
Cloudflare are not a public CA (see bottom), they use public CAs just like the rest of us. I'm sure they have special enterprise arrangements with each of them.

Supported TLS certs via Cloudflare: https://developers.cloudflare.com/ssl/reference/certificate-...

Those public CAs have to verify domain ownership via the methods outlined in the CA/Browser Forum's baseline requirements. None of which Cloudflare would be able to follow (on behalf of these domains in question) if they did not use either of Cloudflare's authoritative nameservers or WAF/CDN.

Now, if Cloudflare were a public CA, they would still have to behave correctly and follow the baseline requirements otherwise they would be distrusted by clients.

Note that Cloudflare have a certificate authority called 'Origin CA' https://blog.cloudflare.com/cloudflare-ca-encryption-origin/, it is not publicly trusted though. It doesn't need to be, it's for website operators to install on their own web server, before it gets fronted by Cloudflare - rather than just running a self-signed cert or serving plaintext.

Trusted root certs:

Apple: https://support.apple.com/en-gb/121672

Mozilla: https://ccadb.my.salesforce-sites.com/mozilla/CAInformationR...

Microsoft: https://ccadb.my.salesforce-sites.com/microsoft/IncludedCACe...

Chrome: https://chromium.googlesource.com/chromium/src/+/main/net/da...
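To make the Origin CA point concrete, here is an added illustration (not code from the thread or from Cloudflare): it builds a private "origin CA" and a leaf certificate signed by it, then shows that the leaf is rejected against the system's default trust store (standing in for a browser root program) and accepted only when the private CA is explicitly trusted, which is exactly the arrangement between Cloudflare's edge and an origin server. Assumes the openssl CLI is installed; every name is constructed.

```shell
#!/usr/bin/env sh
# Added example, not from the HN thread. Models a private origin CA (like
# Cloudflare's Origin CA) that no browser ships, and checks how a leaf it
# issues fares against the public store versus an explicitly trusted CA.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Private root: analogous to an origin CA that is not in any root program.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Origin CA (constructed)" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# 2. Leaf for the origin server, signed by that private root.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=origin.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# verify_leaf [ca-bundle]
# Returns 0 when openssl accepts the leaf. With no argument it uses the
# system's default trust store (the stand-in for a browser's root program);
# with a bundle path it trusts that CA explicitly, as an origin operator
# or the CDN edge would.
verify_leaf() {
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify "$WORK/leaf.pem" >/dev/null 2>&1
  fi
}

if verify_leaf; then
  echo "public store: accepted (unexpected for a private CA)"
else
  echo "public store: rejected, as a browser would"
fi
if verify_leaf "$WORK/ca.pem"; then
  echo "explicitly trusted origin CA: accepted"
fi
```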

I'm pretty sure Cloudflare uses Let's Encrypt.

It doesn't look like they are a sponsor of Let's Encrypt though, so I doubt they have any kind of special arrangement with them.


Thanks for the explanation. Also, your username is very appropriate.


I tell it how it is :)
