Managed TLS Under Migration: Authentication Authority Across CDN and Hosting Transitions

TL;DR

This paper examines how managed TLS platforms retain control over certificates during domain migrations, revealing that they continue serving old certificates until expiration, which impacts domain authentication security during transitions.

Contribution

It provides the first detailed measurement study of managed TLS behavior during provider transitions, highlighting the persistence of authentication authority with the original platform.

Findings

Platforms serve the same certificate until expiration after migration.

No new certificates are issued post-migration.

Authentication persists independently of DNS changes.

Abstract

Managed TLS has become a common approach for deploying HTTPS, with platforms generating and storing private keys and automating certificate issuance on behalf of domain operators. This model simplifies operational management but shifts control of authentication material from the domain owner to the platform. The implications of this shift during provider transitions remain insufficiently examined. This study investigates how managed TLS platforms behave when a domain is moved away from the platform that originally issued and stored its certificate. A controlled measurement environment was used to monitor multiple platforms after migration. Each platform was observed for the full remaining lifetime of the certificate that had been active during delegation. The measurements show that platforms continue to serve the same certificate until it expires, even after DNS resolvers direct traffic toward new infrastructure. No platform revoked, replaced, or retired the certificate, and no new certificate was issued after delegation ended. Direct connections to the previous platform continued to complete TLS handshakes with the stale certificate, which confirms that authentication capability persisted independently of DNS state. These findings indicate that authentication authority remains with the previous platform for the entire lifetime of certificates issued during the delegation period. The gap between DNS control and control of authentication material introduces a window in which multiple environments can authenticate the same domain. As managed TLS adoption grows, clearer mechanisms for key retirement and certificate invalidation are needed to ensure that the authentication authority follows operational authority during transitions.