Yesterday, we reported that security researchers had discovered three unauthorized digital certificates for Cloudflare’s public DNS server 1.1.1.1, issued by Croatia’s Fina CA. These certificates could, in theory, be exploited to decrypt traffic or conduct interception attacks.
The situation, however, has proven to be far more serious than initially thought. An investigation revealed that since February 2024, Fina CA had in fact issued twelve certificates for 1.1.1.1—an issue that went undetected for nineteen months.
The industry introduced the Certificate Transparency (CT) framework precisely to catch such misissuance: every publicly trusted certificate must be logged where anyone can audit it. A CT log only records, however; it alerts no one, and a misissued certificate sitting in a log is harmless to the issuer until somebody actually watches the logs. This case underscores how rarely that happens.
Upon receiving reports from the security community, Cloudflare launched an internal investigation, which uncovered that Fina CA had issued not three but twelve unauthorized certificates for 1.1.1.1 since early 2024, all without Cloudflare's request or consent.
Cloudflare emphasized that there was no evidence the certificates had been actively abused, for example to impersonate its encrypted DNS services, but admitted it should have detected the misissuance sooner. In the event, neither Cloudflare nor anyone else in the ecosystem identified the anomaly in time.
In an emailed statement, Fina CA claimed the certificates were generated as part of an internal test of its issuance pipeline in a production environment. The company said an incorrect IP address entry caused the misissuance.
According to Fina, the certificates were properly logged to CT logs, their private keys never left controlled environments, and the keys were destroyed before the certificates were revoked. The company insists the misissued certificates posed no risk to users or to any other systems.
Yet this explanation does not absolve Fina. A publicly trusted CA must validate the applicant's control of every domain name or IP address before it issues, as the CA/Browser Forum Baseline Requirements require, and no certificate should exist without that validation. Running an issuance test against a production CA with a real public IP address in the request skips exactly that step. By issuing twelve certificates for 1.1.1.1 with no request from Cloudflare, Fina committed a serious violation regardless of how the keys were handled afterward.
Cloudflare acknowledged three shortcomings on its end:
- Its CT monitoring alerted on domain names only. A certificate whose subject alternative name is an IP address such as 1.1.1.1, with no domain name at all, never triggered an alert.
- Even had an alert fired, Cloudflare lacked filtering that could separate a suspicious issuance from its own routine renewals; at the volume of domains and certificates it manages, manual review of raw CT matches is impractical.
- Because of that noise, alerting had not been enabled across all of its domains. The company says it is now remedying these gaps.
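The two monitoring gaps above, a rule that looks only at domain names and the lack of an issuer filter, are easy to see in code. The following is an added example written for this page, not Cloudflare's or Fina's code: a small CT-style monitor that checks a parsed certificate against a watchlist of owned names and IPs and an allow-list of expected issuers. It builds its own constructed test certificates with Go's standard library so it runs offline; the issuer names and the "Corporate Issuing CA" allow-list entry are invented, and the hostnames are the ones Cloudflare publishes for 1.1.1.1. The naive rule misses the IP-only certificate entirely; the corrected rule flags it, and stays quiet for a certificate from an expected issuer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Monitor holds the identifiers an organisation owns and the issuers it
// actually uses. Any other issuer naming a watched identifier is an alert.
type Monitor struct {
	OwnedDomains    map[string]bool // dNSName SAN entries, lower-case
	OwnedIPs        map[string]bool // iPAddress SAN entries, canonical text form
	ExpectedIssuers map[string]bool // issuer CommonName values that are authorised
}

// Finding is one alert: a watched identifier in a certificate from an
// issuer the organisation did not expect.
type Finding struct {
	Serial     string
	Issuer     string
	Identifier string
}

// NaiveDomainOnly is the rule this page describes as Cloudflare's gap: it
// inspects dNSName SANs only, so a certificate whose only SAN is an
// iPAddress entry is invisible to it.
func NaiveDomainOnly(m Monitor, cert *x509.Certificate) []Finding {
	if m.ExpectedIssuers[cert.Issuer.CommonName] {
		return nil
	}
	var out []Finding
	for _, d := range cert.DNSNames {
		if m.OwnedDomains[strings.ToLower(d)] {
			out = append(out, Finding{cert.SerialNumber.Text(16), cert.Issuer.CommonName, d})
		}
	}
	return out
}

// Inspect is the corrected rule: it walks both dNSName and iPAddress SANs,
// and the issuer allow-list is what keeps routine renewals out of the alerts.
func (m Monitor) Inspect(cert *x509.Certificate) []Finding {
	issuer := cert.Issuer.CommonName
	if m.ExpectedIssuers[issuer] {
		return nil // issued by a CA we use; normal renewal traffic
	}
	var out []Finding
	serial := cert.SerialNumber.Text(16)
	for _, d := range cert.DNSNames {
		if m.OwnedDomains[strings.ToLower(d)] {
			out = append(out, Finding{serial, issuer, d})
		}
	}
	for _, ip := range cert.IPAddresses {
		if m.OwnedIPs[ip.String()] {
			out = append(out, Finding{serial, issuer, ip.String()})
		}
	}
	return out
}

var serialCounter int64

// MakeSampleCert builds a constructed certificate for the demonstration: a
// throwaway key, the requested SANs and an issuer name of our choosing.
// Nothing here touches a real CA or a real CT log.
func MakeSampleCert(issuerCN string, dns []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serialCounter++
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(serialCounter),
		Subject:      pkix.Name{CommonName: "constructed sample leaf"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dns,
		IPAddresses:  ips,
	}
	// CreateCertificate copies the issuer name from parent.Subject, so a bare
	// parent template is enough to stamp an arbitrary issuer on the leaf.
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	der, err := x509.CreateCertificate(rand.Reader, leaf, parent, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ExampleMonitor is the watchlist used in the demonstration (issuer name invented).
func ExampleMonitor() Monitor {
	return Monitor{
		OwnedDomains:    map[string]bool{"one.one.one.one": true, "cloudflare-dns.com": true},
		OwnedIPs:        map[string]bool{"1.1.1.1": true, "1.0.0.1": true},
		ExpectedIssuers: map[string]bool{"Corporate Issuing CA (constructed)": true},
	}
}

func main() {
	m := ExampleMonitor()
	rogue, err := MakeSampleCert("Unexpected Test CA (constructed)", nil, []net.IP{net.ParseIP("1.1.1.1")})
	if err != nil {
		panic(err)
	}
	fmt.Printf("domain-only rule: %d finding(s)\n", len(NaiveDomainOnly(m, rogue)))
	for _, f := range m.Inspect(rogue) {
		fmt.Printf("ALERT serial=%s issuer=%q identifier=%s\n", f.Serial, f.Issuer, f.Identifier)
	}
}
```

In a real deployment the certificates would come from a CT log's `get-entries` feed rather than from `MakeSampleCert`, but the filtering logic is the same: watch every SAN type you own, not just dNSName, and treat the issuer as part of the match so that your own renewals do not drown the alerts.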
If Fina's assurances about the private keys were false, the largest group of potential victims would be Windows users, because, to date, only Microsoft's root program and the EU trusted list recognize Fina CA as a trusted authority.
By contrast, Google, Apple, and Mozilla have never trusted Fina CA, meaning that Chrome, Safari, and Firefox users were entirely unaffected. But those relying on Windows or Microsoft Edge remained exposed, since Microsoft continued to trust certificates from Fina CA.
Public Key Infrastructure (PKI) experts note that the problem is not the 1.1.1.1 certificates themselves, but Microsoft's continued trust in a CA with a track record of serious violations. The industry normally responds to such misconduct by removing the offending CA from root programs. Why Microsoft has maintained trust in Fina CA when its peers never extended it remains an open question.