Troubleshooting

Unauthorized issuer alerts

What it means when CertShield flags a certificate as "unauthorized" and how to respond.

An unauthorized issuer alert fires when a certificate is issued for one of your domains by a Certificate Authority that you haven’t added to the allow-list for that domain. This is one of the most important alerts CertShield offers — and also one of the most commonly misunderstood.

Why it matters

The TLS world is built on trust in roughly 100 Certificate Authorities. Any of them can issue a valid certificate for any domain, in principle. That means if any CA is compromised — or if an attacker tricks one with a bad domain validation — a valid-looking certificate can be issued for your domain without your consent. A browser will happily accept it.

Certificate Transparency logs exist specifically so you can watch for this. CertShield watches for you.

If CertShield tells you that example.com just got a certificate from a CA you’ve never used, one of two things is happening:

  1. Someone on your team switched providers and didn’t tell you. This is the explanation about 90% of the time.
  2. Your domain is being misused. This is the explanation about 10% of the time — but it is exactly the case you must catch quickly.

Setting up the allow-list

On the Domains page, expand a domain row and scroll to Authorized certificate authorities. You can add one or more issuer patterns. A pattern matches the CA’s name as it appears in the certificate — for example:

  • Let's Encrypt — matches Let’s Encrypt’s R3, R10, E5, etc.
  • DigiCert* — matches any DigiCert-issued certificate.
  • Sectigo — matches Sectigo certificates.

CertShield gives you suggestions for the common CAs. If you leave the list empty, no alerts are generated — you’ve implicitly trusted all CAs, which is not recommended.

The usual setup is: list the CAs you actually use, and let CertShield alert you on anything else.

What to do when you get an alert

  1. Don’t panic. Most of these are benign — a teammate tried a new provider, a load balancer auto-provisioned a cert from a CA you forgot about, etc.
  2. Click through to the alert on the Activity Log. You’ll see the certificate, the CA that issued it, when, and for which hostname.
  3. Check with your team — did anyone intentionally issue this?
  4. If yes, add the CA to the allow-list on the Domains page and move on.
  5. If no, this is a potential incident. Contact the CA that issued it and request revocation, rotate any secrets or credentials that could have been used to pass domain validation on your behalf (anything that allows changes to your DNS records or web content), and review your DNS and registrar logs.

A note on subdomains

If you enabled Scan subdomains on a domain (see Managing domains), CertShield also watches subdomains against the parent domain’s allow-list. A certificate for mail.example.com issued by a CA not on example.com’s allow-list will also trigger an alert.
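The following is an added example, not CertShield's own code, showing how the allow-list rules described under "Setting up the allow-list" and "A note on subdomains" can be evaluated in practice: issuer patterns (plain names and `*` wildcards), the "empty list trusts everything" rule, and subdomain inheritance when Scan subdomains is on. The page does not say exactly which certificate field a pattern is compared to, so this example assumes a plain pattern matches as a case-insensitive substring of the issuer's Organization (O) or Common Name (CN) and a wildcard pattern is a glob over the whole field; the domain configuration and CT-style records are constructed, not real log data.

```python
"""Allow-list evaluation for unauthorized-issuer alerts (added example).

Not CertShield's code. Assumptions, not stated on the help page:
  * a plain pattern ("Sectigo") matches case-insensitively as a substring
    of the issuer O or CN, so "Let's Encrypt" covers R3/R10/E5 intermediates;
  * a pattern containing '*' is a glob matched against the whole O or CN;
  * curly and straight apostrophes are treated as the same character.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MonitoredDomain:
    name: str                                              # e.g. "example.com"
    allowed_issuers: list = field(default_factory=list)    # issuer patterns
    scan_subdomains: bool = False                          # "Scan subdomains" setting


def _norm(s: str) -> str:
    """Normalise for comparison: unify apostrophes, ignore case."""
    return s.replace("\u2019", "'").lower()


def issuer_matches(pattern: str, issuer: dict) -> bool:
    """True if the pattern matches the issuer's O or CN (assumed semantics above)."""
    pat = _norm(pattern)
    fields = (issuer.get("O", ""), issuer.get("CN", ""))
    if "*" in pat or "?" in pat:
        return any(fnmatch.fnmatchcase(_norm(v), pat) for v in fields)
    return any(pat in _norm(v) for v in fields)


def find_monitored_domain(hostname: str, domains: list) -> Optional[MonitoredDomain]:
    """Pick the monitored domain whose allow-list governs this hostname.

    An exact match always wins; otherwise the longest parent domain that has
    'Scan subdomains' enabled covers the hostname. Unmonitored names return None.
    """
    host = hostname.lower().rstrip(".")
    best = None
    for d in domains:
        name = d.name.lower()
        if host == name:
            return d
        if d.scan_subdomains and host.endswith("." + name):
            if best is None or len(name) > len(best.name):
                best = d
    return best


def evaluate(record: dict, domains: list) -> Optional[str]:
    """Return an alert message for an unauthorized issuer, or None if benign.

    Mirrors the page's rules: an empty allow-list means every CA is implicitly
    trusted (no alert), and subdomains inherit the parent's allow-list only
    when 'Scan subdomains' is on.
    """
    domain = find_monitored_domain(record["hostname"], domains)
    if domain is None or not domain.allowed_issuers:
        return None
    if any(issuer_matches(p, record["issuer"]) for p in domain.allowed_issuers):
        return None
    who = record["issuer"].get("O") or record["issuer"].get("CN") or "unknown issuer"
    return (f"unauthorized issuer for {record['hostname']}: {who} "
            f"(not in allow-list of {domain.name})")


# Constructed configuration and CT-style records; none of this is real log data.
DOMAINS = [
    MonitoredDomain("example.com", ["Let's Encrypt", "DigiCert*"], scan_subdomains=True),
    MonitoredDomain("example.org", []),   # empty allow-list: trusts every CA, never alerts
]
RECORDS = [
    {"hostname": "example.com",      "issuer": {"O": "Let\u2019s Encrypt", "CN": "R3"}},
    {"hostname": "www.example.com",  "issuer": {"O": "DigiCert Inc", "CN": "DigiCert Example CA (constructed)"}},
    {"hostname": "mail.example.com", "issuer": {"O": "Sectigo Limited", "CN": "Sectigo Example CA (constructed)"}},
    {"hostname": "example.org",      "issuer": {"O": "Sectigo Limited", "CN": "Sectigo Example CA (constructed)"}},
]


def run(records=RECORDS, domains=DOMAINS) -> list:
    """Evaluate every record and return only the alerts that fire."""
    return [a for a in (evaluate(r, domains) for r in records) if a]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Run as-is, only the mail.example.com certificate produces an alert: it is a subdomain of example.com, which has Scan subdomains on and an allow-list that does not include Sectigo. The example.org record is silent because its allow-list is empty, which is the "implicitly trusted all CAs" behaviour the page warns against.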
