How is the TLS/SSL Certificates Risk Vector Observed?

Ingrid TLS/SSL Certificates data is collected by establishing a TLS connection between an asset and a hostname or IP address.

When a scan begins with a hostname, a TLS handshake is performed with the Server Name Indication (SNI) field set to that hostname. This lets the server know which certificate to present to the connecting client.

When a scan begins without a hostname, the TLS connection is established with an IP address. There is no way to provide a hostname in the SNI field of the TLS handshake, so the collected certificate is subject to all of the assessments performed by our algorithm (graded negatively). See recommendations.

Some services in their default configuration present an automatically generated, self-signed certificate. Examples: Kubernetes Ingress and Traefik Proxy.

A unique finding is generated for each asset/certificate combination. Certificates can be applied to multiple assets, and findings are generated based on each unique access point, so the asset could be identified by:
- Domain name
- IP:port combination
- Both (domain name and IP:port)

Revision history:
- November 13, 2025: Update to clean up language.
- November 29, 2023: How a TLS/SSL Certificates finding is generated.
- January 4, 2023: Published.

Related articles:
- TLS/SSL Finding Remediation & Remediation Verification
- TLS/SSL Certificates Connected Without a Specified SNI
- TLS/SSL Certificates Risk Vector
- How is the TLS/SSL Certificates Risk Vector Assessed?
- TLS/SSL Certificate Best Practices
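The difference between a hostname scan (SNI set) and an IP scan (no SNI) is easiest to see by reproducing it end to end. The following is an added example written for this page, not the scanner's or any vendor's code: it starts a loopback TLS server that picks a certificate by SNI and falls back to an auto-generated self-signed default when no server name arrives, then connects twice, once by hostname and once by bare IP, and reports which certificate each handshake observed. The hostname app.example.test, the subject names, and the helper names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for cn with the given
// SAN DNS names. Constructed for the example; never use such certs in production.
func selfSigned(cn string, dnsNames []string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer listens on loopback and serves hostCert only when the ClientHello
// carries an SNI name that hostCert is valid for; otherwise it presents
// defaultCert, mimicking a proxy's auto-generated fallback certificate.
func startServer(hostCert, defaultCert tls.Certificate) (net.Listener, error) {
	cfg := &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hello.ServerName != "" && hostCert.Leaf.VerifyHostname(hello.ServerName) == nil {
				return &hostCert, nil
			}
			return &defaultCert, nil // no SNI (IP scan) or unknown name
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake() // complete the handshake so the client sees a cert
				}
			}(c)
		}
	}()
	return ln, nil
}

// observedCN handshakes with addr and returns the CN of the leaf certificate
// the server presented. An empty sni means "connect by IP only": Go omits the
// SNI extension for IP literals, exactly the situation the article describes.
func observedCN(addr, sni string) (string, error) {
	cfg := &tls.Config{
		ServerName:         sni,
		InsecureSkipVerify: true, // observing the certificate, not trusting it
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	ln, err := startServer(
		selfSigned("app.example.test", []string{"app.example.test"}),
		selfSigned("default-self-signed", nil))
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	for _, sni := range []string{"app.example.test", ""} {
		cn, err := observedCN(ln.Addr().String(), sni)
		fmt.Printf("SNI=%q -> certificate CN=%q err=%v\n", sni, cn, err)
	}
}
```

The second handshake is the IP-only case: the server cannot tell which site is wanted, so the scanner records the fallback certificate, whose name will not match any hostname and which chains to no trusted CA. Those are the properties an assessment grades negatively, which is why a finding keyed on IP:port can look worse than one keyed on the domain name even though the same host is behind both.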