Missing or misconfigured fields and values

  • "Certificate is missing AIA information. This violates CA/B Forum baseline requirements."
  • "OCSP URL is required under the CA/B Forum baseline requirements. OCSP is the recommended method to check for certificate revocation."
  • "The AIA field is marked as critical. The AIA fields are required to not be marked critical under the CA/B Forum baseline requirements."
  • "Certificate is missing basic constraints information. This violates CA/B Forum baseline requirements."
  • "The end-entity certificate basic constraints are set to CA=true."
  • "Certificate is missing the TLS webserver authentication EKU."
  • "Certificate is missing EKU information. This violates CA/B Forum baseline requirements."
  • "Certificate is missing Key usage information."
  • "Certificate is missing certificate policies field."
  • "Certificate has a validity start date in the future."

Problem

Continuing to use certificates with missing or misconfigured fields puts your clients' connections, and the data sent over them, at risk. Browsers may reject such certificates outright or display warnings; warnings create mistrust when connecting to a site and can cause clients to avoid it. Applications that rely on these fields can also stop working: a client that checks revocation through the OCSP URL in the AIA extension, for example, cannot do so when that URL is absent, so a compromised certificate cannot be detected as revoked.

Self-signed certificates, and certificates not issued by a publicly trusted CA, frequently lack these required fields. Additionally, the cryptography (key size, signature algorithm) may be inadequate.

Industry standards, in particular the CA/Browser Forum Baseline Requirements, define the fields and values that Certificate Authorities (CAs) must include in publicly trusted TLS certificates for browsers to trust them. These fields and values (revocation pointers, key usage and extended key usage restrictions, basic constraints, policy identifiers) help CAs and relying parties address existing and future threats to online security.
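The following is an added example, not code from the original page or from DigiCert's tooling: a checker that reproduces the warnings listed above (AIA present and non-critical with an OCSP URL, basic constraints present with CA=false, EKU present and including TLS server authentication, key usage present, certificate policies present, notBefore not in the future). It uses the third-party `cryptography` package (`pip install cryptography`). The hostnames are made up; the policy OID 2.23.140.1.2.1 is the CA/B Forum domain-validated policy identifier. The two sample certificates are constructed in the script itself so it runs offline; `check_pem` takes a real PEM certificate.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import (AuthorityInformationAccessOID, ExtendedKeyUsageOID,
                                   ExtensionOID, NameOID)


def _extension(cert, oid):
    """Return the extension with this OID, or None if the certificate lacks it."""
    try:
        return cert.extensions.get_extension_for_oid(oid)
    except x509.ExtensionNotFound:
        return None


def _not_before_utc(cert):
    # cryptography >= 42 exposes an aware datetime; older releases only a naive UTC one.
    aware = getattr(cert, "not_valid_before_utc", None)
    return aware if aware is not None else cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)


def check_certificate(cert, now=None):
    """Return finding codes for an end-entity TLS certificate; an empty list means clean."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    findings = []
    aia = _extension(cert, ExtensionOID.AUTHORITY_INFORMATION_ACCESS)
    if aia is None:
        findings.append("aia-missing")
    else:
        if aia.critical:                       # BRs require AIA to be non-critical
            findings.append("aia-critical")
        if not any(d.access_method == AuthorityInformationAccessOID.OCSP for d in aia.value):
            findings.append("ocsp-url-missing")
    bc = _extension(cert, ExtensionOID.BASIC_CONSTRAINTS)
    if bc is None:
        findings.append("basic-constraints-missing")
    elif bc.value.ca:                          # an end-entity cert must not be a CA
        findings.append("basic-constraints-ca-true")
    eku = _extension(cert, ExtensionOID.EXTENDED_KEY_USAGE)
    if eku is None:
        findings.append("eku-missing")
    elif ExtendedKeyUsageOID.SERVER_AUTH not in eku.value:
        findings.append("eku-no-server-auth")
    if _extension(cert, ExtensionOID.KEY_USAGE) is None:
        findings.append("key-usage-missing")
    if _extension(cert, ExtensionOID.CERTIFICATE_POLICIES) is None:
        findings.append("certificate-policies-missing")
    if _not_before_utc(cert) > now:
        findings.append("not-before-in-future")
    return findings


def check_pem(pem_bytes, now=None):
    """Run the checks on a PEM certificate read from disk or captured from a handshake."""
    return check_certificate(x509.load_pem_x509_certificate(pem_bytes), now)


def _self_signed(extensions, not_before):
    """Build a throwaway self-signed cert carrying exactly the given (extension, critical) pairs."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(not_before)
               .not_valid_after(not_before + datetime.timedelta(days=90)))
    for ext, critical in extensions:
        builder = builder.add_extension(ext, critical=critical)
    return builder.sign(key, hashes.SHA256())


def _ca_issuers():
    return x509.AccessDescription(AuthorityInformationAccessOID.CA_ISSUERS,
                                  x509.UniformResourceIdentifier("http://ca.example.test/issuer.crt"))


def make_good_certificate():
    """Constructed end-entity certificate carrying every field the warnings ask for."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ocsp = x509.AccessDescription(AuthorityInformationAccessOID.OCSP,
                                  x509.UniformResourceIdentifier("http://ocsp.example.test"))
    return _self_signed([
        (x509.AuthorityInformationAccess([ocsp, _ca_issuers()]), False),
        (x509.BasicConstraints(ca=False, path_length=None), True),
        (x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), False),
        (x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False,
                       data_encipherment=False, key_agreement=False, key_cert_sign=False,
                       crl_sign=False, encipher_only=False, decipher_only=False), True),
        (x509.CertificatePolicies([x509.PolicyInformation(x509.ObjectIdentifier("2.23.140.1.2.1"), None)]), False),
    ], now - datetime.timedelta(hours=1))


def make_bad_certificate():
    """Constructed certificate that trips most warnings: critical AIA without OCSP, CA=true,
    no EKU, key usage or policies, and a notBefore one day in the future."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return _self_signed([
        (x509.AuthorityInformationAccess([_ca_issuers()]), True),
        (x509.BasicConstraints(ca=True, path_length=None), True),
    ], now + datetime.timedelta(days=1))


if __name__ == "__main__":
    print("good:", check_certificate(make_good_certificate()))
    print("bad: ", check_certificate(make_bad_certificate()))
```

Run it against a live certificate with `check_pem(open("server.pem", "rb").read())`. Note that these checks only cover the fields named in the warnings above; they do not validate the chain, the signature, or the key strength, so a clean result here does not by itself mean the certificate is trustworthy.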

Solution

  • Only use certificates issued by a publicly trusted CA, such as DigiCert.
  • Reissue or renew every affected certificate so that the missing fields and values are added and the misconfigured fields are corrected, then re-check the new certificate before deploying it.