No Problem, Resolved

Hello, it's resolved; close this ticket now.

These sound like three distinct questions, none of which really has anything to do with Let's Encrypt. Whoever's behind AutoSSL would be best able to explain how it works, Cloudflare would be best able to explain how they provide free SSL, and one or more of the paid certificate providers can surely explain why they need to charge for something Let's Encrypt gives away for free.

5 Likes

Congratulations on your efforts to learn more about certificates and certificate issuance. It is a commendable endeavor that will send you on a long and enlightening journey.

Cloudflare doesn't operate a publicly trusted certificate authority. They primarily use free certificates from Let's Encrypt and Google Trust Services for the public facing edge certificates. They do provide a private CA that can issue certificates that are only trusted by the Cloudflare proxy. Those can be used to secure traffic between the origin server and the Cloudflare proxy. This overview may help you better understand Cloudflare.

Cloudflare also has a community where you can learn more.
https://community.cloudflare.com/

3 Likes

But they do have trusted intermediate certificates (RSA/ECDSA). Looking at the leaf certs of those intermediates, they're also actually used for end users.

Not really. Those were custom branded DigiCert intermediates, and they were deprecated last year. Not all certificates issued by the DigiCert CA have aged out yet, but as they do, they will be renewed using Let's Encrypt and Google Trust Services CAs.

3 Likes

Deprecated maybe, but currently still in use (random site).

But things like custom branded intermediates are a confusing thing! I believe that's when everything is operated by the CA (e.g. DigiCert), but everything LOOKS like it's from a different company, right? Any way to identify these kind of custom branded intermediates?

Follow the chain. Intermediates have an issuer. You can view that data in the intermediate certificate's details. From the certificate in your reply:

Authority Information Access:
    OCSP - URI:http://ocsp.digicert.com
    CA Issuers - URI:http://cacerts.digicert.com/CloudflareIncRSACA-2.crt

2 Likes
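The "follow the chain" procedure above, as an added example that is not part of the thread: the script below builds a throwaway three-level chain with openssl (1.1.1 or newer) in which the intermediate carries a "brand" name but its AIA URLs point at the parent operator's hostnames, then walks leaf -> intermediate -> root printing subject, issuer and AIA for each, and compares the organisation in the intermediate's subject with the host that publishes its issuer certificate. Every name, hostname and URL in it (Example Root CA, Example Brand Inc, example-root.test, www.example.test) is made up for the demonstration; the functions cert_subject, cert_issuer, cert_aia_ocsp, cert_aia_ca_issuers, uri_host, brand_vs_aia, walk_chain and verify_chain are this example's own helpers, not an openssl or Cloudflare interface.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a disposable chain whose
# intermediate is "branded" (subject names one organisation) while its AIA
# URLs live on another operator's hostnames, then inspects it the way the
# reply suggests: subject -> issuer -> AIA, per certificate.
# All names and URLs are hypothetical. Requires openssl 1.1.1+.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

ROOT_SUBJ="/O=Example Root CA/CN=Example Root"
ICA_SUBJ="/O=Example Brand Inc/CN=Example Brand RSA CA-2"
LEAF_SUBJ="/CN=www.example.test"

cat > root.ext <<'EOF'
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Branded intermediate: OCSP and CA Issuers point at the root operator, not the brand.
cat > ica.ext <<'EOF'
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
authorityInfoAccess = OCSP;URI:http://ocsp.example-root.test,caIssuers;URI:http://cacerts.example-root.test/ExampleRoot.crt
EOF
# Leaf: its CA Issuers URL is where the branded intermediate is published.
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
authorityInfoAccess = OCSP;URI:http://ocsp.example-root.test,caIssuers;URI:http://cacerts.example-root.test/ExampleBrandRSACA-2.crt
EOF

gen_key() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null; }

# Root: self-signed from its own CSR so only root.ext's extensions are applied.
gen_key root.key
openssl req -new -key root.key -subj "$ROOT_SUBJ" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile root.ext -out root.crt 2>/dev/null

gen_key ica.key
openssl req -new -key ica.key -subj "$ICA_SUBJ" -out ica.csr 2>/dev/null
openssl x509 -req -in ica.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1 -extfile ica.ext -out ica.crt 2>/dev/null

gen_key leaf.key
openssl req -new -key leaf.key -subj "$LEAF_SUBJ" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ica.crt -CAkey ica.key -CAcreateserial \
  -days 1 -extfile leaf.ext -out leaf.crt 2>/dev/null

# DN fields in RFC 2253 form, without openssl's "subject="/"issuer=" prefix.
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }
# The two AIA URIs: the OCSP responder and where the issuer's certificate is published.
cert_aia_ocsp()       { openssl x509 -in "$1" -noout -ext authorityInfoAccess | sed -n 's/.*OCSP - URI://p'; }
cert_aia_ca_issuers() { openssl x509 -in "$1" -noout -ext authorityInfoAccess | sed -n 's/.*CA Issuers - URI://p'; }
# Host part of a URI: http://cacerts.example-root.test/x.crt -> cacerts.example-root.test
uri_host() { printf '%s\n' "$1" | sed 's|^[a-z]*://||; s|[/:].*||'; }

# Organisation in the subject versus the host serving the issuer certificate.
# For a branded intermediate the AIA host belongs to the operating CA, not the brand.
brand_vs_aia() {
  printf '%s|%s\n' "$(cert_subject "$1" | sed -n 's/.*O=\([^,]*\).*/\1/p')" \
                   "$(uri_host "$(cert_aia_ca_issuers "$1")")"
}

# Print each link of the chain, leaf first.
walk_chain() {
  for c in "$@"; do
    printf '%s\n  subject:     %s\n  issuer:      %s\n  AIA OCSP:    %s\n  AIA CA Iss:  %s\n' \
      "$c" "$(cert_subject "$c")" "$(cert_issuer "$c")" \
      "$(cert_aia_ocsp "$c")" "$(cert_aia_ca_issuers "$c")"
  done
}

# Path validation as a client would do it: leaf, untrusted intermediate, trusted root.
verify_chain() { openssl verify -CAfile root.crt -untrusted ica.crt leaf.crt >/dev/null 2>&1; }

walk_chain leaf.crt ica.crt root.crt
echo "intermediate: subject org | AIA host = $(brand_vs_aia ica.crt)"
if verify_chain; then echo "chain verifies against root.crt"; else echo "chain does NOT verify"; fi
```

Against a live site, replace the generated files with the certificates from `openssl s_client -connect host:443 -showcerts` and run the same helpers on each. As the later replies note, this only shows whose infrastructure the AIA points at; it cannot tell you whether the intermediate's private key is held by the parent CA or by a separately audited subordinate.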

That wouldn't distinguish a subordinate CA from a custom branded intermediate, right?

Subordinate CA sounds like a synonym to Intermediate CA to me. What distinction are you expecting to clarify?

2 Likes

Well, as far as I know, a subordinate CA can be a completely separate company with their own keypairs/HSMs issuing certificates from their subordinate CA certificate. They'd have to have all the audits et cetera like a regular CA.

See for example section 6.2.6 from the current baseline requirements:

If the Issuing CA generated the Private Key on behalf of the Subordinate CA, then the Issuing CA SHALL encrypt the Private Key for transport to the Subordinate CA. If the Issuing CA becomes aware that a Subordinate CA’s Private Key has been communicated to an unauthorized person or an organization not affiliated with the Subordinate CA, then the Issuing CA SHALL revoke all certificates that include the Public Key corresponding to the communicated Private Key.

That's way more than just a custom branded intermediate.

3 Likes

I don't know how you could make that determination as an outsider. My reference to the Cloudflare branded DigiCert intermediate as such is based on the statements of both current and former Cloudflare employees rather than being something that I deduced. If you find an answer that provides a means to make the determination, I would certainly be interested to know more about it.

3 Likes

Maybe the AIA for a subordinate CA is actually different, I'm just not sure :stuck_out_tongue: One would assume they'd run their own OCSP and CRL et cetera, right?

Ah well, let's not confuse the intern any more than necessary :stuck_out_tongue:

3 Likes

We don't close resolved threads. Usually the solution to an issue is marked as such with the :ballot_box_with_check: button.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.