Privacy Question


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: getflywheel.com

I ran this command: n/a

It produced this output: n/a

My web server is (include version): getflywheel

The operating system my web server runs on is (include version):getflywheel

My hosting provider, if applicable, is: getflywheel

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes

Client wants ssl certificate but does not want to provide city and state location and identifying information for privacy reasons. If we use client’s domain registration private registration for location, as called for on getflywheel, will this impact certificate issuance or validity? Also, can domain owner be traced back and revealed, when domain ownership is private, through an ssl certificate?

Thank you


#2

“Domain validated” certificates such as the ones you would get from Let’s Encrypt do not contain any information in the subject such as city and state. In fact, if you submit a certificate request that contains that information, it will be stripped from the final certificate. The only identifying information contained within the certificate is the domain name (or names) you want it to be valid for.


#3

Thank you for the reply.

Flywheel asks for “City” “State” “Country” “organization name” “contact department” “email” The last two are optional. This is what’s causing the concern. Is it that these fields flywheel is requesting can take any information (will use domain privacy registrars info) and that it will be irrelevant to your generating the certificate?

Thank you again!


#4

Also, and please forgive my lack of knowledge, is a “domain validate” certificate the same as an ssl certificate?

Here’s the flywheel text that prompted the client concern about privacy: “To install your SSL certificate, we need a bit of information to generate your CSR. Use the link below to fill out the form.”

I had asked them first and they referred us to you.

Thank you!


#5

“Domain Validation” (DV) is a category/type of SSL/TLS certificate. It indicates the amount of identify verification a Certificate Authority must perform to generate a certificate. Other categories include things like OV (Organization Validation) and EV (Extended Validation). With DV, you only need to prove that you control/own the domain you’re requesting a certificate for such as being able to edit DNS records for the domain.

I’m not familiar with Flywheel. But they appear to be a hosting provider who is generating certificates on your behalf. And if they directed you here, it implies they’re using Let’s Encrypt for those certificates. But if that’s the case, they shouldn’t need or want anything but the domain name in order to request that certificate.

This might help.


#6

The documentation of “Simple SSL”, presumably the ACME client used by FlyWheel, indeed mentions all those information is required for the generation of a CSR which is used to get a Let’s Encrypt certificate: https://getflywheel.com/wordpress-support/how-do-i-add-simple-ssl-to-my-site/

Fortunately, Let’s Encrypt doesn’t use the CSR directly. It only extracts the information it needs, being the public key, the domains for which the certificate is requested and optionally a (few?) other options like “Must Staple”. But not all those City, Country and State information.

So you can enter anything you want. You might want to choose “NotTellingYou” as City and “PrivacyConcerns” as Organisation. The Let’s Encrypt servers wouldn’t care less.


#7

The need for the city/state information is clearly only a FlyWheel requirement.
Why? Only FlyWheel can answer that.
…
Maybe they are worried about exporting encryption concerns…


#8

I think they just thought: “the CSR needs to be filled with something, let’s just ask the customer…” instead of leaving the fields empty.


#9

This is a super helpful! Thank you for the careful explanation!! Very appreciated!!!