[https://community.cloudflare.com/t/revoke-and-prevent-the-issuing-of-certificates/235478/24](https://community.cloudflare.com/t/revoke-and-prevent-the-issuing-of-certificates/235478/24)
@btdig:
So, the summary is: unlike all other SSL certificates, those issued by Cloudflare during the onboarding process are not revocable because there is a Catch-22: DigiCert requires the private key to do the revocation (assuming the domain owner has it), which Cloudflare prefers to “keep safe” from its users.
When Cloudflare kicks a website (who will be next after DailyStormer? likely Gab), it is able to man-in-the-middle the SSL traffic for many months after the divorce.
If after the divorce Cloudflare still has the private keys, that means the keys are compromised: Cloudflare becomes an unauthorized (and likely malignant, in the case of a forceful divorce) party which holds the private keys. It is a serious security issue.
@matthew.mtw:
The thing with Cloudflare is there is no way to revoke the SSL certificate once you leave.
It is not acceptable for Cloudflare to have a valid cert for a website with no way of getting it revoked. As Cloudflare is getting itself set as the default DoH provider, it has the power to redirect my site’s traffic, even though the site has not used the service in months, and it still holds a valid cert for it.