Researchers have identified nine more mis-issued TLS certificates linked to Cloudflare’s 1.1.1.1 DNS resolver, bringing the total mis-issuances to 12. The certificates were issued by the Microsoft-trusted Fina CA and have since been revoked, according to Cloudflare.
Cloudflare said its audit found the nine additional certificates and emphasized that there is currently no evidence any of them were used to cryptographically impersonate 1.1.1.1 or tamper with DNS responses. The company noted it should have detected the mis-issuances earlier through Certificate Transparency (CT) logs, which it helps administer.
Fina CA’s brief statement described the certificates as created for internal testing within a production environment. It attributed the issue to incorrect entry of IP addresses and said the certificates were published on CT log servers as part of standard procedures.
TLS certificates are the foundation of the web’s trust model, with CT logs providing a public record of certificate issuance. Cloudflare has cautioned that while the keys involved may be under a separate control, the incident underlines the fragility and importance of vigilant monitoring of certificate issuance and transparency data.
In the broader PKI ecosystem, Microsoft’s root program and other trusted CAs are under scrutiny. Microsoft has signaled it will move to disallow problematic certificates, and observers say the episode highlights the need for stronger automated checks and more robust certificate-issuance governance to prevent similar lapses in the future.
