCV tokens are specific for RSA certificates and ECDSA certificates. This means that, for cases where you have to [manually perform DCV](/ssl/edge-certificates/changing-dcv-method/#partial-dns-setup---action-sometimes-required), you will have to place two validation tokens per certificate order. To avoid management overhead, consider using a [full setup](/ssl/edge-certificates/changing-dcv-method/#full-dns-setup---no-action-required), or setting up [Delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/). #### Browser compatibility 
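Review bot: Merging the two Limitations paragraphs carries over the opening sentence "SSL.com DCV tokens are specific for RSA certificates and ECDSA certificates" unchanged, and it is hard to parse; the following sentence ("two validation tokens per certificate order") shows the intended meaning is one token per algorithm. Since this hunk already rewrites the paragraph, suggest "SSL.com issues separate DCV tokens for RSA and ECDSA certificates."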
@@ -116,6 +114,8 @@ This section summarizes commonly requested client support information. For the c SSL.com is highly compatible, being accepted by over 99.9% of browsers, tablets, and mobile devices. +SSL.com certificates are [cross-signed with Certum](https://www.ssl.com/repository/) and the [CA that cross-signs intermediates](https://crt.sh/?caid=840) is from 2004. + #### Other resources [Acceptable top level domains (TLDs) and current restrictions](https://www.ssl.com/acceptable-top-level-domains-tlds-for-ssl-certificates/) From d199abd019547de92131327055a5e80f443d0c3a Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 11 Sep 2024 08:52:42 +0100 Subject: [PATCH 13/20] Add SSL.com DCV tokens validity --- .../reference/token-validity-periods.mdx | 3 ++- .../changing-dcv-method/validation-backoff-schedule.mdx | 7 ++++--- src/content/docs/ssl/reference/certificate-authorities.mdx | 1 + 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/token-validity-periods.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/token-validity-periods.mdx index adc65dd699f349b..f7d0844637236ed 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/token-validity-periods.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/reference/token-validity-periods.mdx @@ -16,7 +16,8 @@ However, these tokens expire after a certain amount of time, depending on your c | --------------------- | -------------- | | Let's Encrypt | 7 days | | Google Trust Services | 14 days | +| SSL.com | 14 days | :::caution - + ::: diff --git a/src/content/docs/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule.mdx b/src/content/docs/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule.mdx index 321c2c4225f993b..ddc331f09831d33 100644 
--- a/src/content/docs/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule.mdx +++ b/src/content/docs/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule.mdx @@ -17,7 +17,7 @@ If you use [Delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/de :::note -You can also request an immediate recheck by using the [Edit SSL Certificate Pack Validation Method endpoint](/api/operations/ssl-verification-edit-ssl-certificate-pack-validation-method), specifying the same `validation_method` as the [method](/ssl/edge-certificates/changing-dcv-method/methods/) you currently use. +You can also request an immediate recheck by using the [Edit SSL Certificate Pack Validation Method endpoint](/api/operations/ssl-verification-edit-ssl-certificate-pack-validation-method), specifying the same `validation_method` as the [method](/ssl/edge-certificates/changing-dcv-method/methods/) you currently use. ::: *** @@ -26,14 +26,15 @@ You can also request an immediate recheck by using the [Edit SSL Certificate Pac The DCV process relies on tokens that are generated by the issuing certificate authority. These tokens have a validity period defined by each CA: -* DigiCert - 30 days * Google Trust Services - 14 days * Let's Encrypt - 7 days +* SSL.com - 14 days +* DigiCert - 30 days After this period, DCV tokens expire as dictated by the [CA/B Baseline Requirements](https://cabforum.org/baseline-requirements-documents/), and new, valid tokens must be placed. :::caution - + ::: *** diff --git a/src/content/docs/ssl/reference/certificate-authorities.mdx b/src/content/docs/ssl/reference/certificate-authorities.mdx index 6c18545454ead95..630c060454b4a66 100644 --- a/src/content/docs/ssl/reference/certificate-authorities.mdx +++ b/src/content/docs/ssl/reference/certificate-authorities.mdx 
@@ -99,6 +99,7 @@ You can use the [root CAs list](https://pki.goog/faq/#faq-27) for checking compa ### SSL.com * Supports [validity periods](/ssl/reference/certificate-validity-periods/) of 14, 30, and 90 days. Enterprise customers using [advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) can also choose a validity period of one year. +* [DCV tokens](/ssl/edge-certificates/changing-dcv-method/) are valid for 14 days. #### Limitations From 19a935dfa5897e5680eef6904b2e9cda85ae3dd0 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 17 Sep 2024 16:10:53 +0100 Subject: [PATCH 14/20] Fix issue flagged in Hyperlint check --- .../docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx b/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx index e7275ae1931784c..bad4a2afea90379 100644 --- a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx +++ b/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx @@ -21,7 +21,7 @@ Yes. Cloudflare can issue both RSA and ECDSA certificates. ### Which certificate authorities does Cloudflare use? -Cloudflare uses Let’s Encrypt, Google Trust Services, SSL.com, Sectigo, and DigiCert. You can see a complete list of products and available CAs and algorithms in the [certificate authorities reference page](/ssl/reference/certificate-authorities/). +Cloudflare uses Let's Encrypt, Google Trust Services, SSL.com, Sectigo, and DigiCert. You can see a complete list of products and available CAs and algorithms in the [certificate authorities reference page](/ssl/reference/certificate-authorities/). [DigiCert will soon be removed as a CA from the Cloudflare pipeline](/ssl/reference/migration-guides/digicert-update/) and Sectigo is only used for [backup certificates](/ssl/edge-certificates/backup-certificates/). 
From cbead5b89757f0fe9e9c3ee2e432b2d98a2864b4 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 17 Sep 2024 17:50:19 +0100 Subject: [PATCH 15/20] Update distrust dates --- .../docs/ssl/reference/migration-guides/entrust-distrust.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx b/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx index 4fe1e6801c5bbd5..4c0722cf958299d 100644 --- a/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx +++ b/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx @@ -16,7 +16,7 @@ Since Entrust is not within the [certificate authorities](/ssl/reference/certifi ## The decision -New Entrust certificates issued on **November 1, 2024 or after** will not be trusted on Chrome by default. And new Entrust certificates issued or on **December 1, 2024 or after** will not be trusted on Mozilla by default. +New Entrust certificates issued on **November 12, 2024 or after** will not be trusted on Chrome by default. And new Entrust certificates issued on **November 30, 2024 or after** will not be trusted on Mozilla by default. Refer to the announcements ([Chrome](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html), [Mozilla](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/jCvkhBjg9Yw?pli=1)) for a full list of roots that will be distrusted. From 22a6d05ed989699461796e7fe2a9de4059e912e6 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Tue, 17 Sep 2024 19:30:52 +0100 Subject: [PATCH 16/20] Fix date for Mozilla --- .../docs/ssl/reference/migration-guides/entrust-distrust.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx b/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx index 4c0722cf958299d..84160f659fd43a1 100644 
--- a/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx +++ b/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx @@ -16,7 +16,7 @@ Since Entrust is not within the [certificate authorities](/ssl/reference/certifi ## The decision -New Entrust certificates issued on **November 12, 2024 or after** will not be trusted on Chrome by default. And new Entrust certificates issued on **November 30, 2024 or after** will not be trusted on Mozilla by default. +New Entrust certificates issued on **November 12, 2024 or after** will not be trusted on Chrome by default. And new Entrust certificates issued on **December 1, 2024 or after** will not be trusted on Mozilla by default. Refer to the announcements ([Chrome](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html), [Mozilla](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/jCvkhBjg9Yw?pli=1)) for a full list of roots that will be distrusted. From b89b28e63f3ed27271a6d24f6f2cb69fd60e71ff Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro <62246989+RebeccaTamachiro@users.noreply.github.com> Date: Wed, 18 Sep 2024 11:18:49 +0100 Subject: [PATCH 17/20] Apply suggestions from code review Co-authored-by: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> --- .../docs/ssl/edge-certificates/custom-certificates/index.mdx | 2 +- src/content/docs/ssl/reference/certificate-authorities.mdx | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx b/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx index 02ffd0ce20f7837..fc0ce23e4f245d5 100644 --- a/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx +++ b/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx 
@@ -21,7 +21,7 @@ When you use custom certificates, the following actions should be considered and If your custom certificate does not cover all of your first-level hostnames, you can enable [Universal SSL certificate](/ssl/edge-certificates/universal-ssl/) to cover them. -If your custom ceritificate is from a [certificate authority that Cloudflare partners with](/ssl/reference/certificate-authorities/), consider switching to a Cloudflare-managed certificate to benefit from automatic issuance and renewal. +If your custom certificate is from a [certificate authority that Cloudflare partners with](/ssl/reference/certificate-authorities/), consider switching to a Cloudflare-managed certificate to benefit from automatic issuance and renewal. ::: diff --git a/src/content/docs/ssl/reference/certificate-authorities.mdx b/src/content/docs/ssl/reference/certificate-authorities.mdx index 630c060454b4a66..808d7e21ea097ba 100644 --- a/src/content/docs/ssl/reference/certificate-authorities.mdx +++ b/src/content/docs/ssl/reference/certificate-authorities.mdx @@ -118,6 +118,7 @@ SSL.com is highly compatible, being accepted by over 99.9% of browsers, tablets, SSL.com certificates are [cross-signed with Certum](https://www.ssl.com/repository/) and the [CA that cross-signs intermediates](https://crt.sh/?caid=840) is from 2004. #### Other resources + [Acceptable top level domains (TLDs) and current restrictions](https://www.ssl.com/acceptable-top-level-domains-tlds-for-ssl-certificates/) *** From 0e9964616931d9341f97f0a788791e0e23c42787 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Wed, 18 Sep 2024 11:32:09 +0100 Subject: [PATCH 18/20] Fix beta capitalization and move content from banner to aside --- .../docs/ssl/reference/certificate-authorities.mdx | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/src/content/docs/ssl/reference/certificate-authorities.mdx b/src/content/docs/ssl/reference/certificate-authorities.mdx index 808d7e21ea097ba..3703589d2979c1b 100644 --- a/src/content/docs/ssl/reference/certificate-authorities.mdx +++ b/src/content/docs/ssl/reference/certificate-authorities.mdx @@ -8,15 +8,17 @@ description: For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for each Cloudflare offering and for more details about the CAs features, limitations, and browser compatibility. -banner: - content: | - SSL.com is currently in Beta for select customers and will be further rolled out starting September 2024. + --- import { Render } from "~/components" For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for each Cloudflare offering and for more details about the CAs [features, limitations, and browser compatibility](#features-limitations-and-browser-compatibility). +:::caution[SSL.com availability] +SSL.com is currently in beta for select customers and will be further rolled out starting September 2024. +::: + ## Availability per certificate type and encryption algorithm From def75e7ca891ee8be828394af654e12cd3f72646 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 19 Sep 2024 08:50:55 +0100 Subject: [PATCH 19/20] Update backup-certificates.mdx --- src/content/docs/ssl/edge-certificates/backup-certificates.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/ssl/edge-certificates/backup-certificates.mdx b/src/content/docs/ssl/edge-certificates/backup-certificates.mdx index eb7bcd63e933e6e..cac358e781f5ead 100644 --- a/src/content/docs/ssl/edge-certificates/backup-certificates.mdx +++ b/src/content/docs/ssl/edge-certificates/backup-certificates.mdx 
@@ -10,7 +10,7 @@ import { FeatureTable } from "~/components" If Cloudflare is providing [authoritative DNS](/dns/zone-setups/full-setup/) for your domain, Cloudflare will issue a backup [Universal SSL certificate](/ssl/edge-certificates/universal-ssl/) for every standard Universal certificate issued. -Backup certificates are wrapped with a different private key and issued from a different Certificate Authority — either Google Trust Services, Let's Encrypt, or Sectigo — than your domain's primary Universal SSL certificate. +Backup certificates are wrapped with a different private key and issued from a different Certificate Authority — either Google Trust Services, Let's Encrypt, Sectigo, or SSL.com — than your domain's primary Universal SSL certificate. These backup certificates are not normally deployed, but they will be deployed automatically by Cloudflare in the event of a certificate revocation or key compromise. From 9b86289361a3ea2277dc0f27e6db255003a782f1 Mon Sep 17 00:00:00 2001 From: Rebecca Tamachiro Date: Thu, 19 Sep 2024 09:27:03 +0100 Subject: [PATCH 20/20] Fix apostrophe and remove banner --- .../ssl/reference/migration-guides/lets-encrypt-chain.mdx | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx b/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx index 62fb113f0cef180..9a91dac624d3796 100644 --- a/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx +++ b/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx 
@@ -5,11 +5,8 @@ sidebar: order: 2 head: [] description: Review notes on the expiration of ISRG Root X1 cross-signed with - DST Root CA X3, and how it may affect Cloudflare customers that use Let’s + DST Root CA X3, and how it may affect Cloudflare customers that use Let's Encrypt. -banner: - content: | - On September 9, 2024, Cloudflare will start rebundling all Let's Encrypt certificates using a new chain. --- import { Details } from "~/components";
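Review bot: In PATCH 12/20, the sentence added under "Browser compatibility" in certificate-authorities.mdx ("the CA that cross-signs intermediates is from 2004") gives a year without saying what the reader should conclude from it. If the point is that the cross-signing root has been in client trust stores long enough to matter for compatibility, state that and name the root in the link text instead of "CA that cross-signs intermediates". The first hunk of the same commit merges the two "Limitations" paragraphs into one, which is unrelated to the commit subject; split it out or mention it in the message.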
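Review bot: In PATCH 13/20, the DCV token list in validation-backoff-schedule.mdx moves DigiCert from the top to the bottom, so the list is now neither alphabetical nor sorted by duration (14, 7, 14, 30 days); pick one order and keep it. The 14-day SSL.com value is now written in three files (token-validity-periods.mdx, validation-backoff-schedule.mdx, certificate-authorities.mdx), and the table in token-validity-periods.mdx shows no DigiCert row while the list does. A single shared partial for token validity would keep these from drifting apart.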
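Review bot: In PATCH 15/20 and 16/20, the Mozilla date in entrust-distrust.mdx goes from December 1 to November 30 and back to December 1 in consecutive commits, so the net change is only the Chrome date (November 1 to November 12) and the "issued or on" typo fix. Squash the two commits so the history does not record a date that was published and then reverted. As a wording point, "issued on or after **November 12, 2024**" reads more cleanly than "issued on **November 12, 2024 or after**" and keeps the bold on the date alone.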
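Review bot: In PATCH 18/20, removing the banner block from certificate-authorities.mdx leaves an added blank line inside the front matter directly before the closing "---"; drop it so the front matter ends right after the description. The new aside uses ":::caution[SSL.com availability]" for what is an availability notice, and ":::note" fits better unless the reader is expected to take action. "Starting September 2024" will also need a follow-up edit once the rollout completes.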
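Review bot: In PATCH 19/20, the changed sentence in backup-certificates.mdx now lists four CAs after "either" (Google Trust Services, Let's Encrypt, Sectigo, or SSL.com), and "either" no longer fits a list of that length. Suggest "one of Google Trust Services, Let's Encrypt, Sectigo, or SSL.com". Check that the Backup row of the availability table in certificate-authorities.mdx agrees with this list, since both are edited in this series.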
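Review bot: In PATCH 20/20, the banner removed from lets-encrypt-chain.mdx is the only place in this hunk that carries the September 9, 2024 rebundling date. Confirm the page body still states that date before dropping the banner. The commit also combines an apostrophe fix in the description with a content removal; the banner removal would be easier to revert as its own commit.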