Some of these may be false-positives. You should review closely before taking action.
| # of affected certificates | CA | CCADB Owner | Severity | Description |
|---|---|---|---|---|
| 5641 | C=US, ST=CA, L=San Francisco, O="CloudFlare, Inc.", CN=CloudFlare Inc ECC CA-2 | DigiCert | W | Unknown Extension: 1.3.6.1.4.1.11129.2.1.22 |
| 564 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1 | DigiCert | W | Extension should be critical for KeyUsage |
| 564 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 564 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 552 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 552 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4 | DigiCert | W | Extension should be critical for KeyUsage |
| 552 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 533 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5 | DigiCert | W | Extension should be critical for KeyUsage |
| 533 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 533 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 5 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 508 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 508 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 | DigiCert | W | Extension should be critical for KeyUsage |
| 508 | C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 147 | C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2 | QuoVadis | W | TLS Server auth certificates should not contain IPSec End System usage |
| 147 | C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2 | QuoVadis | W | TLS Server auth certificates should not contain IPSec User usage |
| 147 | C=US, O=HydrantID (Avalanche Cloud Corporation), CN=HydrantID SSL ICA G2 | QuoVadis | W | TLS Server auth certificates should not contain IPSec Tunnel usage |
| 35 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=FujiSSL Public Validation Authority - G3 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 35 | C=JP, O=National Institute of Informatics, CN=NII Open Domain CA - G5 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 34 | C=PL, O=home.pl S.A., CN=Certyfikat SSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Name has deprecated attribute emailAddress |
| 34 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=KDDI Web Communications Certification Authority 3 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 26 | C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Domain Validation CA SHA2 | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Name has deprecated attribute emailAddress |
| 17 | C=PL, O=nazwa.pl sp. z o.o., OU=http://nazwa.pl, CN=nazwaSSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | commonNames in BR certificate contains U-labels |
| 15 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web SR 3.0 CA | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 12 | C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Domain Validation Authority - G2 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 11 | C=PL, O=Dreamcommerce S.A., OU=Dreamcommerce S.A., CN=Shoper® SSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Name has deprecated attribute emailAddress |
| 6 | C=PL, O=nazwa.pl sp. z o.o., OU=http://nazwa.pl, CN=nazwaSSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Deprecated Netscape extension 2.16.840.1.113730.1.1 treated as opaque extension |
| 6 | C=PL, O=nazwa.pl sp. z o.o., OU=http://nazwa.pl, CN=nazwaSSL | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Certificate Policies should not contain notice references |
| 4 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | DigiCert | W | Extension should be critical for KeyUsage |
| 2 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web EV 2.0 CA | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 2 | C=NL, 2.5.4.97=NTRNL-30237459, O=QuoVadis Trustlink B.V., CN=QuoVadis Qualified Web ICA G1 | QuoVadis | W | Name has unknown attribute 2.5.4.97 |
| 2 | C=CN, O=China Financial Certification Authority, CN=CFCA OV OCA | China Financial Certification Authority (CFCA) | W | Extension should be critical for KeyUsage |
| 2 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=CrossTrust DV CA5 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 1 | C=DE, ST=Bayern, L=Muenchen, O=Fraunhofer, OU=Fraunhofer Corporate PKI, CN=Fraunhofer Service CA - G02 | T-Systems International GmbH (Deutsche Telekom) | W | TLS Server auth certificates should not contain 1.3.6.1.5.2.3.5 usage |
| 1 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=CrossTrust OV CA5 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 1 | C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Organization Validation CA SHA2 | Asseco Data Systems S.A. (previously Unizeto Certum) | W | Name has deprecated attribute emailAddress |
| 1 | C=FR, O=DHIMYOTIS, OU=0002 48146308100036, 2.5.4.97=NTRFR-48146308100036, CN=Certigna Services CA | Dhimyotis / Certigna | W | Name has unknown attribute 2.5.4.97 |
| 1 | C=DE, ST=Bayern, L=Muenchen, O=Fraunhofer, OU=Fraunhofer Corporate PKI, CN=Fraunhofer Service CA - G02 | T-Systems International GmbH (Deutsche Telekom) | W | TLS Server auth certificates should not contain Microsoft Smartcardlogin usage |
| 1 | C=JP, O="Japan Registry Services Co., Ltd.", CN=JPRS Organization Validation Authority - G2 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 1 | C=DE, ST=Bayern, L=Muenchen, O=Fraunhofer, OU=Fraunhofer Corporate PKI, CN=Fraunhofer Service CA - G02 | T-Systems International GmbH (Deutsche Telekom) | W | Microsoft extension 1.3.6.1.4.1.311.20.2 treated as opaque extension |