Heads up - Azure CDN custom domain TLS certificates can include bad neighbours

Wed, 2017-08-23 08:43

I'm staying in Colombo these days, and I was sipping a hot cuppa tea. It's 32 Celsius outside but yeah, a hot tea. "Threee.... threee", suddenly my phone vibrated. I was excited and expected to see a Clash Royale notification - maybe a Super Magical Chest is open so I can collect the reward. But no, it was an email from Facebook.

Nobody reads my blog posts except maybe my mom, so I'll explain: Mom, Facebook is a social network where you like each other's photos, memes and Buzzfeed instant articles, and use it to log in to other crappy web services. One useful tool the Facebook developer team has built is a Certificate Transparency Monitoring Tool: you enter your domain name and opt in to receive emails whenever a public Certificate Transparency log has a record of some Certificate Authority issuing a certificate for your domain names. I'm a multi-millionaire who makes a lot of moneeees from domain names, so I get this kind of email quite a lot. In fact, I think Frank Schilling is jelly of me because of the massive number of domains I have... I don't really have that many domain names, and the Frank fella isn't really jealous of me either. I am a multi-millionaire though... if you count my money in Vietnamese Dongs. And yes, the Vietnamese call their currency Dongs. In all seriousness, I had a great time on my last trip to Vietnam, and I cannot recommend it enough for a great solo trip.

Back to my awesome story...

I use Amazon CloudFront as my CDN provider. For almost every project I have online, they are the CDN. CloudFront has custom TLS certificate support, HTTP/2 support, edge compression, custom header support, IPv6 dual-stack support, etc. The only thing I don't like about them is their pricing. You have to pay for bandwidth (about 8 cents for every GB of egress to North America; other continents cost 2-3 times more), and for the HTTP(S) requests made to it. HTTPS requests cost slightly more.

I have been looking at several alternatives, but most of them do not support TLS on custom domains, some of them don't have HTTP/2, and many are not truly pay-as-you-go. Microsoft Azure was an exception. They have custom domain support, TLS support, IPv6, HTTP/2, and do not charge for the number of HTTP(S) requests made. I already had an active Azure account that I pay for some of their other services with, so I signed up for the CDN as well. I created a delivery endpoint, added a custom domain, and then enabled HTTPS support.

Azure has partnered with DigiCert to issue the custom domain certificates. From what I can see, they issue standard RSA 2048 certificates with Certificate Transparency SCTs embedded in the certificate (the best kind; delivering SCTs in the TLS handshake or in OCSP responses is additional overhead for your TLS-terminating servers). So far, so good. DigiCert certificates often cost more (they don't have DV certificates; only OV and EV), so I was kinda happy that Azure partnered with DigiCert instead of some cheap CA.

^ I don't think I managed to put this many abbreviations in a single paragraph before. Phew.

There was a step where DigiCert sent me (the domain owner) an email asking to confirm certificate issuance. Obviously, I accepted it because I initiated it. A couple of hours later, DigiCert had issued the certificate, and HTTPS started to work in the CDN. I was happy and, IIRC, I had a chocolate cake that night.

From the email I received from the Facebook CT monitoring tool, I saw that Azure had issued a new certificate for the custom domain name I used with Azure CDN. However, the SAN field showed a few more domain names that I do not recognize.

[Image: openssl output of the certificate text, grepped to highlight the SAN fields, for the certificate issued by DigiCert for Azure CDN]

Above is the output of the openssl x509 decoder, grep'd to highlight the "Subject Alternative Name" field.

cdn4.downloadgram.com is the custom domain name I configured with Azure CDN, but buy.advantech.eu is not mine! The private key is still with Azure CDN, so I can't impersonate buy.advantech.eu, nor can they impersonate me. However, this defeats the very purpose of adding a custom domain to a CDN provider and using a TLS certificate there. I certainly understand the deployment challenges any CDN provider might have with custom domains. But if CloudFront can pull it off, so can everyone. For your comparison, here is a certificate issued by Amazon (Amazon itself is a CA):

[Image: openssl output of the certificate text, grepped to highlight the SAN fields, for the certificate issued by Amazon]
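As an added example (not from the original post, and not Azure's or Amazon's code), here is the check done by hand above with openssl and grep, written with Go's standard library: list every SAN entry on a certificate that falls outside the domains you own, so a shared CDN certificate shows up in a monitoring job instead of a surprise email. BuildTestCert self-signs a constructed throwaway certificate carrying the two names from the post so it runs offline; the function names and the owned-domain list are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"strings"
	"time"
)

// owns reports whether name equals one of the owned domains or is a subdomain of one.
func owns(name string, owned []string) bool {
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	for _, o := range owned {
		o = strings.ToLower(strings.TrimSuffix(o, "."))
		if n == o || strings.HasSuffix(n, "."+o) {
			return true
		}
	}
	return false
}

// ForeignSANs returns every dNSName in the Subject Alternative Name extension that
// your owned domains do not cover; a non-empty result means the certificate is shared.
func ForeignSANs(cert *x509.Certificate, owned []string) []string {
	var foreign []string
	for _, name := range cert.DNSNames {
		if !owns(name, owned) {
			foreign = append(foreign, name)
		}
	}
	return foreign
}

// BuildTestCert self-signs a throwaway certificate with the given SANs, standing
// in for a leaf fetched from a CT log or a live TLS handshake (constructed sample).
func BuildTestCert(dnsNames []string) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dnsNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}
```

Calling `ForeignSANs(BuildTestCert([]string{"cdn4.downloadgram.com", "buy.advantech.eu"}), []string{"downloadgram.com"})` returns only `buy.advantech.eu`; to check a real edge, parse the leaf from the CT notification or from a TLS connection the same way.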

TL;DR

  • 👍 Azure CDN custom domain certificates are issued by DigiCert.
  • 👎 Azure CDN-managed certificates are actually SAN certificates with unknown domain names.
  • 👍 Amazon-issued certificates only include your custom domain name or domain names you explicitly request a certificate for.
  • 🎂 I like Chocolate cakes.