
Certificate issues and security ratings

When DigiCert® Trust Lifecycle Manager adds certificates to your inventory, it checks them for security-related issues and assigns each certificate a security rating. Certificate issues that might affect the security rating broadly fall under these categories:

  • Certificate compliance issues: Occurs if the certificate was issued by a non-trusted certificate authority (CA) or does not follow the CA/Browser Forum baseline requirements.

  • Misconfigured certificates: Occurs if necessary fields and values are missing from the certificate. Industry standards define the fields and values that certificate authorities (CAs) must include in publicly trusted TLS certificates for these certificates to be secure. These fields and values help CAs tackle existing and future threats to online security.

  • Weak keys: Occurs when a certificate uses a weak key, which can put sensitive data at risk. Exhaustive key searches (brute-force attacks) against certificates with weak keys can compromise network security.

Security rating levels

Trust Lifecycle Manager uses the following ratings to assess certificate security, in order from most to least secure:

  • Very secure

  • Secure

  • At risk

  • Not secure

Important

For certificates rated At risk or Not secure, DigiCert recommends viewing the issues that impact the rating and taking appropriate action to protect your systems and users.

View the security ratings for certificates

Inventory table

In the Inventory table in Trust Lifecycle Manager, the Security rating column shows the current security rating for each certificate. If this column is not present, use the Add column icon on the top-right of the table to add it.

Certificate details

For certificates that have a security rating, the current rating is shown in the Security tab on the certificate details page. Select the certificate in the Inventory table to view the certificate details and access this tab.

Dashboard

Your account dashboard includes the following widgets to help you monitor security issues in both your Public and Other (private and self-signed) certificates:

  • Certificate issues: Bar chart shows the number of certificates with specific security ratings. For more information, see View certificate issues.

  • Certificate security ratings: Donut chart shows the relative number of certificates with different security ratings. Select a rating in the donut chart to view all certificates with that rating in the Inventory table.

View certificate issues

The Certificate issues chart on the dashboard displays issues discovered in your public and other (private or self-signed) certificates. The chart includes both critical and non-critical issues.

Certificate issues are:

  • Missing certificate profiles

  • Duplicate Common Name (CN) in Distinguished Name (DN)

  • Issue with internal names

  • No null characters in common name

  • Missing CN in Subject Alternative Name (SAN) list

  • Missing extended key usage

  • Weak end-entity certificate strength

  • CA constraint found in end entity

  • Weak end-entity certificate hash algorithm

  • Missing Authority Information Access (AIA)

  • Invalid certificate

  • Missing key usage

  • Invalid certificate content

  • Alias mismatch

  • Missing Certificate Revocation List (CRL)

You can also select the bars in the chart to load and manage the certificates with each issue.
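The three issue categories at the top of this page and the dashboard's issue list above describe checks that any inventory tool runs against parsed X.509 data. The following Go program is an added example, not DigiCert's or Trust Lifecycle Manager's code: it implements a subset of those checks with the standard library's crypto/x509 package, using the issue names from the list, and runs them against two constructed self-signed certificates (one deliberately weak, one hardened). The thresholds it applies (RSA at least 2048 bits, EC curves at least 256 bits, no MD2/MD5/SHA-1 signatures) and the hostnames and URLs are assumptions chosen for the example; DigiCert's actual scoring rules and the mapping from issues to the four rating levels are not published on this page and are not modelled here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Issue names mirror the dashboard's "Certificate issues" list.
type Issue string

const (
	MissingCNInSAN   Issue = "Missing CN in Subject Alternative Name (SAN) list"
	MissingEKU       Issue = "Missing extended key usage"
	WeakKeyStrength  Issue = "Weak end-entity certificate strength"
	CAConstraintInEE Issue = "CA constraint found in end entity"
	WeakHash         Issue = "Weak end-entity certificate hash algorithm"
	MissingAIA       Issue = "Missing Authority Information Access (AIA)"
	InvalidCert      Issue = "Invalid certificate"
	MissingKeyUsage  Issue = "Missing key usage"
	MissingCRL       Issue = "Missing Certificate Revocation List (CRL)"
)

// LintEndEntity runs the checks against one parsed end-entity certificate at time now. The thresholds
// (RSA >= 2048 bits, EC curves >= 256 bits, no MD2/MD5/SHA-1) are assumptions, not DigiCert's scoring rules.
func LintEndEntity(cert *x509.Certificate, now time.Time) []Issue {
	var issues []Issue
	flag := func(cond bool, i Issue) {
		if cond {
			issues = append(issues, i)
		}
	}
	flag(now.Before(cert.NotBefore) || now.After(cert.NotAfter), InvalidCert)
	cn := cert.Subject.CommonName // clients match hostnames against the SAN list, not the CN
	flag(cn != "" && !slices.Contains(cert.DNSNames, cn), MissingCNInSAN)
	flag(len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0, MissingEKU)
	flag(cert.KeyUsage == 0, MissingKeyUsage)
	flag(cert.BasicConstraintsValid && cert.IsCA, CAConstraintInEE) // a leaf with cA=TRUE could sign further certs
	flag(len(cert.OCSPServer) == 0 && len(cert.IssuingCertificateURL) == 0, MissingAIA)
	flag(len(cert.CRLDistributionPoints) == 0, MissingCRL)
	switch pub := cert.PublicKey.(type) { // other key types are left unclassified here
	case *rsa.PublicKey:
		flag(pub.N.BitLen() < 2048, WeakKeyStrength)
	case *ecdsa.PublicKey:
		flag(pub.Curve.Params().BitSize < 256, WeakKeyStrength)
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		flag(true, WeakHash)
	}
	return issues
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ExampleCert builds a constructed self-signed leaf (not a real certificate). With hardened=false it
// trips most checks: 1024-bit RSA, CN absent from the SAN list, no KU/EKU, cA=TRUE, no AIA or CRL.
func ExampleCert(hardened bool) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "leaf.example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: !hardened,
	}
	var key crypto.Signer
	if hardened {
		key = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl.DNSNames = []string{"leaf.example.test"}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.OCSPServer = []string{"http://ocsp.example.test"}
		tmpl.CRLDistributionPoints = []string{"http://crl.example.test/ca.crl"}
	} else {
		key = must(rsa.GenerateKey(rand.Reader, 1024)) // below the 2048-bit threshold
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key))
	return must(x509.ParseCertificate(der))
}

func main() {
	for _, hardened := range []bool{false, true} {
		cert := ExampleCert(hardened)
		fmt.Printf("hardened=%v: %v\n", hardened, LintEndEntity(cert, time.Now()))
	}
}
```

Run with `go run .`: the weak certificate reports seven of the listed issues and the hardened one reports none; passing a time after NotAfter to LintEndEntity reports "Invalid certificate". The checks read only fields that x509.ParseCertificate already decodes, which is why an inventory tool can rate certificates without contacting the issuing CA; the trust-store and CA/Browser Forum compliance checks the page also describes need the full chain and are outside this example.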

View certificate security details

Select the security rating in the Inventory table or Certificate details page to open a sidebar with the details on how the rating was calculated.

The Certificate security details sidebar includes the following sections:

  • Security risks: General security-related issues.

  • CA/Browser-Forum: Compliance issues with security standards defined by CA/Browser Forum.

  • Certificate and chain attributes: Issues with the attributes of the end-entity certificate or CA certificate chain.