Last week it emerged that the little-known certificate authority Fina issued 12 unauthorized TLS certificates for 1.1.1.1 (Cloudflare's popular public DNS resolver) between February 2024 and August 2025, without Cloudflare's knowledge or consent. In the hands of an attacker positioned between a client and the resolver, such certificates could be used to impersonate 1.1.1.1 and read or alter queries sent over DNS over HTTPS (DoH) and DNS over TLS (DoT).
The misissuance came to light almost by accident: it was first flagged by a researcher on the Mozilla dev-security-policy mailing list.
The certificates were issued by Fina RDC 2020, an intermediate certificate authority subordinate to the Fina Root CA. It soon emerged that the Fina Root CA is included in Microsoft's root program, which means the certificates chain to a root trusted by Windows, by Microsoft Edge, and by any application that relies on the Windows certificate store.
Shortly thereafter, Cloudflare representatives took note of the situation and confirmed that the certificates had been issued improperly.
“Cloudflare did not authorize Fina to issue these certificates. Upon seeing the report on the certificate-transparency mailing list, we immediately began an investigation and reached out to Fina, Microsoft, and Fina’s TSP supervisory authority, who can resolve the issue by revoking trust in Fina or in the misissued certificates,” Cloudflare said.
The company’s statement also emphasized that the issue did not affect data encrypted via WARP VPN.
In turn, Microsoft representatives reported that they had contacted the certificate authority and demanded immediate action. The company said it was already taking steps to block the certificates.
Representatives of Google, Mozilla, and Apple stated that their browsers have never trusted Fina’s certificates, and users do not need to take any action.
The reason this matters is that certificates are the foundation of server authentication in TLS (Transport Layer Security). A certificate binds a public key to the names it was issued for (domain names or, as with 1.1.1.1, IP addresses), and a certificate authority (an organization that browser and operating-system vendors have agreed to trust) vouches for that binding by signing the certificate with the CA's own private key. The server proves it is the legitimate holder of the certificate by using the private key that matches the certificate's public key.
Browsers and operating systems verify the CA's signature against the CA public keys in their root stores. In practice, this means that anyone who holds a certificate for a name issued by a trusted CA, together with its corresponding private key, can cryptographically impersonate that name to every client that trusts the issuer.
Whoever holds one of the 1.1.1.1 certificates and its private key could therefore mount a man-in-the-middle attack: by redirecting a client's traffic for 1.1.1.1 to themselves (for example from a compromised router or a hostile network) and presenting the misissued certificate, they could terminate the DoH or DoT connection, decrypt, view, and modify the DNS queries and responses, and forward them on to Cloudflare. Two conditions apply: the attacker must be on the path between the client and 1.1.1.1, and the client must trust the Fina Root CA, which in practice means clients that rely on the Windows certificate store.
“The certificate authority ecosystem is like a castle with many doors: the failure of a single certificate authority can compromise the security of the entire castle. Misbehavior by certificate authorities — whether intentional or not — poses a persistent and significant threat to Cloudflare. From the very beginning, Cloudflare helped develop and launch Certificate Transparency, which made it possible to detect this case of improper certificate issuance,” Cloudflare noted.
At the end of last week, Cloudflare specialists published a detailed report on this incident. According to the company’s audit, the number of improperly issued certificates totaled twelve, not three as initially reported. Worse yet, the first of them were issued back in February 2024.
Fina representatives commented on the incident in a brief email, stating that the certificates were “issued for internal testing of the certificate issuance process in a production environment.”
The certificate authority stated that an error occurred during the issuance of test certificates “due to incorrect input of IP addresses.” It was emphasized that, as part of the standard procedure, the certificates were published in the Certificate Transparency logs.
Fina assured that the private keys never left the environment controlled by the certificate authority and were “destroyed immediately, even before the certificates were revoked.” The company says the improperly issued certificates “in no way compromised the security of users or any other systems.”
Nevertheless, Cloudflare stated that it is taking the incident very seriously. The company emphasizes that it is forced to "assume that the corresponding private key exists and is not under Cloudflare's control," since it has no way to verify Fina's claim that the keys were destroyed.
The company acknowledges that the risk ultimately faced by millions of Windows users who rely on 1.1.1.1 is, in part, Cloudflare's own fault. Cloudflare had not set up effective monitoring of the Certificate Transparency logs, which record every publicly trusted TLS certificate (browsers require a certificate to be logged before they will accept it), and so it did not catch the issuance itself but learned of it months later from an outside report.
“We failed three times. The first time because 1.1.1.1 is a certificate for an IP address, but our system didn’t alert us to these cases. The second time because even if we were receiving certificate issuance notifications like any of our customers, we hadn’t implemented sufficient filtering. Given the huge number of names and issuances we manage, manual checks aren’t feasible. Finally, because our monitoring was too ‘noisy,’ we didn’t enable alerts for all our domains. We’re working to address all three of these shortcomings,” Cloudflare writes.
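The three gaps Cloudflare lists map directly onto the logic of a CT alert filter: it has to match IP-address SANs as well as DNS names, it has to compare the issuer against the CAs the organization actually uses so that legitimate renewals do not drown real alerts in noise, and it has to cover every watched name. The following is an added example, not Cloudflare's or Fina's code, of such a filter over constructed sample log entries in a simplified shape (issuer name plus the dNSName and iPAddress SAN values). The allowed issuer name, the watched domains and the watched IP ranges are assumptions for the example; a real monitor would obtain the entries from a CT log or a CT search service and take the watch list from its own inventory.

```python
"""Minimal Certificate Transparency alert filter (added example, not Cloudflare's code).

Flags any logged certificate that covers a name or IP address we own but was
issued by a CA we did not authorize. Handles the failure mode from the incident:
certificates whose only subject is an IP address.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CertEntry:
    """Simplified view of a CT log entry: who signed it and which names it covers."""
    log_index: int
    issuer: str            # subject name of the issuing CA
    dns_names: tuple       # dNSName SAN entries (may include wildcards)
    ip_addresses: tuple    # iPAddress SAN entries, as strings


@dataclass
class WatchList:
    domains: set           # registrable domains we own; subdomains match too
    networks: list         # ipaddress networks we own
    allowed_issuers: set   # CAs we actually obtain certificates from


def _domain_matches(name, watched):
    """True if `name` is one of our domains or a subdomain/wildcard of one."""
    name = name.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    labels = name.split(".")
    # Suffix match: foo.bar.example.com hits example.com, but example.com.evil.test does not.
    return any(".".join(labels[i:]) in watched for i in range(len(labels)))


def _ip_matches(addr, networks):
    """True if the SAN IP parses and falls inside one of our networks (v4 or v6)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def find_unauthorized(entries, watch):
    """Entries that cover a watched name or IP but come from an issuer we did not authorize."""
    hits = []
    for e in entries:
        covers_ours = (any(_domain_matches(d, watch.domains) for d in e.dns_names)
                       or any(_ip_matches(ip, watch.networks) for ip in e.ip_addresses))
        if covers_ours and e.issuer not in watch.allowed_issuers:
            hits.append(e)
    return hits


# Assumed watch list: the issuer name and the IP ranges are examples, not Cloudflare's inventory.
WATCH = WatchList(
    domains={"cloudflare-dns.com", "one.one.one.one"},
    networks=[ipaddress.ip_network(n) for n in ("1.1.1.0/24", "1.0.0.0/24", "2606:4700:4700::/48")],
    allowed_issuers={"Example Issuing CA"},
)

# Constructed sample log entries (not real CT records).
SAMPLE_ENTRIES = [
    CertEntry(1, "Example Issuing CA", ("one.one.one.one", "*.cloudflare-dns.com"), ("1.1.1.1", "1.0.0.1")),
    CertEntry(2, "Fina RDC 2020", (), ("1.1.1.1",)),                 # IP-only subject: the incident's shape
    CertEntry(3, "Fina RDC 2020", ("intranet.example.org",), ()),    # not our name: must not alert
    CertEntry(4, "Another CA", ("www.example.com",), ("192.0.2.10",)),
    CertEntry(5, "Another CA", (), ("2606:4700:4700::1111",)),       # IPv6 inside a watched range
]


def alert_lines(entries=SAMPLE_ENTRIES, watch=WATCH):
    """Human-readable alert per unauthorized entry."""
    return [
        f"log entry {e.log_index}: unexpected issuer {e.issuer!r} covers "
        + ", ".join(e.dns_names + e.ip_addresses)
        for e in find_unauthorized(entries, watch)
    ]


if __name__ == "__main__":
    for line in alert_lines():
        print(line)
```

Entry 1 is a normal renewal from the expected CA and stays silent, entries 3 and 4 do not touch anything on the watch list and also stay silent, and only entries 2 and 5 alert. Suffix matching on domains means a lookalike such as cloudflare-dns.com.evil.test does not trigger, while the issuer allow list is what keeps the feed quiet enough that the alerts can actually be acted on.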