Some of these may be false-positives. You should review closely before taking action.
| # of affected certificates | CA | CCADB Owner | Severity | Description |
|---|---|---|---|---|
| 71021 | C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 71021 | C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 05 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 70974 | C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 06 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 70974 | C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 06 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 62953 | C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 02 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 62953 | C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 02 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 62612 | C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 62612 | C=US, O=Microsoft Corporation, CN=Microsoft Azure TLS Issuing CA 01 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 44636 | C=US, ST=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 | GoDaddy | W | BR certificates should be 397 days in validity or less |
| 43862 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 43862 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 02 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 43074 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 43074 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01 | DigiCert | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 15917 | C=US, O="Cloudflare, Inc.", CN=Cloudflare Inc ECC CA-3 | DigiCert | W | Unknown Extension: 1.3.6.1.4.1.11129.2.1.22 |
| 7186 | C=BE, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2 | GlobalSign nv-sa | W | BR certificates should be 397 days in validity or less |
| 5300 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R3 DV TLS CA 2020 | GlobalSign nv-sa | W | BR certificates should be 397 days in validity or less |
| 3079 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | GlobalSign nv-sa | W | BR certificates should be 397 days in validity or less |
| 2866 | C=US, ST=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2 | GoDaddy | W | BR certificates should be 397 days in validity or less |
| 2445 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - SHA256 - G3 | GlobalSign nv-sa | W | BR certificates should be 397 days in validity or less |
| 457 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=FujiSSL Public Validation Authority - G3 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 241 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web SR 3.0 CA | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 208 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Extended Validation CA - SHA256 - G3 | GlobalSign nv-sa | W | EV certificates should be 397 days in validity or less |
| 182 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2 | GlobalSign nv-sa | W | BR certificates should be 397 days in validity or less |
| 160 | C=US, ST=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 | GoDaddy | W | EV certificates should be 397 days in validity or less |
| 103 | C=BR, O=Rede Nacional de Ensino e Pesquisa - RNP, CN=RNP ICPEdu OV SSL CA 2019 | GlobalSign nv-sa | W | BR certificates should be 397 days in validity or less |
| 94 | C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 05 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 94 | C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 05 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 92 | C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 06 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 92 | C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 06 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 55 | C=CN, O=China Financial Certification Authority, CN=CFCA OV OCA | China Financial Certification Authority (CFCA) | W | Extension should be critical for KeyUsage |
| 44 | C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 01 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 44 | C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 01 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 36 | C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 02 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 36 | C=US, O=Microsoft Corporation, CN=Microsoft Azure ECC TLS Issuing CA 02 | DigiCert / Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 34 | CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | DigiCert | W | Unknown Extension: 1.2.840.113635.100.6.27.15.2 |
| 34 | CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | DigiCert | W | Unknown Extension: 1.2.840.113635.100.6.27.11.2 |
| 34 | CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | DigiCert | W | Unknown Extension: 1.2.840.113635.100.6.27.7.2 |
| 20 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=SECOM Passport for Web EV 2.0 CA | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 18 | CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | DigiCert | W | Unknown Extension: 1.2.840.113635.100.6.27.7.1 |
| 18 | CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | DigiCert | W | Unknown Extension: 1.2.840.113635.100.6.27.15.1 |
| 18 | CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US | DigiCert | W | Unknown Extension: 1.2.840.113635.100.6.27.11.1 |
| 15 | C=DE, O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU=DFN-PKI, CN=DFN-Verein Global Issuing CA | Deutsche Telekom Security GmbH | W | Microsoft extension 1.3.6.1.4.1.311.20.2 treated as opaque extension |
| 15 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA | DigiCert | W | Unknown Extension: 1.3.6.1.4.1.44363.44 |
| 14 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018 | GlobalSign nv-sa | W | BR certificates should be 397 days in validity or less |
| 12 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=EINS/PKI Public Certification Authority V4 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 10 | C=US, ST=Arizona, L=Scottsdale, O="Starfield Technologies, Inc.", OU=http://certs.starfieldtech.com/repository/, CN=Starfield Secure Certificate Authority - G2 | GoDaddy | W | EV certificates should be 397 days in validity or less |
| 10 | C=CN, O=UniTrust, CN=SHECA OV Server CA G5 | Shanghai Electronic Certification Authority Co., Ltd. | W | BR certificates should be 397 days in validity or less |
| 9 | C=US, ST=Texas, L=Houston, O=SSL Corp, CN=SSL.com SSL Intermediate CA ECC R2 | SSL.com | W | Unknown Extension: 1.3.6.1.4.1.44363.44 |
| 9 | C=BR, O=VALID CERTIFICADORA DIGITAL, CN=Valid Certificadora Digital AlphaSSL CA 2018 | GlobalSign nv-sa | W | BR certificates should be 397 days in validity or less |
| 7 | C=CN, O=China Financial Certification Authority, CN=CFCA EV OCA | China Financial Certification Authority (CFCA) | W | Extension should be critical for KeyUsage |
| 6 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 OV TLS CA 2022 Q1 | GlobalSign nv-sa | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 6 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=CrossTrust OV CA5 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 6 | C=JP, O="SECOM Trust Systems CO.,LTD.", CN=CrossTrust DV CA5 | SECOM Trust Systems CO., LTD. | W | BR certificates should include an HTTP URL of the issuing CA's certificate |
| 6 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 | GlobalSign nv-sa | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 5 | C=TW, O=行政院, CN=政府伺服器數位憑證管理中心 - G1 | Chunghwa Telecom | W | Name has multiple localityName attributes |
| 5 | C=DE, ST=Bayern, L=Muenchen, O=Fraunhofer, OU=Fraunhofer Corporate PKI, CN=Fraunhofer Service CA - G02 | Deutsche Telekom Security GmbH | W | Microsoft extension 1.3.6.1.4.1.311.20.2 treated as opaque extension |
| 4 | CN=ACCVCA-120, OU=PKIACCV, O=ACCV, C=ES | Government of Spain, Autoritat de Certificació de la Comunitat Valenciana (ACCV) | E | EV certificates must not contain wildcard FQDNs |
| 3 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G3 | GlobalSign nv-sa | W | BR certificates should be 397 days in validity or less |
| 3 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign GCC R3 EV QWAC CA 2020 | GlobalSign nv-sa | W | EV certificates should be 397 days in validity or less |
| 3 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2 | DigiCert | W | TLS Server auth certificates should not contain Microsoft Smartcard Login usage |
| 3 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2 | DigiCert | W | TLS Server auth certificates should not contain Signing KDC Response usage |
| 2 | C=US, O=Microsoft Corporation, CN=Microsoft ECC TLS Issuing AOC CA 01 | Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 2 | C=BR, O=VALID CERTIFICADORA DIGITAL, CN=Valid Certificadora Digital SSL DV CA 2018 | GlobalSign nv-sa | W | BR certificates should be 397 days in validity or less |
| 2 | C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA | DigiCert | W | Unknown Extension: 2.23.140.1.31 |
| 2 | C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 | DigiCert | W | Unknown Extension: 1.3.6.1.4.1.11129.2.1.22 |
| 2 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS Issuing AOC CA 01 | Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 2 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS Issuing AOC CA 01 | Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 2 | C=US, O=Microsoft Corporation, CN=Microsoft ECC TLS Issuing AOC CA 01 | Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 2 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS Issuing EOC CA 01 | Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.10 treated as opaque extension |
| 2 | C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS Issuing EOC CA 01 | Microsoft Corporation | W | Microsoft extension 1.3.6.1.4.1.311.21.7 treated as opaque extension |
| 2 | C=CN, O=UniTrust, CN=SHECA DV Server CA G5 | Shanghai Electronic Certification Authority Co., Ltd. | W | BR certificates should be 397 days in validity or less |
| 1 | C=BR, O=SOLUTI - SOLUCOES EM NEGOCIOS INTELIGENTES S/A, CN=Soluti CA - DV | GlobalSign nv-sa | W | BR certificates should be 397 days in validity or less |
| 1 | C=GR, O=Hellenic Academic and Research Institutions CA, CN=University of the Peloponnese TLS RSA SubCA R1 | HARICA | W | Duplicate SAN entry |
| 1 | C=NL, O=KPN B.V., CN=KPN PKIoverheid Server CA 2020 | Government of The Netherlands, PKIoverheid (Logius) | W | Duplicate SAN entry |
| 1 | C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA | DigiCert | E | BR certificates must be 825 days in validity or less |
| 1 | C=BR, O=SOLUTI - SOLUCOES EM NEGOCIOS INTELIGENTES S/A, CN=Soluti CA - EV | GlobalSign nv-sa | W | EV certificates should be 397 days in validity or less |
| 1 | C=US, O=Google Trust Services LLC, CN=GTS CA 2A1 | Google Trust Services LLC | W | Unknown Extension: 1.3.6.1.4.1.11129.2.1.22 |
| 1 | C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 | DigiCert | W | Unknown Extension: 2.23.140.1.31 |
| 1 | C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC CloudSSL CA - SHA384 - G3 | GlobalSign nv-sa | W | BR certificates should be 397 days in validity or less |
| 1 | C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1 | DigiCert | E | EV certificates must not contain wildcard FQDNs |