From a8b85ffeb21fda93de186f252d8c423a9553e2f2 Mon Sep 17 00:00:00 2001 From: Bryan AuBuchon Date: Mon, 29 Jun 2026 16:47:24 -0400 Subject: [PATCH 1/2] Clarify the two certificates used in Keyless SSL + DNS-only key server note Adds a "Certificates used in Keyless SSL" section to the Public DNS setup page distinguishing the edge (Keyless SSL) certificate from the key server authentication certificate, with a caution against adding the key server hostname to the public edge cert SAN (unnecessary; leaks internal hostnames into CT logs). Also adds a note that a key server hostname on a Cloudflare zone must use a DNS-only (grey-cloud) record to avoid NXDOMAIN handshake failures. --- .../keyless-ssl/configuration/public-dns.mdx | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx b/src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx index c98bcd35c15..4385f00024f 100644 --- a/src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx +++ b/src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx 
@@ -37,6 +37,29 @@ As a security measure, you should hide the hostname of your key server. ::: +:::note + +If your key server hostname is on a zone you have on Cloudflare, you must create a **DNS-only** (grey-clouded) record for it — do not proxy it. If the record is proxied or missing, Cloudflare's edge resolver returns `NXDOMAIN` and the Keyless TLS handshake fails. The fix is the DNS-only record — not adding the hostname to a certificate SAN. + +::: + +--- + +## Certificates used in Keyless SSL + +Keyless SSL involves **two different certificates**. Confusing them is the most common setup error. + +| Certificate | What it is | SAN should contain | +| --- | --- | --- | +| **Edge (Keyless SSL) certificate** | The public certificate Cloudflare serves for your site. | Your site hostnames only (for example, `www.example.com`) | +| **Key server authentication certificate** | The certificate your key server uses to prove itself to Cloudflare. | The key server hostname only | + +:::caution + +Do **not** add your key server hostname to the SAN of your public edge certificate. It is not required, and it leaks internal hostnames into the public certificate and Certificate Transparency logs. + +::: + --- ## 2. Upload Keyless SSL Certificates From 794a64eaafb25910563e50d81602637c13e41d6c Mon Sep 17 00:00:00 2001 From: Bryan AuBuchon Date: Mon, 29 Jun 2026 17:05:39 -0400 Subject: [PATCH 2/2] Apply suggestion from @ask-bonk[bot] Co-authored-by: ask-bonk[bot] <249159057+ask-bonk[bot]@users.noreply.github.com> --- src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx b/src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx index 4385f00024f..adba0655280 100644 --- a/src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx +++ b/src/content/docs/ssl/keyless-ssl/configuration/public-dns.mdx 
@@ -39,7 +39,7 @@ As a security measure, you should hide the hostname of your key server. :::note -If your key server hostname is on a zone you have on Cloudflare, you must create a **DNS-only** (grey-clouded) record for it — do not proxy it. If the record is proxied or missing, Cloudflare's edge resolver returns `NXDOMAIN` and the Keyless TLS handshake fails. The fix is the DNS-only record — not adding the hostname to a certificate SAN. +If your key server hostname is on a Cloudflare zone, you must create a **DNS-only** (grey cloud) record for it — do not proxy it. If the record is proxied or missing, Cloudflare's edge resolver returns `NXDOMAIN` and the Keyless SSL handshake fails. The fix is the DNS-only record — not adding the hostname to a certificate Subject Alternative Name (SAN). :::
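Review bot: In the first hunk (public-dns.mdx @@ -37,6 +37,29 @@), the new `## Certificates used in Keyless SSL` heading is an unnumbered H2 dropped into a numbered step sequence directly before `## 2. Upload Keyless SSL Certificates`, so it reads as an unnumbered step between 1 and 2; make it a `###` subsection of step 1 or move it to a standalone concepts page so the step numbering stays intact. The sentence "Confusing them is the most common setup error." asserts a ranking the page cannot support; "a common setup error" says what is needed without the unverifiable superlative. The table and caution are otherwise sound and the SAN guidance (site hostnames only on the edge certificate, key server hostname only on the key server certificate) matches the CT-leakage rationale in the commit message.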
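Review bot: The second hunk (@@ -39,7 +39,7 @@) tightens the wording but keeps the claim, carried over from the original line, that a *proxied* record makes the edge resolver return `NXDOMAIN`; a proxied record would normally resolve to Cloudflare's own edge addresses rather than to no record at all, so the failure mode differs from the missing-record case. Please confirm the proxied case actually yields `NXDOMAIN` from the edge resolver, and if it does not, split the sentence into the two outcomes (for example, "If the record is missing, the edge resolver returns `NXDOMAIN`; if it is proxied, the edge connects to itself instead of your key server") so operators can match the symptom they see. Expanding "Subject Alternative Name (SAN)" here is correct since this is the term's first use on the page; the later table header and caution can keep the bare acronym.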