Unauthorized Certificate Issued for Domain

My domain is: thegraph.com

You will need to provide more details.

But, I can make a guess ...

Right now your domain has a cert issued by Cloudflare Inc. And, if you previously tried to proxy your DNS with Cloudflare it may get a Let's Encrypt cert for you. Cloudflare also has a system to warn when certs get issued and it may even warn you about this.

Why do you think an "unauthorized cert" was issued?


Yes to all of the above. We will take it up with CF. None of the domains listed with ours are at all associated. Thanks for your help.


CF is a CDN/hosting service.
As such, they will host many domains from the same system.
It makes sense for them to combine domains [they host] onto a single cert.
[every hosting company does this]

What exactly did they issue that you feel was not correct?


Cloudflare will often bundle the domains from different clients together. They've been doing it less and less, but they do it. You must purchase a SSL from them or an advanced plan to ensure control of how they process certificates. I think under most options they will still add one of their internal domains onto the certificate to get around some deployment issues.

I think they stopped using the multiple-clients certificates in production and only use them for backup certificates. Last year, they announced "Backup Certificates" (Introducing: Backup Certificates) so they can maintain SSL in case of a mass CA revocation or a root being revoked. I think those still combine clients. It's just a stopgap measure, and I don't think it's been utilized yet. They basically grab certs from a second CA / root and keep them shelved unless needed. This way they don't need to somehow instantly order tens of thousands of certificates in a worst-case-scenario..



Thank you so much!! Super useful to know.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.