View certificate issues

In DigiCert® Trust Lifecycle Manager, the network scan checks your network for TLS/SSL certificate issues or threats. If it identifies a certificate issue, it lowers the certificate's security rating.

Certificate issues may include:

  • Certificate compliance issues: Occurs if a certificate is issued by a non-trusted Certificate Authority (CA) and does not comply with the CA/B baseline requirements.

  • Misconfigured certificates: Occurs if necessary fields and values are missing from the certificate. Industry standards define the fields and values that Certificate Authorities (CAs) must include in publicly trusted TLS certificates for these certificates to be secure. These fields and values help CAs tackle existing and future threats to online security.

  • Weak keys: Occurs when certificates continue to use weak keys, which might put your clients' sensitive data at risk. Exhaustive key searches or brute force attacks against certificates with weak keys can be dangerous to network security.

Security rating

Security rating identifies these possible certificate issues from the discovered data and helps in assessing and resolving them.

To investigate and analyze the discovered data:

  1. From the main menu, select Inventory.

  2. Select Load view from the dropdown menu at the top to display the view options. Choose Discovery.

  3. Review the following information:

    Field: Description

    • Common name: Common name used for the certificate.

    • Thumbprint: Thumbprint of the certificate.

    • Status: Certificate status.

    • Valid from/to: Certificate validity.

    • Seat ID: Seat ID mapped against the certificate.

    • Seat type: Seat type mapped against the certificate.

    • Business unit: Business unit assigned.

    • Security rating: Security rating measures the expected harm to your certificate after a successful exploit of this vulnerability. Possible values can be:

        • Secure

        • Very secure

        • Not secure

        • At risk

    • SANs: List of additional subject alternative names (SANs).

  4. To investigate further, select the security rating value and review the certificate security details. These include:

    1. Security rating: Includes details like security risks, CA/Browser Forum and certificate attributes.

    2. Handshake protocols: For secure communication, the TLS client and server must agree on the cryptographic algorithms and keys that both use for the secured connection. This section lists these details.

    3. Security headers: Includes the HTTP response headers that can be used to increase the security of your application.

    4. HTTP response headers: Includes information such as the date, size, and type of file the server is sending back to the browser upon receiving an HTTP request.

  5. Customize the table columns by selecting the table settings icon at the right side of the table header. There are many available fields reflecting different certificate properties and install locations.

  6. Use column header filters to refine the list of certificates to include in a custom report. See Create custom report.

View and investigate other certificate types

To view and analyze other certificate types, use the Load view option, which includes different sets of certificates and displays different columns of information. This helps you compare different certificate types based on the search results. For more information, see View inventory.