[SSL] Update certificate authorities info (#16679)

* Add ssl.com to certificate-authorities reference page * Update caa-records-added-by-cf partial * Refer ssl.com in other places where CAs used by CF are listed * Add help link to ct-monitoring page * Add ssl.com to custom hostname docs * More information on availability and timeline * Add entrust-distrust and re-order items within migration-guides * Overall review of entrust-distrust and certificate-authorities * Call out CF certificates as alternative to custom issued by same CAs * Fix repeated Digicert info in CAA record content table * Fix SSL.com availability in general CA to cert type table * Update SSL.com browser compatibility with cross-sign info * Add SSL.com DCV tokens validity * Fix issue flagged in Hyperlint check * Update distrust dates * Fix date for Mozilla * Apply suggestions from code review Co-authored-by: Pedro Sousa <[email protected]> * Fix beta capitalization and move content from banner to aside * Update backup-certificates.mdx * Fix apostrophe and remove banner --------- Co-authored-by: Pedro Sousa <[email protected]>
cloudflare · Sep 19, 2024 · bab63fa · bab63fa
1 parent da04da1
commit bab63fa
Show file tree

Hide file tree

Showing 14 changed files with 120 additions and 37 deletions.
diff --git a/...oudflare-for-platforms/cloudflare-for-saas/reference/token-validity-periods.mdx b/...oudflare-for-platforms/cloudflare-for-saas/reference/token-validity-periods.mdx
@@ -16,7 +16,8 @@ However, these tokens expire after a certain amount of time, depending on your c
 | --------------------- | -------------- |
 | Let's Encrypt         | 7 days         |
 | Google Trust Services | 14 days        |
+| SSL.com | 14 days        |
 
 :::caution
- <Render file="dcv-invalid-token-situations" product="ssl" /> 
+ <Render file="dcv-invalid-token-situations" product="ssl" />
 :::
diff --git a/...-saas/security/certificate-management/issue-and-validate/renew-certificates.mdx b/...-saas/security/certificate-management/issue-and-validate/renew-certificates.mdx
@@ -13,7 +13,7 @@ import { Render } from "~/components"
 
 The exact method for certificate renewal depends on whether that hostname is proxying traffic through Cloudflare and whether it is a wildcard certificate.
 
-Custom hostnames with DigiCert certificates currently have a validity period of one year, though DigiCert is [going to be deprecated](/ssl/reference/migration-guides/digicert-update/) soon as an option. Custom hostnames using Let's Encrypt or Google Trust Services have a 90 day validity period.
+Custom hostnames with DigiCert certificates currently have a validity period of one year, though DigiCert is [going to be deprecated](/ssl/reference/migration-guides/digicert-update/) soon as an option. Custom hostnames using Let's Encrypt, Google Trust Services, or SSL.com have a 90-day validity period.
 
 Certificates are available for renewal 30 days before their expiration.
 

diff --git a/...sl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx b/...sl/edge-certificates/additional-options/certificate-transparency-monitoring.mdx
@@ -80,6 +80,8 @@ Only Certificate Authorities can revoke malicious certificates. If you believe a
 
 * [Sectigo support](https://sectigo.com/support)
 
+* [SSL.com support](https://www.ssl.com/submit-a-ticket/)
+
 ### Option 2: Contact domain registrars
 
 Domain registrars may be able to **suspend** potentially malicious domains. If, for example, you notice that a malicious domain was registered through GoDaddy, contact GoDaddy’s support team to see if they can help you. Do the same for other registrars.

diff --git a/src/content/docs/ssl/edge-certificates/backup-certificates.mdx b/src/content/docs/ssl/edge-certificates/backup-certificates.mdx
@@ -10,7 +10,7 @@ import { FeatureTable } from "~/components"
 
 If Cloudflare is providing [authoritative DNS](/dns/zone-setups/full-setup/) for your domain, Cloudflare will issue a backup [Universal SSL certificate](/ssl/edge-certificates/universal-ssl/) for every standard Universal certificate issued.
 
-Backup certificates are wrapped with a different private key and issued from a different Certificate Authority — either Google Trust Services, Let's Encrypt, or Sectigo — than your domain's primary Universal SSL certificate.
+Backup certificates are wrapped with a different private key and issued from a different Certificate Authority — either Google Trust Services, Let's Encrypt, Sectigo, or SSL.com — than your domain's primary Universal SSL certificate.
 
 These backup certificates are not normally deployed, but they will be deployed automatically by Cloudflare in the event of a certificate revocation or key compromise.
 

diff --git a/.../docs/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule.mdx b/.../docs/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule.mdx
@@ -17,7 +17,7 @@ If you use [Delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/de
 
 :::note
 
-You can also request an immediate recheck by using the [Edit SSL Certificate Pack Validation Method endpoint](/api/operations/ssl-verification-edit-ssl-certificate-pack-validation-method), specifying the same `validation_method` as the [method](/ssl/edge-certificates/changing-dcv-method/methods/) you currently use. 
+You can also request an immediate recheck by using the [Edit SSL Certificate Pack Validation Method endpoint](/api/operations/ssl-verification-edit-ssl-certificate-pack-validation-method), specifying the same `validation_method` as the [method](/ssl/edge-certificates/changing-dcv-method/methods/) you currently use.
 :::
 
 ***
@@ -26,14 +26,15 @@ You can also request an immediate recheck by using the [Edit SSL Certificate Pac
 
 The DCV process relies on tokens that are generated by the issuing certificate authority. These tokens have a validity period defined by each CA:
 
-* DigiCert - 30 days
 * Google Trust Services - 14 days
 * Let's Encrypt - 7 days
+* SSL.com - 14 days
+* DigiCert - 30 days
 
 After this period, DCV tokens expire as dictated by the [CA/B Baseline Requirements](https://cabforum.org/baseline-requirements-documents/), and new, valid tokens must be placed.
 
 :::caution
- <Render file="dcv-invalid-token-situations" /> 
+ <Render file="dcv-invalid-token-situations" />
 :::
 
 ***

diff --git a/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx b/src/content/docs/ssl/edge-certificates/custom-certificates/index.mdx
@@ -19,7 +19,10 @@ When you use custom certificates, the following actions should be considered and
 
 :::note
 
-If your custom certificate does not cover all of your first-level hostnames, you can enable [Universal SSL certificate](/ssl/edge-certificates/universal-ssl/) to cover them. 
+If your custom certificate does not cover all of your first-level hostnames, you can enable [Universal SSL certificate](/ssl/edge-certificates/universal-ssl/) to cover them.
+
+If your custom certificate is from a [certificate authority that Cloudflare partners with](/ssl/reference/certificate-authorities/), consider switching to a Cloudflare-managed certificate to benefit from automatic issuance and renewal.
+
 :::
 
 ## Certificate packs

diff --git a/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx b/src/content/docs/ssl/edge-certificates/troubleshooting/ca-faq.mdx
@@ -21,7 +21,7 @@ Yes. Cloudflare can issue both RSA and ECDSA certificates.
 
 ### Which certificate authorities does Cloudflare use?
 
-Cloudflare uses Let’s Encrypt, Google Trust Services, Sectigo, and DigiCert. You can see a complete list of products and available CAs and algorithms in the [certificate authorities reference page](/ssl/reference/certificate-authorities/).
+Cloudflare uses Let's Encrypt, Google Trust Services, SSL.com, Sectigo, and DigiCert. You can see a complete list of products and available CAs and algorithms in the [certificate authorities reference page](/ssl/reference/certificate-authorities/).
 
 [DigiCert will soon be removed as a CA from the Cloudflare pipeline](/ssl/reference/migration-guides/digicert-update/) and Sectigo is only used for [backup certificates](/ssl/edge-certificates/backup-certificates/).
 

diff --git a/src/content/docs/ssl/reference/certificate-authorities.mdx b/src/content/docs/ssl/reference/certificate-authorities.mdx
@@ -15,24 +15,28 @@ import { Render } from "~/components"
 
 For publicly trusted certificates, Cloudflare partners with different certificate authorities (CAs). Refer to this page to check what CAs are used for each Cloudflare offering and for more details about the CAs [features, limitations, and browser compatibility](#features-limitations-and-browser-compatibility).
 
+:::caution[SSL.com availability]
+SSL.com is currently in beta for select customers and will be further rolled out starting September 2024.
+:::
+
 ## Availability per certificate type and encryption algorithm
 
 
 
-| Certificate                                                                                                       | Algorithm                                                    | [Let's Encrypt](#lets-encrypt) | [Google Trust Services](#google-trust-services) | [Sectigo](#sectigo)      | [DigiCert](#digicert-deprecating-soon)                                               |
-| ----------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | ------------------------------ | ----------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------ |
-| [Universal](/ssl/edge-certificates/universal-ssl/)                                                                | ECDSA<br /><br /><br />RSA<br /><sub>(Paid plans only)</sub> | ✅<br /><br /><br />✅           | ✅<br /><br /><br />✅                            | N/A<br /><br /><br />N/A | ✅<br /> <sub>Deprecating soon</sub> <br /><br />✅<br /> <sub>Deprecating soon</sub>  |
-| [Advanced](/ssl/edge-certificates/advanced-certificate-manager/)                                                  | ECDSA<br /><br /><br />RSA                                   | ✅<br /><br /><br />✅           | ✅<br /><br /><br />✅                            | N/A<br /><br /><br />N/A | ✅<br /> <sub>Deprecating soon</sub> <br /><br /> ✅<br /> <sub>Deprecating soon</sub> |
-| [Total TLS](/ssl/edge-certificates/additional-options/total-tls/)                                                 | ECDSA<br /><br /><br />RSA                                   | ✅<br /><br /><br />✅           | ✅<br /><br /><br />✅                            | N/A<br /><br /><br />N/A | ❌ <br /><br /><br /> ❌                                                               |
-| [SSL for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) | ECDSA<br /><br /><br />RSA                                   | ✅<br /><br /><br />✅           | ✅<br /><br /><br />✅                            | N/A<br /><br /><br />N/A | ✅<br /> <sub>Deprecating soon</sub> <br /><br /> ✅<br /> <sub>Deprecating soon</sub> |
-| [Backup](/ssl/edge-certificates/backup-certificates/)                                                             | ECDSA<br /><br />RSA                                         | ✅<br /><br />✅                 | ✅<br /><br />✅                                  | ✅<br /><br />✅           | ❌ <br /><br /> ❌                                                                     |
+| Certificate         | Algorithm | [Let's Encrypt](#lets-encrypt) | [Google Trust Services](#google-trust-services) | [SSL.com](#sslcom) | [Sectigo](#sectigo) | [DigiCert](#digicert-deprecating-soon)                 |
+|---------------------|-------|---------------|-----------------------|-|---------|--------------------------|
+| [Universal](/ssl/edge-certificates/universal-ssl/)| ECDSA<br /><br /><br />RSA<br /><sub>(Paid plans only)</sub> | ✅<br /><br /><br />✅| ✅<br /><br /><br />✅ | ❌<br /><br /><br />❌ | N/A<br /><br /><br />N/A | ✅<br /> <sub>Deprecating soon</sub> <br />✅<br /> <sub>Deprecating soon</sub> |
+| [Advanced](/ssl/edge-certificates/advanced-certificate-manager/) | ECDSA<br /><br /><br />RSA | ✅<br /><br /><br />✅| ✅<br /><br /><br />✅ | ✅<br /> <sub>Gradual roll-out</sub> <br /> ✅<br /> <sub>Gradual roll-out</sub> | N/A<br /><br /><br />N/A | ✅<br /> <sub>Deprecating soon</sub> <br /> ✅<br /> <sub>Deprecating soon</sub> |
+| [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) | ECDSA<br /><br /><br />RSA | ✅<br /><br /><br />✅| ✅<br /><br /><br />✅ | ✅<br /> <sub>Gradual roll-out</sub> <br /> ✅<br /> <sub>Gradual roll-out</sub> | N/A<br /><br /><br />N/A | ❌ <br /><br /><br /> ❌ |
+| [SSL for SaaS](/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/) | ECDSA<br /><br /><br />RSA |✅<br /><br /><br />✅| ✅<br /><br /><br />✅ | ✅<br /> <sub>Gradual roll-out</sub> <br /> ✅<br /> <sub>Gradual roll-out</sub> | N/A<br /><br /><br />N/A | ✅<br /> <sub>Deprecating soon</sub> <br /> ✅<br /> <sub>Deprecating soon</sub> |
+| [Backup](/ssl/edge-certificates/backup-certificates/) | ECDSA<br /><br />RSA | ✅<br /><br />✅| ✅<br /><br />✅ | ✅<br /><br />✅ | ✅<br /><br />✅ | ❌ <br /><br /> ❌ |
 
 
 
 ## Features, limitations and browser compatibility
 
 :::caution[Universal SSL]
- <Render file="universal-ssl-validity" /> 
+ <Render file="universal-ssl-validity" />
 :::
 
 ***
@@ -49,7 +53,7 @@ For publicly trusted certificates, Cloudflare partners with different certificat
 
 #### Browser compatibility
 
-:::caution
+:::caution[Warning]
 
 
 This section summarizes commonly requested client support information. For the complete and most up-to-date certificate compatibility, refer to [Let's Encrypt documentation](https://letsencrypt.org/docs/certificate-compatibility/).
@@ -78,7 +82,7 @@ You can find the full list of supported clients in the [Let's Encrypt documentat
 
 #### Browser compatibility (most compatible)
 
-:::caution
+:::caution[Warning]
 
 
 This section summarizes commonly requested client support information. For the complete and most up-to-date certificate compatibility, refer to [Google Trust Services documentation](https://pki.goog/faq/).
@@ -94,6 +98,33 @@ You can use the [root CAs list](https://pki.goog/faq/#faq-27) for checking compa
 
 ***
 
+### SSL.com
+
+* Supports [validity periods](/ssl/reference/certificate-validity-periods/) of 14, 30, and 90 days. Enterprise customers using [advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) can also choose a validity period of one year.
+* [DCV tokens](/ssl/edge-certificates/changing-dcv-method/) are valid for 14 days.
+
+#### Limitations
+
+SSL.com DCV tokens are specific for RSA certificates and ECDSA certificates. This means that, for cases where you have to [manually perform DCV](/ssl/edge-certificates/changing-dcv-method/#partial-dns-setup---action-sometimes-required), you will have to place two validation tokens per certificate order. To avoid management overhead, consider using a [full setup](/ssl/edge-certificates/changing-dcv-method/#full-dns-setup---no-action-required), or setting up [Delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/).
+
+#### Browser compatibility
+
+:::caution[Warning]
+
+This section summarizes commonly requested client support information. For the complete and most up-to-date certificate compatibility, refer to [SSL.com documentation](https://www.ssl.com/browser_compatibility/).
+
+:::
+
+SSL.com is highly compatible, being accepted by over 99.9% of browsers, tablets, and mobile devices.
+
+SSL.com certificates are [cross-signed with Certum](https://www.ssl.com/repository/) and the [CA that cross-signs intermediates](https://crt.sh/?caid=840) is from 2004.
+
+#### Other resources
+
+[Acceptable top level domains (TLDs) and current restrictions](https://www.ssl.com/acceptable-top-level-domains-tlds-for-ssl-certificates/)
+
+***
+
 ### Sectigo
 
 * Only used for [Backup certificates](/ssl/edge-certificates/backup-certificates/).
@@ -135,11 +166,11 @@ If you are using Cloudflare as your DNS provider, then the CAA records will be a
 The following table lists the CAA record content for each CA:
 
 
-
 | Certificate authority | CAA record content                       |
-| --------------------- | ---------------------------------------- |
+|-----------------------|------------------------------------------|
 | Let's Encrypt         | `letsencrypt.org`                        |
 | Google Trust Services | `pki.goog; cansignhttpexchanges=yes`     |
-| DigiCert              | `digicert.com; cansignhttpexchanges=yes` |
+| SSL.com               | `ssl.com`                                |
 | Sectigo               | `sectigo.com`                            |
+| DigiCert              | `digicert.com; cansignhttpexchanges=yes` |
 
diff --git a/src/content/docs/ssl/reference/migration-guides/dcv-update.mdx b/src/content/docs/ssl/reference/migration-guides/dcv-update.mdx
@@ -2,7 +2,7 @@
 pcx_content_type: reference
 title: Changes to HTTP DCV
 sidebar:
-  order: 3
+  order: 4
 
 ---
 

diff --git a/src/content/docs/ssl/reference/migration-guides/digicert-update/index.mdx b/src/content/docs/ssl/reference/migration-guides/digicert-update/index.mdx
@@ -2,7 +2,7 @@
 pcx_content_type: navigation
 title: DigiCert update
 sidebar:
-  order: 2
+  order: 3
 
 ---
 

diff --git a/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx b/src/content/docs/ssl/reference/migration-guides/entrust-distrust.mdx
@@ -0,0 +1,43 @@
+---
+pcx_content_type: reference
+title: Entrust distrust by major browsers
+sidebar:
+  order: 1
+  label: Entrust distrust
+head: []
+description: Chrome and Mozilla have announced they will no longer trust Entrust certificates. Read about this change and how you can use Cloudflare to reduce impact.
+---
+
+import { Details } from "~/components";
+
+Google Chrome and Mozilla have announced they will no longer trust certificates issued from Entrust's root CAs.
+
+Since Entrust is not within the [certificate authorities](/ssl/reference/certificate-authorities/) used by Cloudflare, this change may only affect customers who upload [custom certificates](/ssl/edge-certificates/custom-certificates/) issued by Entrust.
+
+## The decision
+
+New Entrust certificates issued on **November 12, 2024 or after** will not be trusted on Chrome by default. And new Entrust certificates issued on **December 1, 2024 or after** will not be trusted on Mozilla by default.
+
+Refer to the announcements ([Chrome](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html), [Mozilla](https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/jCvkhBjg9Yw?pli=1)) for a full list of roots that will be distrusted.
+
+## Entrust's response
+
+To prevent their customers from facing issues, Entrust has partnered with SSL.com, a different certificate authority, trusted by both Chrome and Mozilla.
+
+This means that Entrust certificates will be issued using SSL.com roots.
+
+## Cloudflare managed certificates
+
+Since Cloudflare also [partners with SSL.com](/ssl/reference/certificate-authorities/), you can switch from uploading custom certificates to using Cloudflare's managed certificates. This change brings the following advantages:
+
+* Use [Advanced certificates](/ssl/edge-certificates/advanced-certificate-manager/) to have more control and flexibility while also benefitting from automatic renewals.
+* Enable [Total TLS](/ssl/edge-certificates/additional-options/total-tls/) to automatically issue certificates for your [proxied hostnames](/dns/manage-dns-records/reference/proxied-dns-records/).
+* Use [Delegated DCV](/ssl/edge-certificates/changing-dcv-method/methods/delegated-dcv/) to reduce manual intervention when renewing certificates for [partial (CNAME) setup](/dns/zone-setups/partial-setup/) zones.
+* If you are a SaaS provider, extend the benefits of automatic renewals to your customers by specifying SSL.com as the certificate authority when [creating](/api/operations/custom-hostname-for-a-zone-create-custom-hostname) or [editing](/api/operations/custom-hostname-for-a-zone-edit-custom-hostname) your custom hostnames (API only).
+
+## More resources
+
+* [Use Cloudflare with SSL.com certificates](/ssl/reference/certificate-authorities/)
+* [Google Security Blog](https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html)
+* [Entrust TLS Certificate Information Center](https://www.entrust.com/tls-certificate-information-center)
+
diff --git a/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx b/src/content/docs/ssl/reference/migration-guides/lets-encrypt-chain.mdx
@@ -2,14 +2,11 @@
 pcx_content_type: reference
 title: Let's Encrypt chain update
 sidebar:
-  order: 1
+  order: 2
 head: []
 description: Review notes on the expiration of ISRG Root X1 cross-signed with
-  DST Root CA X3, and how it may affect Cloudflare customers that use Let’s
+  DST Root CA X3, and how it may affect Cloudflare customers that use Let's
   Encrypt.
-banner:
-    content: |
-        On September 9, 2024, Cloudflare will start rebundling all Let's Encrypt certificates using a new chain.
 ---
 
 import { Details } from "~/components";

diff --git a/src/content/partials/ssl/caa-records-added-by-cf.mdx b/src/content/partials/ssl/caa-records-added-by-cf.mdx
@@ -14,19 +14,24 @@ If Cloudflare has automatically added CAA records on your behalf, these records
 
 ```bash
 ➜  ~ dig example.com caa +short
+
+# CAA records added by Google Trust Services
+0 issue "pki.goog; cansignhttpexchanges=yes"
+0 issuewild "pki.goog; cansignhttpexchanges=yes"
+
+# CAA records added by Let's Encrypt
+0 issue "letsencrypt.org"
+0 issuewild "letsencrypt.org"
+
+# CAA records added by SSL.com
+0 issue "ssl.com"
+0 issuewild "ssl.com"
+
 # CAA records added by DigiCert
 0 issue "digicert.com; cansignhttpexchanges=yes"
 0 issuewild "digicert.com; cansignhttpexchanges=yes"
 
 # CAA records added by Sectigo
 0 issue "sectigo.com"
 0 issuewild "sectigo.com"
-
-# CAA records added by Let's Encrypt
-0 issue "letsencrypt.org"
-0 issuewild "letsencrypt.org"
-
-# CAA records added by Google Trust Services
-0 issue "pki.goog; cansignhttpexchanges=yes"
-0 issuewild "pki.goog; cansignhttpexchanges=yes"
 ```
diff --git a/src/content/partials/ssl/universal-ssl-validity.mdx b/src/content/partials/ssl/universal-ssl-validity.mdx
@@ -5,4 +5,4 @@
 
 For Universal certificates, Cloudflare controls the validity periods and certificate autorities (CAs), making sure that renewal always occur.
 
-Universal certificates issued by Let’s Encrypt or Google Trust Services have a 90 day validity period. Cloudflare no longer uses DigiCert for newly issued Universal certificates and, for existing ones, the validity period is being adjusted from one year to 90 days.
+Universal certificates issued by Let's Encrypt, Google Trust Services, or SSL.com have a 90-day validity period. Cloudflare no longer uses DigiCert for newly issued Universal certificates and, for existing ones, the validity period is being adjusted from one year to 90 days.