Certificate Inspector: Missing Fields

DigiCert Certificate Inspector is included as part of the CertCentral BETA program DigiCert announced on April 20, 2015. Although Certificate Inspector is not a new certificate management service, it is still essential for assuring that your SSL Certificates are compliant with industry standards and are deployed correctly.

Certificate Inspector helps you make sure your certificates are adhering to Certificate Authority/Browser Forum (CA/B Forum) baseline requirements and other industry standards.

In this post we’ll zoom in on specific fields that Certificate Inspector checks for being missing or entered incorrectly. If certain fields and values are missing or configured incorrectly, browsers will alert users with a warning, and popup warnings will scare users away from your site.

As you may know, Certificate Inspector assigns a grade to your certificate based on whether or not it meets certain criteria. Below are four fields required by the CA/B Forum for an SSL Certificate to be considered secure. Certificates with missing or incorrectly configured fields may fall short of industry standards, potentially causing certificate warnings in browsers and even exposing users to web attacks.

Missing AIA (Authority Information Access) information

Authority Information Access fields contain information and links that browsers and other applications can use to check the validity and revocation status of a certificate. One AIA method is the Online Certificate Status Protocol (OCSP), which is used to check that a certificate has not been revoked. If the OCSP method is missing, revocation checking can only be performed through the Certificate Revocation Lists (CRLs). If both are missing, revocation checking can’t be performed.

Missing Basic Constraints information

If a certificate does not include the Basic Constraints information, then some software could interpret it incorrectly. Because each software library could interpret it slightly differently, it’s best to always identify the certificate as an End Entity (CA:FALSE) so that it cannot be mistaken for a CA certificate that could be used to sign non-compliant or malicious certificates.

Missing EKU (extKeyUsage) information

  • Missing the TLS Web Server Authentication EKU
  • Missing the TLS Web Client Authentication EKU

EKUs specify the purposes for which the public key in a certificate may be used. The CA/B Forum baseline requirements specify that any publicly trusted SSL Certificate include the Web Server Authentication EKU, Web Client Authentication EKU, or both.

Missing Key Usage information

  • Missing the Key Usage Digital Signature field
  • Missing the Key Usage Key Encipherment field

Key Usage fields ensure a certificate can only be used for its specified purposes. When Key Usage is missing, a certificate may be vulnerable because it could be misused for unintended purposes.
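As an added example (not DigiCert's code and not how Certificate Inspector itself grades), the following script checks a PEM certificate for the four fields described above with the openssl CLI, then runs itself against two constructed self-signed test certificates, one with every field and one with only Basic Constraints. It assumes openssl 1.1.1 or later (for -addext) is on the PATH; the example.test names are placeholders.

```shell
#!/bin/sh
# Added example, not DigiCert's code: grade a PEM certificate against the
# AIA, Basic Constraints, EKU and Key Usage fields. Assumes openssl >= 1.1.1.
set -e

# Prints one line per missing or mis-set field; prints nothing for a clean cert.
check_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  # AIA: without an OCSP URI only a CRL pointer remains for revocation checking;
  # without either, no revocation checking is possible at all.
  if ! echo "$txt" | grep -q 'OCSP - URI:'; then
    if echo "$txt" | grep -q 'CRL Distribution Points'; then
      echo "missing AIA OCSP method (revocation checking falls back to CRL only)"
    else
      echo "missing AIA OCSP method and CRL (no revocation checking possible)"
    fi
  fi
  # Basic Constraints: must be present and mark the cert as end-entity (CA:FALSE)
  echo "$txt" | grep -A1 'Basic Constraints' | grep -q 'CA:FALSE' \
    || echo "missing or incorrect Basic Constraints (expected CA:FALSE)"
  # EKU: TLS Web Server Authentication, TLS Web Client Authentication, or both
  echo "$txt" | grep -A1 'Extended Key Usage' \
    | grep -Eq 'TLS Web (Server|Client) Authentication' \
    || echo "missing EKU (TLS Web Server/Client Authentication)"
  # Key Usage: Digital Signature and Key Encipherment for an RSA server cert
  ku=$(echo "$txt" | grep -A1 'X509v3 Key Usage' | tail -n 1)
  case "$ku" in *"Digital Signature"*) ;; *) echo "missing Key Usage Digital Signature" ;; esac
  case "$ku" in *"Key Encipherment"*) ;; *) echo "missing Key Usage Key Encipherment" ;; esac
}

# Constructed throwaway certificates (placeholder example.test names):
# good.pem carries all four fields, bad.pem only Basic Constraints.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=www.example.test \
  -keyout "$WORK/key.pem" -out "$WORK/good.pem" \
  -addext 'basicConstraints=critical,CA:FALSE' \
  -addext 'keyUsage=critical,digitalSignature,keyEncipherment' \
  -addext 'extendedKeyUsage=serverAuth,clientAuth' \
  -addext 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test' 2>/dev/null
openssl req -x509 -key "$WORK/key.pem" -days 1 -subj /CN=www.example.test \
  -out "$WORK/bad.pem" -addext 'basicConstraints=critical,CA:FALSE' 2>/dev/null

echo "== good.pem"; check_cert "$WORK/good.pem"
echo "== bad.pem";  check_cert "$WORK/bad.pem"
```

Run it against your own deployed certificate with `check_cert /path/to/cert.pem`; each printed line corresponds to a field that would need to be added at reissue/renewal.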

After using Certificate Inspector, you can easily see whether your certificate is missing fields or values. The way to fix any missing fields or values is to reissue or renew your certificate with the missing fields or values added. DigiCert issues top-notch digital certificates, compliant with established industry security requirements and trusted in all major browsers.