On 03/11/16 09:59, Gervase Markham wrote:
> On 02/11/16 23:26, gerhard.tin...@gmail.com wrote:
>> Before I contacted this group, I contacted Cloudflare and asked them
>> to stop creating certificates with my domain. The answer in short
>> was, ... they cannot change it and as long as I am using their
>> service, they will continue.
>
> How would you expect the service to work without them doing that?
>
>> I also contacted Comodo as the CA and asked them. The answer was
>> different but also not helping. In short, ... I can use a CAA DNS
>> record (not supported by many DNS providers like Cloudflare) to avoid
>> it in the future. But in the next sentence telling me that those
>> records are not honoured by many CAs.
>
> Hopefully this will change before too long.
>
> However, I still don't get why you want to use Cloudflare's SSL
> termination services but are unwilling to allow them to get a
> certificate for your domain name.
>
> AIUI their free tier uses certs they obtain, but if you pay, you can
> provide your own cert. So if you want to use Cloudflare but don't want
> them obtaining certs for you, join the paying tier.

In my experience, joining Cloudflare's paying tier doesn't guarantee that Cloudflare won't also obtain a free cert.

A few weeks ago we moved crt.sh onto Cloudflare. It was in the paying tier from the start, and we uploaded an EV cert straight away. I was surprised when https://crt.sh/atom?q=crt.sh alerted me to https://crt.sh/?id=42619974

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy