Cloudflare has confirmed that the certification authority Fina issued 12 unauthorized TLS certificates for the IP address 1.1.1.1—Cloudflare’s public DNS resolver—without Cloudflare’s approval. The certificates, dated from February 2024 through August 2025, were surfaced via Certificate Transparency (CT) logs and discussed on the Mozilla dev-security-policy mailing list, prompting swift remediation efforts.
What Happened: Chain of Trust, Scope, and Impact on Windows
The certificates were issued by the subordinate CA Fina RDC 2020 under Fina Root CA. Because Microsoft includes Fina Root CA in the Windows trust store, the trust path affected Windows and Microsoft Edge. By contrast, Google, Mozilla, and Apple representatives stated their browsers do not trust Fina’s root, so Chrome, Firefox, and Safari users required no action.
Security Risk: MITM Against DoH/DoT to 1.1.1.1
A TLS certificate binds an identity (a DNS name or, as here, an IP address in the subjectAltName extension) to a public key. The certificate itself is public, and each of the 12 is visible in CT; what an attacker needs in addition is the matching private key. With both, they can impersonate the endpoint to any client that trusts the issuing chain and conduct man-in-the-middle (MITM) attacks. For DNS over HTTPS (DoH; RFC 8484) and DNS over TLS (DoT; RFC 7858), an on-path attacker could then intercept, decrypt, or modify DNS queries and answers exchanged with 1.1.1.1 by clients that trust the Fina root.
Cloudflare emphasized that traffic protected by WARP VPN is unaffected. However, the company is operating under a worst-case assumption: the private key could exist outside Cloudflare’s control, hence revocation and proactive mitigations are essential.
Vendor Responses: Revocation and Trust Adjustments
Cloudflare contacted Fina, Microsoft, and the relevant trust service provider (TSP) regulator, seeking immediate revocation and a review of trust relationships. Microsoft reported it would block the affected certificates across its ecosystem. Because the major non-Microsoft browsers never trusted the Fina root, no browser-level countermeasures were needed there.
Why It Matters: PKI Fragility and the Role of Certificate Transparency
Public Key Infrastructure (PKI) is a distributed trust system in which any trusted CA can issue for any name, so the failure of a single CA can undermine the security of many services. Certificate Transparency (RFC 6962) mitigates this risk by requiring that issued certificates be recorded in publicly auditable, append-only logs. In this case, CT made the mis-issuance discoverable, but only because organizations monitor those logs: CT does not prevent mis-issuance, it makes it visible after the fact.
Cloudflare acknowledged monitoring gaps: alerts for IP-based certificates related to 1.1.1.1 failed due to noisy filters and incomplete alert coverage. The company is reworking its CT monitoring and automating response workflows to reduce detection latency and human error.
Fina’s Position: “Internal Testing” and Process Failures
Fina attributed the issuance to internal testing in a production environment combined with erroneous IP entry. The CA claims private keys remained in a controlled environment and were destroyed before revocation, and that certificates were published to CT according to procedure. These assertions cannot be independently verified, which is why Cloudflare is treating key compromise as a plausible risk.
Industry Context: Lessons from Past PKI Incidents
This event echoes long-standing PKI issues. In the DigiNotar breach (2011), attackers obtained more than 500 fraudulent certificates, including one for google.com, and the CA collapsed within weeks. Beginning in 2017, browsers phased out trust in Symantec's PKI following repeated policy and compliance failures, with the distrust completed in 2018. Each case shows how mis-issuance or process lapses at a CA can ripple globally, affecting end users and critical infrastructure.
Recommended Actions: Monitoring, Revocation, and Least Privilege
Operations and Monitoring
– Implement continuous CT monitoring for domains and, when applicable, IPs. Use multiple CT log sources and fine-grained alerting to reduce noise. Consider automation for certificate intake, validation, and revocation workflows.
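The monitoring gap described above (domain-oriented alerting that never fired for an IP-address certificate) and the recommendation to alert on IPs as well as domains both come down to the same detection logic. The following Python is an added example, not Cloudflare's tooling or any code from the article: it runs a small allowlist-based monitor over constructed CT records in the flattened shape crt.sh returns (issuer_name, name_value with one SAN per line). Only the IP 1.1.1.1 and the issuer CN "Fina RDC 2020" come from the article; the record ids, the other SANs, the DoH host name one.one.one.one, the "O=Fina" issuer string and the allowlisted CA organisation are assumptions made up for the example.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed sample records, not real CT entries. Field names mirror the
# flattened JSON crt.sh returns; ids, SANs and issuer strings are invented.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Example Trusted CA, CN=Example Issuing CA 1",
     "name_value": "one.one.one.one\n1.1.1.1", "not_before": "2025-06-01T00:00:00"},
    {"id": 1002, "issuer_name": "C=HR, O=Fina, CN=Fina RDC 2020",
     "name_value": "1.1.1.1", "not_before": "2024-02-12T09:15:00"},
    {"id": 1003, "issuer_name": "C=HR, O=Fina, CN=Fina RDC 2020",
     "name_value": "test.internal.example\n1.1.1.1", "not_before": "2025-08-20T11:00:00"},
    {"id": 1004, "issuer_name": "C=US, O=Example Trusted CA, CN=Example Issuing CA 1",
     "name_value": "www.example.com", "not_before": "2025-07-01T00:00:00"},
    {"id": 1005, "issuer_name": "C=HR, O=Fina, CN=Fina RDC 2020",
     "name_value": "unrelated.example", "not_before": "2025-03-03T00:00:00"},
    {"id": 1006, "issuer_name": "C=US, O=Other CA, CN=Other Issuing CA",
     "name_value": "someone.one.one.one", "not_before": "2025-05-05T00:00:00"},
])


@dataclass(frozen=True)
class Policy:
    """Identities we own and the CA organisations allowed to issue for them."""
    domains: frozenset            # DNS names we own; subdomains are covered too
    ips: frozenset                # ipaddress objects for IPs that terminate TLS
    authorized_issuer_orgs: frozenset  # O= values permitted in the issuer DN


def issuer_org(issuer_name):
    """Extract the O= attribute from a flattened issuer DN (assumes ', ' separators)."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return None


def covered_identities(name_value, policy):
    """Return the monitored identities a certificate's SANs cover.

    IP SANs are compared as parsed addresses, so textual variants such as an
    uncompressed IPv6 form still match. DNS SANs match exactly or as a
    subdomain of a monitored domain; a wildcard SAN covers its base's subtree.
    """
    hits = set()
    for raw in name_value.splitlines():
        san = raw.strip().lower().rstrip(".")
        if not san:
            continue
        try:
            ip = ipaddress.ip_address(san)
        except ValueError:
            ip = None
        if ip is not None:
            if ip in policy.ips:
                hits.add(str(ip))
            continue
        base = san[2:] if san.startswith("*.") else san
        for dom in policy.domains:
            if base == dom or base.endswith("." + dom):
                hits.add(dom)
    return hits


def legacy_domain_filter(records, policy):
    """The noisy, domain-only approach: substring match on the SAN text.

    It fires on unrelated names that merely contain a monitored domain, and it
    never sees a certificate whose only relevant SAN is an IP address.
    """
    return [rec["id"] for rec in records
            if any(dom in rec["name_value"].lower() for dom in policy.domains)]


def find_unauthorized(records, policy):
    """Flag certificates covering a monitored identity whose issuer is not
    allowlisted. Returns a list of (id, issuer org, covered identities)."""
    findings = []
    for rec in records:
        hits = covered_identities(rec["name_value"], policy)
        if hits and issuer_org(rec["issuer_name"]) not in policy.authorized_issuer_orgs:
            findings.append((rec["id"], issuer_org(rec["issuer_name"]), tuple(sorted(hits))))
    return findings


# Assumed policy for the example: 1.1.1.1 is from the article; the DoH host
# name and the allowlisted CA organisation are illustrative.
EXAMPLE_POLICY = Policy(
    domains=frozenset({"one.one.one.one"}),
    ips=frozenset({ipaddress.ip_address("1.1.1.1")}),
    authorized_issuer_orgs=frozenset({"Example Trusted CA"}),
)


def run_example():
    """Compare the old filter with the allowlist monitor on the sample records."""
    records = json.loads(SAMPLE_CT_JSON)
    return {"legacy_matches": legacy_domain_filter(records, EXAMPLE_POLICY),
            "unauthorized": find_unauthorized(records, EXAMPLE_POLICY)}


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

On the sample data the legacy filter returns records 1001 and 1006 (one legitimate, one unrelated name that merely contains the monitored domain) and misses both Fina certificates entirely, because their only relevant SAN is the IP. The allowlist monitor flags 1002 and 1003 and stays quiet on 1001, which covers the same identities but comes from an authorized issuer. Keying the alert on "who issued for an identity I own" rather than on name patterns is what keeps the queue quiet enough to be read. In production the records would come from a CT log or aggregator feed rather than an inline constant, and the allowlist would be maintained alongside the certificate issuance pipeline.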
Endpoint and Network Controls
– Turn on OCSP stapling for the TLS services you operate, and make sure Windows endpoints perform timely CRL/OCSP checks and receive Microsoft's trust-store updates, since a block on the affected certificates only helps clients that actually apply it. Where safe, pin the expected leaf or intermediate public keys in first-party apps and services (with a backup pin and a rotation plan, because a stale pin causes an outage) so that a rogue intermediate under some other trusted root cannot impersonate them.
Trust Store Governance
– Periodically audit trusted roots and intermediates. Apply the principle of least privilege to trust stores—limit or remove trust for disputed or unnecessary roots, especially in high-assurance environments.
The Fina incident underscores that PKI resilience depends as much on process as on cryptography. Organizations that actively monitor CT, automate responses to mis-issuance, and minimize their trust surface will better protect DoH/DoT and other critical traffic. Review your CT monitoring and trust store governance now to ensure the roots and intermediates in your environment truly deserve their standing.