Certificate Inspector helps you make sure your certificates are adhering to Certificate Authority/Browser Forum (CA/B Forum) baseline requirements and other industry standards.
In this post we’ll be zooming in on specific fields Certificate Inspector scans for that are missing or input incorrectly. If certain fields and values are missing or configured incorrectly, browsers will alert users with a warning. Popup warnings will scare users away from your site.
As you may know, Certificate Inspector assigns a grade to your certificate based on whether or not it meets certain criteria. Below are four fields required by the CA/B Forum for an SSL Certificate to be considered secure. Certificates with missing or incorrectly configured fields may fall short of industry standards, potentially causing certificate warnings in browsers and even exposing users to web attacks.
Authority Information Access fields contain information and links that browsers and other applications can use to check the validity and revocation status of a certificate. One AIA method is the Online Certificate Status Protocol (OCSP), which is used to check that a certificate has not been revoked. If the OCSP method is missing, revocation checking can only be performed through the Certificate Revocation Lists (CRLs). If both are missing, revocation checking can’t be performed.
If a certificate does not include the Basic Constraints information, then some software could interpret it incorrectly. Because each software library could interpret it slightly differently, it’s best to always identify the certificate as an End Entity so that it cannot be mistaken for a CA certificate that could be used to sign non-compliant or malicious certificates.
Extended Key Usages (EKUs) specify the purposes for which the public key in a certificate may be used. The CA/B Forum baseline requirements specify that any publicly trusted SSL Certificate include the Web Server Authentication EKU, Web Client Authentication EKU, or both.
Key Usage fields ensure a certificate can only be used for its specified purposes. When Key Usage is missing, a certificate may be vulnerable because it could be misused for unintended purposes.
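The four checks described above can be reproduced with Go's standard `crypto/x509` package. The following is an added example, not Certificate Inspector's own code: `auditFields` and `selfSigned` are hypothetical helper names, and the certificate it inspects is a throwaway self-signed one constructed inline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// auditFields lists problems with the four fields discussed above (illustrative helper).
func auditFields(c *x509.Certificate) (f []string) {
	if len(c.OCSPServer) == 0 && len(c.CRLDistributionPoints) == 0 {
		f = append(f, "revocation: no OCSP or CRL, status cannot be checked")
	} else if len(c.OCSPServer) == 0 {
		f = append(f, "revocation: no OCSP in AIA, CRL only")
	}
	if !c.BasicConstraintsValid || c.IsCA {
		f = append(f, "Basic Constraints: missing or not End Entity")
	}
	auth := false
	for _, u := range c.ExtKeyUsage {
		auth = auth || u == x509.ExtKeyUsageServerAuth || u == x509.ExtKeyUsageClientAuth
	}
	if !auth {
		f = append(f, "EKU: no server or client authentication")
	}
	if c.KeyUsage == 0 {
		f = append(f, "Key Usage: missing")
	}
	return f
}

// selfSigned turns a template into a parsed, throwaway certificate (constructed sample input).
func selfSigned(t *x509.Certificate) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t.SerialNumber, t.NotBefore, t.NotAfter = big.NewInt(1), time.Now(), time.Now().Add(time.Hour)
	der, _ := x509.CreateCertificate(rand.Reader, t, t, key.Public(), key)
	c, err := x509.ParseCertificate(der) // fails here if creation failed
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	fmt.Println(auditFields(selfSigned(&x509.Certificate{}))) // template with none of the fields set
}
```

To audit a real certificate, decode its PEM file with `encoding/pem`, pass the DER bytes to `x509.ParseCertificate`, and hand the result to `auditFields`.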
After using Certificate Inspector, you can easily see if your certificate is missing fields or values. The way to fix any missing fields or values is to reissue/renew your certificate with the missing fields or values added in. DigiCert issues top-notch digital certificates, compliant with established industry security requirements and trusted in all major browsers.