Missing or misconfigured fields and values

  • "Certificate is missing AIA information. This violates CA/B Forum baseline requirements."
  • "OCSP URL is required under the CA/B Forum baseline requirements. OCSP is the recommended method to check for certificate revocation."
  • "The AIA field is marked as critical. The AIA fields are required to not be marked critical under the CA/B Forum baseline requirements."
  • "Certificate is missing basic constraints information. This violates CA/B Forum baseline requirements."
  • "The end entity certificate basic constraints is set to CA=true."
  • "Certificate is missing the TLS web server authentication EKU."
  • "Certificate is missing EKU information. This violates CA/B Forum baseline requirements."
  • "Certificate is missing Key usage information."
  • "Certificate is missing certificate policies field."
  • "Certificate has a validity start date in the future."

Problem

Continued use of certificates with missing values may put your clients' sensitive data at risk. Certificates without the necessary fields and values may cause browsers to display warnings. These warnings create mistrust when connecting to a site and can cause clients to avoid your site. Missing fields and values may also prevent applications that are programmed to look for these fields from operating properly.

Self-signed certificates and certificates not signed by a CA may not contain all the required information. In addition, the cryptography may not be adequate.

Industry standards define the fields and values that Certificate Authorities (CAs) must include in publicly trusted TLS certificates for these certificates to be secure. These fields and values help CAs tackle existing and future threats to online security.

Solution

  • Only use certificates issued by a trusted CA, such as DigiCert.
  • Reissue/renew all of your certificates with the missing fields or values added and the misconfigured fields correctly configured.
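
To confirm that a reissued certificate no longer triggers the findings listed above, a check along these lines can be run against it. This is an added example, not DigiCert's code: it assumes the Python `cryptography` package is installed, and `lint`, `constructed_cert` and the `example.test` name are hypothetical, with the sample certificate constructed in the code.

```python
# Added example (not DigiCert's code); needs the third-party "cryptography" package.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import (AuthorityInformationAccessOID as AIA,
                                   ExtendedKeyUsageOID as EKU, ExtensionOID as EXT, NameOID)

def _ext(cert, oid):  # the extension with this OID, or None if the certificate lacks it
    try:
        return cert.extensions.get_extension_for_oid(oid)
    except x509.ExtensionNotFound:
        return None

def lint(cert, now=None):
    """Return the findings from the list above that apply to an end-entity certificate."""
    now = now or dt.datetime.now(dt.timezone.utc)
    aia, bc, eku = (_ext(cert, o) for o in (EXT.AUTHORITY_INFORMATION_ACCESS,
                                            EXT.BASIC_CONSTRAINTS, EXT.EXTENDED_KEY_USAGE))
    checks = [
        (aia is None, "missing AIA"),
        (aia is None or all(d.access_method != AIA.OCSP for d in aia.value), "missing OCSP URL"),
        (aia is not None and aia.critical, "AIA marked critical"),
        (bc is None, "missing basic constraints"),
        (bc is not None and bc.value.ca, "end entity has CA=true"),
        (eku is None, "missing EKU"),
        (eku is None or EKU.SERVER_AUTH not in eku.value, "missing server authentication EKU"),
        (_ext(cert, EXT.KEY_USAGE) is None, "missing key usage"),
        (_ext(cert, EXT.CERTIFICATE_POLICIES) is None, "missing certificate policies"),
    ]
    # not_valid_before_utc exists in cryptography >= 42; older releases return naive UTC.
    start = getattr(cert, "not_valid_before_utc", None) or \
        cert.not_valid_before.replace(tzinfo=dt.timezone.utc)
    checks.append((start > now, "validity start date in the future"))
    return [msg for failed, msg in checks if failed]

def constructed_cert(start, extensions=()):
    """Constructed self-signed sample; extensions is a list of (extension, critical) pairs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + dt.timedelta(days=90)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical)
    return b.sign(key, hashes.SHA256())

if __name__ == "__main__":  # bare self-signed certificate that is not yet valid
    print(lint(constructed_cert(dt.datetime.now(dt.timezone.utc) + dt.timedelta(days=1))))
```

To check a real certificate, load it with `x509.load_pem_x509_certificate` and pass the result to `lint`.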