Missing or misconfigured fields and values

  • "Certificate is missing AIA information. This violates CA/B Forum baseline requirements."
  • "OCSP URL is required under the CA/B Forum baseline requirements. OCSP is the recommended method to check for certificate revocation."
  • "The AIA field is marked as critical. The AIA fields are required to not be marked critical under the CA/B Forum baseline requirements.
  • "Certificate is missing basic constraints information. This violates CA/B Forum baseline requirements."
  • "The end-entity certificate basic constraints are set to CA=true."
  • "Certificate is missing the TLS webserver authentication EKU."
  • "Certificate is missing EKU information. This violates CA/B Forum baseline requirements."
  • "Certificate is missing Key usage information."
  • "Certificate is missing certificate policies field."
  • "Certificate has a validity start date in the future."

Problem

Continued use of certificates with missing values can put your clients' sensitive data at risk. Certificates without the necessary fields and values can cause browsers to display warnings. Warnings create mistrust when connecting to a site and can cause clients to avoid it. Missing fields and values in certificates can also obstruct applications programmed to look for these fields from operating properly.

Self-signed certificates and certificates which are not signed by a CA may not contain all the required information. Additionally, the cryptology may be inadequate.

Industry standards define the fields and values that Certificate Authorities (CAs) must include in publicly trusted TLS certificates for these certificates to be secure. These fields and values help CAs tackle existing and future threats to online security.

Solution

  • Only use certificates issued by a trusted CA, such as DigiCert.
  • Reissue/renew all your certificates with missing fields or values added and the misconfigured fields to be correctly configured.

About

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.