GOOD

| Message | Description | Remediation Instructions |
|---|---|---|
| Large number of DNS Names | This certificate contains more than 25 domains, allowing for a greater possibility of malicious use and a larger impact if the certificate is compromised. | Consider reducing the number of domains secured by the certificate to fewer than 25. |
| Symantec CAs will be distrusted in Chrome | The certificate is still trusted in the official Chrome build and in beta, but may be scheduled for distrust. | If your organization has certificates from Symantec certificate authorities (CA), check the Chrome release timeline to see if and when your organization should replace its certificates. |
FAIR

| Message | Description | Remediation Instructions |
|---|---|---|
| Entrust certificate distrusted by Google and Mozilla | Certificates signed by Entrust after November 11th, 2024 receive a FAIR grade. | Obtain and implement a replacement certificate from a trusted certificate authority. |
| Symantec certificate distrusted in Chrome Beta | The certificate is still trusted in the official Chrome build, but not in Beta. | Obtain and implement a replacement certificate from a certificate authority trusted by Chrome. See the Chrome release timeline for more details. |
WARN

| Message | Description | Remediation Instructions |
|---|---|---|
| Certificate with deprecated root | The root certificate used to sign this certificate is not from a trusted authority. | See our approved certificate authorities list. |
| Entrust certificate distrusted by Google and Mozilla | Certificates signed by Entrust after November 30th, 2024 receive a WARN grade. | Obtain and implement a replacement certificate from a trusted certificate authority. |
| Kubernetes Ingress Self-signed certificate | This certificate was signed by the same server that is hosting the domain, rather than a trusted certificate authority. Specifically, this is a default Kubernetes Ingress self-signed certificate. In these cases, the "Subject" and "Issuer" fields will be the same. Self-signed certificates can be easily compromised and are flagged by most browsers. For more information about the dangers of self-signed certificates, see Thawte's “The Hidden Costs of Self-Signed SSL Certificates”. | The default Kubernetes Ingress certificate should be replaced with a TLS certificate signed by an industry certificate authority provider that chains to a known certificate authority. See our approved certificate authorities list. |
| RSA public key is less than 2048 bits | RSA keys shorter than 2048 bits may be insecure. According to NIST’s Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, keys above 1024 bits and below 2048 bits are acceptable only for legacy use. | Your TLS certificate will need to be re-issued or regenerated by your certificate provider with an RSA public key strength greater than or equal to 2048 bits. |
| Self-signed certificate | This certificate was signed by the same server that is hosting the domain, rather than a trusted certificate authority. | Update the certificate to be signed by an industry certificate authority provider that chains to a known certificate authority. See our list of approved and trusted certificate authorities. |
| Symantec certificate distrusted in Chrome | The certificate is distrusted in the official Chrome build. | Obtain and implement a replacement certificate from a certificate authority trusted by Chrome. See the Chrome release timeline for more details. |
BAD

| Message | Description | Remediation Instructions |
|---|---|---|
| Expired certificate | This certificate has expired. While the traffic to the host is still encrypted, it may be vulnerable to new attacks. | Replace the certificate with one that has a valid expiration date. Reference the ‘Key Evidence’ field for the certificate’s specific location in your network (IP address, domain, etc.). Once located, identify the finding by the certificate serial number. Note that generating a new certificate produces a new serial number, which creates a new finding. |
| Insecure signature algorithm | The algorithm encrypting this traffic has a known vulnerability, making the connection susceptible to man-in-the-middle (MITM) attacks. | Your certificates are using insecure signature algorithms. Obtain updated leaf certificates from your certificate vendor. |
| Insecure signature algorithm: MD2 | MD2 is not collision-resistant and its support has been discontinued. | Your TLS certificate uses a signing algorithm that is no longer supported by the security industry. Renew your TLS certificate with your certificate vendor and specify a stronger signature algorithm, such as SHA-256. |
| Insecure signature algorithm: MD5 | MD5 is not collision-resistant and its support has been discontinued. | Your TLS certificate uses a signing algorithm that is no longer supported by the security industry. Renew your TLS certificate with your certificate vendor and specify a stronger signature algorithm, such as SHA-256. |
| Insecure signature algorithm: SHA1 | SHA-1 is vulnerable to partial-message collision attacks; Internet Explorer, Chrome, and Firefox will not accept SHA-1-signed certificates starting in 2017. | Your TLS certificate uses a signing algorithm that is no longer supported by the security industry. Renew your TLS certificate with your certificate vendor and specify a stronger signature algorithm, such as SHA-256. |
| RSA public key is less than 1024 bits | Keys shorter than 1024 bits can be broken with consumer devices. | A key length of 2048 bits is recommended. Your TLS certificate will need to be re-issued or regenerated immediately by your TLS provider with an RSA public key strength greater than 1024 bits. |
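The tables above amount to a small rule set; the following added example (not part of the original page or the product's own code) applies those rules to a constructed set of certificate facts and returns the worst grade plus every message that fired. `CertFacts` and `grade_certificate` are hypothetical names, and since the page gives two Entrust cut-off dates, the example assumes the earlier one starts the FAIR band and the later one the WARN band.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

GRADE_ORDER = {"GOOD": 0, "FAIR": 1, "WARN": 2, "BAD": 3}
# Assumption: the page's two Entrust dates bound a FAIR band (after Nov 11)
# and a WARN band (after Nov 30) by certificate issue date.
ENTRUST_FAIR_AFTER = date(2024, 11, 11)
ENTRUST_WARN_AFTER = date(2024, 11, 30)
WEAK_HASHES = ("md2", "md5", "sha1")   # the three BAD signature algorithms

@dataclass
class CertFacts:
    """Attributes a scanner would pull from a parsed X.509 certificate (hypothetical)."""
    dns_names: int            # number of SAN dNSName entries
    subject: str              # RFC 4514 string of the Subject
    issuer: str               # RFC 4514 string of the Issuer
    issuer_org: str           # Issuer organizationName
    rsa_bits: Optional[int]   # None when the key is not RSA
    sig_hash: str             # hash in the signature algorithm, e.g. "sha256"
    not_before: str           # ISO dates, e.g. "2024-11-20"
    not_after: str
    k8s_default_ingress: bool = False

def grade_certificate(c: CertFacts, today: str) -> Tuple[str, List[str]]:
    """Apply the page's rules; return the worst grade and the messages that fired."""
    findings: List[Tuple[str, str]] = []
    issued, expires, now = map(date.fromisoformat, (c.not_before, c.not_after, today))
    if expires < now:
        findings.append(("BAD", "Expired certificate"))
    if c.sig_hash.lower() in WEAK_HASHES:
        findings.append(("BAD", f"Insecure signature algorithm: {c.sig_hash.upper()}"))
    if c.rsa_bits is not None and c.rsa_bits < 1024:
        findings.append(("BAD", "RSA public key is less than 1024 bits"))
    elif c.rsa_bits is not None and c.rsa_bits < 2048:
        findings.append(("WARN", "RSA public key is less than 2048 bits"))
    if c.subject == c.issuer:   # the page's self-signed test: Subject equals Issuer
        kind = "Kubernetes Ingress Self-signed certificate" if c.k8s_default_ingress else "Self-signed certificate"
        findings.append(("WARN", kind))
    if c.issuer_org == "Entrust":
        msg = "Entrust certificate distrusted by Google and Mozilla"
        if issued > ENTRUST_WARN_AFTER:
            findings.append(("WARN", msg))
        elif issued > ENTRUST_FAIR_AFTER:
            findings.append(("FAIR", msg))
    if c.dns_names > 25:        # informational: listed under GOOD on the page
        findings.append(("GOOD", "Large number of DNS Names"))
    worst = max((g for g, _ in findings), key=GRADE_ORDER.get, default="GOOD")
    return worst, [m for _, m in findings]
```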
- October 15, 2024: Certain Entrust-signed certificates no longer trusted by Google and Mozilla.
- December 21, 2023: Several updates to remediation tips linking to the TLS/SSL Finding Remediation & Remediation Verification guide.
- November 29, 2023: Several updates to remediation tips; Added missing messages.