Introduction of Additional Certificate Authorities

Problem Statement

Cloudflare will introduce new Certificate Authorities (CAs) for signing its certificates, which may affect some tenants.

Symptoms / Troubleshooting

Most tenant admins will not see any changes. However, anyone who is fingerprinting or pinning certificates will most likely see a warning or an error when trying to access their tenant, since the certificate authority will change.

Tenants using AWS Cognito might experience more errors here. The reason is that Cognito suggests certificate pinning, which leads to issues in this case.


To resolve these warnings or errors, update your site/server settings to unpin or stop fingerprinting certificates. As standard practice, it's best to avoid pinning certificates, so that supporting environments remain accessible and running as intended.
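
The failure described above, as an added example that is not part of the original article: a client that pins certificate fingerprints rejects the same tenant once its certificate is issued by a different CA, while a client that relies on its trust store keeps working. The host name `tenant.example` and both CAs are constructed test data; the code assumes the Python `cryptography` package is installed, and the trust-store check is a simplified signature check, not full path validation.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def issue(subject_cn, subject_key, issuer_cn, issuer_key):
    """Constructed test certificate for subject_key, signed by issuer_key."""
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    start = datetime.datetime(2024, 1, 1)
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=90))
            .sign(issuer_key, hashes.SHA256()))

def fingerprint(cert):
    return cert.fingerprint(hashes.SHA256()).hex()

def pinned_client_accepts(chain, pins):
    # Pinning client: some certificate in the presented chain must match a stored pin.
    return any(fingerprint(c) in pins for c in chain)

def trust_store_client_accepts(chain, trust_store):
    # Non-pinning client (simplified): the leaf must be signed by a trusted CA.
    leaf = chain[0]
    for ca in trust_store:
        if ca.subject == leaf.issuer:
            try:
                ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                       ec.ECDSA(leaf.signature_hash_algorithm))
                return True
            except InvalidSignature:
                continue
    return False

def rotation_scenario():
    old_key, new_key, tenant_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    old_ca = issue("Old CA (constructed)", old_key, "Old CA (constructed)", old_key)
    new_ca = issue("New CA (constructed)", new_key, "New CA (constructed)", new_key)
    before = [issue("tenant.example", tenant_key, "Old CA (constructed)", old_key), old_ca]
    after = [issue("tenant.example", tenant_key, "New CA (constructed)", new_key), new_ca]
    pins = {fingerprint(c) for c in before}   # fingerprints recorded before the CA change
    store = [old_ca, new_ca]                  # trust store that already contains both CAs
    return {"pinned_before": pinned_client_accepts(before, pins),
            "pinned_after": pinned_client_accepts(after, pins),
            "store_before": trust_store_client_accepts(before, store),
            "store_after": trust_store_client_accepts(after, store)}
```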

